T1021.008 CrowdStrike LogScale · LogScale

Detect Direct Cloud VM Connections in CrowdStrike LogScale

Adversaries may leverage Valid Accounts to log directly into cloud-hosted virtual machines using cloud-native connection methods. Cloud providers offer console and command access to VMs that sits outside traditional network controls: Azure Serial Console and Run Command, AWS EC2 Instance Connect, AWS Systems Manager Session Manager (SSM), and GCP OS Login. These methods authorise the caller at the cloud IAM layer rather than with OS or network credentials. Several of them (SSM Session Manager, Azure Serial Console, Azure Run Command) need no inbound SSH/RDP rule at all, so security groups and firewalls never see the connection, and the resulting session or command frequently runs as root, SYSTEM, or a sudo-capable service user. An adversary who compromises cloud IAM credentials carrying the relevant permissions (for example ssm:StartSession or Microsoft.Compute/virtualMachines/runCommand/action) can therefore pivot onto instances through these native APIs even when SSH/RDP is blocked at the network level.

MITRE ATT&CK

Tactic
Lateral Movement
Technique
T1021 Remote Services
Sub-technique
T1021.008 Direct Cloud VM Connections
Canonical reference
https://attack.mitre.org/techniques/T1021/008/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql
// CrowdStrike LogScale: Detect cloud-native VM connection events from ingested AWS CloudTrail
// and Azure Activity logs, plus Falcon sensor signals for SSM agent process activity.
// LogScale syntax notes: the event time field is @timestamp and field assignment is
// "field := expression" (Splunk-style "eval field = ..." is not valid CQL).

// Branch 1: AWS CloudTrail events ingested into LogScale
#repo=cloudtrail
| eventSource = /ssm\.amazonaws\.com|ec2-instance-connect\.amazonaws\.com/
// SSM session and command APIs, EC2 Instance Connect key injection (SendSSHPublicKey,
// SendSerialConsoleSSHPublicKey) and EC2 Instance Connect Endpoint tunnels (OpenTunnel)
| eventName = /^(StartSession|ResumeSession|TerminateSession|SendCommand|StartAutomationExecution|SendSSHPublicKey|SendSerialConsoleSSHPublicKey|OpenTunnel)$/
| CloudProvider := "AWS"
| ActorIdentity := userIdentity.arn
// StartSession carries the instance in requestParameters.target, SendSSHPublicKey in
// requestParameters.instanceId, SendCommand in the instanceIds array (first element is
// enough for triage; SendCommand can also use tag-based targets, which leave TargetVM empty)
| coalesce([requestParameters.target, requestParameters.instanceId, requestParameters.instanceIds[0]], as=TargetVM)
| SourceIP := sourceIPAddress
| AlertType := "AWS_DirectVMConnection"
// documentName separates interactive shells (SSM-SessionManagerRunShell) from port
// forwarding (AWS-StartPortForwardingSession) and patch/inventory documents
| table([@timestamp, CloudProvider, ActorIdentity, eventName, eventSource, requestParameters.documentName, TargetVM, SourceIP, AlertType])

// Branch 2: Azure Activity logs ingested into LogScale
// LogScale has no union operator; run this as its own query against the Azure repo
// (or a view that includes it) and alert on both queries separately
// #repo=azureactivity
// | operationName.value = /RUNCOMMAND\/ACTION|SERIALCONSOLE\/CONSOLESERVICES\/ACCESS|EXTENSIONS\/WRITE/i
// | CloudProvider := "Azure"
// | ActorIdentity := caller
// | TargetVM := resourceId
// | SourceIP := httpRequest.clientIpAddress
// | AlertType := "Azure_DirectVMConnection"
// | table([@timestamp, CloudProvider, ActorIdentity, operationName.value, TargetVM, SourceIP, AlertType])

// Branch 3: Falcon sensor — SSM agent or EC2 Instance Connect process spawned on endpoint
// amazon-ssm-agent runs continuously on every managed instance, so matching the agent
// binary alone is noisy; ssm-session-worker is spawned per session and is the useful signal.
// Review ParentBaseFileName to separate agent-spawned workers from unexpected parents.
// #event_simpleName=ProcessRollup2
// | CommandLine = /amazon-ssm-agent|ssm-session-worker|ec2-instance-connect|ssm-agent/i
// | groupBy([ComputerName, UserName, FileName, CommandLine, ParentBaseFileName],
//     function=[count(as=EventCount), min(@timestamp, as=FirstSeen), max(@timestamp, as=LastSeen)])
// | sort(EventCount, order=desc)
Severity: High · Confidence: Medium

CrowdStrike LogScale (Humio) detection for T1021.008 covering three signal sources. Branch 1 queries AWS CloudTrail logs ingested into a LogScale repo, filtering for SSM and EC2 Instance Connect session, command and key-injection events; requestParameters.documentName is carried into the output because it is the cheapest way to separate an interactive shell from a port-forwarding tunnel or a scheduled patch document. Branch 2 (commented) covers Azure Activity logs if ingested into a separate repo; LogScale cannot union two repos inside one query, so it runs as a separate search. Branch 3 (commented) uses Falcon ProcessRollup2 sensor telemetry to detect SSM session worker processes spawned on instances running the CrowdStrike agent, which corroborates a console-initiated session from the host side. The #repo tag must match your LogScale repository naming convention, and the Azure field names (operationName.value, caller, httpRequest.clientIpAddress) depend on how your Azure ingest parses the Activity Log JSON. Enrich alerts with the AWS account ID from the recipientAccountId field and the AWS region from awsRegion for high-fidelity triage. For CrowdStrike Falcon Horizon (CSPM) users, additional cloud IOA detections may surface this activity via the Falcon UI without custom LogScale queries.

Data Sources

  • AWS CloudTrail logs ingested into CrowdStrike LogScale
  • Azure Activity Logs ingested into CrowdStrike LogScale
  • CrowdStrike Falcon sensor ProcessRollup2 events (for endpoint-side SSM agent detection)

Required Tables

  • LogScale repo containing AWS CloudTrail events (eventSource, eventName fields)
  • LogScale repo containing Azure Activity log events (operationName.value field)
  • Falcon ProcessRollup2 events via #event_simpleName filter

False Positives & Tuning

  • AWS Systems Manager agents running legitimately on managed instances will generate SSM session telemetry during routine patch baselines, inventory collection runs, or compliance document execution initiated by authorized automation accounts.
  • Security operations tooling such as AWS Security Hub automated remediation actions or third-party CSPM platforms using SSM SendCommand to quarantine compromised instances or collect forensic artifacts.
  • Developers using AWS SSM Session Manager port-forwarding as a secure tunnel for local development database access or service debugging on private-subnet instances. These also generate StartSession events, but they can be separated from interactive shell access by requestParameters.documentName: port forwarding uses AWS-StartPortForwardingSession or AWS-StartPortForwardingSessionToRemoteHost, whereas a shell uses SSM-SessionManagerRunShell (or a custom shell document). Allowlist the port-forwarding documents for known developer principals rather than the whole StartSession event.
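The following is an added example, not code from the original page or from CrowdStrike: the filter and field-extraction logic of the LogScale query above, reimplemented in Python so it can be run offline against constructed CloudTrail and Azure Activity records. It also applies the two tuning ideas from the list above, labelling SSM StartSession events as shell or port-forward by documentName and suppressing sanctioned automation identities through a hypothetical allowlist parameter. The sample records are constructed for illustration; only the fields the query touches are included, and the field names follow the CloudTrail and Azure Activity Log schemas the query assumes.

```python
import re
from dataclasses import dataclass

# Same regexes as Branch 1 / Branch 2 of the LogScale query
AWS_SOURCES = re.compile(r"ssm\.amazonaws\.com|ec2-instance-connect\.amazonaws\.com")
AWS_EVENTS = re.compile(
    r"^(StartSession|ResumeSession|TerminateSession|SendCommand|StartAutomationExecution"
    r"|SendSSHPublicKey|SendSerialConsoleSSHPublicKey|OpenTunnel)$"
)
AZURE_OPS = re.compile(r"RUNCOMMAND/ACTION|SERIALCONSOLE/CONSOLESERVICES/ACCESS|EXTENSIONS/WRITE", re.I)

# SSM documents that mean a port-forwarding tunnel rather than an interactive shell
PORT_FORWARD_DOCS = {"AWS-StartPortForwardingSession", "AWS-StartPortForwardingSessionToRemoteHost"}


@dataclass
class Alert:
    cloud_provider: str
    actor: str
    event: str
    target_vm: str
    source_ip: str
    alert_type: str
    session_kind: str  # "shell", "port-forward" or "n/a"


def _coalesce(d, *keys):
    """First non-empty value among keys, mirroring LogScale's coalesce()."""
    for k in keys:
        v = d.get(k)
        if v not in (None, ""):
            return v
    return ""


def classify_aws(rec):
    """Branch 1: return an Alert for a matching CloudTrail record, else None."""
    if not AWS_SOURCES.search(rec.get("eventSource", "")):
        return None
    if not AWS_EVENTS.match(rec.get("eventName", "")):
        return None
    rp = rec.get("requestParameters") or {}
    instance_ids = rp.get("instanceIds") or []
    target = _coalesce(rp, "target", "instanceId") or (instance_ids[0] if instance_ids else "")
    if rec["eventName"] == "StartSession":
        kind = "port-forward" if rp.get("documentName", "") in PORT_FORWARD_DOCS else "shell"
    else:
        kind = "n/a"
    return Alert("AWS", (rec.get("userIdentity") or {}).get("arn", ""), rec["eventName"],
                 target, rec.get("sourceIPAddress", ""), "AWS_DirectVMConnection", kind)


def classify_azure(rec):
    """Branch 2: return an Alert for a matching Azure Activity record, else None."""
    op = (rec.get("operationName") or {}).get("value", "")
    if not AZURE_OPS.search(op):
        return None
    return Alert("Azure", rec.get("caller", ""), op, rec.get("resourceId", ""),
                 (rec.get("httpRequest") or {}).get("clientIpAddress", ""),
                 "Azure_DirectVMConnection", "n/a")


def run_detection(records, allowlisted_actors=frozenset()):
    """Apply both branches to parsed JSON records. allowlisted_actors is a hypothetical
    tuning knob (not in the original query): identities of sanctioned automation whose
    alerts are suppressed, per the false-positive notes above."""
    alerts = []
    for rec in records:
        alert = classify_aws(rec) if "eventSource" in rec else classify_azure(rec)
        if alert and alert.actor not in allowlisted_actors:
            alerts.append(alert)
    return alerts


# Constructed sample records (not real telemetry).
PATCH_ROLE = "arn:aws:sts::123456789012:assumed-role/PatchAutomationRole/AWS-RunPatchBaseline"
SAMPLE_RECORDS = [
    {"eventSource": "ssm.amazonaws.com", "eventName": "StartSession",  # interactive shell
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"target": "i-0123456789abcdef0", "documentName": "SSM-SessionManagerRunShell"},
     "sourceIPAddress": "203.0.113.10", "recipientAccountId": "123456789012", "awsRegion": "us-east-1"},
    {"eventSource": "ssm.amazonaws.com", "eventName": "StartSession",  # developer port-forward
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"target": "i-0123456789abcdef0", "documentName": "AWS-StartPortForwardingSession"},
     "sourceIPAddress": "203.0.113.11", "recipientAccountId": "123456789012", "awsRegion": "us-east-1"},
    {"eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",  # patch automation, instanceIds array
     "userIdentity": {"arn": PATCH_ROLE},
     "requestParameters": {"instanceIds": ["i-0fedcba9876543210"], "documentName": "AWS-RunPatchBaseline"},
     "sourceIPAddress": "ssm.amazonaws.com", "recipientAccountId": "123456789012", "awsRegion": "us-east-1"},
    {"eventSource": "ec2-instance-connect.amazonaws.com", "eventName": "SendSSHPublicKey",  # key injection
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"instanceId": "i-0123456789abcdef0", "instanceOSUser": "ec2-user"},
     "sourceIPAddress": "198.51.100.7", "recipientAccountId": "123456789012", "awsRegion": "us-east-1"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",  # benign, must not match
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {}, "sourceIPAddress": "203.0.113.10"},
    {"operationName": {"value": "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION"},  # Azure Run Command
     "caller": "carol@example.com",
     "resourceId": "/subscriptions/0000/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1",
     "httpRequest": {"clientIpAddress": "192.0.2.33"}},
    {"operationName": {"value": "MICROSOFT.COMPUTE/VIRTUALMACHINES/READ"},  # Azure read, must not match
     "caller": "carol@example.com",
     "resourceId": "/subscriptions/0000/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1",
     "httpRequest": {"clientIpAddress": "192.0.2.33"}},
]

if __name__ == "__main__":
    for a in run_detection(SAMPLE_RECORDS, allowlisted_actors={PATCH_ROLE}):
        print(a)
```

Running the block prints four alerts: the patch-automation SendCommand is suppressed by the allowlist, the two benign read calls never match, and the two StartSession events are distinguished as shell and port-forward so a rule can treat them differently instead of silencing StartSession outright.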

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: AWS SSM Send Command to EC2 Instance

    Expected signal: AWS CloudTrail event: eventName=SendCommand, eventSource=ssm.amazonaws.com, with instanceIds (or targets), documentName, and parameters. Command output lands in CloudWatch Logs or S3 only if the command was sent with output logging configured. Source IP address recorded in CloudTrail.

  2. Test 2: AWS EC2 Instance Connect (Temporary SSH Key Injection)

    Expected signal: AWS CloudTrail: SendSSHPublicKey event from ec2-instance-connect.amazonaws.com with instanceId, instanceOSUser, and the injected public key. The subsequent SSH connection is not visible in CloudTrail; the key is only valid for about 60 seconds, so correlate with the instance's sshd authentication log (or Falcon process telemetry) within that window. The standard Instance Connect path still needs port 22 reachable from the Instance Connect service range, so it does not demonstrate a network-bypassing connection.

  3. Test 3: Azure Run Command on VM

    Expected signal: Azure Activity Log: MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION operation by the executing identity, with the target VM resourceId and the outcome. Source IP recorded in httpRequest.clientIpAddress. Do not rely on the script body being present in the entry's properties; verify what your ingest actually captures before building triage steps on it.

  4. Test 4: Start AWS SSM Session Manager Interactive Session

    Expected signal: AWS CloudTrail: StartSession event from ssm.amazonaws.com with target instanceId, documentName, sessionId, and caller identity. Session transcripts go to CloudWatch Logs or S3 only if session logging is configured in the Session Manager preferences; without it, CloudTrail records that a session happened but not what was typed.
