MITRE ATT&CK® Analytic

AN1502: Analytic 1502

Monitor for suspicious use of cloud-native administrative command services (e.g., AWS Systems Manager Run Command, Azure RunCommand, GCP OS Config) to execute code inside VMs. Detect anomalies such as commands/scripts executed by unexpected users, execution outside of maintenance windows, or commands initiated by service accounts not normally tied to administration. Correlate cloud control-plane activity logs with host-level execution (process creation, script execution) to validate if commands materialized inside the guest OS.

Domain: Enterprise · Object: AN1502 (Analytic) · Version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic matters because cloud-native admin command services can execute code inside virtual machines without traditional remote login paths. For leaders, the practical issue is control-plane-to-host visibility: a command may look like an authorized cloud administration action, but still create real execution inside the guest OS. Organizations using IaaS should know whether they can distinguish approved maintenance from unexpected command execution by unusual users, service accounts, or time windows.

Executive priority

Prioritize this as a cloud operations and incident readiness question: can the organization prove who initiated cloud-admin commands, when they ran, and whether they actually executed on the VM? This supports business continuity, audit evidence, privileged access governance, and faster incident decisions when administrative cloud tooling is used outside expected patterns.

Technical view

For SOC, detection engineering, and IR teams, the core work is correlating cloud control-plane activity for services such as AWS Systems Manager Run Command, Azure RunCommand, or GCP OS Config with host-level evidence such as process creation or script execution. The control-plane log records that an API call was made and by whom; only guest telemetry shows whether the agent actually ran anything, so join the two sources on the command or operation identifier and the target VM rather than on time alone. Focus on the anomalies the analytic calls out: unexpected users, commands outside maintenance windows, and service accounts not normally associated with administration. Because the object provides no tactic mapping or official detection logic, local baselining and environment-specific allowlists are required.

Likely telemetry

  • IaaS cloud control-plane activity logs for administrative command services
  • Cloud identity and service account activity associated with command initiation
  • VM guest OS process creation events
  • Script execution logs or command-line telemetry inside VMs
  • Change or maintenance window records for correlation

Detection direction

  • Confirm that cloud-admin command invocations are logged with initiator identity, target VM, timestamp, and command metadata where available.
  • Correlate cloud control-plane command events with guest OS execution evidence to verify whether the command materialized inside the VM.
  • Baseline normal administrative users, service accounts, target systems, and maintenance windows before treating deviations as high confidence.
  • Tune for expected automation and patching workflows to reduce false positives.
  • Identify blind spots where cloud logs exist but endpoint or guest OS telemetry is missing, or where service account ownership is unclear.
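The correlation described in the technical view and the detection direction above, as an added worked example (this is not code from the page, from Glexia, or from MITRE). It takes constructed CloudTrail-style ssm:SendCommand records and constructed guest-OS process-creation events, joins them on the SSM command ID that the Linux agent embeds in the staged script path, and emits the analytic's anomaly classes: unexpected principal, execution outside the maintenance window, a control-plane command with no host evidence (the blind-spot case), and host execution with no control-plane record. Account and instance IDs, role names, the maintenance window, and the agent's script path layout are assumptions for the illustration; it covers AWS only, since Azure and GCP need their own correlation keys.

```python
"""Correlate Run Command control-plane events with guest-OS process creation.

Added example. Every record below is a CONSTRUCTED sample shaped like a
CloudTrail ssm:SendCommand event or an EDR/auditd-style process event; the
IDs, role names, maintenance window and agent path layout are assumptions.
"""
import json
import re
from datetime import datetime, timedelta, timezone

# Assumed baseline: principals expected to issue Run Command, and a
# 02:00-04:00 UTC maintenance window.
ALLOWED_PRINCIPALS = {"role/PatchAutomationRole"}
MAINT_WINDOW_UTC = (2, 4)

# Constructed CloudTrail-like records, trimmed to the fields used here.
CLOUDTRAIL = [
    {"eventTime": "2025-03-02T02:30:11Z", "eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/PatchAutomationRole/patch-run"},
     "requestParameters": {"documentName": "AWS-RunShellScript", "instanceIds": ["i-0aaa111bbb222ccc3"]},
     "responseElements": {"command": {"commandId": "11111111-1111-4111-8111-111111111111"}}},
    {"eventTime": "2025-03-02T14:12:40Z", "eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-contractor"},
     "requestParameters": {"documentName": "AWS-RunShellScript", "instanceIds": ["i-0aaa111bbb222ccc3"]},
     "responseElements": {"command": {"commandId": "22222222-2222-4222-8222-222222222222"}}},
    {"eventTime": "2025-03-02T03:05:00Z", "eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/PatchAutomationRole/patch-run"},
     "requestParameters": {"documentName": "AWS-RunShellScript", "instanceIds": ["i-0ddd444eee555fff6"]},
     "responseElements": {"command": {"commandId": "33333333-3333-4333-8333-333333333333"}}},
]


def _script_path(instance_id, command_id):
    # Assumed Linux agent layout: the staged script path embeds the command ID.
    # Verify against the agent version actually deployed before relying on it.
    return (f"/var/lib/amazon/ssm/{instance_id}/document/orchestration/"
            f"{command_id}/awsrunShellScript/0.awsrunShellScript/_script.sh")


# Constructed guest-OS process-creation events (EDR/auditd-like shape).
HOST_EVENTS = [
    {"ts": "2025-03-02T02:30:19Z", "instance_id": "i-0aaa111bbb222ccc3",
     "parent_image": "/usr/bin/ssm-document-worker", "image": "/bin/sh",
     "cmdline": "sh -c " + _script_path("i-0aaa111bbb222ccc3", "11111111-1111-4111-8111-111111111111")},
    {"ts": "2025-03-02T14:12:47Z", "instance_id": "i-0aaa111bbb222ccc3",
     "parent_image": "/usr/bin/ssm-document-worker", "image": "/bin/sh",
     "cmdline": "sh -c " + _script_path("i-0aaa111bbb222ccc3", "22222222-2222-4222-8222-222222222222")},
    # Agent-driven execution that no control-plane record accounts for.
    {"ts": "2025-03-02T09:41:03Z", "instance_id": "i-0ddd444eee555fff6",
     "parent_image": "/usr/bin/ssm-document-worker", "image": "/bin/sh",
     "cmdline": "sh -c " + _script_path("i-0ddd444eee555fff6", "44444444-4444-4444-8444-444444444444")},
]

CMD_ID_RE = re.compile(r"/orchestration/([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})/")


def parse_ts(s):
    """Parse the Z-suffixed UTC timestamps used by both constructed sources."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def principal_key(arn):
    """Reduce an ARN to 'role/<name>' or 'user/<name>' so the session name on an
    assumed-role ARN cannot slip past the allowlist."""
    parts = arn.split(":", 5)[-1].split("/")
    if parts[0] == "assumed-role":
        return "role/" + parts[1]
    return "/".join(parts[:2])


def in_maintenance_window(ts, window):
    start, end = window
    return start <= ts.hour < end


def host_command_id(event):
    """Extract the SSM command ID from the staged script path, if present."""
    m = CMD_ID_RE.search(event["cmdline"])
    return m.group(1) if m else None


def correlate(cloudtrail, host_events, allowed, window, max_lag=timedelta(minutes=15)):
    """Return {command_id: [anomaly, ...]}. An empty list means the command came from
    an allowed principal, inside the window, and materialised on every target."""
    host_by_cmd = {}
    for ev in host_events:
        cid = host_command_id(ev)
        if cid:
            host_by_cmd.setdefault(cid, []).append(ev)
    findings, seen = {}, set()
    for rec in cloudtrail:
        if (rec.get("eventSource"), rec.get("eventName")) != ("ssm.amazonaws.com", "SendCommand"):
            continue
        cid = rec["responseElements"]["command"]["commandId"]
        seen.add(cid)
        issued = parse_ts(rec["eventTime"])
        flags = []
        if principal_key(rec["userIdentity"]["arn"]) not in allowed:
            flags.append("unexpected_principal")
        if not in_maintenance_window(issued, window):
            flags.append("outside_maintenance_window")
        for inst in rec["requestParameters"]["instanceIds"]:
            # Host evidence must be on the targeted instance and shortly after issue.
            if not any(ev["instance_id"] == inst and timedelta(0) <= parse_ts(ev["ts"]) - issued <= max_lag
                       for ev in host_by_cmd.get(cid, [])):
                flags.append(f"no_host_evidence:{inst}")
        findings[cid] = flags
    # Host execution with no control-plane record: a logging gap or an unmonitored path.
    for cid in host_by_cmd:
        if cid not in seen:
            findings[cid] = ["host_execution_without_control_plane_record"]
    return findings


if __name__ == "__main__":
    print(json.dumps(correlate(CLOUDTRAIL, HOST_EVENTS, ALLOWED_PRINCIPALS, MAINT_WINDOW_UTC), indent=2))
```

The join is on the command ID rather than on time alone because several commands can target the same instance within a few seconds, and a time-only join would attribute one command's process tree to another. The `no_host_evidence` class is the blind spot the detection direction warns about: the control plane says a command was issued, but nothing in guest telemetry confirms it ran, which points at missing agent or EDR coverage on that VM rather than at a benign event.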

Mitigation priorities

  • Establish clear ownership and approved use cases for cloud-native VM command services.
  • Restrict administrative command permissions to expected users and service accounts using least privilege.
  • Define and enforce maintenance windows or change-management expectations where operationally feasible.
  • Maintain VM-level logging sufficient to validate process or script execution resulting from cloud control-plane actions.
  • Review service accounts used for administration and remove or rotate unused or poorly governed access.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic for IaaS environments. It provides a strong monitoring concept but no formal detection query, no tactic mapping, and no relationship context. The most useful implementation work is validating cross-plane visibility between cloud administration events and VM guest execution telemetry.

This take is limited to the official fields provided. No active exploitation, adversary attribution, specific ATT&CK technique relationship, or guaranteed detection coverage is implied. Effectiveness depends on the organization’s cloud provider logging, VM telemetry, identity governance, and maintenance-process data.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 3f5e229ee6243a29...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 3f5e229ee624…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN1502 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.