It is described in RFC 793 (TCP), section 3.4. But I doubt you will ever see such a handshake, because it does not fit into the typical client-server scenario where one end is waiting for connects and the other end does the connect. Edit: the handshake you envision exists and it is called "split handshake".

TCP 3-way handshake and port scanning - Coen Goedegebure, Sep 18, 2018

Hacker 'handshake' hole found in common firewalls: Moy says the exploit used in the test is known as the "TCP Split Handshake," which begins during the point that the firewall and any connection is being initiated during the TCP "handshake" process

Network Firewall Vendors Address TCP Split Handshake

Todo es seguro: TCP Split Handshake

Measuring and Optimizing TCP Splitting for Cloud Services

TCP splitting platform: Our TCP splitting platform consists of three parts: split-TCP proxies, back-end datacenters, and a redirection server [as shown in figure 4]. We deploy our split-TCP proxies [about 2K LOC in C++] on a fraction (11 locations worldwide - XX in US, XX in Europe, XX in Japan, XX) of the satellite datacenters of Microsoft’s

TCP Split Handshake Drop - Palo Alto Networks

This TCP split handshake attack has been publicly known for over a year, and all firewalls should defend against it, but at the time, it wasn’t the case. In fact, 5 of the 6 firewalls that NSS labs tested FAILED to detect and block the TCP Split Handshake Attack.

NSX Distributed Firewall and "Enable TCP Strict