Detect Cloud Services in Elastic Security
Adversaries may log into accessible cloud services within a compromised environment using Valid Accounts that are synchronized with or federated to on-premises user identities. Many enterprises federate user identities to cloud services (Azure AD/Entra ID, AWS, GCP, M365), allowing adversaries with compromised on-premises credentials to move laterally into cloud control planes. APT29 leveraged synced high-privileged accounts to move into Office 365/Azure. Storm-0501 abused Entra Connect Sync Server for hybrid lateral movement. Scattered Spider used existing AWS EC2 instances for lateral movement. Methods include cloud CLI tools (Connect-AZAccount, gcloud auth, aws configure), web console access, and Application Access Tokens.
MITRE ATT&CK
- Tactic
- Lateral Movement
- Technique
- T1021 Remote Services
- Sub-technique
- T1021.007 Cloud Services
- Canonical reference
- https://attack.mitre.org/techniques/T1021/007/
Elastic Detection Query
any where
// Pattern 1: Cloud CLI tool execution on endpoints
(
event.category == "process" and event.type == "start" and
process.command_line : (
"*Connect-AzAccount*", "*Connect-MgGraph*", "*Connect-ExchangeOnline*",
"*az login*", "*az account set*", "*aws configure*", "*aws sts*",
"*gcloud auth login*", "*gcloud auth print-access-token*",
"*gcloud auth application-default*"
)
) or
// Pattern 2: Risky Azure AD sign-in (via Filebeat azure module)
(
event.dataset == "azure.signinlogs" and
azure.signinlogs.properties.status.error_code == 0 and
(
azure.signinlogs.properties.risk_level_during_sign_in in ("medium", "high") or
azure.signinlogs.properties.network_location_details : "*anonymizedIP*"
)
) or
// Pattern 3: AWS Console login without MFA (via Filebeat aws module)
(
event.dataset == "aws.cloudtrail" and
event.action == "ConsoleLogin" and
aws.cloudtrail.flattened.response_elements.ConsoleLogin == "Success" and
aws.cloudtrail.console_login.additional_event_data.mfa_used == "No"
)Detects T1021.007 cloud lateral movement via three patterns: (1) cloud CLI tool invocations (Azure PowerShell/CLI, AWS CLI, GCP CLI) from endpoint process telemetry via Elastic Endpoint agent or Winlogbeat, (2) medium/high risk Azure AD sign-ins with anonymized IP indicators from Filebeat azure module, and (3) AWS Console logins without MFA from CloudTrail via Filebeat aws module. The `any where` EQL construct allows firing on any of the three independent event patterns.
Data Sources
Required Tables
False Positives & Tuning
- Cloud engineers and DevOps teams routinely invoke az login, aws configure, and gcloud auth on managed workstations as part of daily development and deployment operations
- Automated CI/CD agents (GitHub Actions runners, Jenkins build agents, Azure DevOps pipeline agents) execute cloud CLI authentication during scheduled build and release jobs
- Azure AD Identity Protection risk scoring may flag legitimate users accessing from shared corporate VPN exit nodes, hotel Wi-Fi, or after travel to new geographic regions as medium risk
Other platforms for T1021.007
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Authenticate to Azure via Azure CLI from Compromised Endpoint
Expected signal: Sysmon Event ID 1: az.cmd (or az) process creation with 'login' in command line. Sysmon Event ID 3: outbound HTTPS connections to login.microsoftonline.com. Azure AD SigninLogs entry for the authenticated user from the endpoint's IP address.
- Test 2Authenticate to Azure PowerShell (Connect-AzAccount)
Expected signal: Sysmon Event ID 1: powershell.exe with Connect-AzAccount in command line. Sysmon Event ID 3: HTTPS connections to login.microsoftonline.com, management.azure.com. Azure AD SigninLogs showing PowerShell client sign-in.
- Test 3Configure AWS CLI with Stolen Credentials
Expected signal: Linux auditd EXECVE for aws CLI binary. File creation/modification of ~/.aws/credentials. HTTPS connection to sts.amazonaws.com. AWS CloudTrail event for GetCallerIdentity API call from the source IP.
- Test 4List and Access Cloud Resources After Authentication
Expected signal: Sysmon Event ID 1 for each az command execution. HTTPS connections to management.azure.com API. Azure Activity Log: List operations for subscriptions, resources, and key vaults. Entra ID audit log for authenticated session activities.
References (8)
- https://attack.mitre.org/techniques/T1021/007/
- https://learn.microsoft.com/en-us/cli/azure/
- https://learn.microsoft.com/en-us/powershell/azure/
- https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.007/T1021.007.md
- https://www.mandiant.com/resources/blog/remediation-hardening-strategies-microsoft-365
- https://www.microsoft.com/security/blog/2024/09/26/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/
- https://specterops.io/blog/credential-storage/
Unlock Pro Content
Get the full detection package for T1021.007 including response playbook, investigation guide, and atomic red team tests.