Description
Adversaries may hijack a legitimate user’s remote desktop session to move laterally within an environment. Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services)
Adversaries may perform RDP session hijacking which involves stealing a legitimate user's remote session. Typically, a user is notified when someone else is trying to steal their session. With System permissions and using Terminal Services Console, c:\windows\system32\tscon.exe [session number to be stolen], an adversary can hijack a session without the need for credentials or prompts to the user.(Citation: RDP Hijacking Korznikov) This can be done remotely or locally and with active or disconnected sessions.(Citation: RDP Hijacking Medium) It can also lead to Remote System Discovery and Privilege Escalation by stealing a Domain Admin or higher privileged account session. All of this can be done by using native Windows commands, but it has also been added as a feature in red teaming tools.(Citation: Kali Redsnarf)
Platforms
Mitigations (7)
Limit Access to Resource Over Network (M1035)
Use remote desktop gateways.
Network Segmentation (M1030)
Enable firewall rules to block RDP traffic between network security zones within a network.
Operating System Configuration (M1028)
Change GPOs to define shorter session timeouts and the maximum amount of time any single session can be active. Change GPOs to specify the maximum amount of time that a disconnected session stays active on the RD Session Host server.(Citation: Windows RDP Sessions)
User Account Management (M1018)
Limit remote user permissions if remote access is necessary.
Audit (M1047)
Audit the Remote Desktop Users group membership regularly. Remove unnecessary accounts and groups from Remote Desktop Users groups.
Disable or Remove Feature or Program (M1042)
Disable the RDP service if it is unnecessary.
Privileged Account Management (M1026)
Consider removing the local Administrators group from the list of groups allowed to log in through RDP.
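The following audit script is an added example, not part of the ATT&CK page or any vendor tooling; it checks a single Windows host against the M1042, M1028, M1047 and M1026 items above. It assumes Windows PowerShell 5.1 or later (for the LocalAccounts module), an elevated session, and the documented registry locations of the RD Session Host time-limit policies.

```powershell
# Added audit script (not from the ATT&CK page or any vendor): checks one
# Windows host against mitigations M1042, M1028, M1047 and M1026.
# Assumes Windows PowerShell 5.1+ (LocalAccounts module) run as an admin.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValue([string]$Path, [string]$Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# M1042: fDenyTSConnections = 1 means Remote Desktop is turned off.
if ((Get-RegValue $tsKey 'fDenyTSConnections') -eq 1) {
    Write-Output 'RDP: disabled (fDenyTSConnections=1)'
} else {
    Write-Output 'RDP: enabled - review the checks below'
}

# M1028: GPO-backed session time limits, stored in milliseconds.
# An absent or zero value means the limit is "Never".
$limits = [ordered]@{
    MaxConnectionTime    = 'Active session limit'
    MaxIdleTime          = 'Idle session limit'
    MaxDisconnectionTime = 'Disconnected session limit'
}
foreach ($name in $limits.Keys) {
    $ms = Get-RegValue $policy $name
    if (-not $ms) { Write-Output ("{0}: Never (not set)" -f $limits[$name]) }
    else          { Write-Output ("{0}: {1} min" -f $limits[$name], ($ms / 60000)) }
}

# M1047: list Remote Desktop Users so stale accounts can be removed.
Write-Output 'Remote Desktop Users members:'
Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Output ("  {0} ({1})" -f $_.Name, $_.ObjectClass) }

# M1026: who holds "Allow log on through Remote Desktop Services"?
# secedit exports the right as a list of SIDs; S-1-5-32-544 is the
# built-in Administrators group, S-1-5-32-555 is Remote Desktop Users.
$inf = Join-Path $env:TEMP 'rdp-audit-secpol.inf'
secedit /export /cfg $inf /quiet | Out-Null
$line = Select-String -Path $inf -Pattern '^SeRemoteInteractiveLogonRight' |
    Select-Object -First 1 -ExpandProperty Line
Remove-Item $inf -ErrorAction SilentlyContinue
Write-Output "Remote logon right: $line"
if ($line -match 'S-1-5-32-544') {
    Write-Output '  Administrators can log on via RDP (M1026 suggests removing them)'
}
```

Run it per host (or wrap it in Invoke-Command for a fleet); any "Never" time limit or an Administrators SID in the logon right is a finding to reconcile against the GPO baseline.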
Threat Groups (1)
| ID | Group | Context |
|---|---|---|
| G0001 | Axiom | [Axiom](https://attack.mitre.org/groups/G0001) has targeted victims with remote administration tools including RDP.(Citation: Novetta-Axiom) |
Associated Software (1)
| ID | Name | Type | Context |
|---|---|---|---|
| S0366 | WannaCry | Malware | [WannaCry](https://attack.mitre.org/software/S0366) enumerates current remote desktop sessions and tries to execute the malware on each session.(Citat... |
References
- Beaumont, K. (2017, March 19). RDP hijacking — how to hijack RDS and RemoteApp sessions transparently to move through an organisation. Retrieved December 11, 2017.
- Korznikov, A. (2017, March 17). Passwordless RDP Session Hijacking Feature All Windows versions. Retrieved December 11, 2017.
- Microsoft. (n.d.). Remote Desktop Services. Retrieved June 1, 2016.
- NCC Group PLC. (2016, November 1). Kali Redsnarf. Retrieved December 11, 2017.
Frequently Asked Questions
What is T1563.002 (RDP Hijacking)?
T1563.002 is a MITRE ATT&CK technique named 'RDP Hijacking'. It belongs to the Lateral Movement tactic(s). Adversaries may hijack a legitimate user’s remote desktop session to move laterally within an environment. Remote desktop is a common feature in operating systems. It allows a user to log into an inte...
How can T1563.002 be detected?
Detection of T1563.002 (RDP Hijacking) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1563.002?
There are 7 documented mitigations for T1563.002. Key mitigations include: Limit Access to Resource Over Network, Network Segmentation, Operating System Configuration, User Account Management, Audit.
Which threat groups use T1563.002?
Known threat groups using T1563.002 include: Axiom.