Remote Services: Direct Cloud VM Connections T1021.008

Tactic: Lateral Movement

Adversaries may leverage Valid Accounts to log directly into accessible cloud-hosted compute infrastructure through cloud-native methods. Many cloud providers offer interactive connections to virtual infrastructure that can be accessed through the Cloud API, such as Azure Serial Console, AWS EC2 Instance Connect, and AWS Systems Manager.

Events covered

6 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 4 rules under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (10 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

| Field | Rules | How | Sample values |
|---|---|---|---|
| EventType | 2 | eq 2, in 1 | ConnectionAttempt, ConnectionFailed, ConnectionRequest, FileCreated |
| parent_process_name | 2 | eq 2 | customscripthandler.exe |
| CategoryValue | 1 | eq 1 | Administrative |
| DestinationPort | 1 | in 1 | 135, 22, 3389 |
| EventMessage | 1 | contains 1 | extensions/write, runcommand/action |
| FileType | 1 | contains 1 | executable |
| FirstTimeUserPerformedAction | 1 | eq 1 | True |
| azure_ad::operation_name_value | 1 | eq 1 | MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE, Microsoft.Compute/virtualMachines/runCommand/action |
| file_name | 1 | contains 1 | .bat, .cmd, .com |
| sha256 | 1 | is_not_null 1 | |

Top indicator values (30 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. A blank Corpus reach means the combination is specific to rules under this technique.

| Field | Kind | Value | Rules (here) | Corpus reach |
|---|---|---|---|---|
| EventType | eq | FileCreated | 2 | 8 |
| parent_process_name | eq | customscripthandler.exe | 2 | 2 |
| CategoryValue | eq | Administrative | 1 | 7 |
| DestinationPort | in | 135 | 1 | 3 |
| DestinationPort | in | 22 | 1 | 4 |
| DestinationPort | in | 3389 | 1 | 4 |
| DestinationPort | in | 445 | 1 | 7 |
| DestinationPort | in | 5900 | 1 | 2 |
| DestinationPort | in | 5985 | 1 | 5 |
| DestinationPort | in | 5986 | 1 | 5 |
| EventMessage | contains | extensions/write | 1 | |
| EventMessage | contains | runcommand/action | 1 | |
| EventType | in | ConnectionAttempt | 1 | 2 |
| EventType | in | ConnectionFailed | 1 | 2 |
| EventType | in | ConnectionRequest | 1 | 2 |
| EventType | in | ConnectionSuccess | 1 | 3 |
| FileType | contains | executable | 1 | |
| FirstTimeUserPerformedAction | eq | True | 1 | |
| azure_ad::operation_name_value | eq | MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE | 1 | |
| azure_ad::operation_name_value | eq | Microsoft.Compute/virtualMachines/runCommand/action | 1 | 2 |
| file_name | contains | .bat | 1 | 2 |
| file_name | contains | .cmd | 1 | 2 |
| file_name | contains | .com | 1 | 2 |
| file_name | contains | .cpl | 1 | 2 |
| file_name | contains | .dll | 1 | 2 |
| file_name | contains | .exe | 1 | 2 |
| file_name | contains | .msi | 1 | |
| file_name | contains | .scr | 1 | |
| file_name | contains | .vbs | 1 | 2 |
| file_name | contains | .wsf | 1 | |

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Each rule's entry carries its full predicates, exclusions, and indicators.


Kusto 4 rules