Detect Remote Service Session Hijacking in IBM QRadar
This detection identifies adversaries commandeering existing remote service sessions to move laterally without establishing new authenticated connections. Key indicators: tscon.exe reconnecting a disconnected RDP session to another session (typically run as SYSTEM, which lets the caller skip the target session's password prompt); a process pointing SSH_AUTH_SOCK at another user's forwarded agent socket under /tmp; ssh reusing an existing ControlMaster multiplexing socket through ControlPath; and processes attaching to other users' TTYs or file descriptors via /proc. Unlike ordinary remote service use, session hijacking leaves minimal authentication artifacts because no new credential exchange occurs, which makes a confirmed hit a high-fidelity signal.
MITRE ATT&CK
- Tactic
- Lateral Movement
- Technique
- T1563 Remote Service Session Hijacking
- Canonical reference
- https://attack.mitre.org/techniques/T1563/
QRadar Detection Query
SELECT
DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
logsourcename(logsourceid) AS log_source,
username,
"Process Name",
"Command" AS command_line,
"Parent Process Name",
CASE
WHEN LOWER("Process Name") LIKE '%tscon.exe%' THEN 'RDP_Session_Hijack_tscon'
WHEN (LOWER("Process Name") LIKE '%cmd.exe%' OR LOWER("Process Name") LIKE '%powershell.exe%')
AND LOWER("Command") LIKE '%tscon%' THEN 'RDP_Session_Hijack_indirect'
WHEN LOWER("Command") LIKE '%ssh_auth_sock%'
AND LOWER("Process Name") NOT LIKE '%sshd%'
AND LOWER("Process Name") NOT LIKE '%ssh-agent%' THEN 'SSH_Agent_Socket_Access'
WHEN (LOWER("Process Name") LIKE '%/ssh' OR LOWER("Process Name") LIKE '%\\ssh.exe')
AND (LOWER("Command") LIKE '%controlmaster%' OR LOWER("Command") LIKE '%controlpath%') THEN 'SSH_ControlMaster_Hijack'
WHEN LOWER("Command") LIKE '%/proc/%/fd%'
OR LOWER("Command") LIKE '%reptyr%'
OR LOWER("Command") LIKE '%injcode%' THEN 'TTY_FD_Hijack'
END AS hijack_indicator,
CASE
WHEN LOWER("Process Name") LIKE '%tscon.exe%' AND LOWER(username) LIKE '%system%' THEN 90
WHEN LOWER("Process Name") LIKE '%tscon.exe%' THEN 75
WHEN LOWER("Command") LIKE '%ssh_auth_sock%' THEN 70
WHEN LOWER("Command") LIKE '%controlmaster%' OR LOWER("Command") LIKE '%controlpath%' THEN 65
WHEN LOWER("Command") LIKE '%/proc/%/fd%' OR LOWER("Command") LIKE '%reptyr%' THEN 80
ELSE 60
END AS risk_score,
sourceip
FROM events
WHERE
LOGSOURCETYPEID IN (12, 13, 15, 100, 101, 143)
AND (
LOWER("Process Name") LIKE '%tscon.exe%'
OR (LOWER("Command") LIKE '%tscon%' AND (LOWER("Process Name") LIKE '%cmd.exe%' OR LOWER("Process Name") LIKE '%powershell.exe%'))
OR (LOWER("Command") LIKE '%ssh_auth_sock%' AND LOWER("Process Name") NOT LIKE '%sshd%' AND LOWER("Process Name") NOT LIKE '%ssh-agent%')
OR ((LOWER("Command") LIKE '%controlmaster%' OR LOWER("Command") LIKE '%controlpath%') AND (LOWER("Process Name") LIKE '%/ssh' OR LOWER("Process Name") LIKE '%\\ssh.exe'))
OR LOWER("Command") LIKE '%/proc/%/fd%'
OR LOWER("Command") LIKE '%reptyr%'
OR LOWER("Command") LIKE '%injcode%'
)
ORDER BY risk_score DESC, event_time DESC
LAST 24 HOURS
QRadar AQL query detecting remote service session hijacking patterns including RDP tscon abuse, SSH agent socket access, SSH ControlMaster/ControlPath multiplexing, and TTY file descriptor hijacking. Assigns risk scores based on indicator type and user context. Two details matter when adapting it: every LIKE pattern must be lower case because the left-hand side is wrapped in LOWER() (a mixed-case pattern such as '%SSH_AUTH_SOCK%' can never match), and the process-name alternatives in the ControlMaster branch must be parenthesised so that the option match applies to both, otherwise every plain ssh invocation is labelled a hijack. The numeric LOGSOURCETYPEID values are placeholders for the Windows and Linux process-telemetry log source types; verify them against your own deployment before enabling the rule.
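To check the query's branch logic offline before loading it into QRadar, here is a Python replica of the two CASE expressions run over constructed sample events. This is an added example, not code from the page, from IBM or from the detection package: the `like` helper emulates AQL LIKE semantics as an assumption, the sample paths, users and hostnames are invented, and nothing here connects to a QRadar instance.

```python
"""Offline replica of the AQL query's hijack_indicator and risk_score CASE logic.

Added example, not part of the original page. The sample events below are
constructed for illustration; paths, users and hostnames are invented, and
nothing here talks to a real QRadar instance.
"""
import re
from typing import Optional


def like(value: str, pattern: str) -> bool:
    """Case-insensitive SQL LIKE: '%' matches any run of characters, '_' any one.

    Both sides are folded to lower case, which is what LOWER(col) LIKE '%x%'
    needs; a mixed-case pattern such as '%SSH_AUTH_SOCK%' against a lowered
    column could never match in the real query.
    """
    regex = "".join(
        ".*" if ch == "%" else "." if ch == "_" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value, flags=re.IGNORECASE | re.DOTALL) is not None


def hijack_indicator(process: str, command: str) -> Optional[str]:
    """Mirror of the first CASE; None means the WHERE clause would drop the event."""
    if like(process, "%tscon.exe%"):
        return "RDP_Session_Hijack_tscon"
    if (like(process, "%cmd.exe%") or like(process, "%powershell.exe%")) and like(command, "%tscon%"):
        return "RDP_Session_Hijack_indirect"
    if (like(command, "%ssh_auth_sock%")
            and not like(process, "%sshd%") and not like(process, "%ssh-agent%")):
        return "SSH_Agent_Socket_Access"
    # Parentheses matter: the option match must apply to both ssh binary names,
    # otherwise every plain '/ssh' invocation would be labelled a hijack.
    if (like(process, "%/ssh") or like(process, "%\\ssh.exe")) and (
        like(command, "%controlmaster%") or like(command, "%controlpath%")
    ):
        return "SSH_ControlMaster_Hijack"
    if like(command, "%/proc/%/fd%") or like(command, "%reptyr%") or like(command, "%injcode%"):
        return "TTY_FD_Hijack"
    return None


def risk_score(process: str, command: str, username: str) -> int:
    """Mirror of the second CASE: score by indicator type and user context."""
    if like(process, "%tscon.exe%") and like(username, "%system%"):
        return 90
    if like(process, "%tscon.exe%"):
        return 75
    if like(command, "%ssh_auth_sock%"):
        return 70
    if like(command, "%controlmaster%") or like(command, "%controlpath%"):
        return 65
    if like(command, "%/proc/%/fd%") or like(command, "%reptyr%"):
        return 80
    return 60  # indirect tscon via cmd/powershell lands here, below direct tscon.exe


def run_detection(events):
    """Label and score events, drop non-matches, order like the query's ORDER BY."""
    hits = []
    for ev in events:
        indicator = hijack_indicator(ev["process"], ev["command"])
        if indicator is None:
            continue
        score = risk_score(ev["process"], ev["command"], ev["username"])
        hits.append((score, ev["time"], indicator, ev["username"], ev["process"]))
    hits.sort(key=lambda h: (h[0], h[1]), reverse=True)  # risk_score DESC, event_time DESC
    return hits


# Constructed sample events standing in for "Process Name", "Command" and username.
SAMPLE_EVENTS = [
    {"time": "2024-05-01 09:00:00", "username": "NT AUTHORITY\\SYSTEM",
     "process": "C:\\Windows\\System32\\tscon.exe", "command": "tscon.exe 2 /dest:console"},
    {"time": "2024-05-01 09:02:00", "username": "CORP\\helpdesk1",
     "process": "C:\\Windows\\System32\\cmd.exe", "command": "cmd.exe /c tscon 3 /dest:rdp-tcp#1"},
    {"time": "2024-05-01 09:05:00", "username": "www-data",
     "process": "/usr/bin/env", "command": "env SSH_AUTH_SOCK=/tmp/ssh-XXXXabcd/agent.4242 ssh -A bastion"},
    {"time": "2024-05-01 09:07:00", "username": "bob",
     "process": "/usr/bin/ssh", "command": "ssh -o ControlMaster=no -S /home/alice/.ssh/cm-app01 alice@app01"},
    {"time": "2024-05-01 09:10:00", "username": "dev",
     "process": "/usr/bin/ls", "command": "ls -l /proc/1234/fd"},          # benign, still flagged
    {"time": "2024-05-01 09:12:00", "username": "dev",
     "process": "/usr/bin/reptyr", "command": "reptyr 1234"},
    {"time": "2024-05-01 09:15:00", "username": "alice",
     "process": "/usr/bin/ssh", "command": "ssh alice@web01"},               # dropped by WHERE
]

if __name__ == "__main__":
    for score, when, indicator, user, proc in run_detection(SAMPLE_EVENTS):
        print(f"{score:3d}  {when}  {indicator:26s}  {user:22s}  {proc}")
```

Running it prints six rows in the query's order. Two results are worth noticing before the rule goes live: an administrator's `ls -l /proc/1234/fd` scores 80, higher than a direct tscon.exe run by a non-SYSTEM user (75), and a bare `ssh -S /path/to/socket host` with neither ControlPath nor ControlMaster in the command line is not matched at all, because the query only looks for the long option names.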
Data Sources
Required Tables
False Positives & Tuning
- IT helpdesk staff using tscon.exe to reconnect users to their own disconnected sessions during remote support
- DevOps pipelines and developer workstations using SSH ControlMaster/ControlPath for connection multiplexing to reduce authentication overhead
- Legitimate debugging sessions where developers use reptyr to reattach a daemonized process to their terminal
- Administrators inspecting open file descriptors during troubleshooting (ls -l /proc/<pid>/fd, lsof), which trips the /proc/%/fd pattern and scores 80; scope that clause to unexpected users or non-interactive parents
- A user's own shell startup files or eval $(ssh-agent -s) exporting SSH_AUTH_SOCK; where your telemetry exposes the socket path, restrict the agent clause to sockets under another user's /tmp/ssh-* directory
Testing Methodology
Validate this detection against three adversary behaviours drawn from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: RDP Session Hijacking via tscon.exe from SYSTEM context
Expected signal: Sysmon Event ID 1 for tscon.exe with a parent process chain that includes psexec or sc.exe (running a service is the usual route to SYSTEM). Windows Security Event 4778 (session reconnected) immediately afterwards, and Security Event 4688 for tscon.exe under the SYSTEM account. query.exe (query user) or qwinsta.exe execution in the minutes before tscon.exe, as the operator enumerates disconnected sessions.
- Test 2: SSH Agent Socket Hijacking
Expected signal: auditd records showing a connect() syscall to a /tmp/ssh-*/agent.* Unix socket by a process that does not belong to the socket's owner (agent sockets are connected to, not open()ed). /var/log/auth.log on the target showing an Accepted publickey login with the victim's key from the host holding the forwarded agent, at a time the victim did not initiate a login. Sysmon for Linux (if deployed) Event ID 1 for the ssh process. Note that a variable set by the shell (SSH_AUTH_SOCK=... ssh host) never appears on the ssh process's own command line; the query's command-line match only catches env or bash -c style invocations, so the auditd socket rule is the more reliable signal.
- Test 3: SSH ControlMaster Multiplexing Session Hijack
Expected signal: Sysmon for Linux Event ID 1 for ssh invoked with -S <control socket path> or -o ControlPath=<path> pointing at another user's control socket, optionally with -o ControlMaster=no (the query matches only the long option names, so add the -S form if your operators use it). On the target, the new session is a channel on the existing connection and requires no authentication, so auth.log shows the resulting activity without a corresponding Accepted publickey or Accepted password line. Network telemetry shows no new TCP connection; the multiplexed session rides the one already established.
References (7)
- https://attack.mitre.org/techniques/T1563/
- https://attack.mitre.org/techniques/T1563/001/
- https://attack.mitre.org/techniques/T1563/002/
- https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remote-mstsc-sessions-transparently-2d941099b086
- https://doublepulsar.com/rdp-hijacking-how-to-hijack-rds-and-remote-mstsc-sessions-transparently-2d941099b086
- https://www.netspi.com/blog/technical/network-penetration-testing/hijacking-ssh-sessions-with-screen-and-command-injection/
- https://xorl.wordpress.com/2022/02/09/ssh-session-hijacking/
Unlock Pro Content
Get the full detection package for T1563 including response playbook, investigation guide, and atomic red team tests.