title: Direct Cloud VM Connections (T1021.008)
id: df00tech-t1021-008
status: experimental
description: "Adversaries may leverage Valid Accounts to log directly into cloud-hosted virtual infrastructure using cloud-native connection methods. Cloud providers offer interactive console access to VMs that bypasses traditional network controls: Azure Serial Console, AWS EC2 Instance Connect, AWS Systems Manager Session Manager (SSM), and GCP OS Login. These methods authenticate via the cloud IAM layer rather than network credentials, can bypass firewall rules and security groups, and often provide SYSTEM or root-level access by default. Adversaries who compromise cloud IAM credentials can pivot to VM instances using these native APIs, even when SSH/RDP is blocked at the network level."
references:
  - https://attack.mitre.org/techniques/T1021/008/
  - https://df00tech.com/detections/T1021.008
author: df00tech
date: 2026/04/13
tags:
  - attack.t1021.008
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - DevOps and cloud operations teams using Azure Serial Console or Run Command for legitimate VM troubleshooting and patch management
  - Automated configuration management pipelines using AWS SSM Run Command to apply configurations at scale
  - IT operations using EC2 Instance Connect as a replacement for SSH bastion hosts in approved workflows
  - Cloud platform teams testing instance connectivity and emergency recovery procedures via serial console
  - Managed service providers performing authorized maintenance via cloud-native access tools
level: high