Lateral Movement

T1563: Remote Service Session Hijacking

T1563 · Technique · 3 platforms

Description

Adversaries may take control of preexisting sessions with remote services to move laterally in an environment. Users may use valid credentials to log into a service specifically designed to accept remote connections, such as telnet, SSH, and RDP. When a user logs into a service, a session will be established that will allow them to maintain a continuous interaction with that service.

Adversaries may commandeer these sessions to carry out actions on remote systems. Remote Service Session Hijacking differs from use of Remote Services because it hijacks an existing session rather than creating a new session using Valid Accounts. (Citation: RDP Hijacking Medium) (Citation: Breach Post-mortem SSH Hijack)

Platforms

Linux, macOS, Windows

Sub-Techniques (2)

Mitigations (5)

Network Segmentation (M1030)

Enable firewall rules to block unnecessary traffic between network security zones within a network.

Disable or Remove Feature or Program (M1042)

Disable the remote service (ex: SSH, RDP, etc.) if it is unnecessary.

Password Policies (M1027)

Set and enforce secure password policies for accounts.

User Account Management (M1018)

Limit remote user permissions if remote access is necessary.

Privileged Account Management (M1026)

Do not allow remote access to services as a privileged account unless necessary.

Frequently Asked Questions

What is T1563 (Remote Service Session Hijacking)?

T1563 is a MITRE ATT&CK technique named 'Remote Service Session Hijacking'. It belongs to the Lateral Movement tactic. Adversaries may take control of preexisting sessions with remote services to move laterally in an environment. Users may use valid credentials to log into a service specifically designed to accept remote connections, such as telnet, SSH, and RDP.

How can T1563 be detected?

Detection of T1563 (Remote Service Session Hijacking) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
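The description above draws the line that matters for detection: a new session opened with valid credentials is Remote Services plus Valid Accounts, whereas T1563 is a principal attaching to a session that already exists. The following is an added example (not code from the ATT&CK page or from MITRE) that applies that distinction as a session-lifecycle heuristic. The event schema it consumes (event, host, session_id, user, src) and the sample records are constructed and hypothetical; SSH or RDP session telemetry from your own sources would have to be normalized into that shape first, and the severity labels are a design choice of this example, not ATT&CK values.

```python
"""Session-lifecycle heuristic for T1563 (Remote Service Session Hijacking).

Added example; not code from the ATT&CK page or the MITRE project.
The event schema (event, host, session_id, user, src) is constructed and
hypothetical: map your own SSH/RDP session telemetry onto it before use.
It demonstrates the page's own distinction: a new session opened with valid
credentials is NOT hijacking, while attachment to an existing session by a
different principal is the behaviour to flag.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Session:
    owner: str  # user whose authentication created the session
    src: str    # source address at session creation


def analyze(events: List[dict]) -> List[dict]:
    """Walk session events in time order and return a list of findings.

    Severities (a design choice for this example, not an ATT&CK value):
      high   - a different user attached to someone else's existing session
      low    - the owner re-attached from a new source (roaming, or a session
               taken over with the owner's identity; correlate, do not alert alone)
      medium - attach to a session that was never seen starting or already ended
    """
    active: Dict[Tuple[str, str], Session] = {}
    findings: List[dict] = []
    for ev in events:
        key = (ev["host"], ev["session_id"])
        kind = ev["event"]
        if kind == "session_start":
            # Fresh authentication: Remote Services + Valid Accounts, not T1563.
            active[key] = Session(owner=ev["user"], src=ev["src"])
        elif kind == "session_attach":
            sess = active.get(key)
            base = {"ts": ev["ts"], "host": ev["host"],
                    "session_id": ev["session_id"], "user": ev["user"],
                    "src": ev["src"]}
            if sess is None:
                findings.append({**base, "owner": None, "severity": "medium",
                                 "reason": "attach to unknown or ended session"})
            elif ev["user"] != sess.owner:
                findings.append({**base, "owner": sess.owner, "severity": "high",
                                 "reason": "existing session taken over by another user"})
            elif ev["src"] != sess.src:
                findings.append({**base, "owner": sess.owner, "severity": "low",
                                 "reason": "owner re-attached from a different source"})
        elif kind == "session_end":
            active.pop(key, None)
    return findings


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T08:00:00Z", "host": "srv01", "event": "session_start",
     "session_id": "3", "user": "alice", "src": "10.0.1.20"},
    # bob logs in with his own valid credentials: a new session, no finding
    {"ts": "2024-01-10T08:05:00Z", "host": "srv01", "event": "session_start",
     "session_id": "4", "user": "bob", "src": "10.0.1.31"},
    # alice reconnects to her own session from another address: low
    {"ts": "2024-01-10T09:00:00Z", "host": "srv01", "event": "session_attach",
     "session_id": "3", "user": "alice", "src": "10.0.2.7"},
    # bob attaches to alice's still-open session: high (the T1563 pattern)
    {"ts": "2024-01-10T09:30:00Z", "host": "srv01", "event": "session_attach",
     "session_id": "3", "user": "bob", "src": "10.0.1.31"},
    {"ts": "2024-01-10T10:00:00Z", "host": "srv01", "event": "session_end",
     "session_id": "4", "user": "bob", "src": "10.0.1.31"},
    # attach to a session that has already ended: medium
    {"ts": "2024-01-10T10:05:00Z", "host": "srv01", "event": "session_attach",
     "session_id": "4", "user": "bob", "src": "10.0.1.31"},
]


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['severity']:6} {f['ts']} {f['host']} session={f['session_id']} "
              f"user={f['user']} owner={f['owner']} {f['reason']}")
```

Run as a script it prints three findings for the sample: a low for alice's own reconnect, a high for bob attaching to alice's session, and a medium for the attach to the ended session; bob's own login produces nothing, which is the point. The "low" case is deliberately not an alert on its own: a user roaming between addresses looks identical in this telemetry to a session taken over under the owner's identity, so it belongs in correlation with the network segmentation and account controls listed under Mitigations rather than in a standalone rule.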

What mitigations exist for T1563?

There are 5 documented mitigations for T1563. Key mitigations include: Network Segmentation, Disable or Remove Feature or Program, Password Policies, User Account Management, Privileged Account Management.

Which threat groups use T1563?

While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.