远程服务会话劫持是指攻击者通过非法手段接管已建立的合法远程会话(如RDP、SSH、Telnet),进而实施横向移动或特权操作的技术。与创建新会话不同,该技术利用现有会话的认证状态,规避了账户认证环节的检测。传统防御手段主要依赖监控异常会话特征(如非常用设备登录、非常规时段活动)以及检测会话进程的异常行为(如非常用命令行参数)。
为应对基于会话特征分析和行为审计的防御机制,攻击者发展出高度隐蔽的会话劫持技术,通过加密流量混淆、进程上下文寄生、时序行为模仿及凭证环境复现等策略,将恶意操作深度嵌入合法会话流,实现"无痕化"的会话控制,显著提升了攻击行为的隐蔽性与持续性。
现有远程服务会话劫持匿迹技术的核心逻辑聚焦于会话环境的深度伪造与操作行为的隐形化改造。攻击者通过协议层、进程层、行为层的多维隐匿策略突破传统检测维度:加密中间人劫持在维持协议合规性的前提下实现流量操控,将恶意交互隐藏在加密隧道中;进程伪装注入通过寄生合法服务进程,使恶意操作获得系统层面的合法性背书;低频时序注入利用用户行为建模实现攻击节奏的智能化适配,规避基于操作频次的异常检测;凭证反射式接管则构建攻击会话与合法会话的镜像特征,突破身份认证维度的防御机制。四类技术的共性在于突破传统会话劫持技术的显性特征,通过协议合规化、进程合法化、行为拟人化、环境镜像化等手法,使恶意会话与正常业务活动在多个检测维度上实现特征融合,迫使防御方必须采用上下文关联分析、多维度行为建模等高级检测手段才能有效识别威胁。
匿迹技术的演进导致传统基于单点日志审计或简单规则匹配的防御体系逐渐失效,防御方需构建会话环境完整性验证机制,实施端到端的加密信道保护,并引入用户行为基线分析、进程内存保护等技术,同时建立跨设备的会话关联分析能力,以应对高隐蔽会话劫持攻击的挑战。
| 效应类型 | 是否存在 |
|---|---|
| 特征伪装 | ✅ |
| 行为透明 | ✅ |
| 数据遮蔽 | ✅ |
| 时空释痕 | ✅ |
攻击者通过复现合法会话的协议特征、进程上下文及用户行为模式,使恶意会话在协议交互、进程树结构、命令语法等维度与正常业务流量高度一致。例如进程伪装注入技术将恶意代码嵌入系统服务进程,使得攻击行为在进程监控中呈现合法特征,实现深度伪装。
利用零日漏洞或未公开的协议实现缺陷(如特定版本的RDP协议漏洞)实施劫持,使得传统基于已知特征的检测手段无法识别攻击过程。部分技术(如加密中间人劫持)依赖对加密协议实现层的漏洞利用,形成检测盲区。
通过端到端加密通信或内存驻留技术,避免敏感操作数据(如窃取的凭证、注入的恶意指令)在传输过程或存储介质中明文暴露。加密信道劫持技术更通过动态加解密机制,使网络层无法获取有效攻击载荷。
低频时序注入技术将恶意操作拆解为长周期、低频率的微操作序列,配合凭证反射攻击中的环境参数动态调整,使得攻击特征在时间维度被大幅稀释,传统基于短时间窗口的检测策略难以有效捕获完整攻击链。
| ID | Mitigation | Description |
|---|---|---|
| M1042 | Disable or Remove Feature or Program |
Disable the remote service (ex: SSH, RDP, etc.) if it is unnecessary. |
| M1030 | Network Segmentation |
Enable firewall rules to block unnecessary traffic between network security zones within a network. |
| M1027 | Password Policies |
Set and enforce secure password policies for accounts. |
| M1026 | Privileged Account Management |
Do not allow remote access to services as a privileged account unless necessary. |
| M1018 | User Account Management |
Limit remote user permissions if remote access is necessary. |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0017 | Command | Command Execution |
Monitor executed commands and arguments that may take control of preexisting sessions with remote services to move laterally in an environment. |
| DS0028 | Logon Session | Logon Session Creation |
Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time. |
| DS0029 | Network Traffic | Network Traffic Content |
Monitor and analyze traffic patterns and packet inspection associated to protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). |
| Network Traffic Flow |
Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. |
||
| DS0009 | Process | Process Creation |
Monitor newly executed processes that may take control of preexisting sessions with remote services to move laterally in an environment. |