Remote Service Session Hijacking: SSH Hijacking

ID Name
T1563.001 SSH Hijacking
T1563.002 RDP Hijacking

Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair.

In order to move laterally from a compromised host, adversaries may take advantage of trust relationships established with other systems via public key authentication in active SSH sessions by hijacking an existing connection to another system. This may occur through compromising the SSH agent itself or by having access to the agent's socket. If an adversary is able to obtain root access, then hijacking SSH sessions is likely trivial.[1][2][3][4]

SSH Hijacking differs from use of SSH because it hijacks an existing SSH session rather than creating a new session using Valid Accounts.

ID: T1563.001
Sub-technique of: T1563
Platforms: Linux, macOS
Contributors: Anastasios Pingios
Version: 1.1
Created: 25 February 2020
Last Modified: 24 October 2025

Procedure Examples

ID Name Description
S1220 MEDUSA

MEDUSA can be configured to capture SSH credentials via SSH hijacking.[5]

Mitigations

ID Mitigation Description
M1042 Disable or Remove Feature or Program

Ensure that agent forwarding is disabled on systems that do not explicitly require this feature to prevent misuse.[6]

M1027 Password Policies

Ensure SSH key pairs have strong passwords and refrain from using key-store technologies such as ssh-agent unless they are properly protected.

M1026 Privileged Account Management

Do not allow remote access via SSH as root or other privileged accounts.

M1022 Restrict File and Directory Permissions

Ensure proper file permissions are set and harden the system to prevent root privilege escalation opportunities.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0256 Detection Strategy for SSH Session Hijacking AN0710

Suspicious reuse of SSH agent sockets across multiple users or processes, anomalous access to ~/.ssh/ or /tmp/ssh-* sockets, and abnormal patterns of lateral movement via SSH without new authentication events. Defender view: detect when one process accesses another user's SSH agent or when an existing SSH connection is used to pivot unexpectedly.

AN0711

Unusual access to SSH agent sockets in /tmp/ or /private/tmp, process access to another user’s $SSH_AUTH_SOCK, and lateral SSH activity without corresponding login events. Defender view: correlation of socket access with anomalous network flows to internal systems.
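
One way to implement the socket-reuse analytic above, as an added example that is not part of the original page or of any MITRE tooling: it joins auditd SYSCALL and SOCKADDR records and reports SSH agent sockets that more than one uid connected to. It assumes an x86_64 Linux host with an audit rule on connect() (syscall 42); the log lines, uids, pids and socket names are constructed sample data.

```python
import re
from collections import defaultdict

AGENT_SOCK = re.compile(r"^(?:/private)?/tmp/ssh-[^/]+/agent\.\d+$")
EVENT_ID = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def unix_path(saddr_hex):
    """Decode an auditd saddr value; return the AF_UNIX path, or None."""
    try:
        raw = bytes.fromhex(saddr_hex)
    except ValueError:
        return None
    if len(raw) < 3 or raw[:2] != b"\x01\x00":  # sa_family 1 = AF_UNIX, little-endian
        return None
    return raw[2:].split(b"\x00", 1)[0].decode(errors="replace")

def shared_agent_sockets(log_text):
    """Return {socket_path: [(uid, auid, pid, exe), ...]} for every agent
    socket that processes running under more than one uid connected to."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = EVENT_ID.search(line)
        if m:  # merge the SYSCALL and SOCKADDR records that share an event id
            events[m.group(1)].update(
                {k: v.strip('"') for k, v in FIELD.findall(line)})
    by_sock = defaultdict(set)
    for ev in events.values():
        path = unix_path(ev.get("saddr", ""))
        if ev.get("syscall") == "42" and path and AGENT_SOCK.match(path):
            by_sock[path].add(tuple(ev.get(k, "?") for k in ("uid", "auid", "pid", "exe")))
    return {p: sorted(a) for p, a in by_sock.items() if len({x[0] for x in a}) > 1}

def _rec(eid, pid, uid, auid, exe, path):
    """Build one constructed SYSCALL + SOCKADDR pair (sample data only)."""
    saddr = "0100" + path.encode().hex().upper() + "00"
    return (f'type=SYSCALL msg=audit(1700000000.000:{eid}): arch=c000003e syscall=42 '
            f'success=yes exit=0 pid={pid} auid={auid} uid={uid} exe="{exe}"\n'
            f'type=SOCKADDR msg=audit(1700000000.000:{eid}): saddr={saddr}\n')

# Constructed sample: event 502 is uid 0 (login uid 1001) using uid 1000's agent socket.
SAMPLE = (_rec(501, 4120, 1000, 1000, "/usr/bin/ssh", "/tmp/ssh-AbCdEf1234/agent.4100")
          + _rec(502, 4388, 0, 1001, "/usr/bin/ssh", "/tmp/ssh-AbCdEf1234/agent.4100")
          + _rec(503, 4500, 1002, 1002, "/usr/bin/ssh", "/tmp/ssh-ZyXwVu9876/agent.4490")
          + _rec(504, 4600, 1000, 1000, "/usr/bin/curl", "/run/dbus/system_bus_socket"))

if __name__ == "__main__":
    for sock, accessors in shared_agent_sockets(SAMPLE).items():
        print(sock, accessors)
```

Comparing uid with auid in each hit separates a process that switched identity after login from the session owner; correlating hits with the absence of a new authentication event on the destination host covers the second half of the analytic.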

References