Skip to content

T1021.008 Direct Cloud VM Connections

Adversaries may leverage Valid Accounts to log directly into accessible cloud hosted compute infrastructure through cloud native methods. Many cloud providers offer interactive connections to virtual infrastructure that can be accessed through the Cloud API, such as Azure Serial Console5, AWS EC2 Instance Connect13, and AWS System Manager.2.

Methods of authentication for these connections can include passwords, application access tokens, or SSH keys. These cloud native methods may, by default, allow for privileged access on the host with SYSTEM or root level access.

Adversaries may utilize these cloud native methods to directly access virtual infrastructure and pivot through an environment.4 These connections typically provide direct console access to the VM rather than the execution of scripts (i.e., Cloud Administration Command).

Item Value
ID T1021.008
Sub-techniques T1021.001, T1021.002, T1021.003, T1021.004, T1021.005, T1021.006, T1021.007, T1021.008
Tactics TA0008
Platforms IaaS
Version 1.0
Created 02 June 2023
Last Modified 15 April 2025

Mitigations

ID Mitigation Description
M1042 Disable or Remove Feature or Program If direct virtual machine connections are not required for administrative use, disable these connection types where feasible.
M1018 User Account Management Limit which users are allowed to access compute infrastructure via cloud native methods.

References

  1. AWS. (2023, June 2). Connect using EC2 Instance Connect. Retrieved June 2, 2023. 

  2. AWS. (2023, June 2). What is AWS System Manager?. Retrieved June 2, 2023. 

  3. Ian Ahl. (2023, September 20). LUCR-3: Scattered Spider Getting SaaS-y In The Cloud. Retrieved September 20, 2023. 

  4. Mandiant Intelligence. (2023, May 16). SIM Swapping and Abuse of the Microsoft Azure Serial Console: Serial Is Part of a Well Balanced Attack. Retrieved June 2, 2023. 

  5. Microsoft. (2022, October 17). Azure Serial Console. Retrieved June 2, 2023.