- Tactics
- Lateral Movement
- Platforms
- IaaS
- Reference
- attack.mitre.org/techniques/T1021.008
Description
Adversaries may leverage Valid Accounts to log directly into accessible cloud hosted compute infrastructure through cloud native methods. Many cloud providers offer interactive connections to virtual infrastructure that can be accessed through the Cloud API, such as Azure Serial Console(Citation: Azure Serial Console), AWS EC2 Instance Connect(Citation: EC2 Instance Connect)(Citation: lucr-3: Getting SaaS-y in the cloud), and AWS System Manager.(Citation: AWS System Manager).
Methods of authentication for these connections can include passwords, application access tokens, or SSH keys. These cloud native methods may, by default, allow for privileged access on the host with SYSTEM or root level access.
Adversaries may utilize these cloud native methods to directly access virtual infrastructure and pivot through an environment.(Citation: SIM Swapping and Abuse of the Microsoft Azure Serial Console) These connections typically provide direct console access to the VM rather than the execution of scripts (i.e., Cloud Administration Command).
How GTK Cyber trains on this
GTK Cyber's hands-on training programs cover detection engineering across the MITRE ATT&CK framework, including the Lateral Movement tactic this technique falls under. Our practitioner-led courses focus on building real detections, not just memorizing technique IDs.
Related techniques
- T1021 — Remote Services
- T1072 — Software Deployment Tools
- T1080 — Taint Shared Content
- T1091 — Replication Through Removable Media
- T1210 — Exploitation of Remote Services
- T1534 — Internal Spearphishing
- T1550 — Use Alternate Authentication Material
- T1563 — Remote Service Session Hijacking
- T1570 — Lateral Tool Transfer