last

Created by Will Huang (@In0de_16)

Description

The command shows a list of user sessions including the user name, terminal used, host name, start and stop times, and duration. It also indicates if a session is still active or was terminated unexpectedly.

Created: 2023-04-27
Tactics: Discovery
Tags: oneliner, account, network

Paths

  • /usr/bin/last

Use Cases

Enumerate the users who are currently logged into the system.

The following command will display sessions that are currently active.

last | grep "still logged in"

Enumerate all user accounts that have logged into the system previously.

The last command can be used to output users who have previously logged in, by specifying the tty interface ‘console’.

last -t console

Enumerate all hosts that have remotely logged into the system before.

An attacker can use ‘last’ with a filter to retrieve the connection date and remote host information for remote logins.

last | grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+'

Detections
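
One way to flag the three use cases above in process-execution telemetry is sketched below. It is an added example, not part of the original entry or the project's own detection content. The event field names (ts, ppid, user, cmd), the labels and the sample events are assumptions constructed for illustration.

```python
import shlex

# Constructed process-execution events (not real telemetry). Field names are
# assumptions; a pipeline shows up as sibling processes under one shell (ppid).
SAMPLE_EVENTS = [
    {"ts": 100, "ppid": 410, "user": "alice", "cmd": "/usr/bin/last"},
    {"ts": 100, "ppid": 410, "user": "alice", "cmd": "grep 'still logged in'"},
    {"ts": 160, "ppid": 512, "user": "alice", "cmd": "last -t console"},
    {"ts": 220, "ppid": 630, "user": "bob", "cmd": "last"},
    {"ts": 220, "ppid": 630, "user": "bob",
     "cmd": r"grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+'"},
    {"ts": 300, "ppid": 700, "user": "bob", "cmd": "ls -la /tmp"},
]

def basename(argv):
    """Executable name without its directory, or '' for an empty argv."""
    return argv[0].rsplit("/", 1)[-1] if argv else ""

def classify(last_argv, grep_argvs):
    """Label a `last` execution with the use case it most resembles."""
    if any(pair == ("-t", "console") for pair in zip(last_argv[1:], last_argv[2:])):
        return "previous-logins-console"
    grep_args = [a for argv in grep_argvs for a in argv[1:]]
    if any("still logged in" in a for a in grep_args):
        return "active-sessions"
    if any(r"[0-9]+\." in a for a in grep_args):
        return "remote-hosts"
    return "session-listing"

def detect(events, window=2):
    """Return (ts, user, label) for each `last` execution in the events."""
    parsed = [(e, shlex.split(e["cmd"])) for e in events]
    hits = []
    for event, argv in parsed:
        if basename(argv) != "last":
            continue
        # grep processes sharing the parent shell, close in time, are treated
        # as the filter stage of the same pipeline.
        siblings = [a for other, a in parsed
                    if other["ppid"] == event["ppid"]
                    and abs(other["ts"] - event["ts"]) <= window
                    and basename(a) in ("grep", "egrep")]
        hits.append((event["ts"], event["user"], classify(argv, siblings)))
    return hits

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Administrators run `last` routinely, so the labels are more useful as context for triage (who ran it, from which parent process, alongside which other Discovery commands) than as standalone alerts.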

Resources