EXPLORE
Sign In
← Back to Explore
T1563

Remote Service Session Hijacking

Adversaries may take control of preexisting sessions with remote services to move laterally in an environment. Users may use valid credentials to log into a service specifically designed to accept remote connections, such as telnet, SSH, and RDP. When a user logs into a service, a session will be established that will allow them to maintain a continuous interaction with that service. Adversaries may commandeer these sessions to carry out actions on remote systems. [Remote Service Session Hijack...

LinuxmacOSWindows
9
Detections
1
Sources
0
Threat Actors

BY SOURCE

9elastic

PROCEDURES (8)

Persist2 detections

Auto-extracted: 2 detections for persist

Service1 detections

Auto-extracted: 1 detections for service

Remote1 detections

Auto-extracted: 1 detections for remote

Network Connection Monitoring1 detections

Auto-extracted: 1 detections for network connection monitoring

Credential1 detections

Auto-extracted: 1 detections for credential

Service1 detections

Auto-extracted: 1 detections for service

Credential1 detections

Auto-extracted: 1 detections for credential

Child Process1 detections

Auto-extracted: 1 detections for child process

DETECTIONS (9)

Network Connection Initiated by Suspicious SSHD Child Process
elasticmedium
Potential Execution via SSH Backdoor
elasticmedium
Potential Remote Desktop Shadowing Activity
elastichigh
Potential THC Tool Downloaded
elastichigh
Renaming of OpenSSH Binaries
elasticlow
SSH Authorized Key File Activity Detected via Defend for Containers
elasticmedium
SSH Authorized Keys File Activity
elasticmedium
SSH Key Generated via ssh-keygen
elasticlow
Unusual SSHD Child Process
elasticlow