216.73.216.233

T1563: T1563

View on MITRE ATT&CK The MITRE Corporation · Published 25/02/2020 19:26 · Modified 21/05/2026 18:46

Essential information

MITRE technique ID
T1563
Confidence
100/100
Revoked
No
Published
25/02/2020 19:26
Modified
21/05/2026 18:46
Author / Source
The MITRE Corporation

Aliases

Remote Service Session Hijacking

Platforms

windows macos linux

Description

Adversaries may take control of preexisting sessions with remote services to move laterally in an environment. Users may use valid credentials to log into a service specifically designed to accept remote connections, such as telnet, SSH, and RDP. When a user logs into a service, a session will be established that will allow them to maintain a continuous interaction with that service. Adversaries may commandeer these sessions to carry out actions on remote systems. [Remote Service Session Hijacking](https://attack.mitre.org/techniques/T1563) differs from use of [Remote Services](https://attack.mitre.org/techniques/T1021) because it hijacks an existing session rather than creating a new session using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: RDP Hijacking Medium)(Citation: Breach Post-mortem SSH Hijack)

Kill chain phases

Kill chainPhase
mitre-attack lateral-movement

Marking (TLP)

TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

External references

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.