Skip to content

DET0079 Detection of Remote Service Session Hijacking

Item Value
ID DET0079
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1563 (Remote Service Session Hijacking)

Analytics

Windows

AN0216

Detection of anomalous RDP or remote service session activity where a logon session is hijacked rather than newly created. Indicators include mismatched user credentials vs. active session tokens, service session takeovers without corresponding successful logon events, or RDP shadowing activity without user consent.

Log Sources
Data Component Name Channel
Logon Session Creation (DC0067) WinEventLog:Security EventCode=4624, 4648
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Network Connection Creation (DC0082) WinEventLog:Sysmon EventCode=3, 22
Mutable Elements
Field Description
ExpectedUserSessionMap Mapping of users to hosts they are expected to access; deviations indicate possible hijacking.
TimeWindow Threshold for detecting rapid pivoting via hijacked sessions.

Linux

AN0217

Detection of SSH/Telnet session hijacking via discrepancies between authentication logs and active session tables. Adversary behavior includes reusing or stealing active PTY sessions, attaching to screen/tmux, or issuing commands without corresponding login events.

Log Sources
Data Component Name Channel
Command Execution (DC0064) auditd:SYSCALL execve: Commands executed within an SSH session where no matching logon/authentication event exists
Logon Session Creation (DC0067) NSM:Connections Mismatch between recorded user logon and active sessions (e.g., wtmp/utmp entries without corresponding authentication in auth.log)
Network Traffic Flow (DC0078) NSM:Flow Long-lived or hijacked SSH sessions maintained with no active user activity
Mutable Elements
Field Description
MonitoredServicePorts Ports for SSH/Telnet/RDP monitored for session hijacking; may vary by environment.

macOS

AN0218

Detection of hijacked VNC or SSH sessions on macOS where adversaries take over an existing session rather than authenticating directly. Indicators include process execution from active sessions without new logon events, manipulation of TTY sessions, or anomalous network activity tied to dormant sessions.

Log Sources
Data Component Name Channel
Logon Session Creation (DC0067) macos:unifiedlog Authentication inconsistencies where commands are executed without corresponding login events
Process Creation (DC0032) macos:unifiedlog Execution of processes linked to hijacked sessions (e.g., anomalous parent-child process lineage)
Network Traffic Content (DC0085) NSM:Flow Suspicious long-lived or reattached remote desktop sessions from unexpected IPs
Mutable Elements
Field Description
SessionIdleThreshold Time threshold for inactive sessions flagged as suspicious when commands suddenly resume.