Remote Service Session Hijacking: SSH Hijacking

Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. Secure Shell (SSH) is a standard means of remote access on Linux, macOS and Windows 10 systems. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair.

In order to move laterally from a compromised host, adversaries may take advantage of trust relationships established with other systems via public key authentication in active SSH sessions by hijacking an existing connection to another system. This may occur through compromising the SSH agent itself or by having access to the agent's socket. If an adversary is able to obtain root access, then hijacking SSH sessions is likely trivial.[1][2][3][4]

SSH Hijacking differs from use of SSH because it hijacks an existing SSH session rather than creating a new session using Valid Accounts.[5]

Procedure Examples

Name Description

Facefish hijacks the active ssh session by injecting malicious code to the ssh/sshd process


This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.


Use of SSH may be legitimate, depending upon the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with SSH. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time. Also monitor user SSH-agent socket files being used by different users.



Lateral Movement
System Requirements
SSH service enabled
trust relationships configured
established connections
Permissions Required
Data Sources
Authentication logs

Created: 05 January 2021

Last Modified: 05 January 2021