Home
ATT&CK Techniques
T1563 Remote Service Session Hijacking

T1563 Remote Service Session Hijacking Mappings

Adversaries may take control of preexisting sessions with remote services to move laterally in an environment. Users may use valid credentials to log into a service specifically designed to accept remote connections, such as telnet, SSH, and RDP. When a user logs into a service, a session will be established that will allow them to maintain a continuous interaction with that service.

Adversaries may commandeer these sessions to carry out actions on remote systems. Remote Service Session Hijacking differs from use of Remote Services because it hijacks an existing session rather than creating a new session using Valid Accounts.(Citation: RDP Hijacking Medium)(Citation: Breach Post-mortem SSH Hijack)

View in MITRE ATT&CK®

Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name
AC-17	Remote Access	Protects	T1563	Remote Service Session Hijacking
AC-2	Account Management	Protects	T1563	Remote Service Session Hijacking
AC-3	Access Enforcement	Protects	T1563	Remote Service Session Hijacking
AC-4	Information Flow Enforcement	Protects	T1563	Remote Service Session Hijacking
AC-5	Separation of Duties	Protects	T1563	Remote Service Session Hijacking
AC-6	Least Privilege	Protects	T1563	Remote Service Session Hijacking
CA-8	Penetration Testing	Protects	T1563	Remote Service Session Hijacking
CM-2	Baseline Configuration	Protects	T1563	Remote Service Session Hijacking
CM-5	Access Restrictions for Change	Protects	T1563	Remote Service Session Hijacking
CM-6	Configuration Settings	Protects	T1563	Remote Service Session Hijacking
CM-7	Least Functionality	Protects	T1563	Remote Service Session Hijacking
CM-8	System Component Inventory	Protects	T1563	Remote Service Session Hijacking
IA-2	Identification and Authentication (organizational Users)	Protects	T1563	Remote Service Session Hijacking
IA-4	Identifier Management	Protects	T1563	Remote Service Session Hijacking
IA-6	Authentication Feedback	Protects	T1563	Remote Service Session Hijacking
RA-5	Vulnerability Monitoring and Scanning	Protects	T1563	Remote Service Session Hijacking
SC-46	Cross Domain Policy Enforcement	Protects	T1563	Remote Service Session Hijacking
SC-7	Boundary Protection	Protects	T1563	Remote Service Session Hijacking
SI-4	System Monitoring	Protects	T1563	Remote Service Session Hijacking
CVE-2019-1724	Cisco Small Business RV Series Router Firmware	primary_impact	T1563	Remote Service Session Hijacking
CVE-2019-18573	RSA Identity Governance & Lifecycle	primary_impact	T1563	Remote Service Session Hijacking
CVE-2019-3790	Pivotal Ops Manager	primary_impact	T1563	Remote Service Session Hijacking
CVE-2019-3784	Stratos	primary_impact	T1563	Remote Service Session Hijacking
CVE-2020-5290	rctf	primary_impact	T1563	Remote Service Session Hijacking
CVE-2019-16782	rack	primary_impact	T1563	Remote Service Session Hijacking
CVE-2018-8852	e-Alert Unit (non-medical device)	primary_impact	T1563	Remote Service Session Hijacking
CVE-2019-12258	n/a	uncategorized	T1563	Remote Service Session Hijacking
action.hacking.variety.Abuse of functionality	Abuse of functionality	related-to	T1563	Remote Service Session Hijacking
action.malware.vector.Network propagation	Network propagation	related-to	T1563	Remote Service Session Hijacking

ATT&CK Subtechniques

Technique ID	Technique Name	Number of Mappings
T1563.002	RDP Hijacking	20
T1563.001	SSH Hijacking	19