Description
Adversaries may leverage Valid Accounts to log directly into accessible cloud hosted compute infrastructure through cloud native methods. Many cloud providers offer interactive connections to virtual infrastructure that can be accessed through the Cloud API, such as Azure Serial Console(Citation: Azure Serial Console), AWS EC2 Instance Connect(Citation: EC2 Instance Connect)(Citation: lucr-3: Getting SaaS-y in the cloud), and AWS System Manager.(Citation: AWS System Manager).
Methods of authentication for these connections can include passwords, application access tokens, or SSH keys. These cloud native methods may, by default, allow for privileged access on the host with SYSTEM or root level access.
Adversaries may utilize these cloud native methods to directly access virtual infrastructure and pivot through an environment.(Citation: SIM Swapping and Abuse of the Microsoft Azure Serial Console) These connections typically provide direct console access to the VM rather than the execution of scripts (i.e., Cloud Administration Command).
Network Pentesting Methodology
Read our in-depth pentesting guide related to this technique
Platforms
Mitigations (2)
User Account ManagementM1018
Limit which users are allowed to access compute infrastructure via cloud native methods.
Disable or Remove Feature or ProgramM1042
If direct virtual machine connections are not required for administrative use, disable these connection types where feasible.
References
- AWS. (2023, June 2). Connect using EC2 Instance Connect. Retrieved June 2, 2023.
- AWS. (2023, June 2). What is AWS System Manager?. Retrieved June 2, 2023.
- Ian Ahl. (2023, September 20). LUCR-3: Scattered Spider Getting SaaS-y In The Cloud. Retrieved September 20, 2023.
- Mandiant Intelligence. (2023, May 16). SIM Swapping and Abuse of the Microsoft Azure Serial Console: Serial Is Part of a Well Balanced Attack. Retrieved June 2, 2023.
- Microsoft. (2022, October 17). Azure Serial Console. Retrieved June 2, 2023.
Frequently Asked Questions
What is T1021.008 (Direct Cloud VM Connections)?
T1021.008 is a MITRE ATT&CK technique named 'Direct Cloud VM Connections'. It belongs to the Lateral Movement tactic(s). Adversaries may leverage [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log directly into accessible cloud hosted compute infrastructure through cloud native methods. Many cloud provid...
How can T1021.008 be detected?
Detection of T1021.008 (Direct Cloud VM Connections) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1021.008?
There are 2 documented mitigations for T1021.008. Key mitigations include: User Account Management, Disable or Remove Feature or Program.
Which threat groups use T1021.008?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.