T1563 Remote Service Session Hijacking Mappings

Adversaries may take control of preexisting sessions with remote services to move laterally in an environment. Users may use valid credentials to log into a service specifically designed to accept remote connections, such as telnet, SSH, and RDP. When a user logs into a service, a session will be established that will allow them to maintain a continuous interaction with that service.

Adversaries may commandeer these sessions to carry out actions on remote systems. Remote Service Session Hijacking differs from use of Remote Services because it hijacks an existing session rather than creating a new session using Valid Accounts.(Citation: RDP Hijacking Medium)(Citation: Breach Post-mortem SSH Hijack)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-17 Remote Access Protects T1563 Remote Service Session Hijacking
AC-2 Account Management Protects T1563 Remote Service Session Hijacking
AC-3 Access Enforcement Protects T1563 Remote Service Session Hijacking
AC-4 Information Flow Enforcement Protects T1563 Remote Service Session Hijacking
AC-5 Separation of Duties Protects T1563 Remote Service Session Hijacking
AC-6 Least Privilege Protects T1563 Remote Service Session Hijacking
CA-8 Penetration Testing Protects T1563 Remote Service Session Hijacking
CM-2 Baseline Configuration Protects T1563 Remote Service Session Hijacking
CM-5 Access Restrictions for Change Protects T1563 Remote Service Session Hijacking
CM-6 Configuration Settings Protects T1563 Remote Service Session Hijacking
CM-7 Least Functionality Protects T1563 Remote Service Session Hijacking
CM-8 System Component Inventory Protects T1563 Remote Service Session Hijacking
IA-2 Identification and Authentication (organizational Users) Protects T1563 Remote Service Session Hijacking
IA-4 Identifier Management Protects T1563 Remote Service Session Hijacking
IA-6 Authentication Feedback Protects T1563 Remote Service Session Hijacking
RA-5 Vulnerability Monitoring and Scanning Protects T1563 Remote Service Session Hijacking
SC-46 Cross Domain Policy Enforcement Protects T1563 Remote Service Session Hijacking
SC-7 Boundary Protection Protects T1563 Remote Service Session Hijacking
SI-4 System Monitoring Protects T1563 Remote Service Session Hijacking

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1563.002 RDP Hijacking 18
T1563.001 SSH Hijacking 17