T1021.008: Direct Cloud VM Connections

Direct Cloud VM Connections matters because it turns cloud control-plane access into hands-on access to virtual machines. If an adversary has valid credentials, tokens, passwords, or SSH keys, cloud-native features such as Azure Serial Console, AWS EC2 Instance Connect, or AWS Systems Manager may provide direct interactive access to IaaS hosts, sometimes with root or SYSTEM-level privileges. For leaders, this is a lateral movement risk that sits between identity security, cloud administration, and incident response readiness.

Executive priority

Prioritize this as a cloud resilience and privileged-access governance issue. Security leaders should ask whether only approved administrators can use direct VM console methods, whether those actions are logged and reviewable, and whether unnecessary cloud-native connection features are disabled. This technique can materially affect incident scoping because activity may look like legitimate cloud administration through valid accounts rather than traditional network remote access.

Technical view

SOC, cloud security, and IR teams should validate visibility for cloud-native interactive VM access on IaaS platforms. Focus on events for Azure Serial Console, AWS EC2 Instance Connect, and AWS Systems Manager-style access where applicable. Because ATT&CK lists no official detection text for this object, detection engineering should use the related DET0211 strategy as a starting point and tune for direct console/session access performed by valid accounts, especially when the account, target VM, timing, or privilege level does not match expected administration patterns. Distinguish these sessions from cloud administration command execution behavior referenced separately by ATT&CK as T1651.

Likely telemetry

Cloud control-plane audit logs for interactive VM connection features
Identity and access management authentication and authorization logs
Session records for cloud-native VM access services such as serial console, instance connect, or systems management sessions
VM host login/session evidence where available
Records of SSH key, password, or application access token use tied to cloud VM access

Detection direction

Inventory which cloud-native direct VM connection methods are enabled across IaaS accounts, subscriptions, projects, and regions.
Alert or review direct VM console/session access by unexpected users, service principals, access tokens, SSH keys, or accounts outside approved administrative workflows.
Correlate VM console access with valid-account activity and lateral movement investigations under Remote Services behavior.
Tune for false positives from legitimate break-glass administration, maintenance, and incident response activity by requiring approved change, ticket, or emergency-access context where available.
Check for blind spots where cloud audit logs are not retained, session logs are not centralized, or host logs do not capture cloud-native console entry clearly.

Mitigation priorities

Apply User Account Management controls: enforce least privilege, remove stale accounts, and tightly govern who can initiate direct VM console connections.
Disable or remove unnecessary cloud-native VM access features where they are not required for operations.
Limit privileged use of passwords, application access tokens, and SSH keys associated with direct VM access.
Define approved administrative paths for emergency console access and require evidence that use is authorized and reviewable.
Include direct cloud VM connection events in incident response playbooks for cloud lateral movement investigations.

Analyst notes and limits

This object is a sub-technique of T1021 Remote Services and is scoped to IaaS lateral movement. The supplied relationships identify User Account Management and disabling/removing unnecessary features as relevant mitigations, and DET0211 as a related detection strategy. The most important defensive decision is whether cloud-native console paths are governed like privileged remote access rather than treated as routine cloud administration.

MITRE provides no official detection text for this object in the supplied fields, and the DET0211 relationship does not include detailed detection logic here. Actual coverage depends on the cloud provider, enabled services, identity configuration, log retention, and whether session-level and host-level evidence is collected locally.

Official MITRE ATT&CK definition

Direct Cloud VM Connections

Adversaries may leverage Valid Accounts to log directly into accessible cloud hosted compute infrastructure through cloud native methods. Many cloud providers offer interactive connections to virtual infrastructure that can be accessed through the Cloud API, such as Azure Serial Console[1], AWS EC2 Instance Connect[2][3], and AWS System Manager.[4].

Methods of authentication for these connections can include passwords, application access tokens, or SSH keys. These cloud native methods may, by default, allow for privileged access on the host with SYSTEM or root level access.

Adversaries may utilize these cloud native methods to directly access virtual infrastructure and pivot through an environment.[5] These connections typically provide direct console access to the VM rather than the execution of scripts (i.e., Cloud Administration Command).

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Filter related techniques 1 rows

Domain	ID	Name	Relationship / procedure
Enterprise	T1021	Remote Services	This object subtechnique of Remote Services.

Relationship explorer

All related ATT&CK context

mitigates · Mitigation M1018: User Account Management Enterprise detects · Detection Strategy DET0211: Detection of Direct VM Console Access via Cloud-Native Methods Enterprise mitigates · Mitigation M1042: Disable or Remove Feature or Program Enterprise subtechnique of · Technique T1021: Remote Services Enterprise

Mitigations

Mitigation direction

M1018: User Account Management

User Account Management involves implementing and enforcing policies for the lifecycle of user accounts, including creation, modification, and deactivation. Proper account management reduces the attack surface by limiting unauthorized access, managing account privileges, and ensuring accounts are used according to organizational policies. This mitigation can be implemented through the following measures:

Enforcing the Principle of Least Privilege

- Implementation: Assign users only the minimum permissions required to perform their job functions. Regularly audit accounts to ensure no excess permissions are granted. - Use Case: Reduces the risk of privilege escalation by ensuring accounts cannot perform unauthorized actions.

Implementing Strong Password Policies

- Implementation: Enforce password complexity requirements (e.g., length, character types). Require password expiration every 90 days and disallow password reuse. - Use Case: Prevents adversaries from gaining unauthorized access through password guessing or brute force attacks.

Managing Dormant and Orphaned Accounts

- Implementation: Implement automated workflows to disable accounts after a set period of inactivity (e.g., 30 days). Remove orphaned accounts (e.g., accounts without an assigned owner) during regular account audits. - Use Case: Eliminates dormant accounts that could be exploited by attackers.

Account Lockout Policies

- Implementation: Configure account lockout thresholds (e.g., lock accounts after five failed login attempts). Set lockout durations to a minimum of 15 minutes. - Use Case: Mitigates automated attack techniques that rely on repeated login attempts.

Multi-Factor Authentication (MFA) for High-Risk Accounts

- Implementation: Require MFA for all administrative accounts and high-risk users. Use MFA mechanisms like hardware tokens, authenticator apps, or biometrics. - Use Case: Prevents unauthorized access, even if credentials are stolen.

Restricting Interactive Logins

- Implementation: Restrict interactive logins for privileged accounts to specific secure systems or management consoles. Use group policies to enforce logon restrictions. - Use Case: Protects sensitive accounts from misuse or exploitation.

*Tools for Implementation*

Built-in Tools:

- Microsoft Active Directory (AD): Centralized account management and RBAC enforcement. - Group Policy Object (GPO): Enforce password policies, logon restrictions, and account lockout policies.

Identity and Access Management (IAM) Tools:

- Okta: Centralized user provisioning, MFA, and SSO integration. - Microsoft Azure Active Directory: Provides advanced account lifecycle management, role-based access, and conditional access policies.

Privileged Account Management (PAM): - CyberArk, BeyondTrust, Thycotic: Manage and monitor privileged account usage, enforce session recording, and JIT access.

M1042: Disable or Remove Feature or Program

Disable or remove unnecessary and potentially vulnerable software, features, or services to reduce the attack surface and prevent abuse by adversaries. This involves identifying software or features that are no longer needed or that could be exploited and ensuring they are either removed or properly disabled. This mitigation can be implemented through the following measures:

Remove Legacy Software:

- Use Case: Disable or remove older versions of software that no longer receive updates or security patches (e.g., legacy Java, Adobe Flash). - Implementation: A company removes Flash Player from all employee systems after it has reached its end-of-life date.

Disable Unused Features:

- Use Case: Turn off unnecessary operating system features like SMBv1, Telnet, or RDP if they are not required. - Implementation: Disable SMBv1 in a Windows environment to mitigate vulnerabilities like EternalBlue.

Control Applications Installed by Users:

- Use Case: Prevent users from installing unauthorized software via group policies or other management tools. - Implementation: Block user installations of unauthorized file-sharing applications (e.g., BitTorrent clients) in an enterprise environment.

Remove Unnecessary Services:

- Use Case: Identify and disable unnecessary default services running on endpoints, servers, or network devices. - Implementation: Disable unused administrative shares (e.g., C$, ADMIN$) on workstations.

Restrict Add-ons and Plugins:

- Use Case: Remove or disable browser plugins and add-ons that are not needed for business purposes. - Implementation: Disable Java and ActiveX plugins in web browsers to prevent drive-by attacks.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: Jun 2, 2023, 15:27 UTC (UTC+00:00)
Modified: Apr 15, 2025, 22:18 UTC (UTC+00:00)
Raw hash: 5f25aba1e2a8bf9a...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.0	Apr 15, 2025, 22:18 UTC (UTC+00:00)	Current bundle	`5f25aba1e2a8…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
Azure Serial Console

Microsoft. (2022, October 17). Azure Serial Console. Retrieved June 2, 2023.
Open source URL
[2]
EC2 Instance Connect

AWS. (2023, June 2). Connect using EC2 Instance Connect. Retrieved June 2, 2023.
Open source URL
[3]
lucr-3: Getting SaaS-y in the cloud

Ian Ahl. (2023, September 20). LUCR-3: Scattered Spider Getting SaaS-y In The Cloud. Retrieved September 20, 2023.
Open source URL
[4]
AWS System Manager

AWS. (2023, June 2). What is AWS System Manager?. Retrieved June 2, 2023.
Open source URL
[5]
SIM Swapping and Abuse of the Microsoft Azure Serial Console

Mandiant Intelligence. (2023, May 16). SIM Swapping and Abuse of the Microsoft Azure Serial Console: Serial Is Part of a Well Balanced Attack. Retrieved June 2, 2023.
Open source URL
[6]
mitre-attack T1021.008
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams