T1563 Elastic Security · Elastic

Detect Remote Service Session Hijacking in Elastic Security

This detection identifies adversaries commandeering existing remote service sessions to move laterally without creating new authenticated connections. Key indicators include use of tscon.exe to hijack disconnected RDP sessions (often from SYSTEM context), SSH agent socket manipulation via SSH_AUTH_SOCK environment variable abuse, SSH ControlMaster/ControlPath multiplexing attacks, and suspicious processes accessing other users' TTY devices or SSH agent sockets in /tmp. Unlike standard remote service use, session hijacking leaves minimal authentication artifacts because no new credential exchange occurs — making it a high-fidelity signal when detected.

MITRE ATT&CK

Tactic
Lateral Movement
Technique
T1563 Remote Service Session Hijacking
Canonical reference
https://attack.mitre.org/techniques/T1563/

Elastic Detection Query

Elastic Security (Elastic)
eql 
any where event.category == "process" and (
  /* RDP tscon hijack */
  process.name : "tscon.exe"
  or (process.name : ("cmd.exe", "powershell.exe") and process.args : "*tscon*")
  or /* SSH agent socket abuse */
  (
    process.args : ("*SSH_AUTH_SOCK*", "*/tmp/ssh-*", "*ssh-agent*")
    and process.args : ("*export*", "*env*", "*printenv*", "*cat /proc*")
    and not process.name : ("sshd", "ssh-agent")
  )
  or /* SSH ControlMaster abuse */
  (
    process.name : "ssh"
    and process.args : ("*ControlMaster*", "*ControlPath*", "*-o ControlMaster*", "*-S /tmp*")
    and not process.parent.name : ("sshd", "ansible", "fabric")
  )
  or /* TTY/fd hijack */
  (
    process.args : ("/proc/*/fd", "*/dev/pts/*", "*reptyr*", "*injcode*")
    and process.args : ("/proc/[0-9]*/fd")
  )
)
high severity high confidence

Detects remote service session hijacking via RDP tscon.exe abuse, SSH agent socket manipulation, SSH ControlMaster/ControlPath multiplexing attacks, and TTY file descriptor hijacking targeting other users' remote sessions.

Data Sources

Elastic Endpoint SecurityAuditbeatFilebeat (Sysmon module)

Required Tables

logs-endpoint.events.process-*winlogbeat-*filebeat-*

False Positives & Tuning

  • System administrators legitimately using tscon.exe to reconnect their own disconnected RDP sessions for maintenance
  • Ansible, Fabric, or other automation tools that use SSH ControlMaster multiplexing for connection efficiency
  • Security tools or session recording software that reads /proc filesystem entries or uses reptyr for legitimate terminal capture
Download portable Sigma rule (.yml)

Other platforms for T1563

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1RDP Session Hijacking via tscon.exe from SYSTEM context

    Expected signal: Sysmon Event ID 1 for tscon.exe with parent process chain including psexec/sc.exe. Windows Security Event 4778 (session reconnected) immediately after. Security Event 4688 for tscon.exe with SYSTEM account. Query.exe or qwinsta.exe execution preceding tscon.exe within minutes.

  2. Test 2SSH Agent Socket Hijacking

    Expected signal: Auditd records showing open() syscall on /tmp/ssh-*/agent.* socket by a process not owned by the socket's owner. /var/log/auth.log entries showing SSH connection authenticated via agent forwarding with unexpected source process context. Linux Sysmon (if deployed) Event ID 1 for ssh process with SSH_AUTH_SOCK in environment.

  3. Test 3SSH ControlMaster Multiplexing Session Hijack

    Expected signal: Sysmon (Linux) Event ID 1 for ssh process with -S flag and ControlMaster=no in command line. Process events showing ssh invoked with control socket path. Auth.log showing multiple SSH authentications to same host with same session multiplexed. Network events showing SSH connections reusing existing TCP connection.

Last updated: 2026-04-21 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1563 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (2)

Related Techniques

T1021.001Remote Desktop ProtocolT1021.004SSHT1550Use Alternate Authentication MaterialT1078Valid AccountsT1134Access Token ManipulationT1563.001SSH HijackingT1563.002RDP Hijacking

Same Tactic: Lateral Movement

Popular Detections