| ID | Name |
|---|---|
| T1021.001 | Remote Desktop Protocol |
| T1021.002 | SMB/Windows Admin Shares |
| T1021.003 | Distributed Component Object Model |
| T1021.004 | SSH |
| T1021.005 | VNC |
| T1021.006 | Windows Remote Management |
| T1021.007 | Cloud Services |
| T1021.008 | Direct Cloud VM Connections |
Adversaries may leverage Valid Accounts to log directly into accessible cloud hosted compute infrastructure through cloud native methods. Many cloud providers offer interactive connections to virtual infrastructure that can be accessed through the Cloud API, such as Azure Serial Console[1], AWS EC2 Instance Connect[2][3], and AWS System Manager.[4].
Methods of authentication for these connections can include passwords, application access tokens, or SSH keys. These cloud native methods may, by default, allow for privileged access on the host with SYSTEM or root level access.
Adversaries may utilize these cloud native methods to directly access virtual infrastructure and pivot through an environment.[5] These connections typically provide direct console access to the VM rather than the execution of scripts (i.e., Cloud Administration Command).
| ID | Mitigation | Description |
|---|---|---|
| M1042 | Disable or Remove Feature or Program |
If direct virtual machine connections are not required for administrative use, disable these connection types where feasible. |
| M1018 | User Account Management |
Limit which users are allowed to access compute infrastructure via cloud native methods. |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0211 | Detection of Direct VM Console Access via Cloud-Native Methods | AN0594 |
Direct login to cloud-hosted virtual machines via cloud-native access methods (e.g., EC2 Instance Connect, Azure Serial Console, SSM), followed by command execution or privilege escalation on the VM |