T1021.007 IBM QRadar · QRadar

Detect Cloud Services in IBM QRadar

Adversaries may log into accessible cloud services within a compromised environment using Valid Accounts that are synchronized with or federated to on-premises user identities. Many enterprises federate user identities to cloud services (Azure AD/Entra ID, AWS, GCP, M365), so an adversary holding compromised on-premises credentials can move laterally into the cloud control plane. APT29 leveraged synced high-privileged accounts to move into Office 365/Azure; Storm-0501 abused an Entra Connect Sync server for hybrid lateral movement; Scattered Spider used existing AWS EC2 instances for lateral movement. Access methods include cloud CLI tools (Connect-AzAccount, gcloud auth, aws configure), the web console, and Application Access Tokens.

MITRE ATT&CK

Tactic
Lateral Movement
Technique
T1021 Remote Services
Sub-technique
T1021.007 Cloud Services
Canonical reference
https://attack.mitre.org/techniques/T1021/007/

QRadar Detection Query

IBM QRadar (QRadar)
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  username,
  sourceip,
  QIDNAME(qid) AS EventName,
  CATEGORYNAME(category) AS EventCategory,
  "ProcessCommandLine",
  "CloudPlatform",
  "DetectionType"
FROM (
  -- Pattern 1: cloud CLI / PowerShell authentication commands in Windows Security (4688)
  -- or Sysmon (Event ID 1) process events. devicetype holds the log source type ID.
  -- ILIKE is already case-insensitive, so no LOWER() is needed. "CommandLine" is a
  -- custom event property; substitute your site's property name if it differs.
  SELECT starttime, logsourceid, username, sourceip, qid, category,
    "CommandLine" AS "ProcessCommandLine",
    CASE
      WHEN "CommandLine" ILIKE '%connect-azaccount%'
        OR "CommandLine" ILIKE '%connect-mggraph%'
        OR "CommandLine" ILIKE '%connect-exchangeonline%'
        OR "CommandLine" ILIKE '%az login%'
        OR "CommandLine" ILIKE '%az account%' THEN 'Azure'
      WHEN "CommandLine" ILIKE '%aws configure%'
        OR "CommandLine" ILIKE '%aws sts%' THEN 'AWS'
      WHEN "CommandLine" ILIKE '%gcloud auth%' THEN 'GCP'
      ELSE 'Unknown'
    END AS "CloudPlatform",
    'CloudCLI_Execution' AS "DetectionType"
  FROM events
  WHERE devicetype IN (12, 13)
    AND (
      "CommandLine" ILIKE '%connect-azaccount%'
      OR "CommandLine" ILIKE '%connect-mggraph%'
      OR "CommandLine" ILIKE '%connect-exchangeonline%'
      OR "CommandLine" ILIKE '%az login%'
      OR "CommandLine" ILIKE '%az account%'
      OR "CommandLine" ILIKE '%aws configure%'
      OR "CommandLine" ILIKE '%aws sts%'
      OR "CommandLine" ILIKE '%gcloud auth%'
    )
    AND starttime > NOW() - 86400000   -- last 24 hours; NOW() is in milliseconds
  UNION ALL
  -- Pattern 2: successful Azure AD sign-in that was risk-scored or came via an anonymizing IP
  SELECT starttime, logsourceid, username, sourceip, qid, category,
    'AzureAD_Signin' AS "ProcessCommandLine",
    'Azure' AS "CloudPlatform",
    'RiskyAzureSignin' AS "DetectionType"
  FROM events
  WHERE devicetype = 397
    AND (
      "RiskLevelDuringSignIn" IN ('medium', 'high')
      OR "NetworkLocationDetails" ILIKE '%anonymizedIP%'
    )
    AND "ErrorCode" = '0'   -- only sign-ins that actually succeeded
    AND starttime > NOW() - 86400000
  UNION ALL
  -- Pattern 3: successful AWS console login with no MFA recorded. Raw CloudTrail JSON
  -- puts a space after the colon, so both spellings are matched, and a missing
  -- additionalEventData counts as "no MFA evidence" instead of being dropped by NULL.
  SELECT starttime, logsourceid, username, sourceip, qid, category,
    'AWSConsole_Login' AS "ProcessCommandLine",
    'AWS' AS "CloudPlatform",
    'AWSConsoleLoginNoMFA' AS "DetectionType"
  FROM events
  WHERE devicetype = 352
    AND QIDNAME(qid) ILIKE '%ConsoleLogin%'
    AND (
      "responseElements" ILIKE '%"ConsoleLogin":"Success"%'
      OR "responseElements" ILIKE '%"ConsoleLogin": "Success"%'
    )
    AND (
      "additionalEventData" IS NULL
      OR NOT (
        "additionalEventData" ILIKE '%"MFAUsed":"Yes"%'
        OR "additionalEventData" ILIKE '%"MFAUsed": "Yes"%'
      )
    )
    AND starttime > NOW() - 86400000
) combined
ORDER BY EventTime DESC
Severity
high
Confidence
medium

Detects T1021.007 cloud lateral movement across three QRadar DSM log source types, combined with UNION ALL: Windows Security/Sysmon (log source type ID 12/13) for cloud CLI process invocations, Microsoft Azure Active Directory (397) for risky successful sign-ins, and Amazon AWS CloudTrail (352) for console logins without MFA. The log source type ID lives in the events table's devicetype field; the values shown are standard defaults and may require adjustment for site-specific QRadar DSM configurations. The custom event properties the query relies on (CommandLine, RiskLevelDuringSignIn, NetworkLocationDetails, ErrorCode, responseElements, additionalEventData) must exist and be parsed for the corresponding log sources, or the affected pattern silently returns nothing.

Data Sources

  • Windows Security Event Log (Event ID 4688 - Process Creation, log source type ID 12)
  • Microsoft Windows Sysmon (Event ID 1 - Process Create, log source type ID 13)
  • Microsoft Azure Active Directory Sign-in Logs (log source type ID 397)
  • Amazon AWS CloudTrail (log source type ID 352)

Required Tables

  • events (QRadar unified event table, log source type ID 12 - Windows Security)
  • events (log source type ID 13 - Sysmon)
  • events (log source type ID 397 - Microsoft Azure Active Directory)
  • events (log source type ID 352 - Amazon AWS CloudTrail)

False Positives & Tuning

  • Software development and DevOps teams perform cloud authentication daily via CLI tools as part of standard engineering workflows on managed endpoints
  • Automated ITSM, Terraform provisioning, and runbook scripts execute AWS CLI or Azure CLI commands during infrastructure management and maintenance windows
  • Corporate shared egress IPs or hub-and-spoke VPN architectures may cause risk-scored Azure AD sign-ins for multiple legitimate users sharing an exit node
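The three detection patterns of the query above, together with the tuning points from the false-positive list, as an added Python reference implementation run over constructed sample events. This is not code from the page or from IBM: the event dicts stand in for QRadar's normalized properties, and the allow-listed provisioning account svc-terraform and the 10.10.5.0/24 managed DevOps subnet are hypothetical tuning values. It also exercises the two edge cases the AQL has to cope with: the space raw CloudTrail JSON puts after a colon, and a ConsoleLogin record whose additionalEventData is absent.

```python
import ipaddress
import re

# Log source type IDs the page's AQL query filters on (site defaults; adjust locally)
WINDOWS_SECURITY, SYSMON, AZURE_AD, AWS_CLOUDTRAIL = 12, 13, 397, 352

# Pattern 1: authentication commands of the cloud CLI / PowerShell tooling, per platform
CLI_PATTERNS = (
    ("Azure", ("connect-azaccount", "connect-mggraph", "connect-exchangeonline",
               "az login", "az account")),
    ("AWS", ("aws configure", "aws sts")),
    ("GCP", ("gcloud auth",)),
)

# Hypothetical tuning allow-lists (constructed for this example, not from the page)
ALLOWED_CLI_ACCOUNTS = {"svc-terraform"}                      # runbook/Terraform identity
ALLOWED_CLI_SUBNETS = (ipaddress.ip_network("10.10.5.0/24"),)  # managed DevOps endpoints


def json_flag(blob, key, value):
    """True if a JSON-ish text contains "key":"value", tolerating the space raw
    CloudTrail puts after the colon. A missing/None blob never matches."""
    if not blob:
        return False
    pattern = r'"%s"\s*:\s*"%s"' % (re.escape(key), re.escape(value))
    return re.search(pattern, blob, re.IGNORECASE) is not None


def classify(event):
    """Apply the three patterns to one event; (DetectionType, CloudPlatform) or None."""
    dt = event.get("devicetype")
    if dt in (WINDOWS_SECURITY, SYSMON):
        cmd = (event.get("CommandLine") or "").lower()
        for platform, needles in CLI_PATTERNS:
            if any(n in cmd for n in needles):
                return ("CloudCLI_Execution", platform)
    elif dt == AZURE_AD:
        risky = event.get("RiskLevelDuringSignIn") in ("medium", "high")
        anon = "anonymizedip" in (event.get("NetworkLocationDetails") or "").lower()
        # ErrorCode 0 = the sign-in succeeded; risky failures are not lateral movement
        if (risky or anon) and str(event.get("ErrorCode")) == "0":
            return ("RiskyAzureSignin", "Azure")
    elif dt == AWS_CLOUDTRAIL:
        # Absent additionalEventData is treated as "no MFA evidence", i.e. still a hit
        if ("consolelogin" in (event.get("qidname") or "").lower()
                and json_flag(event.get("responseElements"), "ConsoleLogin", "Success")
                and not json_flag(event.get("additionalEventData"), "MFAUsed", "Yes")):
            return ("AWSConsoleLoginNoMFA", "AWS")
    return None


def is_allowlisted(event, detection_type):
    """Tuning: suppress CLI executions by the provisioning identity or from managed
    DevOps endpoints. Risky sign-ins and no-MFA console logins are never suppressed."""
    if detection_type != "CloudCLI_Execution":
        return False
    if event.get("username") in ALLOWED_CLI_ACCOUNTS:
        return True
    src = ipaddress.ip_address(event.get("sourceip", "0.0.0.0"))
    return any(src in net for net in ALLOWED_CLI_SUBNETS)


def run_detection(events):
    """Rows the query's outer SELECT would surface, after tuning is applied."""
    hits = []
    for ev in events:
        match = classify(ev)
        if match and not is_allowlisted(ev, match[0]):
            hits.append({"username": ev["username"], "sourceip": ev["sourceip"],
                         "DetectionType": match[0], "CloudPlatform": match[1]})
    return hits


# Constructed sample events standing in for QRadar's normalized properties
SAMPLE_EVENTS = [
    {"devicetype": SYSMON, "username": "jdoe", "sourceip": "10.20.1.15",
     "CommandLine": "powershell.exe -NoP -c Connect-AzAccount -Credential $c"},
    {"devicetype": WINDOWS_SECURITY, "username": "svc-terraform", "sourceip": "10.30.0.8",
     "CommandLine": "aws configure set aws_access_key_id AKIA_PLACEHOLDER"},
    {"devicetype": SYSMON, "username": "dev1", "sourceip": "10.10.5.22",
     "CommandLine": "az login --service-principal -u app -p secret"},
    {"devicetype": SYSMON, "username": "jdoe", "sourceip": "10.20.1.15",
     "CommandLine": "notepad.exe report.txt"},
    {"devicetype": AZURE_AD, "username": "jdoe", "sourceip": "203.0.113.5",
     "RiskLevelDuringSignIn": "high", "NetworkLocationDetails": "", "ErrorCode": "0"},
    {"devicetype": AZURE_AD, "username": "jdoe", "sourceip": "203.0.113.5",
     "RiskLevelDuringSignIn": "high", "NetworkLocationDetails": "", "ErrorCode": "50126"},
    {"devicetype": AWS_CLOUDTRAIL, "username": "jdoe", "sourceip": "203.0.113.5",
     "qidname": "ConsoleLogin", "responseElements": '{"ConsoleLogin": "Success"}',
     "additionalEventData": '{"MobileVersion": "No", "MFAUsed": "No"}'},
    {"devicetype": AWS_CLOUDTRAIL, "username": "admin", "sourceip": "198.51.100.9",
     "qidname": "ConsoleLogin", "responseElements": '{"ConsoleLogin":"Success"}',
     "additionalEventData": '{"MobileVersion":"No","MFAUsed":"Yes"}'},
    {"devicetype": AWS_CLOUDTRAIL, "username": "root", "sourceip": "203.0.113.5",
     "qidname": "ConsoleLogin", "responseElements": '{"ConsoleLogin": "Success"}',
     "additionalEventData": None},
]

if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row)
```

Run directly, the block prints four rows: the Connect-AzAccount execution, the risky successful sign-in, and the two console logins with no MFA recorded (including the one with no additionalEventData at all). The aws configure run by svc-terraform and the az login from the DevOps subnet are suppressed, but the allow-list is deliberately scoped to the CLI pattern only, so a risky sign-in or MFA-less console login by the same identities would still surface.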

Testing Methodology

Validate this detection against four Atomic Red Team test cases. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Authenticate to Azure via Azure CLI from Compromised Endpoint

    Expected signal: Sysmon Event ID 1: az.cmd (or az) process creation with 'login' in command line. Sysmon Event ID 3: outbound HTTPS connections to login.microsoftonline.com. Azure AD SigninLogs entry for the authenticated user from the endpoint's IP address.

  2. Test 2: Authenticate to Azure PowerShell (Connect-AzAccount)

    Expected signal: Sysmon Event ID 1: powershell.exe with Connect-AzAccount in command line. Sysmon Event ID 3: HTTPS connections to login.microsoftonline.com, management.azure.com. Azure AD SigninLogs showing PowerShell client sign-in.

  3. Test 3: Configure AWS CLI with Stolen Credentials

    Expected signal: Linux auditd EXECVE for aws CLI binary. File creation/modification of ~/.aws/credentials. HTTPS connection to sts.amazonaws.com. AWS CloudTrail event for GetCallerIdentity API call from the source IP.

  4. Test 4: List and Access Cloud Resources After Authentication

    Expected signal: Sysmon Event ID 1 for each az command execution. HTTPS connections to management.azure.com API. Azure Activity Log: List operations for subscriptions, resources, and key vaults. Entra ID audit log for authenticated session activities.
