Adversaries may take control of preexisting sessions with remote services to move laterally in an environment. Users may use valid credentials to log into a service specifically designed to accept remote connections, such as telnet, SSH, and RDP. When a user logs into a service, a session will be established that will allow them to maintain a continuous interaction with that service.
Adversaries may commandeer these sessions to carry out actions on remote systems. Remote Service Session Hijacking differs from use of Remote Services because it hijacks an existing session rather than creating a new session using Valid Accounts.(Citation: RDP Hijacking Medium)(Citation: Breach Post-mortem SSH Hijack)
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CVE-2019-1724 | Cisco Small Business RV Series Router Firmware | primary_impact | T1563 | Remote Service Session Hijacking | |
CVE-2019-18573 | RSA Identity Governance & Lifecycle | primary_impact | T1563 | Remote Service Session Hijacking | |
CVE-2019-3790 | Pivotal Ops Manager | primary_impact | T1563 | Remote Service Session Hijacking | |
CVE-2019-3784 | Stratos | primary_impact | T1563 | Remote Service Session Hijacking | |
CVE-2020-5290 | rctf | primary_impact | T1563 | Remote Service Session Hijacking | |
CVE-2019-16782 | rack | primary_impact | T1563 | Remote Service Session Hijacking | |
CVE-2018-8852 | e-Alert Unit (non-medical device) | primary_impact | T1563 | Remote Service Session Hijacking | |
CVE-2019-12258 | n/a | uncategorized | T1563 | Remote Service Session Hijacking |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1563 | Remote Service Session Hijacking | |
action.malware.vector.Network propagation | Network propagation | related-to | T1563 | Remote Service Session Hijacking |
Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1563.002 | RDP Hijacking | 20 |
T1563.001 | SSH Hijacking | 19 |