DET0211 Detection of Direct VM Console Access via Cloud-Native Methods

Item            Value
ID              DET0211
Version         1.0
Created         21 October 2025
Last Modified   21 October 2025

Technique Detected: T1021.008 (Direct Cloud VM Connections)

Analytics

IaaS

AN0594

Direct login to cloud-hosted virtual machines via cloud-native access methods (e.g., EC2 Instance Connect, Azure Serial Console, SSM), followed by command execution or privilege escalation on the VM

Log Sources
Data Component                    Name               Channel
Logon Session Creation (DC0067)   AWS:CloudTrail     SendSSHPublicKey, StartSession (SSM), EC2InstanceConnect
Process Creation (DC0032)         WinEventLog:Sysmon EventCode=1
Mutable Elements
Field                 Description
TimeWindow            Correlates cloud login to host activity within a reasonable time span (e.g., < 60 seconds)
CloudAuthMethod       Filters based on access vector: SSH key, SSM session, or Console connect
SessionOriginRegion   Identifies sessions from out-of-region or untrusted networks
TargetInstanceTags    Filters sensitive systems or production assets for alert tuning
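The correlation that AN0594 describes, as an added example that is not part of the ATT&CK entry: constructed CloudTrail and Sysmon events are joined on the target instance within the TimeWindow, with CloudAuthMethod and SessionOriginRegion applied as filters. The hostname-to-instance inventory and the exact Sysmon field names are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample events (not real telemetry). CloudTrail keys on eventName;
# the VM identifier sits under requestParameters (instanceId for EC2 Instance
# Connect, target for SSM StartSession).
CLOUDTRAIL = [
    {"eventTime": "2025-10-21T10:00:00Z", "eventName": "SendSSHPublicKey",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}, "awsRegion": "us-east-1",
     "requestParameters": {"instanceId": "i-0abc"}},
    {"eventTime": "2025-10-21T11:00:00Z", "eventName": "StartSession",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ops"}, "awsRegion": "eu-west-1",
     "requestParameters": {"target": "i-0def"}},
]
SYSMON = [  # host-side process creation (EventCode=1); UtcTime as Sysmon formats it
    {"EventCode": 1, "Computer": "web01", "UtcTime": "2025-10-21 10:00:42.000",
     "Image": "C:\\Windows\\System32\\cmd.exe", "User": "web01\\ssm-user"},
    {"EventCode": 1, "Computer": "db01", "UtcTime": "2025-10-21 11:30:00.000",
     "Image": "C:\\Windows\\System32\\whoami.exe", "User": "db01\\ssm-user"},
]
# Assumed host inventory mapping Sysmon Computer names to instance IDs (not on the page).
INVENTORY = {"web01": "i-0abc", "db01": "i-0def"}
# CloudTrail event names that represent a cloud-native VM access vector.
ACCESS_EVENTS = {"SendSSHPublicKey": "ssh-key", "StartSession": "ssm-session"}

def _ct(ts): return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
def _sm(ts): return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)

def correlate(cloud, host, window_s=60, auth_methods=None, trusted_regions=()):
    """Return one alert per cloud access event that is followed, within window_s
    seconds, by a process creation on the same instance. auth_methods narrows
    the CloudAuthMethod; trusted_regions flags SessionOriginRegion anomalies."""
    alerts = []
    for c in cloud:
        method = ACCESS_EVENTS.get(c["eventName"])
        if method is None or (auth_methods and method not in auth_methods):
            continue
        rp = c["requestParameters"]
        instance = rp.get("instanceId") or rp.get("target")
        t0 = _ct(c["eventTime"])
        for h in host:
            if h["EventCode"] != 1 or INVENTORY.get(h["Computer"]) != instance:
                continue
            delta = (_sm(h["UtcTime"]) - t0).total_seconds()
            if 0 <= delta <= window_s:  # host activity shortly after the cloud login
                alerts.append({"instance": instance, "method": method,
                               "principal": c["userIdentity"]["arn"],
                               "image": h["Image"], "delta_s": delta,
                               "out_of_region": c["awsRegion"] not in trusted_regions})
    return alerts
```

With the default 60-second window only the EC2 Instance Connect login on i-0abc fires; widening the window to an hour also surfaces the SSM session on i-0def, which is how TimeWindow tuning trades coverage for noise.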