1. Home
  2. ATT&CK Techniques
  3. T1563 Remote Service Session Hijacking

T1563 Remote Service Session Hijacking

Adversaries may take control of preexisting sessions with remote services to move laterally in an environment. Users may use valid credentials to log into a service specifically designed to accept remote connections, such as telnet, SSH, and RDP. When a user logs into a service, a session will be established that will allow them to maintain a continuous interaction with that service.

Adversaries may commandeer these sessions to carry out actions on remote systems. Remote Service Session Hijacking differs from use of Remote Services because it hijacks an existing session rather than creating a new session using Valid Accounts.(Citation: RDP Hijacking Medium)(Citation: Breach Post-mortem SSH Hijack)

View in MITRE ATT&CK®

NIST 800-53 Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
CM-06 Configuration Settings mitigates T1563 Remote Service Session Hijacking
CM-05 Access Restrictions for Change mitigates T1563 Remote Service Session Hijacking
AC-17 Remote Access mitigates T1563 Remote Service Session Hijacking
IA-06 Authentication Feedback mitigates T1563 Remote Service Session Hijacking
IA-04 Identifier Management mitigates T1563 Remote Service Session Hijacking
RA-05 Vulnerability Monitoring and Scanning mitigates T1563 Remote Service Session Hijacking
CM-08 System Component Inventory mitigates T1563 Remote Service Session Hijacking
SC-46 Cross Domain Policy Enforcement mitigates T1563 Remote Service Session Hijacking
CM-02 Baseline Configuration mitigates T1563 Remote Service Session Hijacking
CM-02 Baseline Configuration mitigates T1563 Remote Service Session Hijacking
IA-02 Identification and Authentication (Organizational Users) mitigates T1563 Remote Service Session Hijacking
CM-07 Least Functionality mitigates T1563 Remote Service Session Hijacking
SI-04 System Monitoring mitigates T1563 Remote Service Session Hijacking
AC-12 Session Termination mitigates T1563 Remote Service Session Hijacking
AC-02 Account Management mitigates T1563 Remote Service Session Hijacking
AC-03 Access Enforcement mitigates T1563 Remote Service Session Hijacking
AC-04 Information Flow Enforcement mitigates T1563 Remote Service Session Hijacking
AC-05 Separation of Duties mitigates T1563 Remote Service Session Hijacking
AC-06 Least Privilege mitigates T1563 Remote Service Session Hijacking
SC-07 Boundary Protection mitigates T1563 Remote Service Session Hijacking

VERIS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1563 Remote Service Session Hijacking
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1563 Remote Service Session Hijacking
action.hacking.variety.Hijack To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes) related-to T1563 Remote Service Session Hijacking
action.malware.vector.Network propagation Network propagation related-to T1563 Remote Service Session Hijacking

Azure Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
alerts_for_windows_machines Alerts for Windows Machines technique_scores T1563 Remote Service Session Hijacking
Comments
This control provides partial detection for some of this technique's sub-techniques resulting in a Partial Coverage score and consequently an overall score of Partial.
References
  1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/plan-defender-for-servers
  2. https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-windows-machines
azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics technique_scores T1563 Remote Service Session Hijacking
Comments
This control can be used to identify anomalous traffic related to RDP and SSH sessions or blocked attempts to access these management ports.
References
  1. https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1563.001 SSH Hijacking 21
T1563.002 RDP Hijacking 26