Remote Service Session Hijacking

Adversaries may take control of preexisting sessions with remote services to move laterally in an environment. Users may use valid credentials to log into a service specifically designed to accept remote connections, such as telnet, SSH, and RDP. When a user logs into a service, a session will be established that will allow them to maintain a continuous interaction with that service.

Adversaries may commandeer these sessions to carry out actions on remote systems. Remote Service Session Hijacking differs from use of Remote Services because it hijacks an existing session rather than creating a new session using Valid Accounts.[1][2]

ID: T1563
Sub-techniques:  T1563.001, T1563.002
Platforms: Linux, Windows, macOS
Permissions Required: SYSTEM, root
Version: 1.0
Created: 25 February 2020
Last Modified: 23 March 2020
Provided by LAYER 8


ID Mitigation Description
M1042 Disable or Remove Feature or Program

Disable the remote service (ex: SSH, RDP, etc.) if it is unnecessary.

M1030 Network Segmentation

Enable firewall rules to block unnecessary traffic between network security zones within a network.

M1026 Privileged Account Management

Do not allow remote access to services as a privileged account unless necessary.

M1018 User Account Management

Limit remote user permissions if remote access is necessary.


ID Data Source Data Component
DS0017 Command Command Execution
DS0028 Logon Session Logon Session Creation
DS0029 Network Traffic Network Traffic Content
Network Traffic Flow
DS0009 Process Process Creation

Use of these services may be legitimate, depending upon the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with that service. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time.

Monitor for processes and command-line arguments associated with hijacking service sessions.