Adversaries may hijack a legitimate user’s remote desktop session to move laterally within an environment. Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services)
Adversaries may perform RDP session hijacking which involves stealing a legitimate user's remote session. Typically, a user is notified when someone else is trying to steal their session. With System permissions and using Terminal Services Console, c:\windows\system32\tscon.exe [session number to be stolen], an adversary can hijack a session without the need for credentials or prompts to the user.(Citation: RDP Hijacking Korznikov) This can be done remotely or locally and with active or disconnected sessions.(Citation: RDP Hijacking Medium) It can also lead to Remote System Discovery and Privilege Escalation by stealing a Domain Admin or higher privileged account session. All of this can be done by using native Windows commands, but it has also been added as a feature in red teaming tools.(Citation: Kali Redsnarf)
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1563.002 | RDP Hijacking |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
References
|
| PR.PS-01.02 | Least functionality | Mitigates | T1563.002 | RDP Hijacking |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
References
|
| PR.AA-05.03 | Service accounts | Mitigates | T1563.002 | RDP Hijacking |
Comments
This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems), such as granting service accounts only the minimum necessary permissions.
References
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1563.002 | RDP Hijacking |
Comments
This diagnostic statement protects against RDP Hijacking through the use of privileged account management and the use of multi-factor authentication.
References
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1563.002 | RDP Hijacking |
Comments
This diagnostic statement protects against RDP Hijacking through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
References
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1563.002 | RDP Hijacking |
Comments
This diagnostic statement provides protection from Remote Service Session Hijacking: RDP Hijacking through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
References
|
| PR.IR-01.01 | Network segmentation | Mitigates | T1563.002 | RDP Hijacking |
Comments
This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Blocking network traffic that is not necessary can mitigate, or at least alleviate, use of remote desktop to move laterally in an environment.
References
|
| PR.IR-01.02 | Network device configurations | Mitigates | T1563.002 | RDP Hijacking |
Comments
This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. Using network appliances to limit access can prevent RDP hijacking.
References
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1563.002 | RDP Hijacking |
Comments
This diagnostic statement protects against RDP Hijacking through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
References
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1563.002 | RDP Hijacking |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
References
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1563.002 | RDP Hijacking |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
References
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1563.002 | RDP Hijacking |
Comments
This diagnostic statement protects against RDP Hijacking through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
References
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1563.002 | RDP Hijacking |
Comments
This diagnostic statement protects against RDP Hijacking through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1563.002 | RDP Hijacking |
Comments
This control may detect RDP hijacking through use of the tscon.exe binary. The following alerts may be generated: "Suspect integrity level indicative of RDP hijacking", "Suspect service installation".
References
|
| azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | technique_scores | T1563.002 | RDP Hijacking |
Comments
This control can detect RDP hijacking.
References
|