Remote Service Session Hijacking

Adversaries may take control of preexisting sessions with remote services to move laterally in an environment. Users may use valid credentials to log into a service specifically designed to accept remote connections, such as telnet, SSH, and RDP. When a user logs into a service, a session will be established that will allow them to maintain a continuous interaction with that service.

Adversaries may commandeer these sessions to carry out actions on remote systems. Remote Service Session Hijacking differs from use of Remote Services because it hijacks an existing session rather than creating a new session using Valid Accounts.[1][2][3]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Use of these services may be legitimate, depending upon the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with that service. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time.

Monitor for processes and command-line arguments associated with hijacking service sessions.

References

Attachments

ID
VT0025
MITRE ID
Sub-techniques
Tactic
Lateral Movement
Platforms
Linux
Windows
macOS
Permissions Required
SYSTEM
root
Data Sources
Authentication logs
Netflow/Enclave netflow
Process command-line parameters
Process monitoring
Version
1.0

Created: 05 January 2021

Last Modified: 05 January 2021