
T1563: Remote Service Session Hijacking

Platforms: Linux · macOS · Windows

ATT&CK version: 14.1

What it is

Adversaries may take control of preexisting sessions with remote services to move laterally in an environment. Users may use valid credentials to log into a service specifically designed to accept remote connections, such as telnet, SSH, and RDP. When a user logs into such a service, a session is established that allows them to maintain a continuous interaction with that service. Adversaries may commandeer these sessions to carry out actions on remote systems. [Remote Service Session Hijacking](https://attack.mitre.org/techniques/T1563) differs from use of [Remote Services](https://attack.mitre.org/techniques/T1021) because it hijacks an existing session rather than creating a new session using [Valid Accounts](https://attack.mitre.org/techniques/T1078). [2][3]

ATT&CK tactics (1)

Lateral Movement

References

  1. MITRE ATT&CK, T1563 Remote Service Session Hijacking: https://attack.mitre.org/techniques/T1563
  2. RDP Hijacking (Medium): https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
  3. Breach Post-mortem, SSH Hijack (matrix.org): https://matrix.org/blog/2019/05/08/post-mortem-and-remediations-for-apr-11-security-incident

Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.