T1021.008 Direct Cloud VM Connections Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// Detect direct cloud VM connections via cloud-native methods
// Azure Serial Console and Run Command detections
AzureActivity
| where TimeGenerated > ago(24h)
| where OperationNameValue in~ (
    "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION",
    "MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE",
    "MICROSOFT.SERIALCONSOLE/CONSOLESERVICES/ACCESS"
  )
| extend Caller = tostring(Caller)
| extend ResourceGroup = tostring(ResourceGroup)
| extend VMName = tostring(Resource)
| project TimeGenerated, Caller, OperationNameValue, ResourceGroup, VMName,
         HTTPRequest, Properties, Level
| union (
    // Detect SSM Session Manager connections (via CloudTrail if AWS logs ingested)
    // Using CommonSecurityLog for forwarded AWS/GCP events
    CommonSecurityLog
    | where TimeGenerated > ago(24h)
    | where DeviceVendor == "Amazon" and DeviceProduct == "CloudTrail"
    | where Activity in~ ("StartSession", "ResumeSession", "SendCommand", "StartAutomationExecution")
    | project TimeGenerated, SourceUserName, Activity, DestinationHostName, SourceIP
)
| sort by TimeGenerated desc

high severity medium confidence

Data Sources

Cloud Service: Cloud Service Authentication Azure Activity Logs AWS CloudTrail Instance Metadata: Cloud API

Required Tables

AzureActivity CommonSecurityLog AuditLogs

False Positives

DevOps and cloud operations teams using Azure Serial Console or Run Command for legitimate VM troubleshooting and patch management
Automated configuration management pipelines using AWS SSM Run Command to apply configurations at scale
IT operations using EC2 Instance Connect as a replacement for SSH bastion hosts in approved workflows
Cloud platform teams testing instance connectivity and emergency recovery procedures via serial console
Managed service providers performing authorized maintenance via cloud-native access tools

Splunk

spl

index=aws OR index=azure (sourcetype="aws:cloudtrail" OR sourcetype="azure:activity")
(
  sourcetype="aws:cloudtrail"
  eventName IN ("StartSession", "ResumeSession", "TerminateSession", "SendCommand",
                "StartAutomationExecution", "SendSSHPublicKey", "StartSSHSession")
  eventSource IN ("ssm.amazonaws.com", "ec2-instance-connect.amazonaws.com")
| eval UserARN='userIdentity.arn'
| eval TargetInstance=coalesce('requestParameters.target', 'requestParameters.instanceId')
| eval SourceIP='sourceIPAddress'
| eval AlertType="AWS_DirectVMConnection"
| table _time, UserARN, eventName, TargetInstance, SourceIP, AlertType
)
OR
(
  sourcetype="azure:activity"
  operationName.value IN ("MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION",
                         "MICROSOFT.SERIALCONSOLE/CONSOLESERVICES/ACCESS",
                         "MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE")
| eval CallerUPN='caller'
| eval VMName='resourceId'
| eval SourceIP='httpRequest.clientIpAddress'
| eval AlertType="Azure_DirectVMConnection"
| table _time, CallerUPN, operationName.value, VMName, SourceIP, AlertType
)
| sort - _time

high severity medium confidence

Data Sources

AWS CloudTrail Azure Activity Log

Required Sourcetypes

aws:cloudtrail azure:activity

False Positives

DevOps teams using SSM/Run Command for legitimate configuration management
Cloud operations teams using Serial Console for VM troubleshooting
Automated pipelines using cloud-native access methods for patching
Emergency recovery procedures via serial console
Managed service providers performing authorized maintenance

Elastic Security (EQL)

eql

any where (
  (
    event.dataset == "aws.cloudtrail"
    and event.provider in ("ssm.amazonaws.com", "ec2-instance-connect.amazonaws.com")
    and event.action in (
      "StartSession", "ResumeSession", "TerminateSession",
      "SendCommand", "StartAutomationExecution",
      "SendSSHPublicKey", "StartSSHSession"
    )
  )
  or
  (
    event.dataset == "azure.activitylogs"
    and azure.activitylogs.operation_name in~ (
      "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION",
      "MICROSOFT.SERIALCONSOLE/CONSOLESERVICES/ACCESS",
      "MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE"
    )
  )
)

high severity high confidence

Data Sources

AWS CloudTrail (Elastic AWS integration) Azure Activity Logs (Elastic Azure integration)

Required Tables

logs-aws.cloudtrail-* logs-azure.activitylogs-*

False Positives

Legitimate SRE or DevOps engineers using AWS SSM Session Manager as a bastion-free SSH replacement for routine maintenance, patching, or troubleshooting.
CI/CD pipelines or configuration management tooling (e.g., Ansible via SSM, AWS Systems Manager Automation runbooks) invoking SendCommand or StartAutomationExecution as part of deployment workflows.
Azure VM extensions written by infrastructure automation (e.g., Azure Desired State Configuration, monitoring agent installation via ARM templates) triggering EXTENSIONS/WRITE during scheduled deployments.
Cloud security or compliance tools using Azure Run Command or AWS SSM to collect inventory data or run health checks as part of scheduled scanning.

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  username AS caller_identity,
  sourceip AS source_ip,
  "EventName" AS action_performed,
  "EventSource" AS cloud_service,
  COALESCE("TargetInstanceId", "RequestParameters_target") AS target_vm,
  "OperationName" AS azure_operation,
  LOGSOURCENAME(logsourceid) AS log_source_name,
  CATEGORYNAME(category) AS event_category
FROM events
WHERE (
  (
    "EventSource" IN (
      'ssm.amazonaws.com',
      'ec2-instance-connect.amazonaws.com'
    )
    AND "EventName" IN (
      'StartSession',
      'ResumeSession',
      'TerminateSession',
      'SendCommand',
      'StartAutomationExecution',
      'SendSSHPublicKey',
      'StartSSHSession'
    )
  )
  OR (
    "OperationName" ILIKE '%VIRTUALMACHINES/RUNCOMMAND/ACTION%'
    OR "OperationName" ILIKE '%SERIALCONSOLE/CONSOLESERVICES/ACCESS%'
    OR "OperationName" ILIKE '%VIRTUALMACHINES/EXTENSIONS/WRITE%'
  )
)
AND username IS NOT NULL
AND username <> ''
LAST 24 HOURS
ORDER BY starttime DESC

high severity high confidence

Data Sources

Amazon AWS CloudTrail (QRadar DSM) Microsoft Azure Platform Activity Logs (QRadar DSM)

Required Tables

events

False Positives

Authorized cloud operations engineers performing routine maintenance via AWS SSM Session Manager, which is standard practice in environments that have eliminated direct SSH access to instances.
AWS Systems Manager Automation documents executing SendCommand or StartAutomationExecution during scheduled patch management windows or golden AMI bake pipelines.
Azure infrastructure automation (Terraform, Bicep, ARM) deploying or updating VM extensions such as the Azure Monitor Agent, Log Analytics Agent, or custom script extensions during provisioning workflows.

Sumo Logic CSE

sql

(_sourceCategory=*cloudtrail* OR _sourceCategory=*azure*activity*)
| json auto maxdepth 5 nodrop
| where (
    (
      eventSource in ("ssm.amazonaws.com", "ec2-instance-connect.amazonaws.com")
      AND eventName in (
        "StartSession", "ResumeSession", "TerminateSession",
        "SendCommand", "StartAutomationExecution",
        "SendSSHPublicKey", "StartSSHSession"
      )
    )
    OR (
      %"operationName.value" matches "*RUNCOMMAND/ACTION*"
      OR %"operationName.value" matches "*SERIALCONSOLE/CONSOLESERVICES/ACCESS*"
      OR %"operationName.value" matches "*EXTENSIONS/WRITE*"
    )
  )
| eval cloud_provider = if(eventSource matches "*.amazonaws.com", "AWS", "Azure")
| eval actor = coalesce(%"userIdentity.arn", %"userIdentity.userName", caller)
| eval target_vm = coalesce(
    %"requestParameters.target",
    %"requestParameters.instanceId",
    resourceId
  )
| eval action = coalesce(eventName, %"operationName.value")
| eval source_ip = coalesce(sourceIPAddress, %"httpRequest.clientIpAddress")
| where actor != "" and actor != null
| fields _messageTime, cloud_provider, actor, action, target_vm, source_ip, _sourceCategory
| sort by _messageTime desc

high severity high confidence

Data Sources

AWS CloudTrail logs ingested into Sumo Logic Azure Activity Logs ingested into Sumo Logic

Required Tables

Sumo Logic index with _sourceCategory matching *cloudtrail* Sumo Logic index with _sourceCategory matching *azure*activity*

False Positives

Automated infrastructure provisioning tools (Terraform, Pulumi, CDK) using SSM Run Command or SendCommand to bootstrap instances, configure agents, or run post-deployment validation scripts.
Cloud incident response playbooks that leverage SSM Session Manager to access instances without requiring open security group ports, which is a security best practice and will generate identical events to adversarial access.
Azure VM extensions being silently re-applied by Azure Policy remediation tasks or Azure Update Manager patch orchestration, generating EXTENSIONS/WRITE operations at scale with no human initiator.

Google Chronicle / SecOps

yaral

rule direct_cloud_vm_connection_t1021_008 {
  meta:
    author = "Detection Engineering"
    description = "Detects direct cloud VM connections via AWS SSM Session Manager, EC2 Instance Connect, and Azure Serial Console or Run Command (T1021.008)."
    mitre_attack_tactic = "Lateral Movement"
    mitre_attack_technique = "T1021.008"
    severity = "HIGH"
    priority = "HIGH"
    confidence = "HIGH"
    false_positives = "Authorized DevOps SSM usage, Azure automation extensions, CI/CD pipelines"

  events:
    $e.metadata.event_type = "USER_RESOURCE_ACCESS"
    $e.principal.user.userid != ""
    (
      (
        $e.metadata.vendor_name = "Amazon Web Services"
        and $e.metadata.product_name = "AWS CloudTrail"
        and $e.target.application in nocase (
          "ssm.amazonaws.com",
          "ec2-instance-connect.amazonaws.com"
        )
        and $e.metadata.product_event_type in nocase (
          "StartSession",
          "ResumeSession",
          "TerminateSession",
          "SendCommand",
          "StartAutomationExecution",
          "SendSSHPublicKey",
          "StartSSHSession"
        )
      )
      or
      (
        $e.metadata.vendor_name = "Microsoft"
        and $e.metadata.product_name = "Azure Activity"
        and (
          re.regex($e.target.resource.name, `(?i)VIRTUALMACHINES/RUNCOMMAND/ACTION`)
          or re.regex($e.target.resource.name, `(?i)SERIALCONSOLE/CONSOLESERVICES/ACCESS`)
          or re.regex($e.target.resource.name, `(?i)VIRTUALMACHINES/EXTENSIONS/WRITE`)
        )
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

AWS CloudTrail feed (Chronicle ingestion) Microsoft Azure Activity Logs feed (Chronicle ingestion)

Required Tables

UDM events with metadata.product_name = "AWS CloudTrail" UDM events with metadata.product_name = "Azure Activity"

False Positives

Legitimate administrative use of AWS Systems Manager Session Manager by cloud operations teams following zero-trust access models that intentionally block direct SSH/RDP.
Scheduled AWS SSM Automation runbooks triggered by EventBridge rules for automated patching, compliance remediation, or instance configuration drift correction.
Azure VM extension deployments by Azure Security Center (now Defender for Cloud) automatically installing the Azure Monitor Agent, Guest Configuration extension, or Qualys vulnerability scanner on new or existing VMs.

CrowdStrike LogScale (CQL)

cql

// CrowdStrike LogScale: Detect cloud-native VM connection events from ingested AWS CloudTrail
// and Azure Activity logs, plus Falcon sensor signals for SSM agent process activity

// Branch 1: AWS CloudTrail events ingested into LogScale
#repo=cloudtrail
| eventSource = /ssm\.amazonaws\.com|ec2-instance-connect\.amazonaws\.com/
| eventName = /^(StartSession|ResumeSession|TerminateSession|SendCommand|StartAutomationExecution|SendSSHPublicKey|StartSSHSession)$/
| eval CloudProvider = "AWS"
| eval ActorIdentity = userIdentity.arn
| eval TargetVM = coalesce(requestParameters.target, requestParameters.instanceId)
| eval SourceIP = sourceIPAddress
| eval AlertType = "AWS_DirectVMConnection"
| table([_time, CloudProvider, ActorIdentity, eventName, eventSource, TargetVM, SourceIP, AlertType])

// Branch 2: Azure Activity logs ingested into LogScale  
// Uncomment and union if Azure logs are in a separate repo
// #repo=azureactivity
// | operationName.value = /RUNCOMMAND\/ACTION|SERIALCONSOLE\/CONSOLESERVICES\/ACCESS|EXTENSIONS\/WRITE/i
// | eval CloudProvider = "Azure"
// | eval ActorIdentity = caller
// | eval TargetVM = resourceId
// | eval SourceIP = httpRequest.clientIpAddress
// | eval AlertType = "Azure_DirectVMConnection"
// | table([_time, CloudProvider, ActorIdentity, operationName.value, TargetVM, SourceIP, AlertType])

// Branch 3: Falcon sensor — SSM agent or EC2 instance connect process spawned on endpoint
// Detects adversary-controlled SSM agent or shell sessions initiated from cloud console
// #event_simpleName=ProcessRollup2
// | CommandLine = /amazon-ssm-agent|ssm-session-worker|ec2-instance-connect|ssm-agent/i
// | groupBy([ComputerName, UserName, FileName, CommandLine, ParentBaseFileName],
//     function=[count(as=EventCount), min(_time, as=FirstSeen), max(_time, as=LastSeen)])
// | sort(EventCount, order=desc)

high severity medium confidence

Data Sources

AWS CloudTrail logs ingested into CrowdStrike LogScale Azure Activity Logs ingested into CrowdStrike LogScale CrowdStrike Falcon sensor ProcessRollup2 events (for endpoint-side SSM agent detection)

Required Tables

LogScale repo containing AWS CloudTrail events (eventSource, eventName fields) LogScale repo containing Azure Activity log events (operationName.value field) Falcon ProcessRollup2 events via #event_simpleName filter

False Positives

AWS Systems Manager agents running legitimately on managed instances will generate SSM session telemetry during routine patch baselines, inventory collection runs, or compliance document execution initiated by authorized automation accounts.
Security operations tooling such as AWS Security Hub automated remediation actions or third-party CSPM platforms using SSM SendCommand to quarantine compromised instances or collect forensic artifacts.
Developers using AWS SSM Session Manager port-forwarding as a secure tunnel for local development database access or service debugging on private-subnet instances, which generates StartSession events indistinguishable from interactive shell access.

Direct Cloud VM Connections

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Lateral Movement

Popular Detections