AN0218: Analytic 0218
Detection of hijacked VNC or SSH sessions on macOS where adversaries take over an existing session rather than authenticating directly. Indicators include process execution from active sessions without new logon events, manipulation of TTY sessions, or anomalous network activity tied to dormant sessions.
Analyst context for executives and security teams
This analytic matters because it focuses on a harder-to-see access pattern on macOS: an adversary taking over an already-established VNC or SSH session instead of creating a fresh login. For leaders, the key issue is whether the organization can distinguish legitimate remote administration from suspicious activity occurring inside an existing or dormant session.
Executive priority
Prioritize this as a remote access monitoring and incident readiness question for macOS environments. Security leaders should ask whether SOC teams can correlate process activity, session state, login records, TTY behavior, and network activity well enough to support incident decisions when there is no obvious new authentication event. This is especially relevant for business continuity and audit evidence where remote administration is common and session misuse could be missed by controls focused only on new logons.
Technical view
Validate whether macOS telemetry can show process execution associated with active VNC or SSH sessions, absence of corresponding new logon events, TTY session changes, and network activity tied to sessions that appear dormant or inconsistent with normal use. Because ATT&CK provides no separate detection logic and no relationship context for this analytic, SOC teams should treat it as a coverage-validation prompt rather than a complete rule. Detection engineering should focus on correlating session lifecycle, process ancestry, terminal/session identifiers, and network timing around remote sessions.
Likely telemetry
- macOS authentication and logon/session records
- SSH session logs and remote access service logs
- VNC or screen-sharing session records where available
- Process execution telemetry with parent/child process context
- TTY or terminal session metadata
Detection direction
- Validate that process execution from remote sessions can be correlated to session start, session owner, and authentication events.
- Look for process activity occurring within an existing VNC or SSH session without a corresponding new logon event.
- Review TTY session manipulation or unexpected terminal/session changes in the context of remote access activity.
- Correlate network activity to sessions that appear dormant, idle, or inconsistent with expected administrator behavior.
- Tune carefully for legitimate remote administration, automation, long-lived SSH sessions, and support workflows to reduce false positives.
Mitigation priorities
- Inventory where macOS systems permit SSH, VNC, or similar remote session access.
- Ensure remote access activity is logged with enough detail to support session-to-process correlation.
- Limit and govern remote access privileges according to operational need.
- Review session timeout, idle session handling, and administrative access procedures for macOS systems.
- Use incident response playbooks that account for session hijacking scenarios where no new authentication event is present.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for macOS and describes indicators of hijacked VNC or SSH sessions, but it does not include a full detection implementation, tactics, relationships, or linked techniques. Glexia’s defensive value is therefore in using it to test whether existing monitoring can prove or disprove session takeover behavior rather than simply alert on new logins.
Official detection content was not provided, and no relationship context was supplied. This take does not infer adversary attribution, active exploitation, business impact, or detection coverage. Local macOS logging configuration, remote access tooling, retention, and administrative behavior are required to make this analytic operational.
Analytic 0218
Detection of hijacked VNC or SSH sessions on macOS where adversaries take over an existing session rather than authenticating directly. Indicators include process execution from active sessions without new logon events, manipulation of TTY sessions, or anomalous network activity tied to dormant sessions.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 2cf1b17d12ed… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0218Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.