title: SSH Hijacking (T1563.001)
id: df00tech-t1563-001
status: experimental
description: "Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. Rather than opening new connections, the technique abuses trust relationships that public key authentication has already established by taking over the victim's existing SSH state. The primary vector is the SSH agent socket (typically /tmp/ssh-XXXXX/agent.NNNN): any process that can connect to the socket can ask the agent to sign authentication challenges with the loaded keys, so it can authenticate as the session owner to every host that trusts those keys without ever seeing a password or the private key material, which never leaves the agent. With root access, an attacker can enumerate every agent socket on the system, point SSH_AUTH_SOCK at a victim's socket, and use the victim's loaded keys transparently from an ordinary ssh client; where the victim forwarded their agent, the same socket also reaches the hosts the victim connected through. More invasive variants use ptrace-capable tools (gdb, strace) to attach to a live ssh or sshd process, inject commands into an active session, or capture plaintext credentials as sshd processes them. MEDUSA malware has been documented using SSH hijacking for credential capture, and the technique has been leveraged by UNC3886 in post-exploitation lateral movement campaigns."
references:
  - https://attack.mitre.org/techniques/T1563/001/
  - https://df00tech.com/detections/T1563.001
author: df00tech
date: 2026/03/12
tags:
  - attack.t1563.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: linux
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate SSH key management — users listing their own loaded keys with ssh-add -l during normal workflow, particularly on developer workstations and jump boxes"
  - System administrators using gdb or strace for authorized debugging of SSH daemon issues on development or staging servers
  - "Automated configuration management agents (Ansible, Chef, Puppet) that enumerate SSH-related processes or socket paths during host inventory collection"
  - "SSH connection multiplexing via ControlMaster, whose ControlPath sockets (often placed under /tmp or ~/.ssh) are created and connected to in ways structurally similar to agent-socket access"
  - "Security scanning and endpoint agent tools that read /proc/<pid>/environ or enumerate /tmp to collect environment variables for compliance auditing"
level: high
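The description explains the core of the agent-socket hijack: a process whose SSH_AUTH_SOCK points at an agent socket belonging to another user can sign as that user. The following host-side check is an added example written for this page; it is not the df00tech rule's own detection logic and not the KQL/SPL query referenced above. It sweeps /proc for processes whose SSH_AUTH_SOCK names an ssh-agent style socket (assumed default path shape /tmp/ssh-*/agent.*) that is owned by a different uid than the process itself, which is the classic root-shell-using-another-user's-agent case. The Linux /proc layout is assumed, and the sample process table at the bottom is constructed for illustration, not captured from a real host.

```python
# Added example for T1563.001 agent-socket hijack detection; not the df00tech rule's own
# detection logic. Heuristic: flag a process whose SSH_AUTH_SOCK names an ssh-agent socket
# owned by a different uid than the process (e.g. root pointing at an unprivileged user's
# /tmp/ssh-*/agent.* socket). Assumptions: Linux /proc layout; default agent path shape;
# the sample process table below is constructed, not captured from a real host.
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Default ssh-agent / sshd-forwarded socket path shape. ControlMaster sockets and agents
# started with a custom -a path deliberately do not match and are ignored.
AGENT_SOCK_RE = re.compile(r"^/tmp/ssh-[^/]+/agent\.\d+$")


@dataclass
class Proc:
    pid: int
    uid: int            # real uid: first field of the Uid: line in /proc/<pid>/status
    comm: str
    environ: Dict[str, str]


@dataclass
class Finding:
    pid: int
    comm: str
    proc_uid: int
    sock: str
    sock_uid: int
    reason: str


def parse_environ(raw: bytes) -> Dict[str, str]:
    """Parse the NUL-separated KEY=VALUE blob from /proc/<pid>/environ."""
    env = {}
    for item in raw.split(b"\0"):
        if b"=" in item:
            k, _, v = item.partition(b"=")
            env[k.decode(errors="replace")] = v.decode(errors="replace")
    return env


def check_process(p: Proc, sock_owner: Dict[str, int]) -> Optional[Finding]:
    """sock_owner maps agent socket path -> uid owning it (os.stat().st_uid when live)."""
    sock = p.environ.get("SSH_AUTH_SOCK")
    if not sock or not AGENT_SOCK_RE.match(sock):
        return None                      # no agent, or not an ssh-agent style path
    if sock not in sock_owner:
        return None                      # stale SSH_AUTH_SOCK (agent exited): common, not a finding
    owner = sock_owner[sock]
    if owner == p.uid:
        return None                      # process talks to its own user's agent
    reason = ("root process using another user's agent socket" if p.uid == 0
              else "cross-user agent socket use")
    return Finding(p.pid, p.comm, p.uid, sock, owner, reason)


def scan(procs: List[Proc], sock_owner: Dict[str, int]) -> List[Finding]:
    return [f for f in (check_process(p, sock_owner) for p in procs) if f is not None]


def read_live_procs() -> List[Proc]:
    """Collect uid, comm and environ for every readable process (run as root to see all)."""
    procs = []
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            with open(f"/proc/{pid}/status") as fh:
                uid = next(int(line.split()[1]) for line in fh if line.startswith("Uid:"))
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            with open(f"/proc/{pid}/environ", "rb") as fh:
                env = parse_environ(fh.read())
        except (OSError, StopIteration):
            continue                     # process exited, or environ not readable by us
        procs.append(Proc(int(pid), uid, comm, env))
    return procs


def live_sock_owners(procs: List[Proc]) -> Dict[str, int]:
    """Resolve each referenced SSH_AUTH_SOCK path to the uid that owns the socket file."""
    owners = {}
    for p in procs:
        s = p.environ.get("SSH_AUTH_SOCK")
        if s and s not in owners:
            try:
                owners[s] = os.stat(s).st_uid
            except OSError:
                pass                     # stale path; check_process reports no finding
    return owners


# Constructed sample (uid 1000 = alice, 1001 = bob); only alice's agent socket "exists".
SAMPLE_SOCK_OWNERS = {"/tmp/ssh-XXXXq1w2e3/agent.4122": 1000}
SAMPLE_PROCS = [
    Proc(4123, 1000, "bash", {"SSH_AUTH_SOCK": "/tmp/ssh-XXXXq1w2e3/agent.4122"}),  # alice, own agent
    Proc(5310, 0,    "ssh",  {"SSH_AUTH_SOCK": "/tmp/ssh-XXXXq1w2e3/agent.4122"}),  # root hijacking alice
    Proc(6001, 1001, "ssh",  {"SSH_AUTH_SOCK": "/tmp/ssh-XXXXq1w2e3/agent.4122"}),  # bob hijacking alice
    Proc(7000, 1001, "ssh",  {"SSH_AUTH_SOCK": "/tmp/ssh-gone123456/agent.1"}),     # stale socket path
    Proc(7100, 1002, "ssh",  {"SSH_AUTH_SOCK": "/home/carol/.ssh/cm-host"}),        # ControlMaster-style path
]

if __name__ == "__main__":
    live = read_live_procs()
    for f in scan(live, live_sock_owners(live)):
        print(f"pid={f.pid} comm={f.comm} uid={f.proc_uid} -> {f.sock} "
              f"(owner uid {f.sock_uid}): {f.reason}")
```

Run it as root, since /proc/<pid>/environ is only readable for your own processes otherwise. Two caveats before alerting on its output: sudo configured with env_keep for SSH_AUTH_SOCK (or invoked with -E) leaves the invoking user's socket in root's environment, so correlate a root finding with the parent process chain and the sudo log; and a stale SSH_AUTH_SOCK left over from an exited agent is deliberately not reported. This sweep complements rather than replaces the process_creation logsource above: an attacker who simply exports SSH_AUTH_SOCK in an existing shell creates no new process until the ssh client runs.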
