ID | Name |
---|---|
T1563.001 | SSH Hijacking |
T1563.002 | RDP Hijacking |
Adversaries may take control of preexisting sessions with remote services to move laterally in an environment. Users may use valid credentials to log into a service specifically designed to accept remote connections, such as telnet, SSH, and RDP. When a user logs into a service, a session will be established that will allow them to maintain a continuous interaction with that service.
Adversaries may commandeer these sessions to carry out actions on remote systems. Remote Service Session Hijacking differs from use of Remote Services because it hijacks an existing session rather than creating a new session using Valid Accounts.[1][2]
ID | Mitigation | Description |
---|---|---|
M1042 | Disable or Remove Feature or Program |
Disable the remote service (ex: SSH, RDP, etc.) if it is unnecessary. |
M1030 | Network Segmentation |
Enable firewall rules to block unnecessary traffic between network security zones within a network. |
M1027 | Password Policies |
Set and enforce secure password policies for accounts. |
M1026 | Privileged Account Management |
Do not allow remote access to services as a privileged account unless necessary. |
M1018 | User Account Management |
Limit remote user permissions if remote access is necessary. |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0017 | Command | Command Execution |
Monitor executed commands and arguments that may take control of preexisting sessions with remote services to move laterally in an environment.
|
DS0028 | Logon Session | Logon Session Creation |
Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time.
|
DS0029 | Network Traffic | Network Traffic Content |
Monitor network traffic for signs of hijacked sessions, such as unusual traffic patterns or unexpected session resumptions. Identify suspicious remote connections that align with ongoing user sessions.
|
Network Traffic Flow |
Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. |
||
DS0009 | Process | Process Creation |
Monitor newly executed processes that may take control of preexisting sessions with remote services to move laterally in an environment. |