MITRE Technique [T1021.008] Remote Services: Direct Cloud VM Connections

[T1021.008] Remote Services: Direct Cloud VM Connections – Adversaries can use valid credentials or stolen keys to connect directly to cloud-hosted virtual machines using provider-native consoles and APIs, gaining interactive root or SYSTEM access to pivot and persist. Protecting cloud access paths and monitoring session activity are critical. #CloudSecurity #LateralMovement

Keypoints

  • Attackers use valid accounts or keys to access cloud VMs via native consoles like Azure Serial Console or AWS EC2 Instance Connect.
  • Connections often provide interactive console access with SYSTEM/root privileges by default.
  • Authentication vectors include passwords, application tokens, and SSH keys, which can be stolen or abused.
  • Monitor cloud API calls, session creation logs, and privileged session activity for detection.
  • Harden access with MFA, least privilege, key rotation, session recording, and strict IAM policies.

Description:

  • Like opening a building’s master control room through a backdoor, direct cloud VM connections give someone immediate, hands-on control of a virtual host as if they were at the console.
  • This technique uses cloud-native interactive methods (console/API) to log directly into VMs with valid credentials or keys, enabling adversaries to execute commands interactively, obtain privileged access, move laterally, and persist; it matters because these connections often bypass host-level protections and leave limited local audit trails.

Detection:

  • Collect and monitor cloud API, management plane, and instance connection logs (e.g., AWS CloudTrail, AWS Systems Manager Session Manager logs, Azure Activity Logs, Azure Serial Console access logs). Watch for uncommon session initiation events.
  • Alert on interactive console/session creation from unusual sources, new geographic locations, or times inconsistent with normal operations. Correlate with user risk scores and recent credential-related alerts.
  • Inspect authentication types in logs. Flag session starts using SSH keys or access tokens that were recently created, rotated, or used from different principals than usual.
  • Enable and analyze host-level authentication and session logs (guest OS auth, sudo/su usage, auth.log, Windows Security Event Log Event ID 4624) to correlate cloud console sessions with local logon sessions and suspicious privilege escalation.
  • Use session recording and command logging where available (Systems Manager Session Manager, Azure Bastion / AD-enabled access) to review executed commands and detect malicious activity. Retain recordings for forensic analysis.
  • Watch for indicators of credential compromise before and during sessions: password reset requests, MFA failures, anomalous token exchange, or IAM policy changes granting elevated permissions. Combine with SIEM UEBA to reduce false positives.
  • Deploy anomaly detection for rare instance access patterns, such as console connections to ephemeral or sensitive VMs, reuse of service account credentials, or connections from automation roles. Tune rules to ignore legitimate automation and document exceptions to reduce alert fatigue.
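The detection bullets above can be turned into a small rule engine. The following is an added example, not part of the MITRE page or any vendor tooling: it runs the "unusual source", "outside normal hours", "recently created key", "unexpected principal for this instance", and "interactive session from an automation role" checks over a few constructed CloudTrail-style records. The event names used (`SendSSHPublicKey`, `SendSerialConsoleSSHPublicKey` from EC2 Instance Connect, `StartSession` from Systems Manager) are real AWS API actions that open an interactive path into an instance; the baseline (trusted network range, working hours, expected principals, key creation times) and the sample events are assumptions made up for the demonstration.

```python
"""Toy T1021.008 detector over CloudTrail-style events (constructed sample data)."""
import ipaddress
from datetime import datetime, timedelta

# Management-plane calls that open an interactive session into an EC2 instance.
INTERACTIVE_VM_CONNECT = {
    ("ec2-instance-connect.amazonaws.com", "SendSSHPublicKey"),
    ("ec2-instance-connect.amazonaws.com", "SendSerialConsoleSSHPublicKey"),
    ("ssm.amazonaws.com", "StartSession"),
}

def _ts(s):  # CloudTrail eventTime is ISO-8601 with a trailing 'Z'
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

# Hypothetical baseline an analyst would derive from historical logs / IAM data.
BASELINE = {
    "trusted_networks": [ipaddress.ip_network("203.0.113.0/24")],  # corporate egress (assumed)
    "work_hours_utc": (7, 19),
    "expected_principals": {"i-0aaa111": {"arn:aws:iam::111122223333:user/alice"}},
    "key_created": {  # access key id -> creation time (assumed, would come from IAM)
        "AKIAEXAMPLEALICE": _ts("2024-01-10T09:00:00Z"),
        "AKIAEXAMPLEBOB": _ts("2024-05-02T01:00:00Z"),
    },
    "new_key_window": timedelta(hours=24),
}

def evaluate_event(ev, baseline=BASELINE):
    """Return the reasons an event looks suspicious; an empty list means benign."""
    if (ev.get("eventSource"), ev.get("eventName")) not in INTERACTIVE_VM_CONNECT:
        return []  # not a direct-VM-connection event; ignore
    ident = ev.get("userIdentity", {})
    principal = ident.get("arn", "")
    ip = ev.get("sourceIPAddress", "")
    instance = (ev.get("requestParameters") or {}).get("instanceId", "?")
    when = _ts(ev["eventTime"])
    reasons = []

    # 1. Session initiated from outside the networks operators normally use.
    if not any(ipaddress.ip_address(ip) in net for net in baseline["trusted_networks"]):
        reasons.append(f"source {ip} outside trusted networks")
    # 2. Session initiated outside normal working hours.
    start, end = baseline["work_hours_utc"]
    if not start <= when.hour < end:
        reasons.append(f"session at {when:%H:%M}Z outside working hours")
    # 3. Credential (access key) created shortly before use.
    created = baseline["key_created"].get(ident.get("accessKeyId", ""))
    if created and when - created < baseline["new_key_window"]:
        reasons.append("access key created less than 24h before the session")
    # 4. Principal that does not normally connect to this instance.
    if principal not in baseline["expected_principals"].get(instance, set()):
        reasons.append(f"{principal} does not normally connect to {instance}")
    # 5. Automation roles should not open interactive sessions.
    if ident.get("type") == "AssumedRole" and "automation" in principal.lower():
        reasons.append("interactive session from an automation role")
    return reasons

def scan(events, baseline=BASELINE):
    """Map each flagged event's eventID to its list of reasons."""
    return {ev["eventID"]: r for ev in events if (r := evaluate_event(ev, baseline))}

# Constructed events modeled on CloudTrail's record layout (not real log data).
SAMPLE_EVENTS = [
    {"eventID": "evt-1", "eventTime": "2024-05-02T14:03:00Z",
     "eventSource": "ec2-instance-connect.amazonaws.com", "eventName": "SendSSHPublicKey",
     "sourceIPAddress": "203.0.113.20",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice",
                      "accessKeyId": "AKIAEXAMPLEALICE"},
     "requestParameters": {"instanceId": "i-0aaa111", "instanceOSUser": "ec2-user"}},
    {"eventID": "evt-2", "eventTime": "2024-05-02T03:14:00Z",
     "eventSource": "ec2-instance-connect.amazonaws.com",
     "eventName": "SendSerialConsoleSSHPublicKey", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob",
                      "accessKeyId": "AKIAEXAMPLEBOB"},
     "requestParameters": {"instanceId": "i-0aaa111"}},
    {"eventID": "evt-3", "eventTime": "2024-05-02T10:00:00Z",
     "eventSource": "ssm.amazonaws.com", "eventName": "StartSession",
     "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/automation-deploy/s1"},
     "requestParameters": {"target": "i-0aaa111", "instanceId": "i-0aaa111"}},
    {"eventID": "evt-4", "eventTime": "2024-05-02T10:05:00Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.9", "userIdentity": {"type": "IAMUser"}},
]

if __name__ == "__main__":
    for event_id, reasons in scan(SAMPLE_EVENTS).items():
        print(event_id, "->", "; ".join(reasons))
```

Each rule maps to one bullet in the list above; in practice the baseline would be populated from historical CloudTrail data and IAM key metadata, and the "expected principals" rule is where the documented exceptions for legitimate automation belong so it does not generate alert fatigue.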

Tactics:
Lateral Movement

Platforms:
IaaS

Data Sources:
Logon Session: Logon Session Creation


Read More: https://attack.mitre.org/techniques/T1021/008