AN0217: Analytic 0217
Detection of SSH/Telnet session hijacking via discrepancies between authentication logs and active session tables. Adversary behavior includes reusing or stealing active PTY sessions, attaching to screen/tmux, or issuing commands without corresponding login events.
Analyst context for executives and security teams
This analytic matters because it focuses on a high-risk gap between “who authenticated” and “who is currently using an interactive Linux session.” If an SSH or Telnet session is hijacked, reused, or accessed through tools such as screen or tmux without a corresponding login event, the organization may see command activity that appears to come from a legitimate user while missing the actual access event that explains it.
Executive priority
Security leaders should treat this as an identity and incident-response validation point for Linux environments: can the team prove that active interactive sessions map back to expected authentication records? The business value is in reducing ambiguity during investigations, strengthening audit evidence around administrative access, and identifying blind spots where attackers or unauthorized users could operate through existing sessions without triggering normal login-based controls.
Technical view
For SOC and IR teams, the practical test is whether Linux authentication records can be compared against active session state. The ATT&CK object describes discrepancies between authentication logs and active session tables, including possible reuse or theft of active PTY sessions, attachment to screen/tmux, or command activity without matching login events. Because no official detection logic or tactic mapping is supplied, teams should implement this as a validation and correlation use case rather than assuming a ready-made detection.
Likely telemetry
- Linux authentication logs for SSH and, where present, Telnet access
- Active session table data showing current logged-in users and terminals
- PTY/session metadata sufficient to associate commands or shells with interactive sessions
- Evidence of screen or tmux session attachment where such tooling is used
- Command execution or shell activity records, if collected, to compare against authentication timing
Detection direction
- Validate that authentication logs and active session tables are both collected, time-synchronized, and retained long enough for investigation.
- Look for active interactive sessions or command activity that lack a plausible corresponding authentication event.
- Tune for legitimate administrative workflows involving screen or tmux so detections distinguish expected session persistence from suspicious attachment or reuse.
- Account for blind spots where Telnet is not monitored, auth logs are incomplete, session data is not centralized, or command telemetry is unavailable.
- Use this analytic as correlation logic; the supplied ATT&CK record does not provide an official detection rule, thresholds, or false-positive model.
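The correlation the list above describes, as an added worked example that is not part of the ATT&CK object or the Glexia page: it parses constructed auth.log-style sshd lines and constructed `who` output (the hosts, users and addresses are invented), then flags every active PTY session that cannot be tied to an sshd login near its start time, whose login came from a different origin than the session table records, or whose connection sshd has already logged as disconnected. The two-minute tolerance exists because `who` prints login times at minute granularity.

```python
"""Correlate sshd authentication records with the active session table (utmp-style
`who` output) and flag interactive sessions without a plausible login behind them.
Added example; sample data below is constructed, not taken from any real host."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Reasons a session can be flagged.
NO_AUTH = "no matching authentication event"
ORIGIN_MISMATCH = "authentication origin does not match session origin"
AFTER_DISCONNECT = "session still active after sshd recorded a disconnect"

# Constructed sshd log lines (assumed auth.log / journald format).
AUTH_LOG = """\
2024-05-01T09:58:12 host1 sshd[4012]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
2024-05-01T10:20:40 host1 sshd[4188]: Accepted password for bob from 10.0.0.9 port 40211 ssh2
2024-05-01T10:25:03 host1 sshd[4188]: Disconnected from user bob 10.0.0.9 port 40211
2024-05-01T10:27:30 host1 sshd[4301]: Accepted publickey for carol from 10.0.0.40 port 38822 ssh2
"""

# Constructed `who` output captured on host1 at about 10:30 the same day.
WHO_OUTPUT = """\
alice    pts/0        2024-05-01 09:58 (10.0.0.5)
bob      pts/1        2024-05-01 10:20 (10.0.0.9)
carol    pts/2        2024-05-01 10:27 (10.0.0.42)
alice    pts/3        2024-05-01 10:29 (10.0.0.77)
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<event>Accepted|Disconnected from user) "
    r"(?:\w+ for )?(?P<user>\S+) (?:from )?(?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)
WHO_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<login>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+\((?P<origin>[^)]+)\)"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    event: str   # "Accepted" or "Disconnected from user"
    user: str
    ip: str


@dataclass(frozen=True)
class Session:
    user: str
    tty: str
    login: datetime  # minute granularity, as `who` prints it
    origin: str


def parse_auth_log(text: str) -> list[AuthEvent]:
    """Extract login and disconnect events from sshd log lines; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events.append(AuthEvent(datetime.fromisoformat(m["ts"]), m["event"], m["user"], m["ip"]))
    return events


def parse_who(text: str) -> list[Session]:
    """Turn `who` output into Session records (user, tty, login time, origin)."""
    sessions = []
    for line in text.splitlines():
        m = WHO_RE.match(line)
        if m:
            sessions.append(Session(m["user"], m["tty"],
                                    datetime.strptime(m["login"], "%Y-%m-%d %H:%M"), m["origin"]))
    return sessions


def correlate(auth_log: str, who_output: str,
              tolerance: timedelta = timedelta(minutes=2)) -> list[dict]:
    """Return one finding per active session that is not explained by an sshd
    login from the same origin within `tolerance` of the session start time."""
    events = parse_auth_log(auth_log)
    accepted = [e for e in events if e.event == "Accepted"]
    disconnected = [e for e in events if e.event != "Accepted"]
    findings = []
    for s in parse_who(who_output):
        # Logins for this user whose timestamp is close to the utmp login time.
        near = [e for e in accepted if e.user == s.user and abs(e.ts - s.login) <= tolerance]
        if not near:
            findings.append({"tty": s.tty, "user": s.user, "reason": NO_AUTH})
            continue
        match = min(near, key=lambda e: abs(e.ts - s.login))
        if match.ip != s.origin:
            findings.append({"tty": s.tty, "user": s.user, "reason": ORIGIN_MISMATCH})
            continue
        # A disconnect recorded after the matched login means sshd considers the
        # connection closed, yet the PTY is still listed as active.
        if any(d.user == s.user and d.ip == s.origin and d.ts > match.ts for d in disconnected):
            findings.append({"tty": s.tty, "user": s.user, "reason": AFTER_DISCONNECT})
    return findings


if __name__ == "__main__":
    for f in correlate(AUTH_LOG, WHO_OUTPUT):
        print(f"{f['tty']:<8} {f['user']:<8} {f['reason']}")
```

On the sample data, `alice` on `pts/0` is explained by her 09:58 login and produces no finding; `bob` on `pts/1` is flagged because sshd logged a disconnect at 10:25 while the PTY is still active; `carol` on `pts/2` is flagged because her login came from 10.0.0.40 but the session table shows 10.0.0.42; `alice` on `pts/3` is flagged because no login for her falls near 10:29. In production the `who` snapshot and the auth log must come from the same clock (the time-synchronization point above), and re-attachment to an approved screen or tmux session by an already-authenticated administrator has to be allowlisted per the tuning point, since a multiplexer attach does not itself produce an sshd "Accepted" record.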
Mitigation priorities
- Prioritize visibility first: ensure Linux authentication and active session data are available to SOC and IR teams.
- Reduce exposure from legacy or weak remote access patterns, especially where Telnet exists, using locally approved access-hardening standards.
- Review administrative use of persistent terminal multiplexers such as screen and tmux and define what is normal, authorized, and logged.
- Strengthen incident playbooks so unexplained active sessions trigger containment and identity validation steps.
- Use findings as compliance and audit evidence for administrative access monitoring where applicable.
Analyst notes and limits
This is a detection analytic for Linux in the enterprise ATT&CK domain, not a technique entry. Its value is mainly in validating correlation between login evidence and active interactive session state. No related ATT&CK objects, tactic mapping, aliases, labels, or official detection implementation were supplied.
The supplied object contains a short description but no official detection logic, relationships, tactic mapping, or environmental assumptions. Local logging configuration, time synchronization, command auditing, and approved administrative workflows are required to determine whether this analytic is feasible and how noisy it will be.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 8864ed85843f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0217
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.