Detect Cloud Services in Google Chronicle
Adversaries may log into accessible cloud services within a compromised environment using Valid Accounts that are synchronized with or federated to on-premises user identities. Many enterprises federate user identities to cloud services (Azure AD/Entra ID, AWS, GCP, M365), which lets an adversary holding compromised on-premises credentials move laterally into the cloud control plane. APT29 leveraged synced high-privileged accounts to move into Office 365/Azure. Storm-0501 abused the Entra Connect Sync server for hybrid lateral movement. Scattered Spider used existing AWS EC2 instances for lateral movement. Access methods include cloud CLI tools (Connect-AzAccount, gcloud auth, aws configure), web console access, and Application Access Tokens.
MITRE ATT&CK
- Tactic: Lateral Movement
- Technique: T1021 Remote Services
- Sub-technique: T1021.007 Cloud Services
- Canonical reference: https://attack.mitre.org/techniques/T1021/007/
YARA-L Detection Query
```
rule t1021_007_cloud_service_lateral_movement {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1021.007 cloud lateral movement: endpoint CLI tool execution (Azure/AWS/GCP), risky Azure AD sign-ins, or AWS Console login without MFA"
    mitre_attack_tactic = "Lateral Movement"
    mitre_attack_technique = "T1021.007"
    severity = "HIGH"
    confidence = "MEDIUM"
    reference = "https://attack.mitre.org/techniques/T1021/007/"
    platforms = "Windows, Linux, Azure, AWS, GCP"
    version = "1.0"

  events:
    // Pattern 1: Cloud CLI tool execution on monitored endpoint
    $cli_exec.metadata.event_type = "PROCESS_LAUNCH"
    re.regex(
      $cli_exec.target.process.command_line,
      `(?i)(Connect-AzAccount|Connect-MgGraph|Connect-ExchangeOnline|az\s+login|az\s+account\s+set|aws\s+configure|aws\s+sts|gcloud\s+auth\s+login|gcloud\s+auth\s+print-access-token|gcloud\s+auth\s+application-default)`
    )

    // Pattern 2: Risky Azure AD successful sign-in
    $risky_signin.metadata.event_type = "USER_LOGIN"
    $risky_signin.metadata.vendor_name = "Microsoft"
    $risky_signin.security_result.action = "ALLOW"
    $risky_signin.security_result.risk_score >= 50

    // Pattern 3: AWS Console login without MFA
    $aws_signin.metadata.event_type = "USER_LOGIN"
    $aws_signin.metadata.product_name = "AWS CloudTrail"
    $aws_signin.security_result.action = "ALLOW"
    not re.regex(
      $aws_signin.extensions.auth.auth_details,
      `(?i)MFAUsed.*Yes|mfa_used.*true`
    )

  condition:
    $cli_exec or $risky_signin or $aws_signin
}
```

This Chronicle YARA-L 2.0 rule detects T1021.007 across three independent UDM event patterns: (1) PROCESS_LAUNCH events whose target.process.command_line matches the RE2 regex of cloud CLI authentication commands, (2) USER_LOGIN events from Microsoft Azure AD with an ALLOW action and risk_score >= 50, indicating a medium- or high-risk sign-in, and (3) USER_LOGIN events from AWS CloudTrail with an ALLOW action where no MFA usage is recorded. Each event variable is independent: the rule fires if any single pattern matches. It requires Chronicle feeds configured for endpoint telemetry, Azure AD, and AWS CloudTrail.
Data Sources
Required Tables
False Positives & Tuning
- Cloud-native development teams and DevOps engineers legitimately run Connect-AzAccount, az login, aws configure, and gcloud auth daily on managed corporate endpoints enrolled in Chronicle telemetry
- Azure Identity Protection assigns risk scores based on behavioral baselines; users returning from travel, working remotely for the first time, or enrolling new devices may receive risk_score >= 50
- AWS IAM instance profile credentials attached to EC2 instances or Lambda functions may generate ConsoleLogin events lacking explicit MFA attestation when accessed via instance metadata service
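To see how the three patterns above behave on concrete events, and how the allowlist tuning implied by the first false-positive bullet changes the outcome, here is an added Python evaluator (written for this page, not Chronicle code and not part of the original rule) that mirrors the rule's logic over constructed UDM-style dicts. The flat field names, the `excluded_users` allowlist and the assumption that an absent field reads as an empty string or zero are mine.

```python
import re

# Regexes copied from the rule above; Python's re accepts the same (?i) syntax as RE2 here.
CLI_RE = re.compile(
    r"(?i)(Connect-AzAccount|Connect-MgGraph|Connect-ExchangeOnline|az\s+login|"
    r"az\s+account\s+set|aws\s+configure|aws\s+sts|gcloud\s+auth\s+login|"
    r"gcloud\s+auth\s+print-access-token|gcloud\s+auth\s+application-default)"
)
MFA_RE = re.compile(r"(?i)MFAUsed.*Yes|mfa_used.*true")

# Assumption: a missing UDM field is read as "" / 0, the way an unset field compares in the rule.
def match_cli_exec(ev):
    return ev.get("event_type") == "PROCESS_LAUNCH" and bool(CLI_RE.search(ev.get("command_line", "")))

def match_risky_signin(ev):
    return (ev.get("event_type") == "USER_LOGIN" and ev.get("vendor_name") == "Microsoft"
            and ev.get("action") == "ALLOW" and ev.get("risk_score", 0) >= 50)

def match_aws_signin(ev):
    # Fires whenever MFA evidence is absent, so a login with no auth_details at all also fires.
    return (ev.get("event_type") == "USER_LOGIN" and ev.get("product_name") == "AWS CloudTrail"
            and ev.get("action") == "ALLOW" and not MFA_RE.search(ev.get("auth_details", "")))

PATTERNS = (("cli_exec", match_cli_exec), ("risky_signin", match_risky_signin), ("aws_signin", match_aws_signin))

def evaluate(ev, excluded_users=frozenset()):
    """Name of the first pattern the event satisfies, or None; excluded_users is a tuning allowlist."""
    if ev.get("user", "").lower() in excluded_users:
        return None
    return next((name for name, fn in PATTERNS if fn(ev)), None)

# Constructed sample events (not real telemetry), keyed by a short id.
SAMPLE_EVENTS = {
    "e1": {"event_type": "PROCESS_LAUNCH", "user": "jdoe", "command_line": "cmd.exe /c az login --use-device-code"},
    "e2": {"event_type": "PROCESS_LAUNCH", "user": "jdoe", "command_line": "aws s3 ls"},
    "e3": {"event_type": "USER_LOGIN", "vendor_name": "Microsoft", "action": "ALLOW", "risk_score": 70, "user": "jdoe"},
    "e4": {"event_type": "USER_LOGIN", "vendor_name": "Microsoft", "action": "BLOCK", "risk_score": 90, "user": "jdoe"},
    "e5": {"event_type": "USER_LOGIN", "product_name": "AWS CloudTrail", "action": "ALLOW", "auth_details": "MFAUsed=Yes", "user": "jdoe"},
    "e6": {"event_type": "USER_LOGIN", "product_name": "AWS CloudTrail", "action": "ALLOW", "user": "jdoe"},
    "e7": {"event_type": "PROCESS_LAUNCH", "user": "devops-svc", "command_line": "gcloud auth login"},
}

def run(events=SAMPLE_EVENTS, excluded_users=frozenset({"devops-svc"})):
    """Return {event_id: pattern_name} for the events that would fire."""
    hits = {eid: evaluate(ev, excluded_users) for eid, ev in events.items()}
    return {eid: name for eid, name in hits.items() if name}
```

Note that e4 does not fire because the rule only looks at allowed sign-ins, and e6 fires only because no MFA evidence was recorded, which is exactly the instance-profile false positive described above.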
Other platforms for T1021.007
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Authenticate to Azure via Azure CLI from Compromised Endpoint
Expected signal: Sysmon Event ID 1: az.cmd (or az) process creation with 'login' in the command line. Sysmon Event ID 3: outbound HTTPS connections to login.microsoftonline.com. Azure AD SigninLogs entry for the authenticated user from the endpoint's IP address.
- Test 2: Authenticate to Azure PowerShell (Connect-AzAccount)
Expected signal: Sysmon Event ID 1: powershell.exe with Connect-AzAccount in the command line. Sysmon Event ID 3: HTTPS connections to login.microsoftonline.com and management.azure.com. Azure AD SigninLogs showing a PowerShell client sign-in.
- Test 3: Configure AWS CLI with Stolen Credentials
Expected signal: Linux auditd EXECVE for the aws CLI binary. File creation/modification of ~/.aws/credentials. HTTPS connection to sts.amazonaws.com. AWS CloudTrail event for the GetCallerIdentity API call from the source IP.
- Test 4: List and Access Cloud Resources After Authentication
Expected signal: Sysmon Event ID 1 for each az command execution. HTTPS connections to the management.azure.com API. Azure Activity Log: List operations for subscriptions, resources, and key vaults. Entra ID audit log for authenticated session activities.
References
- https://attack.mitre.org/techniques/T1021/007/
- https://learn.microsoft.com/en-us/cli/azure/
- https://learn.microsoft.com/en-us/powershell/azure/
- https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.007/T1021.007.md
- https://www.mandiant.com/resources/blog/remediation-hardening-strategies-microsoft-365
- https://www.microsoft.com/security/blog/2024/09/26/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/
- https://specterops.io/blog/credential-storage/