T1021.007

Cloud Services

Adversaries may log into accessible cloud services within a compromised environment using Valid Accounts that are synchronized with or federated to on-premises user identities. Many enterprises federate user identities to cloud services (Azure AD/Entra ID, AWS, GCP, M365), allowing adversaries with compromised on-premises credentials to move laterally into cloud control planes. APT29 leveraged synced high-privileged accounts to move into Office 365/Azure. Storm-0501 abused Entra Connect Sync Server for hybrid lateral movement. Scattered Spider used existing AWS EC2 instances for lateral movement. Methods include cloud CLI tools (Connect-AZAccount, gcloud auth, aws configure), web console access, and Application Access Tokens.

Microsoft Sentinel / Defender

kusto

// Detect suspicious cloud service lateral movement from on-premises to cloud
// Pattern 1: Azure/M365 CLI authentication from suspicious processes
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (
    "Connect-AzAccount", "Connect-MgGraph", "Connect-ExchangeOnline",
    "az login", "az account", "aws configure", "aws sts",
    "gcloud auth login", "gcloud auth print-access-token"
  )
| extend CloudPlatform = case(
    ProcessCommandLine has_any ("Connect-Az", "Connect-Mg", "az login", "az account"), "Azure",
    ProcessCommandLine has_any ("aws configure", "aws sts", "aws cli"), "AWS",
    ProcessCommandLine has_any ("gcloud"), "GCP",
    "Unknown"
  )
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, CloudPlatform
| union (
    // Pattern 2: Sign-in from new location or impossible travel in Entra ID
    SigninLogs
    | where TimeGenerated > ago(24h)
    | where ResultType == "0"  // Successful signin
    | extend AppName = tostring(AppDisplayName)
    | extend Location = tostring(LocationDetails)
    | extend IsRisky = RiskLevelDuringSignIn in ("medium", "high")
    | where IsRisky == true or NetworkLocationDetails has "anonymizedIPAddress"
    | project TimeGenerated, UserPrincipalName, AppName, IPAddress, Location,
             RiskLevelDuringSignIn, ConditionalAccessStatus
)
| sort by TimeGenerated desc

high severity medium confidence

Data Sources

Logon Session: Logon Session Creation Cloud Service: Cloud Service Authentication Azure Active Directory: Entra ID Sign-in Logs

Required Tables

DeviceProcessEvents SigninLogs AuditLogs

False Positives

Developers and DevOps engineers legitimately using cloud CLI tools (az, aws, gcloud) from their workstations
CI/CD pipeline agents authenticating to cloud services for deployment automation
Cloud administrators performing routine management via cloud CLI from authorized workstations
Multi-cloud monitoring tools that authenticate to multiple cloud platforms to collect metrics
Azure Arc and hybrid management services that sync identities between on-premises and cloud environments

Splunk

spl

index=o365 OR index=azure OR index=aws (sourcetype="o365:management:activity" OR sourcetype="azure:monitor:aad:signin" OR sourcetype="aws:cloudtrail")
(
  sourcetype="azure:monitor:aad:signin"
  properties.status.errorCode=0
| eval UserUPN='properties.userPrincipalName'
| eval AppName='properties.appDisplayName'
| eval SourceIP='properties.ipAddress'
| eval RiskLevel='properties.riskLevelDuringSignIn'
| eval IsAnon=if(match('properties.networkLocationDetails', "anonymizedIP"), 1, 0)
| where RiskLevel IN ("medium", "high") OR IsAnon=1
| eval AlertType="AzureRiskySignin"
| table _time, UserUPN, AppName, SourceIP, RiskLevel, IsAnon, AlertType
)
OR
(
  sourcetype="o365:management:activity" Operation="UserLoggedIn"
  ResultStatus="Success"
| eval UserUPN=UserId
| eval ClientIP='ClientIP'
| eval AppName='ApplicationName'
| eval Country=mvindex(split('ClientInfoString', ";"), 0)
| stats dc(ClientIP) as UniqueIPs, values(ClientIP) as IPs by UserUPN, AppName
| where UniqueIPs >= 3
| eval AlertType="O365MultiIPLogin"
| table UserUPN, AppName, UniqueIPs, IPs, AlertType
)
OR
(
  sourcetype="aws:cloudtrail" eventName="ConsoleLogin" responseElements.ConsoleLogin="Success"
| eval UserArn='userIdentity.arn'
| eval SourceIP='sourceIPAddress'
| eval MFA='additionalEventData.MFAUsed'
| where MFA="No"
| eval AlertType="AWSConsoleLoginNoMFA"
| table _time, UserArn, SourceIP, MFA, AlertType
)

high severity medium confidence

Data Sources

Cloud Service: Cloud Service Authentication Azure AD Sign-in Logs Office 365 Audit Logs AWS CloudTrail

Required Sourcetypes

azure:monitor:aad:signin o365:management:activity aws:cloudtrail

False Positives

Developers using cloud CLI tools from their workstations
CI/CD pipeline agents authenticating to cloud services for deployment
Cloud administrators performing routine management via cloud CLI
Multi-cloud monitoring tools authenticating to multiple platforms
Legitimate travel causing geographic sign-in anomalies

Elastic Security (EQL)

eql

any where
  // Pattern 1: Cloud CLI tool execution on endpoints
  (
    event.category == "process" and event.type == "start" and
    process.command_line : (
      "*Connect-AzAccount*", "*Connect-MgGraph*", "*Connect-ExchangeOnline*",
      "*az login*", "*az account set*", "*aws configure*", "*aws sts*",
      "*gcloud auth login*", "*gcloud auth print-access-token*",
      "*gcloud auth application-default*"
    )
  ) or
  // Pattern 2: Risky Azure AD sign-in (via Filebeat azure module)
  (
    event.dataset == "azure.signinlogs" and
    azure.signinlogs.properties.status.error_code == 0 and
    (
      azure.signinlogs.properties.risk_level_during_sign_in in ("medium", "high") or
      azure.signinlogs.properties.network_location_details : "*anonymizedIP*"
    )
  ) or
  // Pattern 3: AWS Console login without MFA (via Filebeat aws module)
  (
    event.dataset == "aws.cloudtrail" and
    event.action == "ConsoleLogin" and
    aws.cloudtrail.flattened.response_elements.ConsoleLogin == "Success" and
    aws.cloudtrail.console_login.additional_event_data.mfa_used == "No"
  )

high severity medium confidence

Data Sources

Elastic Endpoint Security agent (process events via logs-endpoint.events.process-*) Winlogbeat (Windows Security Event 4688 or Sysmon Event ID 1 via winlogbeat-*) Filebeat azure module (SigninLogs via filebeat-*-azure.signinlogs) Filebeat aws module (CloudTrail via filebeat-*-aws.cloudtrail)

Required Tables

logs-endpoint.events.process-* winlogbeat-* filebeat-*

False Positives

Cloud engineers and DevOps teams routinely invoke az login, aws configure, and gcloud auth on managed workstations as part of daily development and deployment operations
Automated CI/CD agents (GitHub Actions runners, Jenkins build agents, Azure DevOps pipeline agents) execute cloud CLI authentication during scheduled build and release jobs
Azure AD Identity Protection risk scoring may flag legitimate users accessing from shared corporate VPN exit nodes, hotel Wi-Fi, or after travel to new geographic regions as medium risk

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  username,
  sourceip,
  QIDNAME(qid) AS EventName,
  CATEGORYNAME(category) AS EventCategory,
  "ProcessCommandLine",
  "CloudPlatform",
  "DetectionType"
FROM (
  -- Pattern 1: Cloud CLI tool execution from Windows Security or Sysmon process events
  SELECT starttime, logsourceid, username, sourceip, qid, category,
    "CommandLine" AS "ProcessCommandLine",
    CASE
      WHEN LOWER("CommandLine") ILIKE '%connect-azaccount%'
        OR LOWER("CommandLine") ILIKE '%connect-mggraph%'
        OR LOWER("CommandLine") ILIKE '%az login%'
        OR LOWER("CommandLine") ILIKE '%az account%' THEN 'Azure'
      WHEN LOWER("CommandLine") ILIKE '%aws configure%'
        OR LOWER("CommandLine") ILIKE '%aws sts%' THEN 'AWS'
      WHEN LOWER("CommandLine") ILIKE '%gcloud auth%' THEN 'GCP'
      ELSE 'Unknown'
    END AS "CloudPlatform",
    'CloudCLI_Execution' AS "DetectionType"
  FROM events
  WHERE LOGSOURCETYPEID IN (12, 13)
    AND (
      LOWER("CommandLine") ILIKE '%connect-azaccount%'
      OR LOWER("CommandLine") ILIKE '%connect-mggraph%'
      OR LOWER("CommandLine") ILIKE '%connect-exchangeonline%'
      OR LOWER("CommandLine") ILIKE '%az login%'
      OR LOWER("CommandLine") ILIKE '%aws configure%'
      OR LOWER("CommandLine") ILIKE '%aws sts%'
      OR LOWER("CommandLine") ILIKE '%gcloud auth%'
    )
    AND starttime > NOW() - 86400000
  UNION ALL
  -- Pattern 2: Risky Azure AD successful sign-in
  SELECT starttime, logsourceid, username, sourceip, qid, category,
    'AzureAD_Signin' AS "ProcessCommandLine",
    'Azure' AS "CloudPlatform",
    'RiskyAzureSignin' AS "DetectionType"
  FROM events
  WHERE LOGSOURCETYPEID = 397
    AND (
      "RiskLevelDuringSignIn" IN ('medium', 'high')
      OR "NetworkLocationDetails" ILIKE '%anonymizedIP%'
    )
    AND "ErrorCode" = '0'
    AND starttime > NOW() - 86400000
  UNION ALL
  -- Pattern 3: AWS Console login without MFA
  SELECT starttime, logsourceid, username, sourceip, qid, category,
    'AWSConsole_Login' AS "ProcessCommandLine",
    'AWS' AS "CloudPlatform",
    'AWSConsoleLoginNoMFA' AS "DetectionType"
  FROM events
  WHERE LOGSOURCETYPEID = 352
    AND QIDNAME(qid) ILIKE '%ConsoleLogin%'
    AND "responseElements" ILIKE '%"ConsoleLogin":"Success"%'
    AND "additionalEventData" NOT ILIKE '%"MFAUsed":"Yes"%'
    AND starttime > NOW() - 86400000
) combined
ORDER BY EventTime DESC

high severity medium confidence

Data Sources

Windows Security Event Log (Event ID 4688 - Process Creation, LOGSOURCETYPEID 12) Microsoft Windows Sysmon (Event ID 1 - Process Create, LOGSOURCETYPEID 13) Microsoft Azure Active Directory Sign-in Logs (LOGSOURCETYPEID 397) Amazon AWS CloudTrail (LOGSOURCETYPEID 352)

Required Tables

events (QRadar unified event table with LOGSOURCETYPEID 12 - Windows Security) events (LOGSOURCETYPEID 13 - Sysmon) events (LOGSOURCETYPEID 397 - Microsoft Azure Active Directory) events (LOGSOURCETYPEID 352 - Amazon AWS CloudTrail)

False Positives

Software development and DevOps teams perform cloud authentication daily via CLI tools as part of standard engineering workflows on managed endpoints
Automated ITSM, Terraform provisioning, and runbook scripts execute AWS CLI or Azure CLI commands during infrastructure management and maintenance windows
Corporate shared egress IPs or hub-and-spoke VPN architectures may cause risk-scored Azure AD sign-ins for multiple legitimate users sharing an exit node

Sumo Logic CSE

sql

(_sourceCategory=*Windows/Sysmon* OR _sourceCategory=*Windows/Security* OR _sourceCategory=*Azure/SignIn* OR _sourceCategory=*AWS/CloudTrail*)
| json auto maxdepth 5 nodrop
// Normalize command line field across log sources
| if (!isBlank(CommandLine), CommandLine,
    if (!isBlank(command_line), command_line,
      if (!isBlank(process.command_line), process.command_line, "")
    )
  ) as cmd_line
// Normalize actor field across log sources
| if (!isBlank(SubjectUserName), SubjectUserName,
    if (!isBlank(properties.userPrincipalName), properties.userPrincipalName,
      if (!isBlank(userIdentity.arn), userIdentity.arn, "-")
    )
  ) as actor
// Normalize source IP across log sources
| if (!isBlank(IpAddress), IpAddress,
    if (!isBlank(properties.ipAddress), properties.ipAddress,
      if (!isBlank(sourceIPAddress), sourceIPAddress, "-")
    )
  ) as src_ip
// Detection filter
| where
  // Pattern 1: Cloud CLI execution
  (
    cmd_line matches "*Connect-AzAccount*"
    OR cmd_line matches "*Connect-MgGraph*"
    OR cmd_line matches "*Connect-ExchangeOnline*"
    OR cmd_line matches "*az login*"
    OR cmd_line matches "*az account*"
    OR cmd_line matches "*aws configure*"
    OR cmd_line matches "*aws sts*"
    OR cmd_line matches "*gcloud auth*"
  )
  // Pattern 2: Risky Azure AD sign-in
  OR (
    !isBlank(properties.riskLevelDuringSignIn)
    AND (properties.riskLevelDuringSignIn = "medium" OR properties.riskLevelDuringSignIn = "high")
    AND properties.status.errorCode = 0
  )
  OR (
    !isBlank(properties.networkLocationDetails)
    AND properties.networkLocationDetails matches "*anonymizedIP*"
    AND properties.status.errorCode = 0
  )
  // Pattern 3: AWS Console login without MFA
  OR (
    eventName = "ConsoleLogin"
    AND responseElements.ConsoleLogin = "Success"
    AND additionalEventData.MFAUsed = "No"
  )
// Classify cloud platform
| if(
    cmd_line matches "*Connect-Az*" OR cmd_line matches "*az login*" OR cmd_line matches "*az account*" OR !isBlank(properties.riskLevelDuringSignIn),
    "Azure",
    if(cmd_line matches "*aws*" OR eventName = "ConsoleLogin", "AWS",
      if(cmd_line matches "*gcloud*", "GCP", "Unknown")
    )
  ) as CloudPlatform
// Classify detection type
| if(!isBlank(cmd_line) AND cmd_line != "", "CloudCLI_Execution",
    if(!isBlank(properties.riskLevelDuringSignIn) OR properties.networkLocationDetails matches "*anonymizedIP*",
      "RiskyAzureSignin", "AWSConsoleNoMFA")
  ) as DetectionType
| count by _sourceCategory, actor, src_ip, CloudPlatform, DetectionType, cmd_line
| sort by _count desc

high severity medium confidence

Data Sources

Windows Sysmon via Sumo Logic Windows agent (Sysmon Event ID 1, _sourceCategory=*Windows/Sysmon*) Windows Security Event Log via Sumo Logic agent (Event ID 4688, _sourceCategory=*Windows/Security*) Azure Sign-in Logs via Azure Monitor diagnostic settings export to Sumo Logic (_sourceCategory=*Azure/SignIn*) AWS CloudTrail via Sumo Logic AWS S3 integration (_sourceCategory=*AWS/CloudTrail*)

Required Tables

_sourceCategory=*Windows/Sysmon* or *Windows/Security* (endpoint process events) _sourceCategory=*Azure/SignIn* (Azure Monitor SigninLogs JSON) _sourceCategory=*AWS/CloudTrail* (CloudTrail JSON events from S3 or Kinesis)

False Positives

Cloud platform engineering teams and developers authenticate to Azure, AWS, and GCP via CLI tools as part of daily infrastructure and development work on managed corporate endpoints
Automated runbooks, Terraform and Ansible provisioning scripts, and CI/CD pipeline agents authenticate using service principals or IAM roles, frequently without MFA requirements
Azure Identity Protection risk scoring may flag legitimate users traveling internationally, accessing via split-tunnel VPN, or logging in from new devices as medium risk

Google Chronicle / SecOps

yaral

rule t1021_007_cloud_service_lateral_movement {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1021.007 cloud lateral movement: endpoint CLI tool execution (Azure/AWS/GCP), risky Azure AD sign-ins, or AWS Console login without MFA"
    mitre_attack_tactic = "Lateral Movement"
    mitre_attack_technique = "T1021.007"
    severity = "HIGH"
    confidence = "MEDIUM"
    reference = "https://attack.mitre.org/techniques/T1021/007/"
    platforms = "Windows, Linux, Azure, AWS, GCP"
    version = "1.0"

  events:
    // Pattern 1: Cloud CLI tool execution on monitored endpoint
    $cli_exec.metadata.event_type = "PROCESS_LAUNCH"
    re.regex(
      $cli_exec.target.process.command_line,
      `(?i)(Connect-AzAccount|Connect-MgGraph|Connect-ExchangeOnline|az\s+login|az\s+account\s+set|aws\s+configure|aws\s+sts|gcloud\s+auth\s+login|gcloud\s+auth\s+print-access-token|gcloud\s+auth\s+application-default)`
    )

    // Pattern 2: Risky Azure AD successful sign-in
    $risky_signin.metadata.event_type = "USER_LOGIN"
    $risky_signin.metadata.vendor_name = "Microsoft"
    $risky_signin.security_result.action = "ALLOW"
    $risky_signin.security_result.risk_score >= 50

    // Pattern 3: AWS Console login without MFA
    $aws_signin.metadata.event_type = "USER_LOGIN"
    $aws_signin.metadata.product_name = "AWS CloudTrail"
    $aws_signin.security_result.action = "ALLOW"
    not re.regex(
      $aws_signin.extensions.auth.auth_details,
      `(?i)MFAUsed.*Yes|mfa_used.*true`
    )

  condition:
    $cli_exec or $risky_signin or $aws_signin
}

high severity medium confidence

Data Sources

Chronicle Endpoint telemetry via Forwarder or EDR integration (PROCESS_LAUNCH UDM events) Microsoft Azure Active Directory Sign-in Logs via Chronicle Azure AD feed (USER_LOGIN UDM events) Amazon AWS CloudTrail via Chronicle AWS S3 log feed (USER_LOGIN UDM events)

Required Tables

UDM PROCESS_LAUNCH events (target.process.command_line, principal.hostname) UDM USER_LOGIN events from Microsoft vendor (security_result.risk_score, security_result.action) UDM USER_LOGIN events from AWS CloudTrail product (extensions.auth.auth_details, security_result.action)

False Positives

Cloud-native development teams and DevOps engineers legitimately run Connect-AzAccount, az login, aws configure, and gcloud auth daily on managed corporate endpoints enrolled in Chronicle telemetry
Azure Identity Protection assigns risk scores based on behavioral baselines; users returning from travel, working remotely for the first time, or enrolling new devices may receive risk_score >= 50
AWS IAM instance profile credentials attached to EC2 instances or Lambda functions may generate ConsoleLogin events lacking explicit MFA attestation when accessed via instance metadata service

CrowdStrike LogScale (CQL)

cql

// T1021.007 — Cloud Service Lateral Movement
// Requires: Full Command Line telemetry policy enabled in Falcon sensor config
#event_simpleName = ProcessRollup2
| regex(
    field=CommandLine,
    regex="(?i)(Connect-AzAccount|Connect-MgGraph|Connect-ExchangeOnline|az\\s+login|az\\s+account|aws\\s+configure|aws\\s+sts\\s+get-caller-identity|aws\\s+sts\\s+assume-role|gcloud\\s+auth\\s+login|gcloud\\s+auth\\s+print-access-token|gcloud\\s+auth\\s+application-default)"
  )
| CloudPlatform := case {
    CommandLine = /(?i)(Connect-Az|Connect-Mg|Connect-Exchange|az\s+login|az\s+account)/ => "Azure";
    CommandLine = /(?i)(aws\s+configure|aws\s+sts|aws\s+cli)/ => "AWS";
    CommandLine = /(?i)(gcloud)/ => "GCP";
    * => "Unknown"
  }
| ParentProcess := ParentBaseFileName
| SuspiciousParent := if(
    ParentBaseFileName = /(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe)/i,
    "true", "false"
  )
| groupBy(
    [ComputerName, UserName, FileName, CommandLine, CloudPlatform, ParentProcess, SuspiciousParent],
    function=count(as=ExecutionCount)
  )
| sort(field=ExecutionCount, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection (ProcessRollup2 events — requires Full Command Line policy enabled) CrowdStrike Falcon Discover (cloud account inventory and login activity, optional) CrowdStrike Falcon Horizon / CSPM (cloud posture and API activity events, optional)

Required Tables

ProcessRollup2 (#event_simpleName=ProcessRollup2, CommandLine, ParentBaseFileName, UserName, ComputerName, aid) Full Command Line data (Falcon sensor policy: Enable Full Command Line Capture must be ON)

False Positives

Cloud platform engineers and DevOps teams run Azure CLI, AWS CLI, and gcloud toolchains on Falcon-monitored workstations as part of infrastructure-as-code workflows and routine cloud operations
Developer workstations enrolled in cloud SDK auto-authentication programs (AWS credential_process helpers, gcloud application-default login flows, Azure CLI token cache refresh) may generate repeated CLI process events
Security operations tooling, threat intelligence platforms, and CSPM agents that programmatically call cloud provider APIs may internally invoke CLI authentication against cloud control planes, particularly on server-class endpoints

Last updated: 2026-04-13 Research depth: deep

References (8)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1021.007 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1021Remote Services

Related Sub-techniques

T1021.001Remote Desktop Protocol T1021.002SMB/Windows Admin Shares T1021.003Distributed Component Object Model T1021.004SSH T1021.005VNC T1021.006Windows Remote Management T1021.008Direct Cloud VM Connections

Cloud Services

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Lateral Movement

Popular Detections