Detect Remote Service Session Hijacking in Google Chronicle
This detection identifies adversaries commandeering existing remote service sessions to move laterally without creating new authenticated connections. Key indicators include use of tscon.exe to hijack disconnected RDP sessions (often from SYSTEM context), SSH agent socket manipulation via SSH_AUTH_SOCK environment variable abuse, SSH ControlMaster/ControlPath multiplexing attacks, and suspicious processes accessing other users' TTY devices or SSH agent sockets in /tmp. Unlike standard remote service use, session hijacking leaves minimal authentication artifacts because no new credential exchange occurs — making it a high-fidelity signal when detected.
MITRE ATT&CK
- Tactic
- Lateral Movement
- Technique
- T1563 Remote Service Session Hijacking
- Canonical reference
- https://attack.mitre.org/techniques/T1563/
YARA-L Detection Query
rule t1563_remote_service_session_hijacking {
meta:
author = "Argus Detection Engineering"
description = "Detects remote service session hijacking via RDP tscon abuse, SSH agent socket manipulation, SSH ControlMaster/ControlPath attacks, and TTY file descriptor hijacking"
reference = "https://attack.mitre.org/techniques/T1563/"
severity = "HIGH"
priority = "HIGH"
mitre_attack_tactic = "Lateral Movement"
mitre_attack_technique = "T1563"
mitre_attack_sub_technique = "T1563.001, T1563.002"
created = "2026-04-21"
version = "1.0"
events:
(
/* RDP tscon hijack - direct execution */
($e.metadata.event_type = "PROCESS_LAUNCH"
and re.regex($e.target.process.file.full_path, `(?i).*tscon\.exe$`))
or
/* RDP tscon hijack - via cmd/powershell */
($e.metadata.event_type = "PROCESS_LAUNCH"
and re.regex($e.target.process.file.full_path, `(?i).*(cmd|powershell)\.exe$`)
and re.regex($e.target.process.command_line, `(?i).*tscon.*`))
or
/* SSH agent socket abuse */
($e.metadata.event_type = "PROCESS_LAUNCH"
and re.regex($e.target.process.command_line, `.*SSH_AUTH_SOCK.*`)
and re.regex($e.target.process.command_line, `.*(export|env|printenv|cat /proc).*`)
and not re.regex($e.target.process.file.full_path, `(?i).*(sshd|ssh-agent)$`))
or
/* SSH ControlMaster/ControlPath multiplexing abuse */
($e.metadata.event_type = "PROCESS_LAUNCH"
and re.regex($e.target.process.file.full_path, `(?i).*[/\\]ssh(\.exe)?$`)
and re.regex($e.target.process.command_line, `(?i).*(ControlMaster|ControlPath|-S /tmp).*`)
and not re.regex($e.principal.process.file.full_path, `(?i).*(sshd|ansible|fabric).*`))
or
/* TTY/fd hijack via /proc or known tools */
($e.metadata.event_type = "PROCESS_LAUNCH"
and (
re.regex($e.target.process.command_line, `.*/proc/[0-9]+/fd.*`)
or re.regex($e.target.process.command_line, `(?i).*(reptyr|injcode).*`)
or re.regex($e.target.process.command_line, `.*/dev/pts/.*`)
))
)
condition:
$e
}Chronicle YARA-L 2.0 rule detecting T1563 Remote Service Session Hijacking across four attack patterns: RDP tscon session hijacking (direct and indirect), SSH agent socket abuse via SSH_AUTH_SOCK, SSH ControlMaster/ControlPath multiplexing attacks, and TTY file descriptor hijacking using /proc/pid/fd, reptyr, or injcode.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate system administrators using tscon.exe from SYSTEM context during scheduled maintenance windows on terminal server environments
- CI/CD pipeline agents using SSH ControlMaster multiplexing for efficient deployment operations across multiple target hosts
- Authorized red team exercises or penetration testing activities involving session hijacking techniques within scope of engagement
Other platforms for T1563
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1RDP Session Hijacking via tscon.exe from SYSTEM context
Expected signal: Sysmon Event ID 1 for tscon.exe with parent process chain including psexec/sc.exe. Windows Security Event 4778 (session reconnected) immediately after. Security Event 4688 for tscon.exe with SYSTEM account. Query.exe or qwinsta.exe execution preceding tscon.exe within minutes.
- Test 2SSH Agent Socket Hijacking
Expected signal: Auditd records showing open() syscall on /tmp/ssh-*/agent.* socket by a process not owned by the socket's owner. /var/log/auth.log entries showing SSH connection authenticated via agent forwarding with unexpected source process context. Linux Sysmon (if deployed) Event ID 1 for ssh process with SSH_AUTH_SOCK in environment.
- Test 3SSH ControlMaster Multiplexing Session Hijack
Expected signal: Sysmon (Linux) Event ID 1 for ssh process with -S flag and ControlMaster=no in command line. Process events showing ssh invoked with control socket path. Auth.log showing multiple SSH authentications to same host with same session multiplexed. Network events showing SSH connections reusing existing TCP connection.
References (7)
- https://attack.mitre.org/techniques/T1563/
- https://attack.mitre.org/techniques/T1563/001/
- https://attack.mitre.org/techniques/T1563/002/
- https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remote-mstsc-sessions-transparently-2d941099b086
- https://doublepulsar.com/rdp-hijacking-how-to-hijack-rds-and-remote-mstsc-sessions-transparently-2d941099b086
- https://www.netspi.com/blog/technical/network-penetration-testing/hijacking-ssh-sessions-with-screen-and-command-injection/
- https://xorl.wordpress.com/2022/02/09/ssh-session-hijacking/
Unlock Pro Content
Get the full detection package for T1563 including response playbook, investigation guide, and atomic red team tests.