RDP Hijacking
RDP Hijacking [T1563.002]
Information
Introduction
RDP Hijacking (T1563.002) is a sub-technique categorized under MITRE ATT&CK's "Remote Service Session Hijacking" (T1563). It involves attackers commandeering legitimate Remote Desktop Protocol (RDP) sessions without requiring the user's credentials. Attackers leverage this method to gain unauthorized access, maintain persistence, and evade detection by blending into legitimate remote desktop traffic.
Deep Dive Into Technique
RDP Hijacking exploits the Remote Desktop Protocol, a commonly used Microsoft protocol for remote management and administration. Attackers typically use this method after gaining initial access to a compromised network or system. The detailed execution includes:
Session Enumeration: Attackers first enumerate active RDP sessions on a compromised host. Commonly, tools like
query user,qwinsta, or PowerShell scripts are utilized to list active sessions and their session IDs.Session Hijacking: Once an active session is identified, attackers can hijack it using native Windows tools or specialized scripts and utilities. Common techniques include:
Leveraging the built-in Windows
tscon.exeutility to redirect an active session to another session or attacker-controlled endpoint.Using custom scripts or tools such as RDPWrap or RDPHijack to automate session hijacking processes.
Privilege Requirements: Usually, attackers require administrative privileges on the targeted host to successfully hijack an RDP session. Privilege escalation methods may precede the hijacking attempt.
Persistence and Stealth: Attackers use RDP hijacking to maintain persistent access to systems without needing repeated authentication attempts, thus avoiding alerting security monitoring systems.
When this Technique is Usually Used
Attackers typically employ RDP Hijacking during the following scenarios and stages:
Post-Exploitation Stage:
After initial compromise and gaining administrative privileges, attackers hijack existing legitimate sessions to blend in and maintain stealthy persistence.
Attackers use this technique to circumvent multi-factor authentication (MFA) or other authentication mechanisms by taking over sessions already authenticated by legitimate users.
Lateral Movement Stage:
Attackers leverage active RDP sessions to move laterally within the network, accessing sensitive systems without triggering authentication logs or alerts.
Credential Access Stage:
Attackers hijack sessions to access sensitive data, credentials, or proprietary information that legitimate users have already unlocked or accessed within their active session.
How this Technique is Usually Detected
Detection of RDP Hijacking requires vigilant monitoring and correlation of logs and events. Common detection methods and indicators include:
Windows Event Logs Monitoring:
Monitor Windows Security Logs (Event ID 4624, 4778, 4779) for unusual session logon/logoff events or session reconnections.
Review System Logs for suspicious use of
tscon.exeor other session management utilities.
Endpoint Detection and Response (EDR) Tools:
EDR solutions can detect suspicious process executions, anomalous session activity, or unauthorized use of administrative tools.
Behavioral Analytics:
Implement behavioral analytics to detect anomalous user activity, such as unusual session reconnections or unexpected session redirections.
Network Traffic Analysis:
Analyze network traffic for unusual RDP session characteristics, such as unexpected IP addresses, abnormal session durations, or unusual session timing.
Specific Indicators of Compromise (IoCs):
Unexpected session reconnection events.
Execution of session enumeration commands (
qwinsta,query user) by unauthorized accounts.Unusual use of
tscon.exeor similar utilities.Suspicious RDP session activity from unexpected IP addresses or endpoints.
Why it is Important to Detect This Technique
Early detection of RDP Hijacking is critical due to its significant potential impact on systems and networks:
Data Theft and Exfiltration:
Attackers leveraging hijacked sessions can access sensitive, proprietary, or confidential information without triggering authentication alerts.
Persistence and Stealth:
Hijacked sessions allow attackers to maintain persistent and stealthy access, making it difficult to detect and eradicate threats.
Bypassing Security Controls:
RDP Hijacking enables attackers to bypass multi-factor authentication, credential checks, and other security mechanisms, increasing the risk of unauthorized access.
Operational Disruption:
Attackers controlling legitimate user sessions can disrupt normal business operations, cause service outages, or manipulate critical systems.
Compliance and Regulatory Impact:
Undetected session hijacking may lead to compliance violations, regulatory penalties, and loss of customer trust.
Examples
Real-world examples and scenarios involving RDP Hijacking include:
APT41 Attack Campaign:
Attackers from APT41 have been observed leveraging RDP Hijacking to move laterally within compromised networks, using existing administrative sessions to evade detection and bypass authentication controls.
Tools Used: Native Windows utilities (
tscon.exe), custom PowerShell scripts.Impact: Persistent access, data exfiltration, and stealthy lateral movement within targeted networks.
FIN6 Financial Sector Attacks:
FIN6 threat actors have utilized RDP Hijacking to maintain persistence and gain access to financial systems without triggering alarms or authentication alerts.
Tools Used: Built-in Windows session management utilities, custom session enumeration scripts.
Impact: Theft of financial data, unauthorized financial transactions, and significant monetary loss.
Ransomware Operators (Ryuk, Conti):
Ransomware groups have employed RDP Hijacking to access privileged sessions, escalate privileges, and deploy ransomware payloads without detection.
Tools Used: Native RDP utilities (
tscon.exe), session enumeration tools, and custom scripts.Impact: Large-scale ransomware infections, significant operational disruption, and financial damage.
These examples highlight the practical threat posed by RDP Hijacking, emphasizing the importance of robust detection and mitigation strategies.
Last updated
Was this helpful?