LoFP LoFP / system or platform administrators may legitimately use the serial console to troubleshoot a vm that is unreachable over the network (boot failures, misconfigured firewall/nsg, lost ssh/rdp access). the first connection per identity and source asn will alert; baseline expected break-glass principals and their corporate/vpn networks and exclude them if verified as authorized.

Techniques

Sample rules

Azure VM Serial Console Connection with Unusual User and ASN

Description

Identifies a connection to the Azure Serial Console of a virtual machine (VM) by an identity and source network combination that has not been observed recently. The Serial Console provides text-based console access to a VM through the boot diagnostics serial port, independent of the VM’s network state. Because it does not traverse the VM’s network interface, a Serial Console session bypasses Network Security Groups (NSGs), Just-in-Time (JIT) access policies, and other network controls. An adversary with a privileged Azure RBAC role (for example Virtual Machine Contributor) and boot diagnostics enabled on the target can use the Serial Console to obtain an interactive session as SYSTEM (Windows) or root (Linux).

Detection logic

data_stream.dataset:azure.activitylogs and
  azure.activitylogs.operation_name:"MICROSOFT.SERIALCONSOLE/SERIALPORTS/CONNECT/ACTION" and
  event.outcome:("success" or "Success") and
  azure.activitylogs.identity.authorization.evidence.principal_id:* and
  source.as.number:*