T1563 Remote Service Session Hijacking Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let RDPHijack = DeviceProcessEvents
| where FileName =~ "tscon.exe"
    or (FileName in~ ("cmd.exe", "powershell.exe") and ProcessCommandLine has "tscon")
| extend HijackType = "RDP_tscon"
| extend RiskDetail = strcat("tscon invoked by: ", InitiatingProcessFileName, " as ", AccountName);
let SSHAgentHijack = DeviceProcessEvents
| where ProcessCommandLine has_any ("SSH_AUTH_SOCK", "/tmp/ssh-", "ssh-agent")
    and ProcessCommandLine has_any ("export", "env", "printenv", "cat /proc")
    and not (FileName in~ ("sshd", "ssh-agent"))
| extend HijackType = "SSH_Agent_Hijack"
| extend RiskDetail = strcat("SSH_AUTH_SOCK access by non-ssh process: ", FileName);
let SSHControlMaster = DeviceProcessEvents
| where FileName =~ "ssh"
    and ProcessCommandLine has_any ("ControlMaster", "ControlPath", "-o ControlMaster", "-S /tmp")
    and not (InitiatingProcessFileName in~ ("sshd", "ansible", "fabric"))
| extend HijackType = "SSH_ControlMaster_Abuse"
| extend RiskDetail = strcat("SSH multiplexing hijack attempt from: ", InitiatingProcessFileName);
let TTYHijack = DeviceProcessEvents
| where ProcessCommandLine has_any ("/proc/", "/dev/pts/", "reptyr", "injcode")
    and ProcessCommandLine matches regex @"/proc/\d+/fd"
| extend HijackType = "TTY_Hijack"
| extend RiskDetail = "Process fd hijack targeting remote session TTY";
union RDPHijack, SSHAgentHijack, SSHControlMaster, TTYHijack
| project
    TimeGenerated,
    DeviceName,
    AccountName,
    HijackType,
    RiskDetail,
    FileName,
    ProcessCommandLine,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    InitiatingProcessAccountName,
    FolderPath
| order by TimeGenerated desc

high severity medium confidence

Data Sources

Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate IT administrators using tscon.exe for authorized session management or helpdesk reconnection workflows
Ansible, Fabric, or other automation tools that legitimately use SSH ControlMaster for connection multiplexing to improve performance
SSH agent forwarding used by developers or DevOps engineers for legitimate key forwarding across jump hosts

Splunk

spl

index=* (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1) OR (sourcetype="WinEventLog:Security" EventCode=4688)
| eval proc=coalesce(Image, NewProcessName), cmdline=coalesce(CommandLine, ProcessCommandLine), parent=coalesce(ParentImage, ParentProcessName), user=coalesce(User, SubjectUserName), host=coalesce(Computer, ComputerName)
| eval hijack_indicator=case(
    match(proc, "(?i)tscon\.exe"), "RDP_Session_Hijack_tscon",
    match(proc, "(?i)(cmd|powershell)\.exe") AND match(cmdline, "(?i)tscon"), "RDP_Session_Hijack_indirect",
    match(cmdline, "SSH_AUTH_SOCK") AND NOT match(proc, "(?i)(sshd|ssh-agent)\.?"), "SSH_Agent_Socket_Access",
    match(cmdline, "(?i)(ControlMaster|ControlPath)") AND match(proc, "(?i)ssh$"), "SSH_ControlMaster_Hijack",
    match(cmdline, "/proc/\d+/fd|reptyr|injcode"), "TTY_FD_Hijack",
    true(), null())
| where isnotnull(hijack_indicator)
| eval risk_score=case(
    hijack_indicator="RDP_Session_Hijack_tscon" AND match(user, "(?i)system"), 90,
    hijack_indicator="RDP_Session_Hijack_tscon", 75,
    hijack_indicator="SSH_Agent_Socket_Access", 70,
    hijack_indicator="SSH_ControlMaster_Hijack", 65,
    hijack_indicator="TTY_FD_Hijack", 80,
    true(), 60)
| table _time, host, user, proc, cmdline, parent, hijack_indicator, risk_score
| sort - risk_score, _time

high severity medium confidence

Data Sources

Sysmon Windows Security Event Log

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Authorized helpdesk or IT staff using tscon.exe to reconnect disconnected user sessions for troubleshooting
Infrastructure automation frameworks (Ansible, Capistrano, Fabric) using SSH ControlMaster for connection efficiency
Penetration testers or red team exercises conducting authorized lateral movement testing

Elastic Security (EQL)

eql

any where event.category == "process" and (
  /* RDP tscon hijack */
  process.name : "tscon.exe"
  or (process.name : ("cmd.exe", "powershell.exe") and process.args : "*tscon*")
  or /* SSH agent socket abuse */
  (
    process.args : ("*SSH_AUTH_SOCK*", "*/tmp/ssh-*", "*ssh-agent*")
    and process.args : ("*export*", "*env*", "*printenv*", "*cat /proc*")
    and not process.name : ("sshd", "ssh-agent")
  )
  or /* SSH ControlMaster abuse */
  (
    process.name : "ssh"
    and process.args : ("*ControlMaster*", "*ControlPath*", "*-o ControlMaster*", "*-S /tmp*")
    and not process.parent.name : ("sshd", "ansible", "fabric")
  )
  or /* TTY/fd hijack */
  (
    process.args : ("/proc/*/fd", "*/dev/pts/*", "*reptyr*", "*injcode*")
    and process.args : ("/proc/[0-9]*/fd")
  )
)

high severity high confidence

Data Sources

Elastic Endpoint Security Auditbeat Filebeat (Sysmon module)

Required Tables

logs-endpoint.events.process-* winlogbeat-* filebeat-*

False Positives

System administrators legitimately using tscon.exe to reconnect their own disconnected RDP sessions for maintenance
Ansible, Fabric, or other automation tools that use SSH ControlMaster multiplexing for connection efficiency
Security tools or session recording software that reads /proc filesystem entries or uses reptyr for legitimate terminal capture

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  "Process Name",
  "Command" AS command_line,
  "Parent Process Name",
  CASE
    WHEN LOWER("Process Name") LIKE '%tscon.exe%' THEN 'RDP_Session_Hijack_tscon'
    WHEN (LOWER("Process Name") LIKE '%cmd.exe%' OR LOWER("Process Name") LIKE '%powershell.exe%')
         AND LOWER("Command") LIKE '%tscon%' THEN 'RDP_Session_Hijack_indirect'
    WHEN LOWER("Command") LIKE '%SSH_AUTH_SOCK%'
         AND LOWER("Process Name") NOT LIKE '%sshd%'
         AND LOWER("Process Name") NOT LIKE '%ssh-agent%' THEN 'SSH_Agent_Socket_Access'
    WHEN LOWER("Process Name") LIKE '%/ssh' OR LOWER("Process Name") LIKE '%\\ssh.exe'
         AND (LOWER("Command") LIKE '%controlmaster%' OR LOWER("Command") LIKE '%controlpath%') THEN 'SSH_ControlMaster_Hijack'
    WHEN LOWER("Command") LIKE '%/proc/%/fd%'
         OR LOWER("Command") LIKE '%reptyr%'
         OR LOWER("Command") LIKE '%injcode%' THEN 'TTY_FD_Hijack'
  END AS hijack_indicator,
  CASE
    WHEN LOWER("Process Name") LIKE '%tscon.exe%' AND LOWER(username) LIKE '%system%' THEN 90
    WHEN LOWER("Process Name") LIKE '%tscon.exe%' THEN 75
    WHEN LOWER("Command") LIKE '%SSH_AUTH_SOCK%' THEN 70
    WHEN LOWER("Command") LIKE '%controlmaster%' THEN 65
    WHEN LOWER("Command") LIKE '%/proc/%/fd%' OR LOWER("Command") LIKE '%reptyr%' THEN 80
    ELSE 60
  END AS risk_score,
  sourceip
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13, 15, 100, 101, 143)
  AND (
    LOWER("Process Name") LIKE '%tscon.exe%'
    OR (LOWER("Command") LIKE '%tscon%' AND (LOWER("Process Name") LIKE '%cmd.exe%' OR LOWER("Process Name") LIKE '%powershell.exe%'))
    OR (LOWER("Command") LIKE '%SSH_AUTH_SOCK%' AND LOWER("Process Name") NOT LIKE '%sshd%' AND LOWER("Process Name") NOT LIKE '%ssh-agent%')
    OR ((LOWER("Command") LIKE '%controlmaster%' OR LOWER("Command") LIKE '%controlpath%') AND (LOWER("Process Name") LIKE '%/ssh' OR LOWER("Process Name") LIKE '%\\ssh.exe'))
    OR LOWER("Command") LIKE '%/proc/%/fd%'
    OR LOWER("Command") LIKE '%reptyr%'
    OR LOWER("Command") LIKE '%injcode%'
  )
ORDER BY risk_score DESC, event_time DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

Windows Security Event Log Sysmon Linux Audit (auditd) IBM QRadar Endpoint

Required Tables

events

False Positives

IT helpdesk staff using tscon.exe to reconnect users to their own disconnected sessions during remote support
DevOps pipelines using SSH ControlMaster for connection multiplexing to reduce authentication overhead
Legitimate debugging sessions where developers use reptyr to capture output from daemonized processes

Sumo Logic CSE

sql

_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*linux* OR _sourceCategory=*endpoint*
| parse field=_raw "*" as raw_event
| if (sourcetype matches "*Sysmon*" OR sourcetype matches "*Security*", "windows", "linux") as os_type
| fields EventID, CommandLine, Image, ParentImage, User, Computer, _sourceCategory
| eval proc = if(Image != "", Image, "")
| eval cmdline = if(CommandLine != "", CommandLine, "")
| eval parent = if(ParentImage != "", ParentImage, "")
| where (
    (proc matches "(?i).*tscon\.exe.*")
    or (proc matches "(?i).*(cmd|powershell)\.exe.*" and cmdline matches "(?i).*tscon.*")
    or (cmdline matches ".*SSH_AUTH_SOCK.*" and !(proc matches "(?i).*(sshd|ssh-agent).*"))
    or (cmdline matches "(?i).*(ControlMaster|ControlPath).*" and proc matches "(?i).*[/\\\\]ssh(\.exe)?$")
    or (cmdline matches ".*/proc/[0-9]+/fd.*" or cmdline matches "(?i).*(reptyr|injcode).*")
  )
| eval hijack_type = if(proc matches "(?i).*tscon\.exe.*", "RDP_tscon_Hijack",
    if(proc matches "(?i).*(cmd|powershell)\.exe.*" and cmdline matches "(?i).*tscon.*", "RDP_tscon_Indirect",
    if(cmdline matches ".*SSH_AUTH_SOCK.*", "SSH_Agent_Socket_Abuse",
    if(cmdline matches "(?i).*(ControlMaster|ControlPath).*", "SSH_ControlMaster_Hijack",
    if(cmdline matches ".*/proc/[0-9]+/fd.*" or cmdline matches "(?i).*(reptyr|injcode).*", "TTY_FD_Hijack",
    "Unknown")))))
| eval risk_score = if(hijack_type = "RDP_tscon_Hijack" and User matches "(?i).*SYSTEM.*", 90,
    if(hijack_type = "RDP_tscon_Hijack", 75,
    if(hijack_type = "SSH_Agent_Socket_Abuse", 70,
    if(hijack_type = "SSH_ControlMaster_Hijack", 65,
    if(hijack_type = "TTY_FD_Hijack", 80, 60)))))
| fields _messageTime, Computer, User, proc, cmdline, parent, hijack_type, risk_score
| sort by risk_score desc, _messageTime desc

high severity medium confidence

Data Sources

Sumo Logic Installed Collector (Windows) Sumo Logic Installed Collector (Linux) Sysmon for Windows Linux Audit logs

Required Tables

_sourceCategory=*windows* _sourceCategory=*sysmon* _sourceCategory=*linux*

False Positives

Windows administrators legitimately using tscon to reconnect their own disconnected terminal server sessions
SSH-based deployment tools like Ansible or Capistrano that use ControlMaster for performance during multi-host deployments
Penetration testing teams or red team exercises performing authorized lateral movement simulations

Google Chronicle / SecOps

yaral

rule t1563_remote_service_session_hijacking {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects remote service session hijacking via RDP tscon abuse, SSH agent socket manipulation, SSH ControlMaster/ControlPath attacks, and TTY file descriptor hijacking"
    reference = "https://attack.mitre.org/techniques/T1563/"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Lateral Movement"
    mitre_attack_technique = "T1563"
    mitre_attack_sub_technique = "T1563.001, T1563.002"
    created = "2026-04-21"
    version = "1.0"

  events:
    (
      /* RDP tscon hijack - direct execution */
      ($e.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex($e.target.process.file.full_path, `(?i).*tscon\.exe$`))

      or

      /* RDP tscon hijack - via cmd/powershell */
      ($e.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex($e.target.process.file.full_path, `(?i).*(cmd|powershell)\.exe$`)
      and re.regex($e.target.process.command_line, `(?i).*tscon.*`))

      or

      /* SSH agent socket abuse */
      ($e.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex($e.target.process.command_line, `.*SSH_AUTH_SOCK.*`)
      and re.regex($e.target.process.command_line, `.*(export|env|printenv|cat /proc).*`)
      and not re.regex($e.target.process.file.full_path, `(?i).*(sshd|ssh-agent)$`))

      or

      /* SSH ControlMaster/ControlPath multiplexing abuse */
      ($e.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex($e.target.process.file.full_path, `(?i).*[/\\]ssh(\.exe)?$`)
      and re.regex($e.target.process.command_line, `(?i).*(ControlMaster|ControlPath|-S /tmp).*`)
      and not re.regex($e.principal.process.file.full_path, `(?i).*(sshd|ansible|fabric).*`))

      or

      /* TTY/fd hijack via /proc or known tools */
      ($e.metadata.event_type = "PROCESS_LAUNCH"
      and (
        re.regex($e.target.process.command_line, `.*/proc/[0-9]+/fd.*`)
        or re.regex($e.target.process.command_line, `(?i).*(reptyr|injcode).*`)
        or re.regex($e.target.process.command_line, `.*/dev/pts/.*`)
      ))
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle SIEM Endpoint Detection (EDR) Windows Event Logs via Chronicle forwarder Linux Auditd via Chronicle forwarder

Required Tables

UDM Events (process_launch entity)

False Positives

Legitimate system administrators using tscon.exe from SYSTEM context during scheduled maintenance windows on terminal server environments
CI/CD pipeline agents using SSH ControlMaster multiplexing for efficient deployment operations across multiple target hosts
Authorized red team exercises or penetration testing activities involving session hijacking techniques within scope of engagement

CrowdStrike LogScale (CQL)

cql

// T1563 Remote Service Session Hijacking Detection
// Covers: RDP tscon abuse, SSH agent socket manipulation, SSH ControlMaster attacks, TTY fd hijacking

#event_simpleName=ProcessRollup2
| eval hijack_type = case(
    // RDP tscon direct execution
    match(field=ImageFileName, regex="(?i).*tscon\.exe$"), "RDP_tscon_Hijack",
    // RDP tscon via cmd or powershell
    match(field=ImageFileName, regex="(?i).*(cmd|powershell)\.exe$") AND match(field=CommandLine, regex="(?i).*tscon.*"), "RDP_tscon_Indirect",
    // SSH agent socket access by non-ssh process
    match(field=CommandLine, regex=".*SSH_AUTH_SOCK.*") AND NOT match(field=ImageFileName, regex="(?i).*(sshd|ssh-agent)$"), "SSH_Agent_Socket_Abuse",
    // SSH ControlMaster multiplexing abuse
    match(field=ImageFileName, regex="(?i).*[/\\\\]ssh(\.exe)?$") AND match(field=CommandLine, regex="(?i).*(ControlMaster|ControlPath|-S /tmp).*"), "SSH_ControlMaster_Hijack",
    // TTY/fd hijacking
    match(field=CommandLine, regex=".*/proc/[0-9]+/fd.*") OR match(field=CommandLine, regex="(?i).*(reptyr|injcode).*"), "TTY_FD_Hijack",
    // Default: no match
    *=""
  )
| where hijack_type != ""
| eval risk_score = case(
    hijack_type = "RDP_tscon_Hijack" AND match(field=UserName, regex="(?i).*SYSTEM.*"), "90",
    hijack_type = "RDP_tscon_Hijack", "75",
    hijack_type = "SSH_Agent_Socket_Abuse", "70",
    hijack_type = "SSH_ControlMaster_Hijack", "65",
    hijack_type = "TTY_FD_Hijack", "80",
    *="60"
  )
| table([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, hijack_type, risk_score, TargetProcessId, ContextProcessId])
| sort(field=risk_score, order=desc)
| sort(field=timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Prevent/Insight EDR Falcon ProcessRollup2 telemetry Falcon sensor on Windows and Linux endpoints

Required Tables

ProcessRollup2

False Positives

System administrators running tscon.exe from SYSTEM-level scheduled tasks to reconnect hung RDP sessions during automated maintenance
SSH multiplexing configured in ~/.ssh/config with ControlMaster=auto for shared development environments or jump hosts, triggering on every connection attempt
Security researchers or pentest teams running reptyr or process injection tools during authorized engagements on test systems enrolled in the same Falcon tenant

Remote Service Session Hijacking

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (2)

Same Tactic: Lateral Movement

Popular Detections