T1021.007 CrowdStrike LogScale · LogScale

Detect Cloud Services in CrowdStrike LogScale

Adversaries may log into accessible cloud services within a compromised environment using Valid Accounts that are synchronized with or federated to on-premises user identities. Many enterprises federate user identities to cloud services (Azure AD/Entra ID, AWS, GCP, M365), allowing adversaries with compromised on-premises credentials to move laterally into cloud control planes. APT29 leveraged synced high-privileged accounts to move into Office 365/Azure. Storm-0501 abused Entra Connect Sync Server for hybrid lateral movement. Scattered Spider used existing AWS EC2 instances for lateral movement. Methods include cloud CLI tools (Connect-AZAccount, gcloud auth, aws configure), web console access, and Application Access Tokens.

MITRE ATT&CK

Tactic: Lateral Movement
Technique: T1021 Remote Services
Sub-technique: T1021.007 Cloud Services
Canonical reference: https://attack.mitre.org/techniques/T1021/007/

LogScale Detection Query

CrowdStrike LogScale (LogScale) query, CQL:

// T1021.007 — Cloud Service Lateral Movement
// Requires: Full Command Line telemetry policy enabled in Falcon sensor config
#event_simpleName = ProcessRollup2
| regex(
    field=CommandLine,
    regex="(?i)(Connect-AzAccount|Connect-MgGraph|Connect-ExchangeOnline|az\\s+login|az\\s+account|aws\\s+configure|aws\\s+sts\\s+get-caller-identity|aws\\s+sts\\s+assume-role|gcloud\\s+auth\\s+login|gcloud\\s+auth\\s+print-access-token|gcloud\\s+auth\\s+application-default)"
  )
// case{} takes the first matching branch; each branch is "test | action"
| case {
    CommandLine = /(?i)(Connect-Az|Connect-Mg|Connect-Exchange|az\s+login|az\s+account)/ | CloudPlatform := "Azure";
    CommandLine = /(?i)(aws\s+configure|aws\s+sts|aws\s+cli)/ | CloudPlatform := "AWS";
    CommandLine = /(?i)(gcloud)/ | CloudPlatform := "GCP";
    * | CloudPlatform := "Unknown"
  }
| ParentProcess := ParentBaseFileName
| SuspiciousParent := if(
    ParentBaseFileName = /(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe)/i,
    then="true", else="false"
  )
| groupBy(
    [ComputerName, UserName, FileName, CommandLine, CloudPlatform, ParentProcess, SuspiciousParent],
    function=count(as=ExecutionCount)
  )
| sort(field=ExecutionCount, order=desc)

Severity: high. Confidence: medium.

Detects T1021.007 cloud lateral movement using CrowdStrike Falcon ProcessRollup2 endpoint telemetry. Identifies execution of Azure PowerShell (Connect-AzAccount, Connect-MgGraph, Connect-ExchangeOnline), Azure CLI (az login, az account), AWS CLI (aws configure, aws sts), and GCP CLI (gcloud auth) authentication commands. Enriches matches with parent process context and flags executions spawned from suspicious parents (cmd.exe, wscript.exe, mshta.exe, rundll32.exe) as higher fidelity indicators. For cloud-side sign-in anomalies (risky Azure AD logins, AWS Console without MFA), supplement with Falcon Discover or Falcon Horizon CSPM telemetry.

Data Sources

  • CrowdStrike Falcon Endpoint Protection (ProcessRollup2 events; requires Full Command Line policy enabled)
  • CrowdStrike Falcon Discover (cloud account inventory and login activity, optional)
  • CrowdStrike Falcon Horizon / CSPM (cloud posture and API activity events, optional)

Required Tables

  • ProcessRollup2 (#event_simpleName=ProcessRollup2, CommandLine, ParentBaseFileName, UserName, ComputerName, aid)
  • Full Command Line data (Falcon sensor policy: Enable Full Command Line Capture must be ON)

False Positives & Tuning

  • Cloud platform engineers and DevOps teams run Azure CLI, AWS CLI, and gcloud toolchains on Falcon-monitored workstations as part of infrastructure-as-code workflows and routine cloud operations
  • Developer workstations enrolled in cloud SDK auto-authentication programs (AWS credential_process helpers, gcloud application-default login flows, Azure CLI token cache refresh) may generate repeated CLI process events
  • Security operations tooling, threat intelligence platforms, and CSPM agents that programmatically call cloud provider APIs may internally invoke CLI authentication against cloud control planes, particularly on server-class endpoints
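The query's command matching, platform classification, suspicious-parent flag and groupBy(), together with the per-host/per-user allowlisting the tuning notes above call for, reimplemented in Python over constructed ProcessRollup2-style records so the logic can be exercised offline. This is an added example, not the page's query or CrowdStrike code; field names follow the query, while the sample events and the allowlist pair are constructed.

```python
import re
from collections import Counter

# Same CommandLine patterns as the LogScale query (case-insensitive).
AUTH_CMD = re.compile(
    r"(?i)(Connect-AzAccount|Connect-MgGraph|Connect-ExchangeOnline|az\s+login|az\s+account"
    r"|aws\s+configure|aws\s+sts\s+get-caller-identity|aws\s+sts\s+assume-role"
    r"|gcloud\s+auth\s+login|gcloud\s+auth\s+print-access-token|gcloud\s+auth\s+application-default)")
# First matching branch wins, mirroring the query's case{} block.
PLATFORM_RULES = [
    ("Azure", re.compile(r"(?i)(Connect-Az|Connect-Mg|Connect-Exchange|az\s+login|az\s+account)")),
    ("AWS", re.compile(r"(?i)(aws\s+configure|aws\s+sts|aws\s+cli)")),
    ("GCP", re.compile(r"(?i)gcloud")),
]
SUSPICIOUS_PARENT = re.compile(
    r"(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe)", re.I)

def classify_platform(cmdline):
    for name, rx in PLATFORM_RULES:
        if rx.search(cmdline):
            return name
    return "Unknown"

def detect(events, allowlist=frozenset()):
    """Filter, enrich and group like the query; allowlist = (ComputerName, UserName) pairs to drop."""
    counts = Counter()
    for ev in events:
        cmd = ev.get("CommandLine", "")
        if ev.get("#event_simpleName") != "ProcessRollup2" or not AUTH_CMD.search(cmd):
            continue
        if (ev["ComputerName"], ev["UserName"]) in allowlist:  # tuning: known DevOps/CI identities
            continue
        parent = ev["ParentBaseFileName"]
        counts[(ev["ComputerName"], ev["UserName"], ev["FileName"], cmd,
                classify_platform(cmd), parent,
                "true" if SUSPICIOUS_PARENT.search(parent) else "false")] += 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)  # ExecutionCount desc

def pr2(host, user, fname, cmd, parent, kind="ProcessRollup2"):
    # Build a constructed event record carrying only the fields the query uses.
    return {"#event_simpleName": kind, "ComputerName": host, "UserName": user,
            "FileName": fname, "CommandLine": cmd, "ParentBaseFileName": parent}

SAMPLE_EVENTS = [  # constructed sample telemetry, not real Falcon data
    pr2("WKS-042", "jdoe", "powershell.exe", "powershell.exe -nop -c Connect-AzAccount", "mshta.exe"),
    pr2("DEVOPS-01", "svc_terraform", "aws.exe", "aws sts get-caller-identity", "explorer.exe"),
    pr2("DEVOPS-01", "svc_terraform", "aws.exe", "aws sts get-caller-identity", "explorer.exe"),
    pr2("WKS-042", "jdoe", "notepad.exe", "notepad.exe readme.txt", "explorer.exe"),
    pr2("WKS-042", "jdoe", "az.cmd", "az login", "cmd.exe", kind="NetworkConnectIP4"),
]
```

Calling `detect(SAMPLE_EVENTS)` yields the DevOps AWS group with ExecutionCount 2 first and the mshta.exe-spawned Connect-AzAccount group flagged SuspiciousParent="true"; passing `allowlist={("DEVOPS-01", "svc_terraform")}` leaves only the latter.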

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Authenticate to Azure via Azure CLI from a Compromised Endpoint

    Expected signal: Sysmon Event ID 1: az.cmd (or az) process creation with 'login' in command line. Sysmon Event ID 3: outbound HTTPS connections to login.microsoftonline.com. Azure AD SigninLogs entry for the authenticated user from the endpoint's IP address.

  2. Test 2: Authenticate to Azure PowerShell (Connect-AzAccount)

    Expected signal: Sysmon Event ID 1: powershell.exe with Connect-AzAccount in command line. Sysmon Event ID 3: HTTPS connections to login.microsoftonline.com, management.azure.com. Azure AD SigninLogs showing PowerShell client sign-in.

  3. Test 3: Configure AWS CLI with Stolen Credentials

    Expected signal: Linux auditd EXECVE for aws CLI binary. File creation/modification of ~/.aws/credentials. HTTPS connection to sts.amazonaws.com. AWS CloudTrail event for GetCallerIdentity API call from the source IP.

  4. Test 4: List and Access Cloud Resources After Authentication

    Expected signal: Sysmon Event ID 1 for each az command execution. HTTPS connections to management.azure.com API. Azure Activity Log: List operations for subscriptions, resources, and key vaults. Entra ID audit log for authenticated session activities.
