T1021.007 Sumo Logic CSE · Sumo

Detect Cloud Services in Sumo Logic CSE

Adversaries may log into accessible cloud services within a compromised environment using Valid Accounts that are synchronized with or federated to on-premises user identities. Many enterprises federate user identities to cloud services (Azure AD/Entra ID, AWS, GCP, M365), so an adversary holding compromised on-premises credentials can move laterally into the cloud control plane without a separate cloud-side compromise. APT29 leveraged synced high-privileged accounts to move into Office 365/Azure. Storm-0501 abused Microsoft Entra Connect Sync servers to pivot from on-premises Active Directory into Entra ID. Scattered Spider used existing AWS EC2 instances for lateral movement. Methods include cloud CLI tools (Connect-AzAccount, gcloud auth, aws configure), web console access, and Application Access Tokens.

MITRE ATT&CK

Tactic
Lateral Movement
Technique
T1021 Remote Services
Sub-technique
T1021.007 Cloud Services
Canonical reference
https://attack.mitre.org/techniques/T1021/007/

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql
(_sourceCategory=*Windows/Sysmon* OR _sourceCategory=*Windows/Security* OR _sourceCategory=*Azure/SignIn* OR _sourceCategory=*AWS/CloudTrail*)
| json auto maxdepth 5 nodrop
// Normalize command line across log sources (dotted json auto field names are referenced as %"parent.child")
| if (!isBlank(CommandLine), CommandLine,
    if (!isBlank(command_line), command_line,
      if (!isBlank(%"process.command_line"), %"process.command_line", "")
    )
  ) as cmd_line
// Normalize actor across log sources
| if (!isBlank(SubjectUserName), SubjectUserName,
    if (!isBlank(%"properties.userPrincipalName"), %"properties.userPrincipalName",
      if (!isBlank(%"userIdentity.arn"), %"userIdentity.arn", "-")
    )
  ) as actor
// Normalize source IP across log sources
| if (!isBlank(IpAddress), IpAddress,
    if (!isBlank(%"properties.ipAddress"), %"properties.ipAddress",
      if (!isBlank(sourceIPAddress), sourceIPAddress, "-")
    )
  ) as src_ip
// Copy the Azure and AWS fields into plain names once, so later stages do not repeat the quoting
| if (!isBlank(%"properties.riskLevelDuringSignIn"), %"properties.riskLevelDuringSignIn", "") as risk_level
| if (!isBlank(%"properties.networkLocationDetails"), %"properties.networkLocationDetails", "") as net_location
| if (!isBlank(%"properties.status.errorCode"), %"properties.status.errorCode", "") as signin_error
| if (!isBlank(eventName), eventName, "") as event_name
| if (!isBlank(%"responseElements.ConsoleLogin"), %"responseElements.ConsoleLogin", "") as console_login
| if (!isBlank(%"additionalEventData.MFAUsed"), %"additionalEventData.MFAUsed", "") as mfa_used
// Detection filter
| where
  // Pattern 1: cloud CLI or PowerShell module sign-in on an endpoint
  (
    cmd_line matches "*Connect-AzAccount*"
    OR cmd_line matches "*Connect-MgGraph*"
    OR cmd_line matches "*Connect-ExchangeOnline*"
    OR cmd_line matches "*az login*"
    OR cmd_line matches "*az account*"
    OR cmd_line matches "*aws configure*"
    OR cmd_line matches "*aws sts*"
    OR cmd_line matches "*gcloud auth*"
  )
  // Pattern 2: successful Entra ID sign-in rated medium/high risk, or from an anonymizing network
  OR (
    signin_error = "0"
    AND (risk_level = "medium" OR risk_level = "high" OR net_location matches "*anonymizedIP*")
  )
  // Pattern 3: successful AWS Console login without MFA
  OR (
    event_name = "ConsoleLogin"
    AND console_login = "Success"
    AND mfa_used = "No"
  )
// Classify detection type (the where clause guarantees exactly one branch applies per event)
| if (cmd_line != "", "CloudCLI_Execution",
    if (event_name = "ConsoleLogin", "AWSConsoleNoMFA", "RiskyAzureSignin")
  ) as DetectionType
// Classify cloud platform from the detection type, then from the command line for endpoint events
| if (DetectionType = "RiskyAzureSignin", "Azure",
    if (DetectionType = "AWSConsoleNoMFA", "AWS",
      if (cmd_line matches "*Connect-*" OR cmd_line matches "*az login*" OR cmd_line matches "*az account*", "Azure",
        if (cmd_line matches "*aws *", "AWS",
          if (cmd_line matches "*gcloud *", "GCP", "Unknown")
        )
      )
    )
  ) as CloudPlatform
| count by _sourceCategory, actor, src_ip, CloudPlatform, DetectionType, cmd_line
| sort by _count desc
high severity medium confidence

Detects T1021.007 cloud lateral movement across Windows endpoint (Sysmon/Security), Azure Sign-in Logs, and AWS CloudTrail sources in Sumo Logic. Uses json auto field normalization to handle schema differences between log sources, then fires on any of three patterns: cloud CLI or PowerShell sign-in invocations on an endpoint, successful Entra ID sign-ins rated medium/high risk or tagged as an anonymized IP, and successful AWS Console logins recorded without MFA. Note the coverage boundary: CloudTrail is only inspected for ConsoleLogin, so programmatic use of stolen access keys (for example aws sts get-caller-identity run from a non-Windows host) is seen only through the command-line pattern on endpoints that ship process telemetry. Adjust _sourceCategory values to match your environment's configured source categories.

Data Sources

  • Windows Sysmon via Sumo Logic Windows agent (Sysmon Event ID 1, _sourceCategory=*Windows/Sysmon*)
  • Windows Security Event Log via Sumo Logic agent (Event ID 4688, _sourceCategory=*Windows/Security*)
  • Azure Sign-in Logs via Azure Monitor diagnostic settings export to Sumo Logic (_sourceCategory=*Azure/SignIn*)
  • AWS CloudTrail via Sumo Logic AWS S3 integration (_sourceCategory=*AWS/CloudTrail*)

Required Tables

  • _sourceCategory=*Windows/Sysmon* or *Windows/Security* (endpoint process events)
  • _sourceCategory=*Azure/SignIn* (Azure Monitor SigninLogs JSON)
  • _sourceCategory=*AWS/CloudTrail* (CloudTrail JSON events from S3 or Kinesis)

False Positives & Tuning

  • Cloud platform engineering teams and developers authenticate to Azure, AWS, and GCP via CLI tools as part of daily infrastructure and development work on managed corporate endpoints; allowlist those actors and hosts for the CLI pattern only, and keep full coverage on the risky sign-in and no-MFA console patterns, since the identity-level signal is what exposes a compromised synced account
  • Automated runbooks, Terraform and Ansible provisioning scripts, and CI/CD pipeline agents authenticate using service principals or IAM roles, frequently without MFA requirements
  • AWS ConsoleLogin events for federated sessions (SAML or role-based console access) can record MFAUsed as No even when MFA was enforced at the identity provider, because the MFA step happened upstream; triage these by userIdentity.type and the federating identity rather than treating every hit as an MFA-less login
  • Azure Identity Protection risk scoring may flag legitimate users traveling internationally, accessing via split-tunnel VPN, or logging in from new devices as medium risk
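To make the three patterns and the allowlist tuning concrete, the following Python is an added example (not code from the original page or from Sumo Logic) that re-implements the normalization, detection and aggregation stages of the query above over constructed sample events, one per log source plus benign controls. It assumes the same field names the query assumes, treats substring matches as case-insensitive, and adds one tuning knob, cli_allowlist, that suppresses only the CloudCLI_Execution pattern for named actors, as recommended in the tuning list.

```python
import json
from collections import Counter

# Substrings from Pattern 1 of the Sumo query (cloud CLI and PowerShell module sign-ins).
CLI_MARKERS = (
    "connect-azaccount", "connect-mggraph", "connect-exchangeonline",
    "az login", "az account", "aws configure", "aws sts", "gcloud auth",
)
AZURE_MARKERS = ("connect-az", "connect-mggraph", "connect-exchangeonline", "az login", "az account")


def get(event, path, default=""):
    """Resolve a dotted path such as 'properties.status.errorCode' in a nested dict,
    mirroring the dotted field names that `json auto` produces."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or cur.get(key) is None:
            return default
        cur = cur[key]
    return cur


def first_nonblank(event, paths, default=""):
    """Same effect as the nested if(!isBlank(...)) chains in the query."""
    for path in paths:
        value = str(get(event, path)).strip()
        if value:
            return value
    return default


def normalize(event):
    return {
        "cmd_line": first_nonblank(event, ("CommandLine", "command_line", "process.command_line")),
        "actor": first_nonblank(event, ("SubjectUserName", "properties.userPrincipalName", "userIdentity.arn"), "-"),
        "src_ip": first_nonblank(event, ("IpAddress", "properties.ipAddress", "sourceIPAddress"), "-"),
    }


def classify(event):
    """Apply the three patterns; return (CloudPlatform, DetectionType) or None.
    Substring matching is case-insensitive here, an assumption of this example."""
    cmd = normalize(event)["cmd_line"].lower()

    # Pattern 1: cloud CLI / PowerShell module sign-in recorded by endpoint process telemetry
    if any(m in cmd for m in CLI_MARKERS):
        if any(m in cmd for m in AZURE_MARKERS):
            return "Azure", "CloudCLI_Execution"
        if "aws" in cmd:
            return "AWS", "CloudCLI_Execution"
        if "gcloud" in cmd:
            return "GCP", "CloudCLI_Execution"
        return "Unknown", "CloudCLI_Execution"

    # Pattern 2: successful Entra ID sign-in rated medium/high risk or tagged as an anonymizing network
    if str(get(event, "properties.status.errorCode")) == "0":
        risk = str(get(event, "properties.riskLevelDuringSignIn")).lower()
        net_location = json.dumps(get(event, "properties.networkLocationDetails", []))
        if risk in ("medium", "high") or "anonymizedIP" in net_location:
            return "Azure", "RiskyAzureSignin"

    # Pattern 3: successful AWS Console login with no MFA recorded on the login event itself
    if (get(event, "eventName") == "ConsoleLogin"
            and get(event, "responseElements.ConsoleLogin") == "Success"
            and get(event, "additionalEventData.MFAUsed") == "No"):
        return "AWS", "AWSConsoleNoMFA"
    return None


def run(events, cli_allowlist=frozenset()):
    """Equivalent of the query's `count by ... | sort by _count desc`, with one tuning knob:
    actors in cli_allowlist (e.g. platform engineers on managed endpoints) are suppressed for
    CloudCLI_Execution only; risky sign-ins and no-MFA console logins are never suppressed."""
    counts = Counter()
    for event in events:
        hit = classify(event)
        if hit is None:
            continue
        fields = normalize(event)
        if hit[1] == "CloudCLI_Execution" and fields["actor"] in cli_allowlist:
            continue
        counts[(fields["actor"], fields["src_ip"], hit[0], hit[1], fields["cmd_line"])] += 1
    return sorted(counts.items(), key=lambda item: -item[1])


# Constructed sample events (not real telemetry): one hit per log source plus benign controls.
SAMPLE_EVENTS = [
    # Windows Security 4688-style process creation, command line in CommandLine
    {"EventID": 4688, "SubjectUserName": "jdoe",
     "CommandLine": 'powershell.exe -NoProfile -Command "Connect-AzAccount -Credential $c"'},
    # Endpoint record carrying the command line under process.command_line
    {"EventID": 1, "SubjectUserName": "svc-build", "process": {"command_line": "aws sts get-caller-identity"}},
    # Entra ID sign-in export: high risk, succeeded
    {"properties": {"userPrincipalName": "jdoe@corp.example", "ipAddress": "203.0.113.10",
                    "riskLevelDuringSignIn": "high", "status": {"errorCode": 0}}},
    # Entra ID sign-in export: no risk, succeeded (benign control)
    {"properties": {"userPrincipalName": "asmith@corp.example", "ipAddress": "198.51.100.20",
                    "riskLevelDuringSignIn": "none", "status": {"errorCode": 0}}},
    # CloudTrail ConsoleLogin without MFA
    {"eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/jdoe"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    # CloudTrail ConsoleLogin with MFA (benign control)
    {"eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.20",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/asmith"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
]

if __name__ == "__main__":
    for row, count in run(SAMPLE_EVENTS, cli_allowlist={"svc-build"}):
        print(count, row)
```

Running the module prints three rows: the Connect-AzAccount execution, the high-risk Entra sign-in, and the no-MFA console login; the aws sts invocation by svc-build is dropped by the allowlist while both benign controls never fire. Use it to sanity-check field mappings before editing the live Sumo query, since a mis-mapped actor or IP field silently turns into "-" in the count by output rather than an error.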

Testing Methodology

Validate this detection against four test cases modelled on Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Authenticate to Azure via Azure CLI from Compromised Endpoint

    Expected signal: Sysmon Event ID 1: az.cmd (or az) process creation with 'login' in the command line. Sysmon Event ID 3: outbound HTTPS connections to login.microsoftonline.com. Azure AD SigninLogs entry for the authenticated user from the endpoint's IP address.

  2. Test 2: Authenticate to Azure PowerShell (Connect-AzAccount)

    Expected signal: Sysmon Event ID 1: powershell.exe with Connect-AzAccount in the command line. Sysmon Event ID 3: HTTPS connections to login.microsoftonline.com and management.azure.com. Azure AD SigninLogs showing a PowerShell client sign-in.

  3. Test 3: Configure AWS CLI with Stolen Credentials

    Expected signal: Linux auditd EXECVE for the aws CLI binary. File creation/modification of ~/.aws/credentials. HTTPS connection to sts.amazonaws.com. AWS CloudTrail event for the GetCallerIdentity API call from the source IP. Note that this test exercises a Linux host and a CloudTrail API call, neither of which the query above inspects (it reads Windows process telemetry and CloudTrail ConsoleLogin only), so it validates the telemetry pipeline rather than this rule.

  4. Test 4: List and Access Cloud Resources After Authentication

    Expected signal: Sysmon Event ID 1 for each az command execution. HTTPS connections to the management.azure.com API. Azure Activity Log: List operations for subscriptions, resources, and key vaults. Entra ID audit log for authenticated session activities.

