Skip to content

T1563 Remote Service Session Hijacking

Adversaries may take control of preexisting sessions with remote services to move laterally in an environment. Users may use valid credentials to log into a service specifically designed to accept remote connections, such as telnet, SSH, and RDP. When a user logs into a service, a session will be established that will allow them to maintain a continuous interaction with that service.

Adversaries may commandeer these sessions to carry out actions on remote systems. Remote Service Session Hijacking differs from use of Remote Services because it hijacks an existing session rather than creating a new session using Valid Accounts.12

Item Value
ID T1563
Sub-techniques T1563.001, T1563.002
Tactics TA0008
Platforms Linux, Windows, macOS
Version 1.1
Created 25 February 2020
Last Modified 24 October 2025

Mitigations

ID Mitigation Description
M1042 Disable or Remove Feature or Program Disable the remote service (ex: SSH, RDP, etc.) if it is unnecessary.
M1030 Network Segmentation Enable firewall rules to block unnecessary traffic between network security zones within a network.
M1027 Password Policies Set and enforce secure password policies for accounts.
M1026 Privileged Account Management Do not allow remote access to services as a privileged account unless necessary.
M1018 User Account Management Limit remote user permissions if remote access is necessary.

References

  1. Beaumont, K. (2017, March 19). RDP hijacking — how to hijack RDS and RemoteApp sessions transparently to move through an organisation. Retrieved December 11, 2017. 

  2. Hodgson, M. (2019, May 8). Post-mortem and remediations for Apr 11 security incident. Retrieved November 17, 2024.