T1021.008 Sumo Logic CSE · Sumo

Detect Direct Cloud VM Connections in Sumo Logic CSE

Adversaries may leverage Valid Accounts to log directly into cloud-hosted virtual infrastructure using cloud-native connection methods. Cloud providers offer interactive console access to VMs that bypasses traditional network controls: Azure Serial Console, AWS EC2 Instance Connect, AWS Systems Manager Session Manager (SSM), and GCP OS Login. These methods authenticate via the cloud IAM layer rather than network credentials, can bypass firewall rules and security groups, and often provide SYSTEM or root-level access by default. Adversaries who compromise cloud IAM credentials can pivot to VM instances using these native APIs, even when SSH/RDP is blocked at the network level.

MITRE ATT&CK

Tactic
Lateral Movement
Technique
T1021 Remote Services
Sub-technique
T1021.008 Direct Cloud VM Connections
Canonical reference
https://attack.mitre.org/techniques/T1021/008/

Sumo Detection Query

Sumo Logic CSE (Sumo)

(_sourceCategory=*cloudtrail* OR _sourceCategory=*azure*activity*)
| json auto maxdepth 5 nodrop
// AWS: SSM and EC2 Instance Connect API calls; Azure: Run Command, Serial Console and extension writes
| where (
    (
      eventSource in ("ssm.amazonaws.com", "ec2-instance-connect.amazonaws.com")
      AND eventName in (
        "StartSession", "ResumeSession", "TerminateSession",
        "SendCommand", "StartAutomationExecution",
        "SendSSHPublicKey", "StartSSHSession"
      )
    )
    OR (
      %"operationName.value" matches "*RUNCOMMAND/ACTION*"
      OR %"operationName.value" matches "*SERIALCONSOLE/CONSOLESERVICES/ACCESS*"
      OR %"operationName.value" matches "*EXTENSIONS/WRITE*"
    )
  )
// Sumo Logic derives fields with "<expression> as <field>"; there is no eval operator
| if(eventSource matches "*.amazonaws.com", "AWS", "Azure") as cloud_provider
| coalesce(%"userIdentity.arn", %"userIdentity.userName", caller) as actor
| coalesce(%"requestParameters.target", %"requestParameters.instanceId", resourceId) as target_vm
| coalesce(eventName, %"operationName.value") as action
| coalesce(sourceIPAddress, %"httpRequest.clientIpAddress") as source_ip
// drop rows with no resolvable actor (isBlank covers null, empty and whitespace-only values)
| where !isBlank(actor)
| fields _messageTime, cloud_provider, actor, action, target_vm, source_ip, _sourceCategory
| sort by _messageTime desc

Severity: high · Confidence: high

Detects direct cloud VM connections via AWS SSM/EC2 Instance Connect and Azure Serial Console/Run Command by parsing AWS CloudTrail and Azure Activity log JSON payloads. Source categories must match your Sumo Logic ingestion naming conventions; adjust the _sourceCategory wildcards to match your environment. The query uses json auto for field extraction and coalesce to handle field name differences between AWS and Azure schemas. actor resolves to the IAM ARN for AWS events and the UPN/caller for Azure events. target_vm resolves to the SSM target/instance ID for AWS or the full Azure resource ID for Azure.

Data Sources

  • AWS CloudTrail logs ingested into Sumo Logic
  • Azure Activity Logs ingested into Sumo Logic

Required Tables

  • Sumo Logic index with _sourceCategory matching *cloudtrail*
  • Sumo Logic index with _sourceCategory matching *azure*activity*

False Positives & Tuning

  • Automated infrastructure provisioning tools (Terraform, Pulumi, CDK) using SSM Run Command or SendCommand to bootstrap instances, configure agents, or run post-deployment validation scripts.
  • Cloud incident response playbooks that leverage SSM Session Manager to access instances without requiring open security group ports, which is a security best practice and will generate identical events to adversarial access.
  • Azure VM extensions being silently re-applied by Azure Policy remediation tasks or Azure Update Manager patch orchestration, generating EXTENSIONS/WRITE operations at scale with no human initiator.

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: AWS SSM Send Command to EC2 Instance

    Expected signal: AWS CloudTrail event: eventName=SendCommand, eventSource=ssm.amazonaws.com, with instanceId, documentName, and parameters. CloudWatch Log stream for the command output (if session logging enabled). Source IP address recorded in CloudTrail.

  2. Test 2: AWS EC2 Instance Connect (Temporary SSH Key Injection)

    Expected signal: AWS CloudTrail: SendSSHPublicKey event from ec2-instance-connect.amazonaws.com with instanceId, osUser, and publicKey fingerprint. Subsequent SSH connection attempt to the instance.

  3. Test 3: Azure Run Command on VM

    Expected signal: Azure Activity Log: MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION operation by the executing identity. The script content is visible in the Properties field. Source IP recorded in httpRequest.clientIpAddress.

  4. Test 4: Start AWS SSM Session Manager Interactive Session

    Expected signal: AWS CloudTrail: StartSession event from ssm.amazonaws.com with target instanceId, sessionId, and caller identity. Session logs in CloudWatch if session logging enabled. Note: interactive session content is only captured if session logging is configured.
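The field normalization the query performs (json auto plus coalesce across the CloudTrail and Azure Activity schemas) and the expected signals from Tests 2 to 4, as an added Python example that is not part of the original page: it applies the same where/coalesce logic to constructed records so the mapping can be checked before the rule is deployed. Account ID, instance ID, IP addresses and caller are constructed values; `<sub-id>` in the Azure resource ID is a placeholder.

```python
import fnmatch
# Event names and operation patterns taken from the page's Sumo query.
AWS_SOURCES = {"ssm.amazonaws.com", "ec2-instance-connect.amazonaws.com"}
AWS_EVENTS = {"StartSession", "ResumeSession", "TerminateSession", "SendCommand",
              "StartAutomationExecution", "SendSSHPublicKey", "StartSSHSession"}
AZURE_OPS = ("*RUNCOMMAND/ACTION*", "*SERIALCONSOLE/CONSOLESERVICES/ACCESS*", "*EXTENSIONS/WRITE*")

def get(d, path):
    """Resolve a dotted path such as 'userIdentity.arn' (what %"userIdentity.arn" reads after json auto)."""
    for key in path.split("."):
        if not isinstance(d, dict) or key not in d:
            return None
        d = d[key]
    return d

def coalesce(*vals):
    """First value that is neither None nor empty, like Sumo's coalesce()."""
    return next((v for v in vals if v not in (None, "")), None)

def normalize(ev):
    """Apply the query's where/coalesce logic to one CloudTrail or Azure Activity record; None means no alert."""
    src = ev.get("eventSource") or ""
    op = get(ev, "operationName.value") or ""
    aws_hit = src in AWS_SOURCES and ev.get("eventName") in AWS_EVENTS
    # Azure Activity logs deliver operationName.value upper-case; upper() keeps the wildcard match robust.
    azure_hit = any(fnmatch.fnmatchcase(op.upper(), p) for p in AZURE_OPS)
    if not (aws_hit or azure_hit):
        return None
    actor = coalesce(get(ev, "userIdentity.arn"), get(ev, "userIdentity.userName"), ev.get("caller"))
    if actor is None:  # the query drops rows whose actor is empty or null
        return None
    return {
        "cloud_provider": "AWS" if src.endswith(".amazonaws.com") else "Azure",
        "actor": actor,
        "action": coalesce(ev.get("eventName"), op),
        "target_vm": coalesce(get(ev, "requestParameters.target"),
                              get(ev, "requestParameters.instanceId"), ev.get("resourceId")),
        "source_ip": coalesce(ev.get("sourceIPAddress"), get(ev, "httpRequest.clientIpAddress")),
    }

# Constructed sample records modelled on Tests 4, 2 and 3 (account, instance, IPs and caller are made up).
SAMPLE_EVENTS = [
    {"eventSource": "ssm.amazonaws.com", "eventName": "StartSession", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}, "requestParameters": {"target": "i-0abc123"}},
    {"eventSource": "ec2-instance-connect.amazonaws.com", "eventName": "SendSSHPublicKey", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"userName": "alice"}, "requestParameters": {"instanceId": "i-0abc123", "osUser": "ec2-user"}},
    {"operationName": {"value": "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION"}, "caller": "bob@example.com",
     "resourceId": "/subscriptions/<sub-id>/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1",
     "httpRequest": {"clientIpAddress": "198.51.100.7"}},
]
```

Feeding your own exported CloudTrail and Activity Log records through `normalize` shows which rows would be dropped for a blank actor or an unresolvable target_vm before you tune the query.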
