T1563 CrowdStrike LogScale · LogScale

Detect Remote Service Session Hijacking in CrowdStrike LogScale

This detection identifies adversaries commandeering existing remote service sessions to move laterally without creating new authenticated connections. Key indicators include use of tscon.exe to hijack disconnected RDP sessions (often from SYSTEM context), SSH agent socket manipulation via SSH_AUTH_SOCK environment variable abuse, SSH ControlMaster/ControlPath multiplexing attacks, and suspicious processes accessing other users' TTY devices or SSH agent sockets in /tmp. Unlike standard remote service use, session hijacking leaves minimal authentication artifacts because no new credential exchange occurs — making it a high-fidelity signal when detected.

MITRE ATT&CK

Tactic
Lateral Movement
Technique
T1563 Remote Service Session Hijacking
Canonical reference
https://attack.mitre.org/techniques/T1563/

LogScale Detection Query

CrowdStrike LogScale (Falcon) CQL query

// T1563 Remote Service Session Hijacking Detection
// Covers: RDP tscon abuse, SSH agent socket manipulation, SSH ControlMaster attacks, TTY fd hijacking

#event_simpleName=ProcessRollup2
// Classify the process event; the first matching branch wins. Events that match
// no branch get no hijack_type field and are dropped by the filter below.
| case {
    // RDP tscon direct execution
    ImageFileName=/tscon\.exe$/i | hijack_type := "RDP_tscon_Hijack";
    // RDP tscon launched through cmd or powershell
    ImageFileName=/(cmd|powershell)\.exe$/i AND CommandLine=/tscon/i | hijack_type := "RDP_tscon_Indirect";
    // SSH agent socket referenced by a process other than sshd or ssh-agent
    CommandLine=/SSH_AUTH_SOCK/ AND NOT ImageFileName=/(sshd|ssh-agent)$/i | hijack_type := "SSH_Agent_Socket_Abuse";
    // SSH ControlMaster multiplexing abuse
    ImageFileName=/[\/\\]ssh(\.exe)?$/i AND CommandLine=/(ControlMaster|ControlPath|-S \/tmp)/i | hijack_type := "SSH_ControlMaster_Hijack";
    // TTY/fd hijacking
    CommandLine=/\/proc\/[0-9]+\/fd/ OR CommandLine=/(reptyr|injcode)/i | hijack_type := "TTY_FD_Hijack";
  }
| hijack_type=*
// Risk scoring: tscon executed by the SYSTEM account is the strongest signal.
| case {
    hijack_type="RDP_tscon_Hijack" AND UserName=/SYSTEM/i | risk_score := 90;
    hijack_type="RDP_tscon_Hijack" | risk_score := 75;
    hijack_type="SSH_Agent_Socket_Abuse" | risk_score := 70;
    hijack_type="SSH_ControlMaster_Hijack" | risk_score := 65;
    hijack_type="TTY_FD_Hijack" | risk_score := 80;
    * | risk_score := 60;
  }
| table([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, hijack_type, risk_score, TargetProcessId, ContextProcessId])
| sort([risk_score, timestamp], order=desc, type=number)

Severity: high · Confidence: high

CrowdStrike LogScale (Falcon) CQL query detecting T1563 Remote Service Session Hijacking using ProcessRollup2 events. Identifies RDP tscon session hijacking from SYSTEM context, SSH agent socket abuse, SSH ControlMaster multiplexing attacks, and TTY process file descriptor hijacking with risk scoring.
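The classification and scoring branches of the query can be unit-tested offline before the CQL is deployed. The Python below is an added example for this page, not part of the original detection content or of any CrowdStrike code: it re-implements the same case branches and risk scores over constructed ProcessRollup2-shaped records (the hostnames, users and command lines are placeholders, not real telemetry) and applies a per-hijack_type host allowlist of the kind the False Positives section calls for.

```python
"""Offline check of the T1563 LogScale query's classification and scoring logic.

Added example for this page; it is not part of the original detection content
or any CrowdStrike code. The records below are constructed to look like Falcon
ProcessRollup2 fields (ImageFileName, CommandLine, UserName, ...) and are not
real telemetry. Use it to unit-test each branch, and the tuning allowlist from
the False Positives section, before the CQL is deployed in a tenant.
"""
import re

# Patterns mirror the regexes in the LogScale query, one per case branch.
_TSCON = re.compile(r"tscon\.exe$", re.I)
_SHELL = re.compile(r"(cmd|powershell)\.exe$", re.I)
_SSH_DAEMONS = re.compile(r"(sshd|ssh-agent)$", re.I)
_SSH_BIN = re.compile(r"[/\\]ssh(\.exe)?$", re.I)
_CTRLMASTER = re.compile(r"ControlMaster|ControlPath|-S /tmp", re.I)
_PROC_FD = re.compile(r"/proc/[0-9]+/fd")
_TTY_TOOLS = re.compile(r"reptyr|injcode", re.I)


def classify(ev):
    """Return the hijack_type for one ProcessRollup2-shaped record, or None.
    Branch order matters: the first match wins, as in the CQL case block."""
    img = ev.get("ImageFileName", "")
    cmd = ev.get("CommandLine", "")
    if _TSCON.search(img):
        return "RDP_tscon_Hijack"
    if _SHELL.search(img) and re.search(r"tscon", cmd, re.I):
        return "RDP_tscon_Indirect"
    if "SSH_AUTH_SOCK" in cmd and not _SSH_DAEMONS.search(img):
        return "SSH_Agent_Socket_Abuse"
    if _SSH_BIN.search(img) and _CTRLMASTER.search(cmd):
        return "SSH_ControlMaster_Hijack"
    if _PROC_FD.search(cmd) or _TTY_TOOLS.search(cmd):
        return "TTY_FD_Hijack"
    return None


def risk_score(ev, hijack_type):
    """Risk score per branch; tscon run by the SYSTEM account scores highest."""
    if hijack_type == "RDP_tscon_Hijack":
        return 90 if re.search(r"SYSTEM", ev.get("UserName", ""), re.I) else 75
    return {"SSH_Agent_Socket_Abuse": 70,
            "SSH_ControlMaster_Hijack": 65,
            "TTY_FD_Hijack": 80}.get(hijack_type, 60)


def detect(events, allowlist=None):
    """Classify, score and tune a batch of records.

    allowlist maps a hijack_type to the set of ComputerName values where that
    branch is expected (jump hosts using ControlMaster, lab boxes running
    reptyr). Suppressed records are left out; the result is sorted by
    risk_score then timestamp, both descending, like the query output."""
    allowlist = allowlist or {}
    hits = []
    for ev in events:
        hijack_type = classify(ev)
        if hijack_type is None:
            continue
        if ev.get("ComputerName") in allowlist.get(hijack_type, set()):
            continue
        hits.append({**ev, "hijack_type": hijack_type,
                     "risk_score": risk_score(ev, hijack_type)})
    hits.sort(key=lambda h: (-h["risk_score"], -h["timestamp"]))
    return hits


# Constructed sample records (not real telemetry). Hostnames are placeholders.
SAMPLE_EVENTS = [
    {"timestamp": 1700000001000, "ComputerName": "WS01",
     "UserName": "NT AUTHORITY\\SYSTEM",
     "ImageFileName": "\\Device\\HarddiskVolume3\\Windows\\System32\\tscon.exe",
     "CommandLine": "tscon.exe 3 /dest:console", "ParentBaseFileName": "cmd.exe"},
    {"timestamp": 1700000002000, "ComputerName": "WS02", "UserName": "CORP\\jdoe",
     "ImageFileName": "\\Device\\HarddiskVolume3\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -Command tscon 2 /dest:console",
     "ParentBaseFileName": "explorer.exe"},
    {"timestamp": 1700000003000, "ComputerName": "lnx-build-07", "UserName": "svc-ci",
     "ImageFileName": "/usr/bin/env",
     "CommandLine": "env SSH_AUTH_SOCK=/tmp/ssh-abc123/agent.1001 ssh-add -l",
     "ParentBaseFileName": "bash"},
    {"timestamp": 1700000004000, "ComputerName": "devbox-jump", "UserName": "dev1",
     "ImageFileName": "/usr/bin/ssh",
     "CommandLine": "ssh -o ControlMaster=auto -o ControlPath=/tmp/cm-%r@%h:%p build01",
     "ParentBaseFileName": "bash"},
    {"timestamp": 1700000005000, "ComputerName": "lab-01", "UserName": "pentest",
     "ImageFileName": "/usr/bin/reptyr", "CommandLine": "reptyr 4242",
     "ParentBaseFileName": "bash"},
    {"timestamp": 1700000006000, "ComputerName": "WS03", "UserName": "CORP\\asmith",
     "ImageFileName": "\\Device\\HarddiskVolume3\\Windows\\explorer.exe",
     "CommandLine": "explorer.exe", "ParentBaseFileName": "userinit.exe"},
]

# Tuning from the False Positives section: expected multiplexing on the jump
# host and authorized reptyr use on an enrolled lab host. Hostnames constructed.
ALLOWLIST = {
    "SSH_ControlMaster_Hijack": {"devbox-jump"},
    "TTY_FD_Hijack": {"lab-01"},
}

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS, ALLOWLIST):
        print(hit["risk_score"], hit["hijack_type"], hit["ComputerName"], hit["CommandLine"])
```

With the allowlist applied, the six constructed records yield three hits (tscon as SYSTEM at 90, the SSH_AUTH_SOCK reference at 70, the indirect tscon at 60); without it, the jump-host ControlMaster session and the lab-host reptyr run are reported as well, which is the noise the tuning notes describe.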

Data Sources

  • CrowdStrike Falcon Prevent/Insight EDR
  • Falcon ProcessRollup2 telemetry
  • Falcon sensor on Windows and Linux endpoints

Required Tables

ProcessRollup2

False Positives & Tuning

  • System administrators running tscon.exe from SYSTEM-level scheduled tasks to reconnect hung RDP sessions during automated maintenance
  • SSH multiplexing configured in ~/.ssh/config with ControlMaster=auto for shared development environments or jump hosts, triggering on every connection attempt
  • Security researchers or pentest teams running reptyr or process injection tools during authorized engagements on test systems enrolled in the same Falcon tenant
Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: RDP Session Hijacking via tscon.exe from SYSTEM context

    Expected signal: Sysmon Event ID 1 for tscon.exe with parent process chain including psexec/sc.exe. Windows Security Event 4778 (session reconnected) immediately after. Security Event 4688 for tscon.exe with SYSTEM account. Query.exe or qwinsta.exe execution preceding tscon.exe within minutes.

  2. Test 2: SSH Agent Socket Hijacking

    Expected signal: Auditd records showing open() syscall on /tmp/ssh-*/agent.* socket by a process not owned by the socket's owner. /var/log/auth.log entries showing SSH connection authenticated via agent forwarding with unexpected source process context. Linux Sysmon (if deployed) Event ID 1 for ssh process with SSH_AUTH_SOCK in environment.

  3. Test 3: SSH ControlMaster Multiplexing Session Hijack

    Expected signal: Sysmon (Linux) Event ID 1 for ssh process with -S flag and ControlMaster=no in command line. Process events showing ssh invoked with control socket path. Auth.log showing multiple SSH authentications to same host with same session multiplexed. Network events showing SSH connections reusing existing TCP connection.
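The expected signal for Test 1 is a sequence rather than a single event: session enumeration, then tscon.exe under the SYSTEM account, then Security Event 4778 shortly after. The following Python is an added example for this page, not part of the original content or of Atomic Red Team; it runs that sequence logic over constructed records carrying the fields an analyst would extract from Security events 4688 and 4778 (hosts, accounts and times are placeholders, not real logs) and grades each tscon launch by how much of the expected chain is present.

```python
"""Sequence check for Test 1: tscon.exe run as SYSTEM followed by a session
reconnect, optionally preceded by session enumeration.

Added example for this page, not part of the original content or of Atomic Red
Team. Records are constructed to carry the fields an analyst would pull from
Windows Security events 4688 (process creation) and 4778 (session reconnected);
they are not real logs.
"""
from datetime import datetime, timedelta

# Enumeration tools the page lists as preceding tscon.exe (lowercase for matching).
ENUM_TOOLS = ("qwinsta.exe", "query.exe")


def _t(ev):
    return datetime.fromisoformat(ev["time"])


def _is_tscon_as_system(ev):
    return (ev["event_id"] == 4688
            and ev["new_process"].lower().endswith("\\tscon.exe")
            and ev["account"].upper().endswith("SYSTEM"))


def find_tscon_reconnect_sequences(events, enum_window=timedelta(minutes=5),
                                   reconnect_window=timedelta(seconds=60)):
    """For each SYSTEM tscon.exe launch, look on the same host for an
    enumeration tool (4688) within enum_window before it and a 4778 reconnect
    within reconnect_window after it. Confidence is high when both are present,
    medium when only the reconnect follows, low when neither is seen."""
    events = sorted(events, key=_t)
    results = []
    for ev in events:
        if not _is_tscon_as_system(ev):
            continue
        t0, host = _t(ev), ev["host"]
        enum_before = any(
            e["event_id"] == 4688 and e["host"] == host
            and e["new_process"].lower().endswith(ENUM_TOOLS)
            and t0 - enum_window <= _t(e) < t0
            for e in events)
        reconnect_after = any(
            e["event_id"] == 4778 and e["host"] == host
            and t0 <= _t(e) <= t0 + reconnect_window
            for e in events)
        if reconnect_after and enum_before:
            confidence = "high"
        elif reconnect_after:
            confidence = "medium"
        else:
            confidence = "low"
        results.append({"host": host, "time": ev["time"],
                        "enumeration_preceded": enum_before,
                        "reconnect_followed": reconnect_after,
                        "confidence": confidence})
    return results


# Constructed Security-log-shaped records for Test 1 (not real logs).
SAMPLE_SECURITY_EVENTS = [
    {"time": "2024-01-15T10:00:05", "event_id": 4688, "host": "WS01",
     "account": "NT AUTHORITY\\SYSTEM", "new_process": "C:\\Windows\\System32\\qwinsta.exe"},
    {"time": "2024-01-15T10:00:40", "event_id": 4688, "host": "WS01",
     "account": "NT AUTHORITY\\SYSTEM", "new_process": "C:\\Windows\\System32\\tscon.exe"},
    {"time": "2024-01-15T10:00:42", "event_id": 4778, "host": "WS01",
     "account": "CORP\\jdoe", "new_process": None},
    # A user reconnecting to their own session: 4778 with no tscon before it.
    {"time": "2024-01-15T11:30:00", "event_id": 4778, "host": "WS02",
     "account": "CORP\\asmith", "new_process": None},
    # tscon as SYSTEM with no reconnect inside the window, as a maintenance task
    # that found nothing to reconnect would look.
    {"time": "2024-01-15T12:00:00", "event_id": 4688, "host": "WS03",
     "account": "NT AUTHORITY\\SYSTEM", "new_process": "C:\\Windows\\System32\\tscon.exe"},
]

if __name__ == "__main__":
    for seq in find_tscon_reconnect_sequences(SAMPLE_SECURITY_EVENTS):
        print(seq["host"], seq["time"], seq["confidence"])
```

The lone 4778 on WS02 produces nothing, since a reconnect by itself is ordinary user behaviour; WS01 grades high because the whole chain is present, and WS03 grades low, which is where the scheduled-task false positive from the tuning notes would land.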
