T1563 Microsoft Sentinel · KQL

Detect Remote Service Session Hijacking in Microsoft Sentinel

This detection identifies adversaries commandeering existing remote service sessions to move laterally without creating new authenticated connections. Key indicators include use of tscon.exe to hijack disconnected RDP sessions (often from SYSTEM context), SSH agent socket manipulation via SSH_AUTH_SOCK environment variable abuse, SSH ControlMaster/ControlPath multiplexing attacks, and suspicious processes accessing other users' TTY devices or SSH agent sockets in /tmp. Unlike standard remote service use, session hijacking leaves minimal authentication artifacts because no new credential exchange occurs — making it a high-fidelity signal when detected.

MITRE ATT&CK

Tactic
Lateral Movement
Technique
T1563 Remote Service Session Hijacking
Canonical reference
https://attack.mitre.org/techniques/T1563/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let RDPHijack = DeviceProcessEvents
| where FileName =~ "tscon.exe"
    or (FileName in~ ("cmd.exe", "powershell.exe") and ProcessCommandLine has "tscon")
| extend HijackType = "RDP_tscon"
| extend RiskDetail = strcat("tscon invoked by: ", InitiatingProcessFileName, " as ", AccountName);
let SSHAgentHijack = DeviceProcessEvents
| where ProcessCommandLine has_any ("SSH_AUTH_SOCK", "/tmp/ssh-", "ssh-agent")
    and ProcessCommandLine has_any ("export", "env", "printenv", "cat /proc")
    and not (FileName in~ ("sshd", "ssh-agent"))
| extend HijackType = "SSH_Agent_Hijack"
| extend RiskDetail = strcat("SSH_AUTH_SOCK access by non-ssh process: ", FileName);
let SSHControlMaster = DeviceProcessEvents
| where FileName =~ "ssh"
    and ProcessCommandLine has_any ("ControlMaster", "ControlPath", "-o ControlMaster", "-S /tmp")
    and not (InitiatingProcessFileName in~ ("sshd", "ansible", "fabric"))
| extend HijackType = "SSH_ControlMaster_Abuse"
| extend RiskDetail = strcat("SSH multiplexing hijack attempt from: ", InitiatingProcessFileName);
let TTYHijack = DeviceProcessEvents
| where ProcessCommandLine has_any ("/proc/", "/dev/pts/", "reptyr", "injcode")
    and ProcessCommandLine matches regex @"/proc/\d+/fd"
| extend HijackType = "TTY_Hijack"
| extend RiskDetail = "Process fd hijack targeting remote session TTY";
union RDPHijack, SSHAgentHijack, SSHControlMaster, TTYHijack
| project
    TimeGenerated,
    DeviceName,
    AccountName,
    HijackType,
    RiskDetail,
    FileName,
    ProcessCommandLine,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    InitiatingProcessAccountName,
    FolderPath
| order by TimeGenerated desc
high severity medium confidence

Detects four patterns of remote service session hijacking: (1) tscon.exe used to redirect RDP sessions, often from SYSTEM context to hijack disconnected sessions without credentials; (2) non-SSH processes accessing SSH_AUTH_SOCK for agent forwarding abuse; (3) SSH ControlMaster/ControlPath multiplexing abuse to piggyback on existing authenticated connections; (4) /proc/pid/fd TTY descriptor hijacking targeting active terminal sessions.

Data Sources

Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives & Tuning

  • Legitimate IT administrators using tscon.exe for authorized session management or helpdesk reconnection workflows
  • Ansible, Fabric, or other automation tools that legitimately use SSH ControlMaster for connection multiplexing to improve performance
  • SSH agent forwarding used by developers or DevOps engineers for legitimate key forwarding across jump hosts
Download portable Sigma rule (.yml)

Other platforms for T1563

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1RDP Session Hijacking via tscon.exe from SYSTEM context

    Expected signal: Sysmon Event ID 1 for tscon.exe with parent process chain including psexec/sc.exe. Windows Security Event 4778 (session reconnected) immediately after. Security Event 4688 for tscon.exe with SYSTEM account. Query.exe or qwinsta.exe execution preceding tscon.exe within minutes.

  2. Test 2SSH Agent Socket Hijacking

    Expected signal: Auditd records showing open() syscall on /tmp/ssh-*/agent.* socket by a process not owned by the socket's owner. /var/log/auth.log entries showing SSH connection authenticated via agent forwarding with unexpected source process context. Linux Sysmon (if deployed) Event ID 1 for ssh process with SSH_AUTH_SOCK in environment.

  3. Test 3SSH ControlMaster Multiplexing Session Hijack

    Expected signal: Sysmon (Linux) Event ID 1 for ssh process with -S flag and ControlMaster=no in command line. Process events showing ssh invoked with control socket path. Auth.log showing multiple SSH authentications to same host with same session multiplexed. Network events showing SSH connections reusing existing TCP connection.

Last updated: 2026-04-21 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1563 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (2)

Related Techniques

T1021.001Remote Desktop ProtocolT1021.004SSHT1550Use Alternate Authentication MaterialT1078Valid AccountsT1134Access Token ManipulationT1563.001SSH HijackingT1563.002RDP Hijacking

Same Tactic: Lateral Movement

Popular Detections