T1021.007 Splunk · SPL

Detect Cloud Services in Splunk

Adversaries may log into accessible cloud services within a compromised environment using Valid Accounts that are synchronized with or federated to on-premises user identities. Many enterprises federate user identities to cloud services (Azure AD/Entra ID, AWS, GCP, M365), allowing adversaries with compromised on-premises credentials to move laterally into cloud control planes. APT29 leveraged synced high-privileged accounts to move into Office 365/Azure. Storm-0501 abused Entra Connect Sync Server for hybrid lateral movement. Scattered Spider used existing AWS EC2 instances for lateral movement. Methods include cloud CLI tools (Connect-AZAccount, gcloud auth, aws configure), web console access, and Application Access Tokens.

MITRE ATT&CK

Tactic
Lateral Movement
Technique
T1021 Remote Services
Sub-technique
T1021.007 Cloud Services
Canonical reference
https://attack.mitre.org/techniques/T1021/007/

SPL Detection Query

Splunk (SPL)
spl 
index=o365 OR index=azure OR index=aws (sourcetype="o365:management:activity" OR sourcetype="azure:monitor:aad:signin" OR sourcetype="aws:cloudtrail")
(
  sourcetype="azure:monitor:aad:signin"
  properties.status.errorCode=0
| eval UserUPN='properties.userPrincipalName'
| eval AppName='properties.appDisplayName'
| eval SourceIP='properties.ipAddress'
| eval RiskLevel='properties.riskLevelDuringSignIn'
| eval IsAnon=if(match('properties.networkLocationDetails', "anonymizedIP"), 1, 0)
| where RiskLevel IN ("medium", "high") OR IsAnon=1
| eval AlertType="AzureRiskySignin"
| table _time, UserUPN, AppName, SourceIP, RiskLevel, IsAnon, AlertType
)
OR
(
  sourcetype="o365:management:activity" Operation="UserLoggedIn"
  ResultStatus="Success"
| eval UserUPN=UserId
| eval ClientIP='ClientIP'
| eval AppName='ApplicationName'
| eval Country=mvindex(split('ClientInfoString', ";"), 0)
| stats dc(ClientIP) as UniqueIPs, values(ClientIP) as IPs by UserUPN, AppName
| where UniqueIPs >= 3
| eval AlertType="O365MultiIPLogin"
| table UserUPN, AppName, UniqueIPs, IPs, AlertType
)
OR
(
  sourcetype="aws:cloudtrail" eventName="ConsoleLogin" responseElements.ConsoleLogin="Success"
| eval UserArn='userIdentity.arn'
| eval SourceIP='sourceIPAddress'
| eval MFA='additionalEventData.MFAUsed'
| where MFA="No"
| eval AlertType="AWSConsoleLoginNoMFA"
| table _time, UserArn, SourceIP, MFA, AlertType
)
high severity medium confidence

Detects cloud service lateral movement using three log sources: Azure AD sign-in logs for risky or anonymized-IP sign-ins, Office 365 audit logs for users logging in from 3+ unique IPs (potential credential sharing/token theft), and AWS CloudTrail for console logins without MFA (higher risk indicator of unauthorized access). The AlertType field identifies the detection source.

Data Sources

Cloud Service: Cloud Service AuthenticationAzure AD Sign-in LogsOffice 365 Audit LogsAWS CloudTrail

Required Sourcetypes

azure:monitor:aad:signino365:management:activityaws:cloudtrail

False Positives & Tuning

  • Developers using cloud CLI tools from their workstations
  • CI/CD pipeline agents authenticating to cloud services for deployment
  • Cloud administrators performing routine management via cloud CLI
  • Multi-cloud monitoring tools authenticating to multiple platforms
  • Legitimate travel causing geographic sign-in anomalies
Download portable Sigma rule (.yml)

Other platforms for T1021.007

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Authenticate to Azure via Azure CLI from Compromised Endpoint

    Expected signal: Sysmon Event ID 1: az.cmd (or az) process creation with 'login' in command line. Sysmon Event ID 3: outbound HTTPS connections to login.microsoftonline.com. Azure AD SigninLogs entry for the authenticated user from the endpoint's IP address.

  2. Test 2Authenticate to Azure PowerShell (Connect-AzAccount)

    Expected signal: Sysmon Event ID 1: powershell.exe with Connect-AzAccount in command line. Sysmon Event ID 3: HTTPS connections to login.microsoftonline.com, management.azure.com. Azure AD SigninLogs showing PowerShell client sign-in.

  3. Test 3Configure AWS CLI with Stolen Credentials

    Expected signal: Linux auditd EXECVE for aws CLI binary. File creation/modification of ~/.aws/credentials. HTTPS connection to sts.amazonaws.com. AWS CloudTrail event for GetCallerIdentity API call from the source IP.

  4. Test 4List and Access Cloud Resources After Authentication

    Expected signal: Sysmon Event ID 1 for each az command execution. HTTPS connections to management.azure.com API. Azure Activity Log: List operations for subscriptions, resources, and key vaults. Entra ID audit log for authenticated session activities.

Last updated: 2026-04-13 Research depth: deep
References (8)

Unlock Pro Content

Get the full detection package for T1021.007 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1021Remote Services

Related Sub-techniques

T1021.001Remote Desktop ProtocolT1021.002SMB/Windows Admin SharesT1021.003Distributed Component Object ModelT1021.004SSHT1021.005VNCT1021.006Windows Remote ManagementT1021.008Direct Cloud VM Connections

Related Techniques

T1021Remote ServicesT1078.004Cloud AccountsT1550.001Application Access TokenT1528Steal Application Access TokenT1539Steal Web Session CookieT1059.009Cloud APIT1580Cloud Infrastructure DiscoveryT1530Data from Cloud Storage

Same Tactic: Lateral Movement

Popular Detections