title: Remote Service Session Hijacking (T1563)
id: df00tech-t1563
status: experimental
description: "This detection identifies adversaries taking over existing remote service sessions to move laterally without establishing new authenticated connections. Key indicators are tscon.exe reconnecting a disconnected RDP session from SYSTEM context (which skips the target user's password prompt), SSH agent hijacking by pointing SSH_AUTH_SOCK at another user's agent socket, reuse of another user's SSH ControlMaster/ControlPath multiplexing socket, and processes opening other users' TTY devices or ssh-agent sockets under /tmp. Because no new credential exchange takes place, session hijacking leaves few authentication artifacts (for example, no fresh logon for the hijacked RDP session), so the process-level indicators above are the main detection surface and confirmed hits warrant high-priority triage."
references:
  - https://attack.mitre.org/techniques/T1563/
  - https://df00tech.com/detections/T1563
author: df00tech
date: 2026/04/21
tags:
  - attack.lateral_movement
  - attack.t1563
# NOTE: logsource is auto-derived. Only the Windows tscon.exe indicator fits
# process_creation/windows; the SSH indicators in the description need a Linux
# process_creation or audit logsource and a separate rule.
logsource:
  category: process_creation
  product: windows
detection:
  # tscon.exe run from SYSTEM context, per the description; ordinary helpdesk
  # reconnects run as a user account and are prompted for the target password.
  # The full KQL/SPL query is on df00tech.
  selection_img:
    - Image|endswith: '\tscon.exe'
    - OriginalFileName: 'tscon.exe'
  selection_sysctx:
    User|contains:
      - 'AUTHORI'   # NT AUTHORITY\SYSTEM
      - 'AUTORI'    # localized SYSTEM account names
  condition: selection_img and selection_sysctx
falsepositives:
  - Legitimate IT administrators using tscon.exe for authorized session management or helpdesk reconnection workflows
  - "Ansible, Fabric, or other automation tools that legitimately use SSH ControlMaster for connection multiplexing to improve performance"
  - SSH agent forwarding used by developers or DevOps engineers for legitimate key forwarding across jump hosts
level: high
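
The indicators from the description, applied to constructed process events as an added example; this is not part of the df00tech rule or its KQL/SPL query. It assumes two simple event shapes (a Windows process-creation record with image, command_line and user; a Linux exec record with uid, argv, env and opened paths) and a path-to-owner table standing in for os.stat(); every uid, user name and path is made up. The ssh argument parser handles the -S, -o ControlPath=..., -oControlPath=... and -o 'ControlPath ...' spellings that OpenSSH accepts.

```python
# Added example, not the df00tech rule's code. Event shapes, uids, paths and
# the ownership table are constructed stand-ins for Sysmon/auditd and os.stat().
import ntpath
import posixpath
import re
from typing import Dict, List

OWNERS: Dict[str, int] = {  # constructed path -> owning uid
    "/tmp/ssh-XYZ1000/agent.4242": 1000,  # alice's ssh-agent socket
    "/home/alice/.ssh/cm-prod": 1000,     # alice's ControlMaster socket
    "/dev/pts/3": 1000,                   # alice's terminal
}
AGENT_SOCK = re.compile(r"^/tmp/ssh-[^/]+/agent\.\d+$")  # /tmp/ssh-<rand>/agent.<pid>
TTY_DEV = re.compile(r"^/dev/(pts/\d+|tty[A-Za-z]*\d+)$")


def check_windows(ev: dict) -> List[str]:
    """tscon.exe indicators. As SYSTEM, tscon reconnects a disconnected session
    without the target's password; /dest: is its documented target-session switch."""
    hits: List[str] = []
    if ntpath.basename(ev.get("image", "")).lower() != "tscon.exe":
        return hits
    hits.append("tscon_exec")
    if ev.get("user", "").upper().endswith("\\SYSTEM"):
        hits.append("tscon_as_system")
    if "/dest:" in ev.get("command_line", "").lower():
        hits.append("tscon_redirect")
    return hits


def _ssh_control_paths(argv: List[str]) -> List[str]:
    """ControlPath values from an ssh argv: -S <p>, -S<p>, -o ControlPath=<p>,
    -oControlPath=<p> and -o 'ControlPath <p>' (all accepted by OpenSSH)."""
    paths: List[str] = []
    opts: List[str] = []
    i = 1
    while i < len(argv):
        a = argv[i]
        if a == "-S" and i + 1 < len(argv):
            paths.append(argv[i + 1])
            i += 1
        elif a.startswith("-S") and len(a) > 2:
            paths.append(a[2:])
        elif a == "-o" and i + 1 < len(argv):
            opts.append(argv[i + 1])
            i += 1
        elif a.startswith("-o") and len(a) > 2:
            opts.append(a[2:])
        i += 1
    for opt in opts:
        key, _, val = opt.partition("=") if "=" in opt else opt.partition(" ")
        if key.strip().lower() == "controlpath":
            paths.append(val.strip())
    return paths


def check_linux(ev: dict, owners: Dict[str, int] = OWNERS) -> List[str]:
    """Sockets/TTYs touched by the process that belong to another uid. Ownership
    mismatch, not mere use of SSH_AUTH_SOCK or ControlMaster, is the signal; root
    is not exempted (root reading a user's agent socket is the classic hijack)."""
    uid = ev["uid"]

    def foreign(p: str) -> bool:  # paths missing from the table are skipped
        return p in owners and owners[p] != uid

    hits = set()
    sock = ev.get("env", {}).get("SSH_AUTH_SOCK", "")
    if AGENT_SOCK.match(sock) and foreign(sock):
        hits.add("foreign_agent_socket")
    argv = ev.get("argv", [])
    if argv and posixpath.basename(argv[0]) == "ssh":
        hits.update("foreign_control_socket" for p in _ssh_control_paths(argv) if foreign(p))
    for p in ev.get("opened", []):
        if TTY_DEV.match(p) and foreign(p):
            hits.add("foreign_tty")
        elif AGENT_SOCK.match(p) and foreign(p):
            hits.add("foreign_agent_socket")
    return sorted(hits)


EVENTS = [  # constructed sample events
    {"os": "windows", "image": "C:\\Windows\\System32\\tscon.exe",       # hijack
     "command_line": "tscon.exe 2 /dest:console", "user": "NT AUTHORITY\\SYSTEM"},
    {"os": "windows", "image": "C:\\Windows\\System32\\tscon.exe",       # helpdesk
     "command_line": "tscon.exe 2 /dest:console /password:*", "user": "CORP\\helpdesk01"},
    {"os": "linux", "uid": 1001,                                         # bob borrows alice's sockets
     "argv": ["/usr/bin/ssh", "-o", "ControlPath=/home/alice/.ssh/cm-prod", "prod01"],
     "env": {"SSH_AUTH_SOCK": "/tmp/ssh-XYZ1000/agent.4242"}, "opened": []},
    {"os": "linux", "uid": 1000,                                         # alice, benign
     "argv": ["/usr/bin/ssh", "-S", "/home/alice/.ssh/cm-prod", "prod01"],
     "env": {"SSH_AUTH_SOCK": "/tmp/ssh-XYZ1000/agent.4242"}, "opened": []},
    {"os": "linux", "uid": 0, "argv": ["/usr/bin/python3", "snoop.py"],  # root reads alice's tty
     "env": {}, "opened": ["/dev/pts/3"]},
]


def triage(events: List[dict]) -> List[tuple]:
    """(actor, hits) for every event carrying at least one indicator."""
    out = []
    for ev in events:
        hits = check_windows(ev) if ev["os"] == "windows" else check_linux(ev)
        if hits:
            out.append((ev.get("user", ev.get("uid")), hits))
    return out
```

triage(EVENTS) reports four of the five events. The helpdesk reconnect is still listed because tscon ran, but without tscon_as_system it corresponds to the first false-positive entry above and should be scored lower; alice's own multiplexed connection produces nothing because the sockets are hers, which is how the ownership check keeps legitimate agent forwarding and ControlMaster use out of the alert stream.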
