Techniques
Sample rules
Azure VM Serial Console Connection with Unusual User and ASN
- source: elastic
- technicques:
- T1021
- T1078
Description
Identifies a connection to the Azure Serial Console of a virtual machine (VM) by an identity and source network combination that has not been observed recently. The Serial Console provides text-based console access to a VM through the boot diagnostics serial port, independent of the VM’s network state. Because it does not traverse the VM’s network interface, a Serial Console session bypasses Network Security Groups (NSGs), Just-in-Time (JIT) access policies, and other network controls. An adversary with a privileged Azure RBAC role (for example Virtual Machine Contributor) and boot diagnostics enabled on the target can use the Serial Console to obtain an interactive session as SYSTEM (Windows) or root (Linux).
Detection logic
data_stream.dataset:azure.activitylogs and
azure.activitylogs.operation_name:"MICROSOFT.SERIALCONSOLE/SERIALPORTS/CONNECT/ACTION" and
event.outcome:("success" or "Success") and
azure.activitylogs.identity.authorization.evidence.principal_id:* and
source.as.number:*