T1563 Splunk · SPL

Detect Remote Service Session Hijacking in Splunk

This detection identifies adversaries commandeering existing remote service sessions to move laterally without creating new authenticated connections. Key indicators include use of tscon.exe to hijack disconnected RDP sessions (often from SYSTEM context), SSH agent socket manipulation via SSH_AUTH_SOCK environment variable abuse, SSH ControlMaster/ControlPath multiplexing attacks, and suspicious processes accessing other users' TTY devices or SSH agent sockets in /tmp. Unlike standard remote service use, session hijacking leaves minimal authentication artifacts because no new credential exchange occurs — making it a high-fidelity signal when detected.

MITRE ATT&CK

Tactic
Lateral Movement
Technique
T1563 Remote Service Session Hijacking
Canonical reference
https://attack.mitre.org/techniques/T1563/

SPL Detection Query

Splunk (SPL)
spl 
index=* (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1) OR (sourcetype="WinEventLog:Security" EventCode=4688)
| eval proc=coalesce(Image, NewProcessName), cmdline=coalesce(CommandLine, ProcessCommandLine), parent=coalesce(ParentImage, ParentProcessName), user=coalesce(User, SubjectUserName), host=coalesce(Computer, ComputerName)
| eval hijack_indicator=case(
    match(proc, "(?i)tscon\.exe"), "RDP_Session_Hijack_tscon",
    match(proc, "(?i)(cmd|powershell)\.exe") AND match(cmdline, "(?i)tscon"), "RDP_Session_Hijack_indirect",
    match(cmdline, "SSH_AUTH_SOCK") AND NOT match(proc, "(?i)(sshd|ssh-agent)\.?"), "SSH_Agent_Socket_Access",
    match(cmdline, "(?i)(ControlMaster|ControlPath)") AND match(proc, "(?i)ssh$"), "SSH_ControlMaster_Hijack",
    match(cmdline, "/proc/\d+/fd|reptyr|injcode"), "TTY_FD_Hijack",
    true(), null())
| where isnotnull(hijack_indicator)
| eval risk_score=case(
    hijack_indicator="RDP_Session_Hijack_tscon" AND match(user, "(?i)system"), 90,
    hijack_indicator="RDP_Session_Hijack_tscon", 75,
    hijack_indicator="SSH_Agent_Socket_Access", 70,
    hijack_indicator="SSH_ControlMaster_Hijack", 65,
    hijack_indicator="TTY_FD_Hijack", 80,
    true(), 60)
| table _time, host, user, proc, cmdline, parent, hijack_indicator, risk_score
| sort - risk_score, _time
high severity medium confidence

Correlates Sysmon process creation (Event ID 1) and Security audit events (4688) to identify session hijacking patterns across RDP (tscon.exe), SSH agent socket abuse, SSH ControlMaster multiplexing, and TTY file descriptor hijacking. Risk scoring prioritizes SYSTEM-context tscon invocations and direct TTY hijacking tools like reptyr.

Data Sources

SysmonWindows Security Event Log

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/OperationalWinEventLog:Security

False Positives & Tuning

  • Authorized helpdesk or IT staff using tscon.exe to reconnect disconnected user sessions for troubleshooting
  • Infrastructure automation frameworks (Ansible, Capistrano, Fabric) using SSH ControlMaster for connection efficiency
  • Penetration testers or red team exercises conducting authorized lateral movement testing
Download portable Sigma rule (.yml)

Other platforms for T1563

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1RDP Session Hijacking via tscon.exe from SYSTEM context

    Expected signal: Sysmon Event ID 1 for tscon.exe with parent process chain including psexec/sc.exe. Windows Security Event 4778 (session reconnected) immediately after. Security Event 4688 for tscon.exe with SYSTEM account. Query.exe or qwinsta.exe execution preceding tscon.exe within minutes.

  2. Test 2SSH Agent Socket Hijacking

    Expected signal: Auditd records showing open() syscall on /tmp/ssh-*/agent.* socket by a process not owned by the socket's owner. /var/log/auth.log entries showing SSH connection authenticated via agent forwarding with unexpected source process context. Linux Sysmon (if deployed) Event ID 1 for ssh process with SSH_AUTH_SOCK in environment.

  3. Test 3SSH ControlMaster Multiplexing Session Hijack

    Expected signal: Sysmon (Linux) Event ID 1 for ssh process with -S flag and ControlMaster=no in command line. Process events showing ssh invoked with control socket path. Auth.log showing multiple SSH authentications to same host with same session multiplexed. Network events showing SSH connections reusing existing TCP connection.

Last updated: 2026-04-21 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1563 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (2)

Related Techniques

T1021.001Remote Desktop ProtocolT1021.004SSHT1550Use Alternate Authentication MaterialT1078Valid AccountsT1134Access Token ManipulationT1563.001SSH HijackingT1563.002RDP Hijacking

Same Tactic: Lateral Movement

Popular Detections