Live Active security incident? Get immediate response
MITRE ATT&CK® Detection Strategy

DET0079: Detection of Remote Service Session Hijacking

DET0079 is a MITRE ATT&CK detection strategy for Remote Service Session Hijacking, a lateral-movement behavior where an adversary may take over an existing...

EnterpriseDET0079Detection StrategyObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0079 is a MITRE ATT&CK detection strategy for Remote Service Session Hijacking, a lateral-movement behavior where an adversary may take over an existing remote service session such as SSH, RDP, telnet, or similar remote access activity. The business significance is that the activity can blur the line between legitimate administration and adversary movement, especially when valid sessions already exist. For leaders, this makes it important to validate whether remote access monitoring, identity controls, and incident response processes can distinguish expected administrator activity from suspicious takeover or session misuse.

Executive priority

Prioritize this as a resilience and identity/SOC readiness issue rather than only a malware detection problem. The related ATT&CK technique is lateral movement across Linux, macOS, and Windows environments, so coverage depends on whether the organization can evidence who initiated remote sessions, where sessions moved, and whether session activity aligns with expected users, systems, and administrative workflows. Executives should ask whether remote access logs are collected centrally, whether privileged remote sessions are governed, and whether incident responders can rapidly reconstruct session ownership during an investigation.

Technical view

The supplied ATT&CK object does not include official detection logic or platform metadata for the detection strategy itself. Its relationship to T1563 indicates the validation scope should focus on detecting suspicious use or takeover of preexisting remote service sessions used for lateral movement. SOC and detection teams should map available telemetry for remote access services across Linux, macOS, and Windows, then test whether they can correlate session creation, session reuse, user identity, source and destination hosts, and subsequent commands or process activity. IR teams should ensure playbooks can differentiate authorized administration from anomalous session control or unexpected activity inside an existing session.

Likely telemetry

  • Remote service authentication and session logs, including SSH, RDP, telnet, or comparable remote access services where present
  • Endpoint logon/session events from Linux, macOS, and Windows systems
  • Identity and access records showing user, privilege level, source, destination, and time of remote access
  • Process, command, or administrative activity occurring after remote session establishment
  • Network connection metadata between internal hosts that may show lateral remote service use

Detection direction

  • Inventory which remote services are in use and confirm whether session-level telemetry is retained centrally for investigation.
  • Correlate remote session activity with identity context, source host, destination host, user role, time of day, and expected administrative patterns.
  • Tune detections to account for legitimate help desk, system administration, and automation workflows to reduce false positives.
  • Look for relationship-driven lateral movement context: remote session activity followed by unexpected actions on another host may be more meaningful than a single login event.
  • Validate blind spots around unmanaged systems, local-only logs, short retention, shared administrator accounts, and remote access tools that do not provide clear session ownership.

Mitigation priorities

  • Establish authoritative logging for remote access services and ensure logs are centralized with sufficient retention.
  • Strengthen identity controls for remote administration, especially privileged accounts and session accountability.
  • Limit remote service exposure to systems and users with a documented operational need.
  • Use administrative workflow governance, such as controlled access paths and auditable privileged sessions where applicable.
  • Prepare incident response procedures for reconstructing session activity and determining whether actions were performed by the legitimate user or by a commandeered session.
Analyst notes and limits

This take is based on the DET0079 detection strategy metadata and its relationship to ATT&CK technique T1563, Remote Service Session Hijacking. The detection strategy itself has no official description, detection text, tactics, or platforms supplied. The related technique provides the lateral-movement context and the Linux, macOS, and Windows platform scope.

No active exploitation, actor attribution, guaranteed detection method, or vendor-specific control is stated in the supplied ATT&CK fields. Local architecture, remote access tooling, logging configuration, identity model, and administrative practices are required to determine real coverage and alert quality.

Official MITRE ATT&CK definition

Detection of Remote Service Session Hijacking

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Enterprise T1563 Remote Service Session Hijacking This object detects Remote Service Session Hijacking.
Relationship explorer

All related ATT&CK context

detects · Technique T1563: Remote Service Session Hijacking Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
c7af9dacb2027e72...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle c7af9dacb202…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DET0079
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use