Detection of anomalous RDP or remote service session activity where a logon session is hijacked rather than newly created. Indicators include mismatched user credentials vs. active session tokens, service session takeovers without corresponding successful logon events, or RDP shadowing activity without user consent.

| Data Component | Data Source | Channel / Detail |
|---|---|---|
| Logon Session Creation (DC0067) | WinEventLog:Security | EventCode=4624, 4648 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |

| Field | Description |
|---|---|
| ExpectedUserSessionMap | Mapping of users to hosts they are expected to access; deviations indicate possible hijacking. |
| TimeWindow | Threshold for detecting rapid pivoting via hijacked sessions. |

Detection of SSH/Telnet session hijacking via discrepancies between authentication logs and active session tables. Adversary behavior includes reusing or stealing active PTY sessions, attaching to screen/tmux, or issuing commands without corresponding login events.

| Data Component | Data Source | Channel / Detail |
|---|---|---|
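As an added example (not part of the original detection strategy), the following Python shows how the Windows indicators above can be correlated offline: Sysmon EventCode=1 process creations are joined to Security 4624 logons by `LogonId`/`TargetLogonId`, a process whose session has no matching logon or whose user differs from the session owner is flagged, logons are checked against `ExpectedUserSessionMap`, and consecutive RemoteInteractive (type 10) logons by one user to different hosts inside `TimeWindow` are reported as rapid pivoting. The hosts, users, logon IDs and timestamps are constructed sample values, and the finding labels are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): Security 4624 logons and
# Sysmon EventCode=1 process creations, reduced to the fields the logic uses.
LOGONS_4624 = [
    {"time": "2024-05-01T09:00:00", "host": "WS01", "TargetUserName": "alice",
     "TargetLogonId": "0x3e7a1", "LogonType": 10, "IpAddress": "10.0.0.5"},
    {"time": "2024-05-01T09:01:00", "host": "SRV01", "TargetUserName": "svc_backup",
     "TargetLogonId": "0x5a2c0", "LogonType": 10, "IpAddress": "10.0.0.5"},
    {"time": "2024-05-01T09:02:30", "host": "SRV02", "TargetUserName": "alice",
     "TargetLogonId": "0x77b10", "LogonType": 10, "IpAddress": "10.0.0.5"},
]
PROCS_SYSMON1 = [
    {"time": "2024-05-01T09:00:30", "host": "WS01", "User": "CORP\\alice",
     "LogonId": "0x3e7a1", "Image": r"C:\Windows\System32\cmd.exe"},
    # Runs inside svc_backup's session but under a different account name.
    {"time": "2024-05-01T09:01:20", "host": "SRV01", "User": "CORP\\bob",
     "LogonId": "0x5a2c0", "Image": r"C:\Windows\System32\cmd.exe"},
    # Session ID that never appeared in a 4624 event on this host.
    {"time": "2024-05-01T09:03:00", "host": "SRV01", "User": "CORP\\svc_backup",
     "LogonId": "0x9f001", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

# Mutable elements from the strategy, filled with constructed values.
EXPECTED_USER_SESSION_MAP = {"alice": {"WS01"}, "svc_backup": {"SRV01"}}
TIME_WINDOW = timedelta(minutes=5)


def _ts(value):
    return datetime.fromisoformat(value)


def _short_user(user):
    # "CORP\\alice" -> "alice"; comparison is case-insensitive like Windows.
    return user.split("\\")[-1].lower()


def find_session_hijack_indicators(logons, procs, expected_map, time_window):
    """Return (kind, host, user, detail) tuples for the indicators described above."""
    findings = []
    by_logon_id = {(e["host"], e["TargetLogonId"].lower()): e for e in logons}

    # 1. Process activity versus the logon session it claims to belong to.
    for p in procs:
        actor = _short_user(p["User"])
        logon = by_logon_id.get((p["host"], p["LogonId"].lower()))
        if logon is None:
            findings.append(("process_without_logon", p["host"], actor, p["Image"]))
        elif logon["TargetUserName"].lower() != actor:
            findings.append(("user_token_mismatch", p["host"], actor,
                             f"session owner {logon['TargetUserName']}"))

    # 2. Deviations from the expected user -> host mapping.
    for e in logons:
        user = e["TargetUserName"].lower()
        allowed = expected_map.get(user)
        if allowed is not None and e["host"] not in allowed:
            findings.append(("unexpected_host", e["host"], user, f"expected {sorted(allowed)}"))

    # 3. Rapid pivoting: RDP logons by one user to different hosts within the window.
    rdp_by_user = defaultdict(list)
    for e in logons:
        if e["LogonType"] == 10:
            rdp_by_user[e["TargetUserName"].lower()].append(e)
    for user, events in rdp_by_user.items():
        events.sort(key=lambda e: _ts(e["time"]))
        for prev, cur in zip(events, events[1:]):
            if prev["host"] != cur["host"] and _ts(cur["time"]) - _ts(prev["time"]) <= time_window:
                findings.append(("rapid_pivot", cur["host"], user,
                                 f"from {prev['host']} within {time_window}"))
    return findings


if __name__ == "__main__":
    for finding in find_session_hijack_indicators(LOGONS_4624, PROCS_SYSMON1,
                                                  EXPECTED_USER_SESSION_MAP, TIME_WINDOW):
        print(*finding, sep=" | ")
```

In production the join key should also include the event's computer name, as done here, because LogonIds are only unique per boot of one host; in a SIEM the same logic is usually expressed as a join between the 4624 and Sysmon EventCode=1 streams on that pair.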
| Command Execution (DC0064) | auditd:SYSCALL | execve: Commands executed within an SSH session where no matching logon/authentication event exists |
| Logon Session Creation (DC0067) | NSM:Connections | Mismatch between recorded user logon and active sessions (e.g., wtmp/utmp entries without corresponding authentication in auth.log) |
| Network Traffic Flow (DC0078) | NSM:Flow | Long-lived or hijacked SSH sessions maintained with no active user activity |

| Field | Description |
|---|---|
| MonitoredServicePorts | Ports for SSH/Telnet/RDP monitored for session hijacking; may vary by environment. |

Detection of hijacked VNC or SSH sessions on macOS where adversaries take over an existing session rather than authenticating directly. Indicators include process execution from active sessions without new logon events, manipulation of TTY sessions, or anomalous network activity tied to dormant sessions.

| Data Component | Data Source | Channel / Detail |
|---|---|---|
| Logon Session Creation (DC0067) | macos:unifiedlog | Authentication inconsistencies where commands are executed without corresponding login events |
| Process Creation (DC0032) | macos:unifiedlog | Execution of processes linked to hijacked sessions (e.g., anomalous parent-child process lineage) |
| Network Traffic Content (DC0085) | NSM:Flow | Suspicious long-lived or reattached remote desktop sessions from unexpected IPs |

| Field | Description |
|---|---|
| SessionIdleThreshold | Time threshold for inactive sessions flagged as suspicious when commands suddenly resume. |
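The Linux and macOS strategies above both rest on the same three comparisons: authentication records versus the active session table, commands versus the session they were issued from, and a dormant session that suddenly resumes. As an added example (not part of the original strategy), the Python below applies them to a constructed sshd `auth.log` excerpt, a `who`/utmp-style session table and auditd `execve` records reduced to user, TTY and command; `SessionIdleThreshold` is the idle gap after which resumed command activity is flagged. The log lines, usernames, TTYs and addresses are all constructed, and the finding labels are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd auth.log excerpt: only these two logins were authenticated.
AUTH_LOG = """\
May  1 09:00:01 srv1 sshd[2001]: Accepted publickey for alice from 10.0.0.5 port 51000 ssh2
May  1 09:05:10 srv1 sshd[2044]: Accepted password for bob from 10.0.0.9 port 51400 ssh2
"""

# Active session table as who/utmp would report it (constructed). pts/2 has
# no matching authentication record in AUTH_LOG.
ACTIVE_SESSIONS = [
    {"user": "alice", "tty": "pts/0", "from": "10.0.0.5", "since": "2024-05-01T09:00:02"},
    {"user": "bob", "tty": "pts/1", "from": "10.0.0.9", "since": "2024-05-01T09:05:11"},
    {"user": "root", "tty": "pts/2", "from": "10.0.0.42", "since": "2024-05-01T09:20:00"},
]

# auditd SYSCALL execve records reduced to the fields used here (constructed).
EXECVE_RECORDS = [
    {"time": "2024-05-01T09:00:30", "user": "alice", "tty": "pts/0", "comm": "ls"},
    # Same TTY resumes after hours of silence.
    {"time": "2024-05-01T11:45:00", "user": "alice", "tty": "pts/0", "comm": "curl"},
    # Command on the session that never authenticated.
    {"time": "2024-05-01T09:21:00", "user": "root", "tty": "pts/2", "comm": "bash"},
    # Command on a TTY that is not in the session table at all.
    {"time": "2024-05-01T09:22:00", "user": "bob", "tty": "pts/3", "comm": "id"},
]

# Mutable element from the strategy, constructed value.
SESSION_IDLE_THRESHOLD = timedelta(minutes=60)

ACCEPTED_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+) port \d+")


def find_tty_hijack_indicators(auth_log, sessions, execve_records, idle_threshold):
    """Return (kind, tty, user, detail) tuples for the discrepancies described above."""
    # (user, source address) pairs that actually authenticated through sshd.
    authenticated = set(ACCEPTED_RE.findall(auth_log))
    findings = []

    # 1. Session table entries with no corresponding authentication event.
    session_by_tty = {s["tty"]: s for s in sessions}
    authenticated_ttys = set()
    for s in sessions:
        if (s["user"], s["from"]) in authenticated:
            authenticated_ttys.add(s["tty"])
        else:
            findings.append(("session_without_auth", s["tty"], s["user"], f"from {s['from']}"))

    # 2. Commands issued from a TTY with no session, an unauthenticated
    #    session, or a session owned by a different user.
    commands_by_tty = defaultdict(list)
    for ev in execve_records:
        sess = session_by_tty.get(ev["tty"])
        if sess is None:
            findings.append(("command_without_session", ev["tty"], ev["user"], ev["comm"]))
            continue
        if ev["tty"] not in authenticated_ttys:
            findings.append(("command_without_logon", ev["tty"], ev["user"], ev["comm"]))
        elif sess["user"] != ev["user"]:
            findings.append(("session_user_mismatch", ev["tty"], ev["user"],
                             f"session owner {sess['user']}"))
        commands_by_tty[ev["tty"]].append(ev)

    # 3. Dormant sessions whose command activity resumes after the idle threshold.
    for tty, events in commands_by_tty.items():
        events.sort(key=lambda e: datetime.fromisoformat(e["time"]))
        for prev, cur in zip(events, events[1:]):
            gap = datetime.fromisoformat(cur["time"]) - datetime.fromisoformat(prev["time"])
            if gap > idle_threshold:
                findings.append(("idle_session_resumed", tty, cur["user"],
                                 f"idle {gap} then {cur['comm']}"))
    return findings


if __name__ == "__main__":
    for finding in find_tty_hijack_indicators(AUTH_LOG, ACTIVE_SESSIONS,
                                              EXECVE_RECORDS, SESSION_IDLE_THRESHOLD):
        print(*finding, sep=" | ")
```

The session table is the anchor for both the "no login" and the "idle then resume" checks, so the data needs to come from the same host and time range; on macOS the unified log supplies the authentication and process records in place of auth.log and auditd, but the comparison is the same.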