MITRE ATT&CK Technique
Description
Adversaries may hijack a legitimate user’s remote desktop session to move laterally within an environment. Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services) Adversaries may perform RDP session hijacking which involves stealing a legitimate user's remote session. Typically, a user is notified when someone else is trying to steal their session. With System permissions and using Terminal Services Console, `c:\windows\system32\tscon.exe [session number to be stolen]`, an adversary can hijack a session without the need for credentials or prompts to the user.(Citation: RDP Hijacking Korznikov) This can be done remotely or locally and with active or disconnected sessions.(Citation: RDP Hijacking Medium) It can also lead to [Remote System Discovery](https://attack.mitre.org/techniques/T1018) and Privilege Escalation by stealing a Domain Admin or higher privileged account session. All of this can be done by using native Windows commands, but it has also been added as a feature in red teaming tools.(Citation: Kali Redsnarf)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-02-25T18:35:42.765Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may hijack a legitimate user’s remote desktop '
'session to move laterally within an environment. Remote '
'desktop is a common feature in operating systems. It allows a '
'user to log into an interactive session with a system desktop '
'graphical user interface on a remote system. Microsoft refers '
'to its implementation of the Remote Desktop Protocol (RDP) as '
'Remote Desktop Services (RDS).(Citation: TechNet Remote '
'Desktop Services)\n'
'\n'
'Adversaries may perform RDP session hijacking which involves '
"stealing a legitimate user's remote session. Typically, a "
'user is notified when someone else is trying to steal their '
'session. With System permissions and using Terminal Services '
'Console, `c:\\windows\\system32\\tscon.exe [session number to '
'be stolen]`, an adversary can hijack a session without the '
'need for credentials or prompts to the user.(Citation: RDP '
'Hijacking Korznikov) This can be done remotely or locally and '
'with active or disconnected sessions.(Citation: RDP Hijacking '
'Medium) It can also lead to [Remote System '
'Discovery](https://attack.mitre.org/techniques/T1018) and '
'Privilege Escalation by stealing a Domain Admin or higher '
'privileged account session. All of this can be done by using '
'native Windows commands, but it has also been added as a '
'feature in red teaming tools.(Citation: Kali Redsnarf)',
'external_references': [{'external_id': 'T1563.002',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1563/002'},
{'description': 'Beaumont, K. (2017, March 19). RDP '
'hijacking\u200a—\u200ahow to hijack '
'RDS and RemoteApp sessions '
'transparently to move through an '
'organisation. Retrieved December 11, '
'2017.',
'source_name': 'RDP Hijacking Medium',
'url': 'https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6'},
{'description': 'Korznikov, A. (2017, March 17). '
'Passwordless RDP Session Hijacking '
'Feature All Windows versions. '
'Retrieved December 11, 2017.',
'source_name': 'RDP Hijacking Korznikov',
'url': 'http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html'},
{'description': 'Microsoft. (n.d.). Remote Desktop '
'Services. Retrieved June 1, 2016.',
'source_name': 'TechNet Remote Desktop Services',
'url': 'https://technet.microsoft.com/en-us/windowsserver/ee236407.aspx'},
{'description': 'NCC Group PLC. (2016, November 1). '
'Kali Redsnarf. Retrieved December '
'11, 2017.',
'source_name': 'Kali Redsnarf',
'url': 'https://github.com/nccgroup/redsnarf'}],
'id': 'attack-pattern--e0033c16-a07e-48aa-8204-7c3ca669998c',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'lateral-movement'}],
'modified': '2025-10-24T17:49:30.049Z',
'name': 'RDP Hijacking',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows'],
'x_mitre_version': '1.1'}