MITRE ATT&CK® Analytic

AN0594: Analytic 0594

Direct login to cloud-hosted virtual machines via cloud-native access methods (e.g., EC2 Instance Connect, Azure Serial Console, SSM), followed by command execution or privilege escalation on the VM

Enterprise · AN0594 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic concerns administrators or actors logging directly into cloud-hosted virtual machines through cloud-native access paths such as EC2 Instance Connect, Azure Serial Console, or SSM, then running commands or attempting privilege escalation on the VM. For leaders, the decision value is whether cloud VM access is governed and observable as strongly as traditional SSH/RDP access. These paths can be legitimate for operations and break-glass support, but if logging, identity controls, and response procedures are weak, they can create blind spots in cloud incident response.

Executive priority

Prioritize this as a cloud security and incident-readiness validation item for IaaS environments. Security leaders should ask: who is allowed to use cloud-native VM access methods, is use tied to approved identity and change processes, are sessions and commands logged, and can the SOC distinguish routine administration from unusual access followed by privilege escalation? This supports operational resilience, audit evidence, and cloud IAM governance by confirming that direct VM access is controlled and reviewable.

Technical view

The supplied ATT&CK object is a detection analytic for IaaS platforms. It describes direct login to cloud-hosted virtual machines via cloud-native access methods, followed by command execution or privilege escalation on the VM. Because no official detection logic is provided, SOC and detection engineering teams should validate coverage by correlating cloud control-plane access events for native VM access features with host-level evidence of login, command execution, and privilege changes. Incident responders should confirm whether they can reconstruct the identity used, target VM, access method, session timing, commands or process activity, and any privilege escalation indicators.

Likely telemetry

  • Cloud control-plane audit logs for native VM access services and console/session features
  • Cloud IAM authentication and authorization events tied to the user, role, or service principal initiating access
  • VM operating system login/session records
  • Host process execution telemetry after the cloud-native access event
  • Privilege escalation or authorization change events on the VM

Detection direction

  • Validate that cloud-native VM access methods are logged and forwarded to the SOC, not only traditional SSH/RDP telemetry.
  • Correlate cloud access events with host login and process activity on the same VM within a practical time window.
  • Tune for context: administrators and automation may legitimately use these methods, so enrich detections with identity, role, asset criticality, time, source context, and change approval where available.
  • Look for sequences where direct cloud-native access is followed by command execution or privilege escalation on the VM.
  • Review blind spots where host telemetry is absent, cloud audit logs are not retained, or break-glass accounts are excluded from monitoring.
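The correlation described in the points above, as an added example that is not part of the ATT&CK object or Glexia's take: it pairs cloud control-plane access events with host login and process activity on the same instance inside a time window, and flags sessions in which a privilege-escalation binary ran. All records are constructed. The cloud records are simplified from the shape of AWS CloudTrail entries (the EC2 Instance Connect `SendSSHPublicKey` and SSM `StartSession` event names are real; the flattened field names `userArn` and `instanceId` are assumptions), and the host records are simplified from what an auth log and a process-audit feed would supply.

```python
"""Correlate cloud-native VM access with host login, command execution and
privilege escalation on the same instance (constructed data, added example)."""
from datetime import datetime, timedelta, timezone

# CloudTrail eventSource/eventName pairs for the two cloud-native access paths
# covered here. Azure Serial Console would need its own activity-log operation.
CLOUD_ACCESS_ACTIONS = {
    ("ec2-instance-connect.amazonaws.com", "SendSSHPublicKey"),
    ("ssm.amazonaws.com", "StartSession"),
}

# Host-side privilege-escalation indicators (assumption: the host feed records
# the executable name of every new process).
PRIV_ESC_BINARIES = {"sudo", "su", "pkexec"}


def ts(s):
    """Parse the constructed ISO-8601 timestamps as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed cloud control-plane records (simplified CloudTrail shape).
CLOUD_EVENTS = [
    {"eventTime": "2026-03-01T09:00:05", "eventSource": "ec2-instance-connect.amazonaws.com",
     "eventName": "SendSSHPublicKey", "userArn": "arn:aws:iam::111122223333:user/ops-admin",
     "instanceId": "i-0aaa111"},
    {"eventTime": "2026-03-01T09:30:00", "eventSource": "ssm.amazonaws.com",
     "eventName": "StartSession", "userArn": "arn:aws:sts::111122223333:assumed-role/Support/jdoe",
     "instanceId": "i-0bbb222"},
    # Not an access action: the correlation must ignore it.
    {"eventTime": "2026-03-01T10:00:00", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "userArn": "arn:aws:iam::111122223333:user/ops-admin",
     "instanceId": "i-0aaa111"},
]

# Constructed host records: OS logins and process starts, tagged by instance.
HOST_EVENTS = [
    {"time": "2026-03-01T09:00:20", "instanceId": "i-0aaa111", "kind": "login", "user": "ec2-user"},
    {"time": "2026-03-01T09:01:10", "instanceId": "i-0aaa111", "kind": "process", "user": "ec2-user",
     "exe": "sudo", "cmd": "sudo usermod -aG wheel ec2-user"},
    {"time": "2026-03-01T09:30:40", "instanceId": "i-0bbb222", "kind": "login", "user": "ssm-user"},
    {"time": "2026-03-01T09:31:00", "instanceId": "i-0bbb222", "kind": "process", "user": "ssm-user",
     "exe": "cat", "cmd": "cat /var/log/app.log"},
    # Login with no cloud access event in the window: left to the SSH/RDP rules.
    {"time": "2026-03-01T11:00:00", "instanceId": "i-0aaa111", "kind": "login", "user": "ec2-user"},
]


def correlate(cloud_events, host_events, window=timedelta(minutes=10)):
    """One finding per cloud-native access event that is followed, on the same
    instance and within `window`, by a host login. The finding carries the
    commands seen after that login and whether any was a privilege-escalation
    binary, so the SOC can reconstruct identity, target, method and activity."""
    findings = []
    for ce in cloud_events:
        if (ce["eventSource"], ce["eventName"]) not in CLOUD_ACCESS_ACTIONS:
            continue
        start = ts(ce["eventTime"])
        end = start + window
        same_host = [h for h in host_events
                     if h["instanceId"] == ce["instanceId"] and start <= ts(h["time"]) <= end]
        logins = [h for h in same_host if h["kind"] == "login"]
        if not logins:
            # Cloud access with no host login in the window: a telemetry gap
            # or a failed access, worth a separate review rather than a finding.
            continue
        first_login = min(logins, key=lambda h: ts(h["time"]))
        procs = [h for h in same_host
                 if h["kind"] == "process" and ts(h["time"]) >= ts(first_login["time"])]
        findings.append({
            "identity": ce["userArn"],
            "method": ce["eventName"],
            "instanceId": ce["instanceId"],
            "login_user": first_login["user"],
            "commands": [p["cmd"] for p in procs],
            "privilege_escalation": any(p["exe"] in PRIV_ESC_BINARIES for p in procs),
        })
    return findings


def escalations(findings):
    """Subset of findings where the session went on to privilege escalation."""
    return [f for f in findings if f["privilege_escalation"]]


if __name__ == "__main__":
    for f in correlate(CLOUD_EVENTS, HOST_EVENTS):
        flag = "PRIV-ESC" if f["privilege_escalation"] else "ok"
        print(f"[{flag}] {f['identity']} -> {f['instanceId']} via {f['method']}: {f['commands']}")
```

The window length and the `PRIV_ESC_BINARIES` set are the tuning knobs; the identity, role, asset-criticality and change-approval enrichment mentioned above would be joined onto each finding's `identity` and `instanceId` fields before it is scored, which is where routine administration gets separated from access worth an analyst's time.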

Mitigation priorities

  • Inventory which cloud-native access methods are enabled for IaaS virtual machines.
  • Restrict use through least-privilege cloud IAM policies and approved administrative groups.
  • Require strong authentication and governed break-glass processes for privileged VM access.
  • Ensure cloud audit logs and host telemetry are retained, centralized, and available to SOC and incident response teams.
  • Apply change-management or access-approval evidence to reduce false positives and support audit readiness.

Analyst notes and limits

This object is useful as a control-coverage prompt: it highlights that cloud provider access paths to VMs may bypass assumptions built around network login monitoring. The strongest local implementation will depend on the organization’s cloud provider, enabled access mechanisms, IAM model, host logging depth, and SOC correlation capability.

The official object provides a description, platform of IaaS, and an external reference, but no official detection logic, tactics, relationships, procedures, mitigations, or attribution. The take therefore avoids claiming exploitation, specific attacker behavior, or guaranteed detection coverage. Local cloud and host telemetry must be reviewed to determine actual risk and coverage.

Official MITRE ATT&CK definition

Analytic 0594

Direct login to cloud-hosted virtual machines via cloud-native access methods (e.g., EC2 Instance Connect, Azure Serial Console, SSM), followed by command execution or privilege escalation on the VM

The same entry is published on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (no value in this snapshot)
Modified: (no value in this snapshot)
Raw hash: 162cea78fd15d091...

Imported snapshots across ATT&CK releases (1)

Release: 19.1
Bundle imported: (no value in this snapshot)
Object version: 1.0
Modified: (no value in this snapshot)
Status: Current bundle
Raw hash: 162cea78fd15…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN0594 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.