T1563.002 RDP Hijacking Mappings

Adversaries may hijack a legitimate user’s remote desktop session to move laterally within an environment. Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services)

Adversaries may perform RDP session hijacking which involves stealing a legitimate user's remote session. Typically, a user is notified when someone else is trying to steal their session. With System permissions and using Terminal Services Console, c:\windows\system32\tscon.exe [session number to be stolen], an adversary can hijack a session without the need for credentials or prompts to the user.(Citation: RDP Hijacking Korznikov) This can be done remotely or locally and with active or disconnected sessions.(Citation: RDP Hijacking Medium) It can also lead to Remote System Discovery and Privilege Escalation by stealing a Domain Admin or higher privileged account session. All of this can be done by using native Windows commands, but it has also been added as a feature in red teaming tools.(Citation: Kali Redsnarf)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-11 Device Lock Protects T1563.002 RDP Hijacking
AC-12 Session Termination Protects T1563.002 RDP Hijacking
AC-17 Remote Access Protects T1563.002 RDP Hijacking
AC-02 Account Management Protects T1563.002 RDP Hijacking
AC-03 Access Enforcement Protects T1563.002 RDP Hijacking
AC-04 Information Flow Enforcement Protects T1563.002 RDP Hijacking
AC-05 Separation of Duties Protects T1563.002 RDP Hijacking
AC-06 Least Privilege Protects T1563.002 RDP Hijacking
CM-02 Baseline Configuration Protects T1563.002 RDP Hijacking
CM-05 Access Restrictions for Change Protects T1563.002 RDP Hijacking
CM-06 Configuration Settings Protects T1563.002 RDP Hijacking
CM-07 Least Functionality Protects T1563.002 RDP Hijacking
CM-08 System Component Inventory Protects T1563.002 RDP Hijacking
IA-02 Identification and Authentication (organizational Users) Protects T1563.002 RDP Hijacking
RA-05 Vulnerability Monitoring and Scanning Protects T1563.002 RDP Hijacking
SC-46 Cross Domain Policy Enforcement Protects T1563.002 RDP Hijacking
SC-07 Boundary Protection Protects T1563.002 RDP Hijacking
SI-04 System Monitoring Protects T1563.002 RDP Hijacking