AN0753: Analytic 0753
Use of cloud-based bastion or VM console session followed by commands that initiate outbound SSH or RDP sessions from the cloud instance to other environments.
Analyst context for executives and security teams
This analytic matters because cloud bastion or VM console access can become a pivot point: after someone gains an interactive session on an IaaS instance, outbound SSH or RDP from that instance may indicate movement toward other systems or environments. For leaders, the key question is whether cloud console activity, bastion use, and east-west or outbound administrative connections are visible enough to support timely investigation.
Executive priority
Prioritize this as a cloud security and incident response readiness issue. It tests whether the organization can prove who accessed cloud-hosted administrative entry points, what they did after access, and whether cloud instances are being used to reach other environments. The business value is strongest for environments where IaaS systems bridge cloud, data center, or operationally sensitive networks, because gaps in this visibility can slow containment and weaken audit evidence.
Technical view
For SOC and IR teams, validate whether telemetry can correlate cloud-based bastion or VM console sessions with subsequent outbound SSH or RDP connections from the same IaaS instance. Because no ATT&CK tactic or detection logic is supplied, treat this as a detection validation pattern rather than a complete rule. Useful analysis should tie together the initiating cloud session, the instance identity, user or role context where available, timing, destination environment, and protocol evidence for SSH or RDP.
Likely telemetry
- Cloud control-plane audit logs for bastion or VM console session activity
- IaaS instance metadata and identity context
- Network flow logs showing outbound connections from cloud instances
- Firewall, security group, or network access control logs for SSH and RDP paths
- Host logs from the cloud instance showing interactive sessions and outbound remote administration tools where available
Detection direction
- Validate correlation between cloud bastion or VM console session start events and outbound SSH/RDP connections from the accessed instance within a practical time window.
- Tune for environment-specific administrative patterns to reduce false positives from approved jump-host operations, maintenance windows, and automation.
- Pay attention to destinations outside the expected management plane, including other cloud networks, on-premises ranges, or sensitive segments if such context is available locally.
- Check blind spots where cloud console activity is logged but network flow logs, host telemetry, or destination authentication logs are missing.
- Because the official detection field is not provided, avoid treating this as a ready-made detection; use it as a coverage assessment and analytic design prompt.
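The correlation described in the technical view and detection direction above, as an added example that is not part of the original analytic or the Glexia page: it pairs cloud audit session-start events with outbound SSH/RDP flow records from the same instance inside a time window and rates destinations against an assumed management range. All log records, the instance IDs, the principal names and the 10.20.0.0/16 management range are constructed for illustration.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample telemetry (not from the page): cloud control-plane audit events
# for console/bastion session starts, and flow-log records for outbound connections.
AUDIT_EVENTS = [
    {"time": "2024-05-01T10:00:00Z", "event": "StartSession", "instance": "i-0abc", "principal": "role/ops-admin"},
    {"time": "2024-05-01T11:30:00Z", "event": "StartSession", "instance": "i-0def", "principal": "user/alice"},
]
FLOWS = [
    {"time": "2024-05-01T10:04:10Z", "src": "i-0abc", "dst": "10.20.5.7", "dport": 22},      # SSH to management range
    {"time": "2024-05-01T10:07:30Z", "src": "i-0abc", "dst": "192.168.40.9", "dport": 3389}, # RDP toward on-prem range
    {"time": "2024-05-01T13:00:00Z", "src": "i-0def", "dst": "192.168.40.9", "dport": 22},   # SSH, but outside the window
    {"time": "2024-05-01T11:31:00Z", "src": "i-0def", "dst": "10.20.5.8", "dport": 443},     # not SSH/RDP, ignored
]
MANAGEMENT_RANGES = [ip_network("10.20.0.0/16")]  # assumed approved management plane
REMOTE_ADMIN_PORTS = {22: "ssh", 3389: "rdp"}


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def in_management_plane(dst):
    return any(ip_address(dst) in net for net in MANAGEMENT_RANGES)


def correlate(audit_events, flows, window=timedelta(minutes=15)):
    """Return one finding per outbound SSH/RDP flow that leaves an instance
    within `window` after a console/bastion session started on that instance."""
    findings = []
    for ev in audit_events:
        if ev["event"] != "StartSession":
            continue
        start = parse(ev["time"])
        for fl in flows:
            if fl["src"] != ev["instance"] or fl["dport"] not in REMOTE_ADMIN_PORTS:
                continue
            delta = parse(fl["time"]) - start
            if not (timedelta(0) <= delta <= window):
                continue  # flow predates the session or falls outside the window
            findings.append({
                "instance": ev["instance"],
                "principal": ev["principal"],
                "protocol": REMOTE_ADMIN_PORTS[fl["dport"]],
                "dst": fl["dst"],
                "seconds_after_session": int(delta.total_seconds()),
                # Destinations outside the documented management plane deserve a closer look
                "severity": "low" if in_management_plane(fl["dst"]) else "high",
            })
    return findings
```

Tightening `window` to an environment's real administrative cadence is the main false-positive lever; the constructed data shows the 15-minute default yielding two findings and a 5-minute window yielding one.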
Mitigation priorities
- Establish and document approved paths for administrative access through cloud bastions or VM consoles.
- Restrict outbound SSH and RDP from IaaS instances to expected destinations and management workflows where business requirements allow.
- Require strong identity controls and accountable logging for cloud console and bastion access.
- Collect and retain cloud audit, network flow, and relevant host or destination authentication logs needed to reconstruct these sessions.
- Review exceptions regularly so legitimate jump-host behavior does not mask risky or unauthorized pivoting.
Analyst notes and limits
The supplied object is an ATT&CK detection analytic for IaaS platforms describing cloud-based bastion or VM console use followed by outbound SSH or RDP from the cloud instance. No tactics, relationships, labels, aliases, or official detection content were supplied, so analysis should remain focused on telemetry validation and defensive decision-making rather than attribution or threat behavior beyond the stated pattern.
This take is limited to the provided STIX fields and external reference. There is no supplied detection query, no relationship context, and no associated technique or tactic in the provided data. Local architecture, approved administration paths, logging coverage, and identity context are required to determine severity and build reliable detections.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | e6a1d662f188… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0753
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.