RDP Hijacking - T1563.002
(ATT&CK® Technique)
Definition
Adversaries may hijack a legitimate user’s remote desktop session to move laterally within an environment. Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).
D3FEND Inferred Relationships
The D3FEND knowledge graph relates this technique to the artifacts it touches and, through those artifacts, to the defensive techniques that may act on it. The inferred relationships, listed as text:

RDP Hijacking (offensive technique, T1563.002)
    accesses: RDP Session (d3f:RDPSession)
    accesses: Remote Session (d3f:RemoteSession)
    produces: Administrative Network Traffic (d3f:AdministrativeNetworkTraffic)

Defensive techniques inferred from those artifacts
    Session Termination (d3f:SessionTermination): deletes RDP Session; deletes Remote Session; may-evict RDP Hijacking
    Client-server Payload Profiling (d3f:Client-serverPayloadProfiling): analyzes Administrative Network Traffic; may-detect RDP Hijacking
    Network Traffic Community Deviation (d3f:NetworkTrafficCommunityDeviation): analyzes Administrative Network Traffic; may-detect RDP Hijacking
    Per Host Download-Upload Ratio Analysis (d3f:PerHostDownload-UploadRatioAnalysis): analyzes Administrative Network Traffic; may-detect RDP Hijacking
    Protocol Metadata Anomaly Detection (d3f:ProtocolMetadataAnomalyDetection): analyzes Administrative Network Traffic; may-detect RDP Hijacking
    Remote Terminal Session Detection (d3f:RemoteTerminalSessionDetection): analyzes Administrative Network Traffic; may-detect RDP Hijacking
    Network Traffic Signature Analysis (d3f:NetworkTrafficSignatureAnalysis): analyzes Administrative Network Traffic; may-detect RDP Hijacking
    User Geolocation Logon Pattern Analysis (d3f:UserGeolocationLogonPatternAnalysis): analyzes Administrative Network Traffic; may-detect RDP Hijacking
    Network Traffic Filtering (d3f:NetworkTrafficFiltering): filters Administrative Network Traffic; may-isolate RDP Hijacking