MITRE ATT&CK® Detection Strategy

DET0211: Detection of Direct VM Console Access via Cloud-Native Methods

Enterprise | DET0211 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0211 is a detection strategy for spotting direct access to cloud-hosted virtual machines through cloud-native console or connection features. Its business significance is that an adversary with valid cloud credentials may bypass traditional network access paths and move laterally into IaaS workloads through provider APIs or interactive VM access methods. This makes identity, cloud control-plane logging, and incident response readiness central to coverage.

Executive priority

Prioritize this as a cloud resilience and identity governance question: can the organization prove who used native VM access features, from where, against which instances, and under what authorization? Leaders should ask whether SOC and IR teams have usable audit evidence for cloud-native VM connections, because gaps can weaken lateral-movement investigations, access reviews, compliance evidence, and containment decisions in IaaS environments.

Technical view

This detection strategy is linked to ATT&CK technique T1021.008, Direct Cloud VM Connections, under lateral movement for IaaS. Because the official detection text and platforms for DET0211 are not provided, teams should validate coverage against the related technique context: adversaries may use valid accounts and cloud APIs to access cloud-hosted compute infrastructure through native interactive connection methods. SOC and detection engineers should focus on cloud control-plane events, identity authentication/authorization activity, and provider-native VM connection or console session records rather than relying only on network perimeter or endpoint telemetry.

Likely telemetry

  • Cloud control-plane/API audit logs for VM connection or console access events
  • Identity and access management authentication logs, role assumption, privilege use, and authorization decisions
  • Provider-native interactive VM session or console records, where available
  • Cloud compute instance metadata and target VM identifiers associated with access events
  • Endpoint or guest OS login/session logs on the accessed VM, where collected

Detection direction

  • Confirm that cloud audit logging captures native VM console or direct connection activity for IaaS resources, not just standard SSH/RDP network access.
  • Correlate VM access events with identity context: account, role, source location, time, target instance, and whether the access pattern is expected for the user or workload owner.
  • Tune detections around unusual use of cloud-native VM access methods, first-time use by an identity, access outside maintenance windows, or access to sensitive instances; validate locally to avoid false positives from administrators, break-glass operations, or support workflows.
  • Do not assume endpoint or network monitoring alone will see this behavior, since the related technique emphasizes cloud-native methods and Cloud API-driven access.
  • Use the relationship to T1021.008 to connect alerts to lateral-movement investigation playbooks and valid-account compromise hypotheses.
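The detection direction above, run over a few constructed cloud audit records as an added example (this is not MITRE or Glexia code). Because the page names no provider or event names, the example assumes an AWS CloudTrail-like record layout and treats EC2 Instance Connect (SendSSHPublicKey, SendSerialConsoleSSHPublicKey) and SSM Session Manager (StartSession) as the cloud-native access paths to watch; the baseline of known identities, the maintenance window and the sensitive-instance list are local inputs you would derive from your own environment. All records, ARNs, IPs and instance IDs are constructed.

```python
"""Triage of cloud-native VM access events against identity context.

Added example for this page, not MITRE or Glexia code. Assumes an AWS
CloudTrail-like record shape; other providers log different event names.
All records, identities and instance IDs below are constructed.
"""
from datetime import datetime, time

# (eventSource, eventName) pairs treated as cloud-native VM access.
# Assumed set for this example; extend it for the features you enable.
NATIVE_VM_ACCESS_EVENTS = {
    ("ec2-instance-connect.amazonaws.com", "SendSSHPublicKey"),
    ("ec2-instance-connect.amazonaws.com", "SendSerialConsoleSSHPublicKey"),
    ("ssm.amazonaws.com", "StartSession"),
}


def target_instance(record):
    """Return the target VM ID from the request parameters, if present."""
    params = record.get("requestParameters") or {}
    # Instance Connect names the VM 'instanceId'; StartSession names it 'target'.
    return params.get("instanceId") or params.get("target")


def analyze(records, known_identities, sensitive_instances,
            maintenance=(time(2, 0), time(4, 0))):
    """Flag native VM access that is unexpected for the identity or target.

    known_identities:    principals already baselined as users of these methods
    sensitive_instances: VM IDs whose interactive access always warrants review
    maintenance:         approved (start, end) UTC window for routine admin access
    Returns one finding dict per flagged record, in time order.
    """
    seen = set(known_identities)
    findings = []
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        if (rec.get("eventSource"), rec.get("eventName")) not in NATIVE_VM_ACCESS_EVENTS:
            continue  # not a native VM access path; out of scope here
        identity = rec.get("userIdentity", {}).get("arn", "unknown")
        instance = target_instance(rec)
        at = datetime.fromisoformat(rec["eventTime"].replace("Z", "+00:00")).time()
        reasons = []
        if identity not in seen:
            reasons.append("first use of native VM access by identity")
        if not (maintenance[0] <= at <= maintenance[1]):
            reasons.append("outside maintenance window")
        if instance in sensitive_instances:
            reasons.append("sensitive instance")
        if rec.get("errorCode"):
            # A denied attempt still shows intent against the target; keep it.
            reasons.append("access attempt denied: " + rec["errorCode"])
        seen.add(identity)  # later events from this identity are no longer "first use"
        if reasons:
            findings.append({
                "time": rec["eventTime"],
                "identity": identity,
                "source_ip": rec.get("sourceIPAddress"),
                "event": rec["eventName"],
                "instance": instance,
                "reasons": reasons,
            })
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T02:30:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "StartSession", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/OpsAdmin/alice"},
     "requestParameters": {"target": "i-0aaa111"}},
    {"eventTime": "2024-05-01T14:05:00Z", "eventSource": "ec2-instance-connect.amazonaws.com",
     "eventName": "SendSSHPublicKey", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-bob"},
     "requestParameters": {"instanceId": "i-0bbb222", "instanceOSUser": "ec2-user"}},
    {"eventTime": "2024-05-01T14:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-bob"},
     "requestParameters": {}},
    {"eventTime": "2024-05-01T14:07:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "StartSession", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-bob"},
     "requestParameters": {"target": "i-0ccc333"}, "errorCode": "AccessDeniedException"},
]
KNOWN_IDENTITIES = {"arn:aws:sts::111122223333:assumed-role/OpsAdmin/alice"}
SENSITIVE_INSTANCES = {"i-0ccc333"}

if __name__ == "__main__":
    for f in analyze(SAMPLE_RECORDS, KNOWN_IDENTITIES, SENSITIVE_INSTANCES):
        print(f["time"], f["identity"], f["source_ip"], f["event"], f["instance"], "; ".join(f["reasons"]))
```

The in-window session by the baselined OpsAdmin role produces nothing, while the contractor's first Instance Connect use and the denied StartSession against a sensitive instance both surface with their reasons attached, which is the identity-plus-target context the investigation playbook needs. Build `known_identities` from your own audit history rather than a hand-written list, and feed the denied attempts into the same valid-account compromise hypothesis as the successes.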

Mitigation priorities

  • Inventory which cloud-native VM console or direct connection features are enabled and who is authorized to use them.
  • Apply least-privilege access controls for native VM access methods and review privileged roles that can initiate sessions through cloud APIs.
  • Require strong identity controls for accounts able to access IaaS instances, including appropriate authentication and monitored privileged access processes.
  • Ensure cloud audit logs and relevant VM/session logs are retained, centralized, and available to SOC and IR teams.
  • Document approved administrative use cases so detections can distinguish expected maintenance from suspicious lateral-movement behavior.

Analyst notes and limits

The supplied ATT&CK object is a detection strategy with no official description or detection text. The practical guidance above is derived from the object name and its relationship to T1021.008, Direct Cloud VM Connections, whose supplied context references valid accounts, Cloud API use, and cloud-native interactive access to cloud-hosted compute infrastructure.

Coverage and exact event names depend on the cloud provider, logging configuration, enabled VM access features, and local identity model. The object itself does not specify tactics, platforms, detection analytics, mitigations, or data sources, so organizations must validate telemetry and detections in their own IaaS environments.

Official MITRE ATT&CK definition

Detection of Direct VM Console Access via Cloud-Native Methods

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID         Name                         Relationship / procedure
Enterprise  T1021.008  Direct Cloud VM Connections  Sub-technique. This object detects Direct Cloud VM Connections.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 06d6e71990c83aba...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1     -                1.0             -         Current bundle  06d6e71990c8…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: DET0211

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.