Remote Service Session Hijacking

Adversaries may take control of preexisting sessions with remote services to move laterally in an environment. Users may use valid credentials to log into a service specifically designed to accept remote connections, such as telnet, SSH, and RDP. When a user logs into a service, a session will be established that will allow them to maintain a continuous interaction with that service.

Adversaries may commandeer these sessions to carry out actions on remote systems. Remote Service Session Hijacking differs from use of Remote Services because it hijacks an existing session rather than creating a new session using Valid Accounts.[1][2]

ID: T1563
Sub-techniques:  T1563.001, T1563.002
Platforms: Linux, Windows, macOS
Version: 1.1
Created: 25 February 2020
Last Modified: 15 April 2025

Mitigations

ID Mitigation Description
M1042 Disable or Remove Feature or Program

Disable the remote service (ex: SSH, RDP, etc.) if it is unnecessary.

M1030 Network Segmentation

Enable firewall rules to block unnecessary traffic between network security zones within a network.

M1027 Password Policies

Set and enforce secure password policies for accounts.

M1026 Privileged Account Management

Do not allow remote access to services as a privileged account unless necessary.

M1018 User Account Management

Limit remote user permissions if remote access is necessary.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments that may take control of preexisting sessions with remote services to move laterally in an environment.

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688")| search (command_line="attach-session" OR command_line="tmux attach" OR command_line="screen -r" OR command_line="rdpwrap")| stats count by user, host, parent_process_name, process_name, command_line, _time| eval hijacking_attempt=if(count > threshold OR match(command_line, "attach|hijack|reconnect"), "suspicious", "normal")| where hijacking_attempt="suspicious"

DS0028 Logon Session Logon Session Creation

Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time.

sourcetype IN ("WinEventLog:Security", "linux_secure", "macos_secure")| search event_code=4624 OR process="sshd" OR message="Accepted password for"| eval abnormal_login=if(logon_type IN ("3", "10") AND src_ip IN ("untrusted_ip_range") AND user NOT IN ("allowed_users"), "suspicious", "normal")| where abnormal_login="suspicious"| stats count by src_ip, user, host, logon_type, _time| table _time, src_ip, user, host, logon_type, abnormal_login

DS0029 Network Traffic Network Traffic Content

Monitor network traffic for signs of hijacked sessions, such as unusual traffic patterns or unexpected session resumptions. Identify suspicious remote connections that align with ongoing user sessions.

sourcetype=flow| search (dest_port=22 OR dest_port=3389 OR dest_port=23) AND (connection_state="ESTABLISHED")| eval session_hijack=if(session_duration > threshold_duration AND connection_origin="suspicious_ip", "possible_hijack", "normal")| where session_hijack="possible_hijack"| stats count by src_ip, dest_ip, dest_port, connection_state, _time| table _time, src_ip, dest_ip, dest_port, session_hijack

Network Traffic Flow

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

DS0009 Process Process Creation

Monitor newly executed processes that may take control of preexisting sessions with remote services to move laterally in an environment.

References