Technique on mitre.org

T1563: Remote Service Session Hijacking

Adversaries may take control of preexisting sessions with remote services to move laterally in an environment. Users may use valid credentials to log into a service specifically designed to accept remote connections, such as telnet, SSH, and RDP. When a user logs into a service, a session will be established that will allow them to maintain a continuous interaction with that service.

Adversaries may commandeer these sessions to carry out actions on remote systems. Remote Service Session Hijacking differs from use of Remote Services because it hijacks an existing session rather than creating a new session using Valid Accounts.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

Subtechniques

Detection

ID	DS0017	Data source and component	Command: Command Execution	Description	Monitor executed commands and arguments that may take control of preexisting sessions with remote services to move laterally in an environment.

ID	DS0029	Data source and component	Network Traffic: Network Traffic Content	Description	Monitor and analyze traffic patterns and packet inspection associated to protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

ID	DS0029	Data source and component	Network Traffic: Network Traffic Flow	Description	Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

ID	DS0028	Data source and component	Logon Session: Logon Session Creation	Description	Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time.

ID	DS0009	Data source and component	Process: Process Creation	Description	Monitor newly executed processes that may take control of preexisting sessions with remote services to move laterally in an environment.

ID	Data source and component	Description
DS0017	Command: Command Execution	Monitor executed commands and arguments that may take control of preexisting sessions with remote services to move laterally in an environment.
DS0029	Network Traffic: Network Traffic Content	Monitor and analyze traffic patterns and packet inspection associated to protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).
DS0029	Network Traffic: Network Traffic Flow	Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.
DS0028	Logon Session: Logon Session Creation	Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time.
DS0009	Process: Process Creation	Monitor newly executed processes that may take control of preexisting sessions with remote services to move laterally in an environment.

Mitigation

ID	M1018	Name	User Account Management	Description	Limit remote user permissions if remote access is necessary.

ID	M1026	Name	Privileged Account Management	Description	Do not allow remote access to services as a privileged account unless necessary.

ID	M1027	Name	Password Policies	Description	Set and enforce secure password policies for accounts.

ID	M1030	Name	Network Segmentation	Description	Enable firewall rules to block unnecessary traffic between network security zones within a network.

ID	M1042	Name	Disable or Remove Feature or Program	Description	Disable the remote service (ex: SSH, RDP, etc.) if it is unnecessary.

ID	Name	Description
M1018	User Account Management	Limit remote user permissions if remote access is necessary.
M1026	Privileged Account Management	Do not allow remote access to services as a privileged account unless necessary.
M1027	Password Policies	Set and enforce secure password policies for accounts.
M1030	Network Segmentation	Enable firewall rules to block unnecessary traffic between network security zones within a network.
M1042	Disable or Remove Feature or Program	Disable the remote service (ex: SSH, RDP, etc.) if it is unnecessary.