# T1563 Remote Service Session Hijacking

-----------------------------------------------------------------------

## Technique Description

Adversaries may take control of preexisting sessions with remote services to move laterally in an environment. Users may use valid credentials to log into a service specifically designed to accept remote connections, such as telnet, SSH, and RDP. When a user logs into a service, a session will be established that will allow them to maintain a continuous interaction with that service.

Adversaries may commandeer these sessions to carry out actions on remote systems. [Remote Service Session Hijacking](https://attack.mitre.org/techniques/T1563) differs from use of [Remote Services](https://attack.mitre.org/techniques/T1021) because it hijacks an existing session rather than creating a new session using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: RDP Hijacking Medium)(Citation: Breach Post-mortem SSH Hijack)

## Technique Detection

Use of these services may be legitimate, depending upon the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with that service. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time.

Monitor for processes and command-line arguments associated with hijacking service sessions.

-----------------------------------------------------------------------

### Tactics:

  *   Lateral-Movement

### Platforms:

  * Linux

  * macOS

  * Windows

### Adversary Required Permissions:

  * SYSTEM

  * root

### Data Sources:

  * **Logon Session:** Logon Session Creation

  * **Process:** Process Creation

  * **Network Traffic:** Network Traffic Content

  * **Network Traffic:** Network Traffic Flow

  * **Command:** Command Execution

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1563)

  * [RDP Hijacking Medium](https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6), Beaumont, K. (2017, March 19). RDP hijacking — how to hijack RDS and RemoteApp sessions transparently to move through an organisation. Retrieved December 11, 2017.

  * [Breach Post-Mortem SSH Hijack](https://matrix.org/blog/2019/05/08/post-mortem-and-remediations-for-apr-11-security-incident), Hodgson, M. (2019, May 8). Post-mortem and remediations for Apr 11 security incident. Retrieved February 17, 2020.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversaries will take control of preexisting sessions with remote services to move laterally in an environment.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Example APT/Threat actor | 1, 2 | 2, 3, 5|

## Detection Blindspots

- Use of these services may be legitimate, depending upon the network environment and how it is used.

## Analytical References

  * https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md
  * https://doublepulsar.com/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
  * https://matrix.org/blog/2019/05/08/post-mortem-and-remediations-for-apr-11-security-incident

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Information Here

#### Analytic 1

  * **Information:** 'Monitor processes and command-line arguments for actions that could be taken to gather network information.'

  * **Source:** 'Windows Audits, Sysmon'

  * **Tool:** 'Kibana'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```process.name : tscon.exe```

#### Analytic 2

  * **Information:** 'Monitor processes and command-line arguments for actions that could be taken to gather network information. Also monitor service creation that uses cmd.exe /k or cmd.exe /c in its arguments.'

  * **Source:** 'Windows Audits, Sysmon'

  * **Tool:** 'Kibana'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```process.command_line : (*cmd.exe\ /k* or *cmd.exe\ /c*)```

#### Analytic 3

  * **Information:** 'Authentication Logs'

  * **Source:** 'Windows Audits'

  * **Tool:** 'Kibana'

  * **Notes:** '4624 - An account was successfully logged on; 4625 - An account failed to log on.'

  * **Query:** ```event.code : (4624 or 4625) and logontype : 10```

#### Analytic 4

  * **Information:** 'RDP logs'

  * **Source:** 'Windows Audits'

  * **Tool:** 'Kibana'

  * **Notes:** Not normally included in Winlogbeat; found under Event Viewer\Applications and Services Logs\Microsoft\Windows\TerminalServices-LocalSessionManager\Operational or TerminalServices-RemoteConnectionManager\Operational:

    * 21 - Session logon succeeded
    * 23 - Session logoff succeeded
    * 25 - Session reconnection succeeded
    * 41 - Begin session arbitration

    More RDP logs can be found in TerminalServices-ClientActiveXCore (RDPClient/Operational).

  * **Query:** ```event.code : (21 or 23 or 25 or 41)```

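The four host analytics above are written as separate Kibana queries. The following added example (not part of this playbook or of any referenced tool) shows how a hunter would run the same logic offline over exported records and, going one step beyond the page, correlate Analytics 3 and 4: a LocalSessionManager session event (21 or 25) for a user and host that has no preceding Security 4624 logon type 10 within a window is the shape a hijacked session takes in the logs. The record layout, the key names (`process_name`, `command_line`, `parent_name`, `logon_type`, `channel`, `user`, `host`, `ts`) and all sample events are constructed for this example and are not real telemetry.

```python
from datetime import datetime, timedelta

# Windows channel names as they appear in exported event records.
LSM = "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
SYSMON = "Microsoft-Windows-Sysmon/Operational"

# Constructed sample records (assumed flat layout, ECS-like key names).
SAMPLE_EVENTS = [
    # Ordinary RDP logon: 4624 type 10 followed by LSM event 21 for alice.
    {"ts": "2022-06-23T09:00:00", "code": 4624, "channel": "Security",
     "logon_type": 10, "user": "alice", "host": "WS01"},
    {"ts": "2022-06-23T09:00:01", "code": 21, "channel": LSM,
     "user": "alice", "host": "WS01"},
    # Service-launched shell wrapping tscon (Analytics 1 and 2).
    {"ts": "2022-06-23T11:15:00", "code": 1, "channel": SYSMON,
     "process_name": "cmd.exe", "parent_name": "services.exe",
     "command_line": "cmd.exe /k tscon.exe 2 /dest:rdp-tcp#1",
     "user": "SYSTEM", "host": "WS01"},
    {"ts": "2022-06-23T11:15:01", "code": 1, "channel": SYSMON,
     "process_name": "tscon.exe", "parent_name": "cmd.exe",
     "command_line": "tscon.exe 2 /dest:rdp-tcp#1",
     "user": "SYSTEM", "host": "WS01"},
    # Session reconnect for bob with no 4624 type 10 of his own (Analytics 3 + 4).
    {"ts": "2022-06-23T11:15:02", "code": 25, "channel": LSM,
     "user": "bob", "host": "WS01"},
]


def _when(event):
    return datetime.fromisoformat(event["ts"])


def analytic_1_tscon(events):
    """Analytic 1: process creations whose image is tscon.exe."""
    return [e for e in events
            if e.get("process_name", "").lower() == "tscon.exe"]


def analytic_2_cmd_switch(events):
    """Analytic 2: command lines carrying 'cmd.exe /k' or 'cmd.exe /c'.
    The caller can weight a hit higher when parent_name is services.exe,
    which is what a service-created shell looks like."""
    hits = []
    for e in events:
        cmd = e.get("command_line", "").lower()
        if "cmd.exe /k" in cmd or "cmd.exe /c" in cmd:
            hits.append(e)
    return hits


def analytics_3_4_session_without_logon(events, window_minutes=60):
    """Correlate LSM session events (21 logon, 25 reconnect) with a Security
    4624 logon type 10 for the same user and host in the preceding window.
    Sessions that appear with no matching RemoteInteractive logon are returned."""
    logons = [e for e in events
              if e.get("code") == 4624 and e.get("logon_type") == 10]
    window = timedelta(minutes=window_minutes)
    hits = []
    for e in events:
        if e.get("channel") != LSM or e.get("code") not in (21, 25):
            continue
        matched = any(
            lg["user"] == e["user"] and lg["host"] == e["host"]
            and timedelta(0) <= _when(e) - _when(lg) <= window
            for lg in logons)
        if not matched:
            hits.append(e)
    return hits


def hunt(events):
    """Run all analytics and return (analytic, timestamp, detail) findings
    in time order so the hunter reads them as a sequence."""
    findings = []
    for e in analytic_1_tscon(events):
        findings.append(("A1 tscon.exe", e["ts"], e["command_line"]))
    for e in analytic_2_cmd_switch(events):
        findings.append(("A2 cmd.exe /k|/c", e["ts"],
                         f"{e['command_line']} (parent {e.get('parent_name')})"))
    for e in analytics_3_4_session_without_logon(events):
        findings.append(("A3+A4 session without 4624 type 10", e["ts"],
                         f"event {e['code']} user={e['user']} host={e['host']}"))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for analytic, ts, detail in hunt(SAMPLE_EVENTS):
        print(f"{ts}  {analytic:<40} {detail}")
```

On the sample data alice's normal logon produces nothing, while the three events at 11:15 produce one finding per analytic group, read in time order: the service-style `cmd.exe /k` launch, the `tscon.exe` child, then a reconnect for a user with no logon of his own. The window length is a tuning knob; a reconnect hours after a legitimate logon is normal for a disconnected session, so raise `window_minutes` to match the environment's disconnect timeout before treating unmatched reconnects as high-fidelity hits.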
-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------