Remote Service Session Hijacking (T1563)

View on ATT&CK

In Playbook

Technique & Subtechniques

Associated Tactics

  • Lateral Movement

Lateral Movement (TA0008)

The adversary is trying to move through your environment. Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain. Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier.

View on ATT&CK

Procedure Examples

Description Source(s)
Beaumont, K. (2017, March 19). RDP hijacking — how to hijack RDS and RemoteApp sessions transparently to move through an organisation. Retrieved December 11, 2017. RDP Hijacking Medium
Hodgson, M. (2019, May 8). Post-mortem and remediations for Apr 11 security incident. Retrieved February 17, 2020. Breach Post-mortem SSH Hijack