Detect Direct Cloud VM Connections in Google Chronicle
Adversaries may leverage Valid Accounts to log directly into cloud-hosted virtual infrastructure using cloud-native connection methods. Cloud providers offer interactive console access to VMs that bypasses traditional network controls: Azure Serial Console, AWS EC2 Instance Connect, AWS Systems Manager Session Manager (SSM), and GCP OS Login. These methods authenticate via the cloud IAM layer rather than network credentials, can bypass firewall rules and security groups, and often provide SYSTEM or root-level access by default. Adversaries who compromise cloud IAM credentials can pivot to VM instances using these native APIs, even when SSH/RDP is blocked at the network level.
MITRE ATT&CK
- Tactic: Lateral Movement
- Technique: T1021 Remote Services
- Sub-technique: T1021.008 Direct Cloud VM Connections
- Canonical reference: https://attack.mitre.org/techniques/T1021/008/
YARA-L Detection Query

```
rule direct_cloud_vm_connection_t1021_008 {
  meta:
    author = "Detection Engineering"
    description = "Detects direct cloud VM connections via AWS SSM Session Manager, EC2 Instance Connect, and Azure Serial Console or Run Command (T1021.008)."
    mitre_attack_tactic = "Lateral Movement"
    mitre_attack_technique = "T1021.008"
    severity = "HIGH"
    priority = "HIGH"
    confidence = "HIGH"
    false_positives = "Authorized DevOps SSM usage, Azure automation extensions, CI/CD pipelines"

  events:
    $e.metadata.event_type = "USER_RESOURCE_ACCESS"
    $e.principal.user.userid != ""
    (
      (
        $e.metadata.vendor_name = "Amazon Web Services"
        and $e.metadata.product_name = "AWS CloudTrail"
        and $e.target.application in nocase (
          "ssm.amazonaws.com",
          "ec2-instance-connect.amazonaws.com"
        )
        and $e.metadata.product_event_type in nocase (
          "StartSession",
          "ResumeSession",
          "TerminateSession",
          "SendCommand",
          "StartAutomationExecution",
          "SendSSHPublicKey",
          "StartSSHSession"
        )
      )
      or
      (
        $e.metadata.vendor_name = "Microsoft"
        and $e.metadata.product_name = "Azure Activity"
        and (
          re.regex($e.target.resource.name, `(?i)VIRTUALMACHINES/RUNCOMMAND/ACTION`)
          or re.regex($e.target.resource.name, `(?i)SERIALCONSOLE/CONSOLESERVICES/ACCESS`)
          or re.regex($e.target.resource.name, `(?i)VIRTUALMACHINES/EXTENSIONS/WRITE`)
        )
      )
    )

  condition:
    $e
}
```

Chronicle YARA-L 2.0 rule detecting direct cloud VM connections via cloud-native, IAM-authenticated mechanisms. For AWS, it matches CloudTrail USER_RESOURCE_ACCESS events where target.application resolves to ssm.amazonaws.com or ec2-instance-connect.amazonaws.com and product_event_type is one of the session or command initiation actions. For Azure, it matches Azure Activity log events where the resource name contains the operation path for Run Command, Serial Console access, or VM extension writes. Chronicle must have AWS CloudTrail and Azure Activity Log feeds ingested and normalized to UDM. The principal.ip field carries the originating IP for enrichment in SIEM dashboards.
False Positives & Tuning
- Legitimate administrative use of AWS Systems Manager Session Manager by cloud operations teams following zero-trust access models that intentionally block direct SSH/RDP.
- Scheduled AWS SSM Automation runbooks triggered by EventBridge rules for automated patching, compliance remediation, or instance configuration drift correction.
- Azure VM extension deployments by Azure Security Center (now Defender for Cloud) automatically installing the Azure Monitor Agent, Guest Configuration extension, or Qualys vulnerability scanner on new or existing VMs.
Testing Methodology
Validate this detection against the four Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: AWS SSM Send Command to EC2 Instance
  Expected signal: AWS CloudTrail event with eventName=SendCommand and eventSource=ssm.amazonaws.com, carrying instanceId, documentName, and parameters. A CloudWatch Logs stream holds the command output if session logging is enabled. The source IP address is recorded in CloudTrail.
- Test 2: AWS EC2 Instance Connect (Temporary SSH Key Injection)
  Expected signal: AWS CloudTrail SendSSHPublicKey event from ec2-instance-connect.amazonaws.com with instanceId, osUser, and the publicKey fingerprint, followed by an SSH connection attempt to the instance.
- Test 3: Azure Run Command on VM
  Expected signal: Azure Activity Log MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION operation by the executing identity. The script content is visible in the Properties field. The source IP is recorded in httpRequest.clientIpAddress.
- Test 4: Start AWS SSM Session Manager Interactive Session
  Expected signal: AWS CloudTrail StartSession event from ssm.amazonaws.com with the target instanceId, sessionId, and caller identity. Session logs land in CloudWatch if session logging is enabled. Note: interactive session content is only captured if session logging is configured.
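To tie the rule, the tuning notes and the four tests together, here is an added example (not the page's own code and not a Chronicle parser) in Python: it re-implements the rule's events block over flattened UDM fields, maps the raw CloudTrail and Azure Activity fields named in the expected signals onto those UDM fields, applies an allowlist of sanctioned automation principals of the kind listed under False Positives & Tuning, and evaluates constructed records for each test plus a benign read and a sanctioned patch run. The UDM field mapping (for instance that the Azure operation path lands in target.resource.name), the ARNs, instance IDs, IPs and the allowlist entries are all assumptions constructed for the example.

```python
# Added example (not the page's or Chronicle's own code): a Python model of the
# YARA-L rule, a normalizer from raw CloudTrail / Azure Activity records to the
# UDM fields the rule reads, and an allowlist for sanctioned automation.
# All records are constructed; the UDM mapping is an assumption about the parsers.
import re

# String literals copied from the rule's events section.
AWS_APPLICATIONS = {"ssm.amazonaws.com", "ec2-instance-connect.amazonaws.com"}
AWS_EVENT_TYPES = {
    "startsession", "resumesession", "terminatesession", "sendcommand",
    "startautomationexecution", "sendsshpublickey", "startsshsession",
}
AZURE_RESOURCE_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (
        r"VIRTUALMACHINES/RUNCOMMAND/ACTION",
        r"SERIALCONSOLE/CONSOLESERVICES/ACCESS",
        r"VIRTUALMACHINES/EXTENSIONS/WRITE",
    )
]
# Constructed allowlist: e.g. an SSM Automation role invoked by a scheduled
# EventBridge rule for patching (a tuning exception, not a rule change).
ALLOWED_PRINCIPALS = {
    "arn:aws:sts::111122223333:assumed-role/PatchAutomationRole/AWS-Patch",
}


def matches_rule(udm):
    """Re-implement the rule's events block over one UDM event (flattened keys)."""
    if udm.get("metadata.event_type") != "USER_RESOURCE_ACCESS":
        return False
    if not udm.get("principal.user.userid"):
        return False
    vendor = udm.get("metadata.vendor_name")
    product = udm.get("metadata.product_name")
    if vendor == "Amazon Web Services" and product == "AWS CloudTrail":
        # The rule's 'in nocase' lists: compare lower-cased.
        return (udm.get("target.application", "").lower() in AWS_APPLICATIONS
                and udm.get("metadata.product_event_type", "").lower() in AWS_EVENT_TYPES)
    if vendor == "Microsoft" and product == "Azure Activity":
        name = udm.get("target.resource.name", "")
        return any(p.search(name) for p in AZURE_RESOURCE_PATTERNS)
    return False


def should_alert(udm, allowed=ALLOWED_PRINCIPALS):
    """Tuning layer: a hit from an allowlisted automation principal is suppressed."""
    return matches_rule(udm) and udm["principal.user.userid"] not in allowed


def cloudtrail_to_udm(rec):
    """Map raw CloudTrail fields onto the UDM fields the rule reads (assumed mapping)."""
    params = rec.get("requestParameters") or {}
    return {
        "metadata.event_type": "USER_RESOURCE_ACCESS",
        "metadata.vendor_name": "Amazon Web Services",
        "metadata.product_name": "AWS CloudTrail",
        "metadata.product_event_type": rec.get("eventName", ""),
        "target.application": rec.get("eventSource", ""),
        "principal.user.userid": (rec.get("userIdentity") or {}).get("arn", ""),
        "principal.ip": rec.get("sourceIPAddress", ""),
        "target.resource.name": params.get("target") or params.get("instanceId", ""),
    }


def azure_activity_to_udm(rec):
    """Same for Azure Activity; the operation path is assumed to land in target.resource.name."""
    return {
        "metadata.event_type": "USER_RESOURCE_ACCESS",
        "metadata.vendor_name": "Microsoft",
        "metadata.product_name": "Azure Activity",
        "metadata.product_event_type": rec.get("operationName", ""),
        "target.application": "",
        "principal.user.userid": rec.get("caller", ""),
        "principal.ip": (rec.get("httpRequest") or {}).get("clientIpAddress", ""),
        "target.resource.name": rec.get("operationName", ""),
    }


def _ct(name, source, arn, **params):
    """Constructed CloudTrail record with only the fields this example needs."""
    return {"eventName": name, "eventSource": source, "sourceIPAddress": "203.0.113.10",
            "userIdentity": {"arn": arn}, "requestParameters": params}


ANALYST = "arn:aws:iam::111122223333:user/alice"  # constructed
TEST_RECORDS = {
    "test1_ssm_send_command": cloudtrail_to_udm(_ct(
        "SendCommand", "ssm.amazonaws.com", ANALYST,
        instanceIds=["i-0123456789abcdef0"], documentName="AWS-RunShellScript")),
    "test2_ec2_instance_connect": cloudtrail_to_udm(_ct(
        "SendSSHPublicKey", "ec2-instance-connect.amazonaws.com", ANALYST,
        instanceId="i-0123456789abcdef0", osUser="ec2-user")),
    "test3_azure_run_command": azure_activity_to_udm({
        "operationName": "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION",
        "caller": "alice@example.com", "httpRequest": {"clientIpAddress": "203.0.113.10"}}),
    "test4_ssm_start_session": cloudtrail_to_udm(_ct(
        "StartSession", "ssm.amazonaws.com", ANALYST, target="i-0123456789abcdef0")),
    "benign_describe": cloudtrail_to_udm(_ct("DescribeInstances", "ec2.amazonaws.com", ANALYST)),
    "sanctioned_patch_run": cloudtrail_to_udm(_ct(
        "SendCommand", "ssm.amazonaws.com", next(iter(ALLOWED_PRINCIPALS)),
        instanceIds=["i-0123456789abcdef0"], documentName="AWS-RunPatchBaseline")),
}


def evaluate_test_records(records=TEST_RECORDS):
    """Return {name: (rule_matched, alert_raised)} for each constructed record."""
    return {name: (matches_rule(udm), should_alert(udm)) for name, udm in records.items()}


if __name__ == "__main__":
    for name, (hit, alert) in evaluate_test_records().items():
        print(f"{name:28s} matched={hit!s:5s} alert={alert}")
```

Running the block shows all four tests matching and alerting, the benign DescribeInstances call not matching, and the sanctioned patch run matching the rule but being suppressed by the allowlist; the suppression lives outside the rule so the rule's coverage is unchanged and the exception is auditable in one place.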
References (7)
- https://attack.mitre.org/techniques/T1021/008/
- https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-overview
- https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Connect-using-EC2-Instance-Connect.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.008/T1021.008.md
- https://www.mandiant.com/resources/blog/sim-swapping-and-abuse-of-the-microsoft-azure-serial-console
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a