Detect Remote Service Session Hijacking in Sumo Logic CSE
This detection identifies adversaries commandeering existing remote service sessions to move laterally without creating new authenticated connections. Key indicators include use of tscon.exe to hijack disconnected RDP sessions (often from SYSTEM context), SSH agent socket manipulation via SSH_AUTH_SOCK environment variable abuse, SSH ControlMaster/ControlPath multiplexing attacks, and suspicious processes accessing other users' TTY devices or SSH agent sockets in /tmp. Unlike standard remote service use, session hijacking leaves minimal authentication artifacts because no new credential exchange occurs — making it a high-fidelity signal when detected.
MITRE ATT&CK
- Tactic
- Lateral Movement
- Technique
- T1563 Remote Service Session Hijacking
- Canonical reference
- https://attack.mitre.org/techniques/T1563/
Sumo Detection Query
_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*linux* OR _sourceCategory=*endpoint*
| parse field=_raw "*" as raw_event
| if (sourcetype matches "*Sysmon*" OR sourcetype matches "*Security*", "windows", "linux") as os_type
| fields EventID, CommandLine, Image, ParentImage, User, Computer, _sourceCategory
| eval proc = if(Image != "", Image, "")
| eval cmdline = if(CommandLine != "", CommandLine, "")
| eval parent = if(ParentImage != "", ParentImage, "")
| where (
(proc matches "(?i).*tscon\.exe.*")
or (proc matches "(?i).*(cmd|powershell)\.exe.*" and cmdline matches "(?i).*tscon.*")
or (cmdline matches ".*SSH_AUTH_SOCK.*" and !(proc matches "(?i).*(sshd|ssh-agent).*"))
or (cmdline matches "(?i).*(ControlMaster|ControlPath).*" and proc matches "(?i).*[/\\\\]ssh(\.exe)?$")
or (cmdline matches ".*/proc/[0-9]+/fd.*" or cmdline matches "(?i).*(reptyr|injcode).*")
)
| eval hijack_type = if(proc matches "(?i).*tscon\.exe.*", "RDP_tscon_Hijack",
if(proc matches "(?i).*(cmd|powershell)\.exe.*" and cmdline matches "(?i).*tscon.*", "RDP_tscon_Indirect",
if(cmdline matches ".*SSH_AUTH_SOCK.*", "SSH_Agent_Socket_Abuse",
if(cmdline matches "(?i).*(ControlMaster|ControlPath).*", "SSH_ControlMaster_Hijack",
if(cmdline matches ".*/proc/[0-9]+/fd.*" or cmdline matches "(?i).*(reptyr|injcode).*", "TTY_FD_Hijack",
"Unknown")))))
| eval risk_score = if(hijack_type = "RDP_tscon_Hijack" and User matches "(?i).*SYSTEM.*", 90,
if(hijack_type = "RDP_tscon_Hijack", 75,
if(hijack_type = "SSH_Agent_Socket_Abuse", 70,
if(hijack_type = "SSH_ControlMaster_Hijack", 65,
if(hijack_type = "TTY_FD_Hijack", 80, 60)))))
| fields _messageTime, Computer, User, proc, cmdline, parent, hijack_type, risk_score
| sort by risk_score desc, _messageTime descSumo Logic query detecting T1563 Remote Service Session Hijacking across Windows and Linux hosts. Identifies RDP tscon abuse, SSH agent socket manipulation, ControlMaster multiplexing attacks, and TTY file descriptor hijacking with risk-based scoring.
Data Sources
Required Tables
False Positives & Tuning
- Windows administrators legitimately using tscon to reconnect their own disconnected terminal server sessions
- SSH-based deployment tools like Ansible or Capistrano that use ControlMaster for performance during multi-host deployments
- Penetration testing teams or red team exercises performing authorized lateral movement simulations
Other platforms for T1563
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1RDP Session Hijacking via tscon.exe from SYSTEM context
Expected signal: Sysmon Event ID 1 for tscon.exe with parent process chain including psexec/sc.exe. Windows Security Event 4778 (session reconnected) immediately after. Security Event 4688 for tscon.exe with SYSTEM account. Query.exe or qwinsta.exe execution preceding tscon.exe within minutes.
- Test 2SSH Agent Socket Hijacking
Expected signal: Auditd records showing open() syscall on /tmp/ssh-*/agent.* socket by a process not owned by the socket's owner. /var/log/auth.log entries showing SSH connection authenticated via agent forwarding with unexpected source process context. Linux Sysmon (if deployed) Event ID 1 for ssh process with SSH_AUTH_SOCK in environment.
- Test 3SSH ControlMaster Multiplexing Session Hijack
Expected signal: Sysmon (Linux) Event ID 1 for ssh process with -S flag and ControlMaster=no in command line. Process events showing ssh invoked with control socket path. Auth.log showing multiple SSH authentications to same host with same session multiplexed. Network events showing SSH connections reusing existing TCP connection.
References (7)
- https://attack.mitre.org/techniques/T1563/
- https://attack.mitre.org/techniques/T1563/001/
- https://attack.mitre.org/techniques/T1563/002/
- https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remote-mstsc-sessions-transparently-2d941099b086
- https://doublepulsar.com/rdp-hijacking-how-to-hijack-rds-and-remote-mstsc-sessions-transparently-2d941099b086
- https://www.netspi.com/blog/technical/network-penetration-testing/hijacking-ssh-sessions-with-screen-and-command-injection/
- https://xorl.wordpress.com/2022/02/09/ssh-session-hijacking/
Unlock Pro Content
Get the full detection package for T1563 including response playbook, investigation guide, and atomic red team tests.