Direct login to cloud-hosted virtual machines via cloud-native access methods (e.g., EC2 Instance Connect, Azure Serial Console, SSM), followed by command execution or privilege escalation on the VM

| Data Component | Name | Channel |
|---|---|---|
| Logon Session Creation (DC0067) | AWS:CloudTrail | SendSSHPublicKey, StartSession (SSM), EC2InstanceConnect |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |

| Field | Description |
|---|---|
| TimeWindow | Correlates cloud login to host activity within a reasonable time span (e.g., < 60 seconds) |
| CloudAuthMethod | Filters based on access vector: SSH key, SSM session, or Console connect |
| SessionOriginRegion | Identifies sessions from out-of-region or untrusted networks |
| TargetInstanceTags | Filters sensitive systems or production assets for alert tuning |
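The following is an added example, not part of this page, showing how the two data components and the four tunable fields above combine into one correlation rule: a CloudTrail access event (SendSSHPublicKey or StartSession) is joined to Sysmon EventCode=1 records from the same instance that fall inside the time window, with optional filters for the access vector, a trusted-region list and instance tags. All log records are constructed sample data; the assumption that each Sysmon record carries the `instanceId` it originated from (in practice derived from the host-to-instance mapping of your log pipeline) and the helper names `correlate`, `target_instance` and `parse_utc` are mine, not the page's.

```python
from datetime import datetime, timedelta, timezone

# CloudTrail eventName -> access vector label used by the CloudAuthMethod filter.
# These two eventNames are the ones the analytic lists; anything else is "other".
AUTH_METHOD = {
    "SendSSHPublicKey": "ssh_key",   # EC2 Instance Connect (CLI or console connect)
    "StartSession": "ssm_session",   # SSM Session Manager
}

# Constructed CloudTrail-style records (field names follow the CloudTrail schema;
# instance ids, IPs and timestamps are made up).
CLOUDTRAIL = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "SendSSHPublicKey",
     "eventSource": "ec2-instance-connect.amazonaws.com", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.5",
     "requestParameters": {"instanceId": "i-0123456789abcdef0"}},
    {"eventTime": "2024-05-01T11:00:00Z", "eventName": "StartSession",
     "eventSource": "ssm.amazonaws.com", "awsRegion": "eu-west-1",
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"target": "i-0fedcba9876543210"}},
]

# Constructed Sysmon EventCode=1 records; "instanceId" is assumed to have been
# attached by the collection pipeline so host events can be joined to CloudTrail.
SYSMON = [
    {"UtcTime": "2024-05-01T10:00:20Z", "EventCode": 1, "instanceId": "i-0123456789abcdef0",
     "Image": "C:\\Windows\\System32\\cmd.exe", "User": "EC2AMAZ\\Administrator"},
    {"UtcTime": "2024-05-01T10:05:00Z", "EventCode": 1, "instanceId": "i-0123456789abcdef0",
     "Image": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\SYSTEM"},
    {"UtcTime": "2024-05-01T11:00:45Z", "EventCode": 1, "instanceId": "i-0fedcba9876543210",
     "Image": "C:\\Windows\\System32\\whoami.exe", "User": "ssm-user"},
]

# Constructed tag inventory used for the TargetInstanceTags filter.
INSTANCE_TAGS = {
    "i-0123456789abcdef0": {"env": "prod", "role": "web"},
    "i-0fedcba9876543210": {"env": "dev", "role": "build"},
}


def parse_utc(ts):
    """Parse a 'YYYY-MM-DDTHH:MM:SSZ' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def target_instance(event):
    """Instance id of a CloudTrail access event: EC2 Instance Connect puts it in
    requestParameters.instanceId, SSM StartSession in requestParameters.target."""
    params = event.get("requestParameters") or {}
    return params.get("instanceId") or params.get("target")


def correlate(cloud_events, host_events, instance_tags, window_seconds=60,
              auth_methods=None, trusted_regions=None, required_tags=None):
    """Return one alert per (cloud login, host process) pair where the process
    started on the same instance within window_seconds after the login.

    auth_methods   - set of AUTH_METHOD labels to keep (None = all)
    trusted_regions- regions considered in-region; others set outOfRegion=True
    required_tags  - tag key/values an instance must carry to be in scope
    """
    window = timedelta(seconds=window_seconds)
    alerts = []
    for ce in cloud_events:
        method = AUTH_METHOD.get(ce.get("eventName"), "other")
        if auth_methods and method not in auth_methods:
            continue  # CloudAuthMethod filter
        instance = target_instance(ce)
        if instance is None:
            continue
        tags = instance_tags.get(instance, {})
        if required_tags and any(tags.get(k) != v for k, v in required_tags.items()):
            continue  # TargetInstanceTags filter
        login_at = parse_utc(ce["eventTime"])
        for he in host_events:
            if he.get("EventCode") != 1 or he.get("instanceId") != instance:
                continue
            delta = parse_utc(he["UtcTime"]) - login_at
            if timedelta(0) <= delta <= window:  # TimeWindow: process after login
                alerts.append({
                    "instanceId": instance,
                    "authMethod": method,
                    "region": ce.get("awsRegion"),
                    "outOfRegion": bool(trusted_regions) and ce.get("awsRegion") not in trusted_regions,
                    "sourceIP": ce.get("sourceIPAddress"),
                    "loginTime": ce["eventTime"],
                    "process": he.get("Image"),
                    "user": he.get("User"),
                    "deltaSeconds": delta.total_seconds(),
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(CLOUDTRAIL, SYSMON, INSTANCE_TAGS, trusted_regions={"us-east-1"}):
        print(alert)
```

With the sample data, the 60-second window pairs the Instance Connect login with `cmd.exe` (20 s later) and the SSM session with `whoami.exe` (45 s later) while ignoring the `svchost.exe` start five minutes after login; tightening `window_seconds` or adding `required_tags={"env": "prod"}` is how the TimeWindow and TargetInstanceTags elements tune the alert volume, and `trusted_regions` only annotates the alert rather than suppressing it, so an out-of-region session is never silently dropped.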