Detect Cloud Services in Microsoft Sentinel
Adversaries may log into accessible cloud services within a compromised environment using Valid Accounts that are synchronized with or federated to on-premises user identities. Many enterprises federate user identities to cloud services (Azure AD/Entra ID, AWS, GCP, M365), allowing adversaries with compromised on-premises credentials to move laterally into cloud control planes. APT29 leveraged synced high-privileged accounts to move into Office 365/Azure. Storm-0501 abused Entra Connect Sync Server for hybrid lateral movement. Scattered Spider used existing AWS EC2 instances for lateral movement. Methods include cloud CLI tools (Connect-AZAccount, gcloud auth, aws configure), web console access, and Application Access Tokens.
MITRE ATT&CK
- Tactic
- Lateral Movement
- Technique
- T1021 Remote Services
- Sub-technique
- T1021.007 Cloud Services
- Canonical reference
- https://attack.mitre.org/techniques/T1021/007/
KQL Detection Query
// Detect suspicious cloud service lateral movement from on-premises to cloud
// Pattern 1: Azure/M365 CLI authentication from suspicious processes
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (
"Connect-AzAccount", "Connect-MgGraph", "Connect-ExchangeOnline",
"az login", "az account", "aws configure", "aws sts",
"gcloud auth login", "gcloud auth print-access-token"
)
| extend CloudPlatform = case(
ProcessCommandLine has_any ("Connect-Az", "Connect-Mg", "az login", "az account"), "Azure",
ProcessCommandLine has_any ("aws configure", "aws sts", "aws cli"), "AWS",
ProcessCommandLine has_any ("gcloud"), "GCP",
"Unknown"
)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, CloudPlatform
| union (
// Pattern 2: Sign-in from new location or impossible travel in Entra ID
SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType == "0" // Successful signin
| extend AppName = tostring(AppDisplayName)
| extend Location = tostring(LocationDetails)
| extend IsRisky = RiskLevelDuringSignIn in ("medium", "high")
| where IsRisky == true or NetworkLocationDetails has "anonymizedIPAddress"
| project TimeGenerated, UserPrincipalName, AppName, IPAddress, Location,
RiskLevelDuringSignIn, ConditionalAccessStatus
)
| sort by TimeGenerated descDetects cloud service lateral movement via two patterns: on-premises process execution of cloud CLI authentication commands (Azure CLI, AWS CLI, GCP CLI, PowerShell Azure modules) indicating an adversary authenticating to cloud services from a compromised endpoint; and Entra ID sign-in logs showing risky or anonymized-IP sign-ins to cloud services. Uses DeviceProcessEvents and SigninLogs.
Data Sources
Required Tables
False Positives & Tuning
- Developers and DevOps engineers legitimately using cloud CLI tools (az, aws, gcloud) from their workstations
- CI/CD pipeline agents authenticating to cloud services for deployment automation
- Cloud administrators performing routine management via cloud CLI from authorized workstations
- Multi-cloud monitoring tools that authenticate to multiple cloud platforms to collect metrics
- Azure Arc and hybrid management services that sync identities between on-premises and cloud environments
Other platforms for T1021.007
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Authenticate to Azure via Azure CLI from Compromised Endpoint
Expected signal: Sysmon Event ID 1: az.cmd (or az) process creation with 'login' in command line. Sysmon Event ID 3: outbound HTTPS connections to login.microsoftonline.com. Azure AD SigninLogs entry for the authenticated user from the endpoint's IP address.
- Test 2Authenticate to Azure PowerShell (Connect-AzAccount)
Expected signal: Sysmon Event ID 1: powershell.exe with Connect-AzAccount in command line. Sysmon Event ID 3: HTTPS connections to login.microsoftonline.com, management.azure.com. Azure AD SigninLogs showing PowerShell client sign-in.
- Test 3Configure AWS CLI with Stolen Credentials
Expected signal: Linux auditd EXECVE for aws CLI binary. File creation/modification of ~/.aws/credentials. HTTPS connection to sts.amazonaws.com. AWS CloudTrail event for GetCallerIdentity API call from the source IP.
- Test 4List and Access Cloud Resources After Authentication
Expected signal: Sysmon Event ID 1 for each az command execution. HTTPS connections to management.azure.com API. Azure Activity Log: List operations for subscriptions, resources, and key vaults. Entra ID audit log for authenticated session activities.
References (8)
- https://attack.mitre.org/techniques/T1021/007/
- https://learn.microsoft.com/en-us/cli/azure/
- https://learn.microsoft.com/en-us/powershell/azure/
- https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.007/T1021.007.md
- https://www.mandiant.com/resources/blog/remediation-hardening-strategies-microsoft-365
- https://www.microsoft.com/security/blog/2024/09/26/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/
- https://specterops.io/blog/credential-storage/
Unlock Pro Content
Get the full detection package for T1021.007 including response playbook, investigation guide, and atomic red team tests.