T1563: Remote Service Session Hijacking
Adversaries may take control of preexisting sessions with remote services to move laterally in an environment. Users may use valid credentials to log into a service specifically designed to accept remote connections, such as telnet, SSH, and RDP. When a user logs into a service, a session will be established that will allow them to maintain a continuous interaction with that service.
Adversaries may commandeer these sessions to carry out actions on remote systems. Remote Service Session Hijacking differs from use of Remote Services because it hijacks an existing session rather than creating a new session using Valid Accounts.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
mitre_attck_lateral_movement: PT-CR-227: RDP_Session_Hijacking: Startup of "tscon" for RDP session hijacking is detected
mitre_attck_lateral_movement: PT-CR-787: RDP_Shadow_Session_Initiation: Startup of mstsc.exe with the /shadow flag to establish a shadow RDP connection is detected
hacking_tools: PT-CR-2134: SharpToken_Usage: SharpToken was used. This tool can find leaked tokens from all processes in the system and exploit them. If attackers accessed a low-privileged account, they can use this tool to upgrade to "NT AUTHORITY\SYSTEM" privileges. SharpToken can also be used to capture interactive user sessions.
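The two process-startup conditions described above (tscon, and mstsc.exe with the /shadow flag) can be checked against process-creation events as in the following added example. It is not MaxPatrol SIEM rule logic or code from this page; the event field names, sample events and finding labels are constructed assumptions.

```python
import re

# Constructed process-creation events; field names are assumptions loosely
# modelled on common process-creation telemetry, not a real log export.
EVENTS = [
    {"host": "ws-01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\mstsc.exe",
     "cmdline": "mstsc.exe /v:shadow-srv01"},
    {"host": "srv-rds01", "user": "CORP\\svc-admin",
     "image": r"C:\Windows\System32\tscon.exe",
     "cmdline": "tscon.exe 2"},
    {"host": "ws-07", "user": "CORP\\helpdesk",
     "image": r"C:\Windows\System32\MSTSC.EXE",
     "cmdline": r'"C:\Windows\System32\MSTSC.EXE" /v:srv-rds01 /SHADOW:3'},
    {"host": "ws-02", "user": "CORP\\bob",
     "image": r"C:\Tools\tscontrol.exe",
     "cmdline": "tscontrol.exe --status"},
]

# /shadow must be a switch of its own, not part of a host name or another argument.
SHADOW_SWITCH = re.compile(r"(?:^|\s)/shadow(?=[:\s]|$)", re.IGNORECASE)

def image_name(path):
    """Lower-cased file name of the process image, for exact matching."""
    return re.split(r"[\\/]", path.strip('"'))[-1].lower()

def classify(event):
    """Return a finding label for one event, or None if neither condition matches."""
    name = image_name(event["image"])
    if name == "tscon.exe":
        return "tscon_startup"
    if name == "mstsc.exe" and SHADOW_SWITCH.search(event["cmdline"]):
        return "mstsc_shadow"
    return None

def detect(events):
    """Findings as (host, user, label) tuples, in input order."""
    findings = []
    for event in events:
        label = classify(event)
        if label:
            findings.append((event["host"], event["user"], label))
    return findings

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Matching on the exact image file name keeps look-alike binaries such as the constructed `tscontrol.exe` out of the results, and anchoring the switch keeps a host name containing "shadow" from triggering the second condition.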
Subtechniques
Expert Required. The technique is detected only with the combination of «PT Product + Expert»
Detection
| ID | Data source and component | Description |
|---|---|---|
| DS0029 | Network Traffic: Network Traffic Flow | Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. |
| DS0029 | Network Traffic: Network Traffic Content | Monitor and analyze traffic patterns and packet inspection associated to protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). |
| DS0017 | Command: Command Execution | Monitor executed commands and arguments that may take control of preexisting sessions with remote services to move laterally in an environment. |
| DS0009 | Process: Process Creation | Monitor newly executed processes that may take control of preexisting sessions with remote services to move laterally in an environment. |
| DS0028 | Logon Session: Logon Session Creation | Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time. |
Mitigation
| ID | Name | Description |
|---|---|---|
| M1018 | User Account Management | Limit remote user permissions if remote access is necessary. |
| M1026 | Privileged Account Management | Do not allow remote access to services as a privileged account unless necessary. |
| M1027 | Password Policies | Set and enforce secure password policies for accounts. |
| M1030 | Network Segmentation | Enable firewall rules to block unnecessary traffic between network security zones within a network. |
| M1042 | Disable or Remove Feature or Program | Disable the remote service (ex: SSH, RDP, etc.) if it is unnecessary. |