MITRE ATT&CK® Detection Strategy

DET0588: Detection of Remote Service Session Hijacking for RDP.


Enterprise | DET0588 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This detection strategy matters because RDP session hijacking is tied to lateral movement: an adversary may take over a legitimate user’s existing remote desktop session rather than creating an obviously new access path. For leaders, the business issue is whether the organization can distinguish authorized remote administration from suspicious takeover of an interactive session, especially on Windows systems where RDP/RDS is used for operations or support.

Executive priority

Prioritize this as a validation item for remote access governance, SOC readiness, and incident response decision-making. The ATT&CK object provides no official detection logic, so the key executive question is not “do we have this rule?” but “can we prove we collect and correlate the evidence needed to investigate RDP session activity and lateral movement involving legitimate user sessions?” This is also useful audit evidence for access monitoring and privileged administration controls where RDP is in scope.

Technical view

The supplied relationship says DET0588 detects T1563.002, RDP Hijacking, a Windows lateral movement technique in which an adversary takes over a legitimate user's existing remote desktop session instead of opening a new one. On Windows this is typically done with tscon.exe run with SYSTEM privileges (for example through a service created with sc.exe), which attaches another user's disconnected session to the attacker's session without prompting for that user's password. Because the detection strategy has no official description, platforms, tactics, or detection text, SOC and detection engineering teams should treat it as a coverage-validation prompt: confirm that RDP/RDS session lifecycle events, user logon and session state, host security events, and lateral movement context can be correlated, without assuming that a successful authentication by itself proves legitimate use.

Likely telemetry

  • Windows Security log events for Remote Desktop Services activity: 4624 with Logon Type 10 (RemoteInteractive), 4778 (session reconnected to a window station) and 4779 (session disconnected), and 4688 process creation with command-line auditing enabled so that tscon.exe and service creation via sc.exe are visible; 7045 in the System log records the installed service
  • RDP/RDS session lifecycle records from the TerminalServices-RemoteConnectionManager/Operational log (1149, network-level authentication succeeded) and the TerminalServices-LocalSessionManager/Operational log (21 logon, 23 logoff, 24 disconnect, 25 reconnect), including the client name and address recorded for each connection
  • Authentication records for users and privileged accounts accessing systems over remote desktop
  • Endpoint telemetry (EDR or Sysmon Event ID 1 process creation) showing interactive logon context, parent process, and subsequent activity on the target system
  • Asset and identity context to distinguish expected administration paths from unusual lateral movement patterns

Detection direction

  • Validate visibility into RDP session lifecycle events, not only successful logons.
  • Correlate remote desktop activity with user identity, source system, destination system, and administrative role expectations.
  • Tune for environment-specific baselines because RDP is commonly used for legitimate administration and support.
  • Review blind spots around unmanaged Windows hosts, limited endpoint logging, missing session-state data, and gaps between identity logs and host telemetry.
  • Use the related ATT&CK context, T1563.002 under lateral movement, to prioritize detections that identify suspicious movement using legitimate user sessions rather than only blocked or failed access attempts.
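As an added example for this page, not code from MITRE ATT&CK or Glexia, the following Python prototype applies the telemetry and detection directions above to a constructed event stream. It flags two indicators of a session takeover: tscon.exe started as SYSTEM or with a /dest: argument, and a 4778 session reconnect that is not preceded by an RDP authentication (1149) from the same client, which is what a takeover driven from inside the host looks like, as opposed to a legitimate user reconnecting from their own workstation. The record schema (event_id, host, user, session_id, client_name, process, command_line) is an assumed SIEM normalization rather than a Microsoft format, the 120-second authentication window is an assumed tuning value, and the sample records are constructed, not real logs.

```python
"""Prototype analytic for RDP session hijacking indicators (T1563.002).

Added example; not part of the ATT&CK object or the Glexia page. The
field names below are an assumed normalized schema, not a Microsoft
event format, and the sample records are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry from one RDS host, in time order:
#   alice logs on over RDP, disconnects, reconnects legitimately, disconnects,
#   then SYSTEM runs tscon.exe and her session is reconnected locally.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T08:00:00", "event_id": 1149, "host": "SRV01",
     "user": "CORP\\alice", "client_name": "WS-ALICE"},
    {"time": "2024-05-01T08:00:02", "event_id": 4624, "host": "SRV01",
     "user": "CORP\\alice", "logon_type": 10, "session_id": 2,
     "client_name": "WS-ALICE"},
    {"time": "2024-05-01T09:15:00", "event_id": 4779, "host": "SRV01",
     "user": "CORP\\alice", "session_id": 2, "client_name": "WS-ALICE"},
    {"time": "2024-05-01T10:00:00", "event_id": 1149, "host": "SRV01",
     "user": "CORP\\alice", "client_name": "WS-ALICE"},
    {"time": "2024-05-01T10:00:01", "event_id": 4778, "host": "SRV01",
     "user": "CORP\\alice", "session_id": 2, "client_name": "WS-ALICE"},
    {"time": "2024-05-01T10:40:00", "event_id": 4779, "host": "SRV01",
     "user": "CORP\\alice", "session_id": 2, "client_name": "WS-ALICE"},
    {"time": "2024-05-01T13:30:00", "event_id": 4688, "host": "SRV01",
     "user": "NT AUTHORITY\\SYSTEM",
     "process": "C:\\Windows\\System32\\tscon.exe",
     "command_line": "tscon.exe 2 /dest:rdp-tcp#3"},
    {"time": "2024-05-01T13:30:01", "event_id": 4778, "host": "SRV01",
     "user": "CORP\\alice", "session_id": 2, "client_name": "SRV01"},
]


def detect_rdp_hijack(events, auth_window=timedelta(seconds=120)):
    """Return a list of alert dicts for RDP session takeover indicators.

    Rule 1 (tscon_session_switch): tscon.exe started as SYSTEM or with
        /dest:, the session switch that attaches a disconnected session
        without the owner's password.
    Rule 2 (reconnect_without_rdp_auth): a 4778 reconnect with no 1149
        authentication from the same client_name within auth_window, so
        the reconnect was not driven by a fresh remote RDP client.
    auth_window is an assumed tuning value; baseline it per environment.
    """
    alerts = []
    recent_auth = defaultdict(list)   # (host, client_name) -> [1149 times]
    session_owner = {}                # (host, session_id) -> account (4624/10)

    for e in sorted(events, key=lambda ev: ev["time"]):
        t = datetime.fromisoformat(e["time"])
        eid = e["event_id"]
        if eid == 1149:
            recent_auth[(e["host"], e["client_name"])].append(t)
        elif eid == 4624 and e.get("logon_type") == 10:
            session_owner[(e["host"], e["session_id"])] = e["user"]
        elif eid == 4688:
            proc = e.get("process", "").lower()
            cmd = e.get("command_line", "").lower()
            as_system = e.get("user", "").upper().endswith("\\SYSTEM")
            if proc.endswith("tscon.exe") and (as_system or "/dest:" in cmd):
                alerts.append({"rule": "tscon_session_switch",
                               "time": e["time"], "host": e["host"],
                               "user": e.get("user"),
                               "evidence": e.get("command_line")})
        elif eid == 4778:
            auths = recent_auth[(e["host"], e["client_name"])]
            authenticated = any(t - auth_window <= a <= t for a in auths)
            if not authenticated:
                key = (e["host"], e["session_id"])
                alerts.append({"rule": "reconnect_without_rdp_auth",
                               "time": e["time"], "host": e["host"],
                               "user": e["user"],
                               "session_id": e["session_id"],
                               "session_owner": session_owner.get(key),
                               # a client name equal to the host itself is
                               # consistent with a console/tscon reconnect
                               "local_client": e["client_name"].upper()
                               == e["host"].upper()})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_hijack(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, the legitimate 10:00 reconnect is silent because a 1149 from WS-ALICE precedes it, while the 13:30 tscon launch and the local reconnect of session 2 each produce an alert that carries the session owner for the analyst. The two rules are independent on purpose: command-line auditing (4688 with command line, or Sysmon 1) may be missing on an unmanaged host, and rule 2 still fires from the Security log alone.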

Mitigation priorities

  • Inventory where RDP/RDS is permitted and confirm business ownership for those access paths.
  • Restrict and monitor remote desktop access, especially for privileged accounts and administrative systems.
  • Ensure logging is enabled and retained for RDP-related authentication and session activity on in-scope Windows systems.
  • Prepare incident response procedures for investigating suspected session hijacking, including identity review and host-level timeline reconstruction.
  • Use coverage findings to guide remote access hardening, access policy review, and compliance evidence collection.

Analyst notes and limits

This object is a MITRE ATT&CK detection strategy, DET0588, for Detection of Remote Service Session Hijacking for RDP. The meaningful context comes primarily from its relationship to T1563.002, RDP Hijacking. Because the official object does not provide detection logic, the Glexia take emphasizes practical validation of telemetry and control coverage rather than a specific analytic.

The supplied ATT&CK fields do not include an official description, official detection text, tactics, or platforms for the detection strategy itself. Windows, lateral movement, and RDP/RDS context are derived from the related T1563.002 technique. Local architecture, logging configuration, remote access patterns, and identity governance evidence are required to determine actual detection coverage.

Official MITRE ATT&CK definition

Detection of Remote Service Session Hijacking for RDP.

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain | ID | Name | Type | Relationship / procedure
Enterprise | T1563.002 | RDP Hijacking | Sub-technique | This object detects RDP Hijacking.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release
19.1
Object version
1.0
Raw hash
54f91c5dd6373d20...
Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 54f91c5dd637…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack DET0588 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.