MITRE ATT&CK Technique
Description
Adversaries may leverage [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log directly into accessible cloud hosted compute infrastructure through cloud native methods. Many cloud providers offer interactive connections to virtual infrastructure that can be accessed through the [Cloud API](https://attack.mitre.org/techniques/T1059/009), such as Azure Serial Console(Citation: Azure Serial Console), AWS EC2 Instance Connect(Citation: EC2 Instance Connect)(Citation: lucr-3: Getting SaaS-y in the cloud), and AWS System Manager.(Citation: AWS System Manager). Methods of authentication for these connections can include passwords, application access tokens, or SSH keys. These cloud native methods may, by default, allow for privileged access on the host with SYSTEM or root level access. Adversaries may utilize these cloud native methods to directly access virtual infrastructure and pivot through an environment.(Citation: SIM Swapping and Abuse of the Microsoft Azure Serial Console) These connections typically provide direct console access to the VM rather than the execution of scripts (i.e., [Cloud Administration Command](https://attack.mitre.org/techniques/T1651)).
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2023-06-02T15:27:55.412Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may leverage [Valid '
'Accounts](https://attack.mitre.org/techniques/T1078) to log '
'directly into accessible cloud hosted compute infrastructure '
'through cloud native methods. Many cloud providers offer '
'interactive connections to virtual infrastructure that can be '
'accessed through the [Cloud '
'API](https://attack.mitre.org/techniques/T1059/009), such as '
'Azure Serial Console(Citation: Azure Serial Console), AWS EC2 '
'Instance Connect(Citation: EC2 Instance Connect)(Citation: '
'lucr-3: Getting SaaS-y in the cloud), and AWS System '
'Manager.(Citation: AWS System Manager).\n'
'\n'
'Methods of authentication for these connections can include '
'passwords, application access tokens, or SSH keys. These '
'cloud native methods may, by default, allow for privileged '
'access on the host with SYSTEM or root level access. \n'
'\n'
'Adversaries may utilize these cloud native methods to '
'directly access virtual infrastructure and pivot through an '
'environment.(Citation: SIM Swapping and Abuse of the '
'Microsoft Azure Serial Console) These connections typically '
'provide direct console access to the VM rather than the '
'execution of scripts (i.e., [Cloud Administration '
'Command](https://attack.mitre.org/techniques/T1651)).',
'external_references': [{'external_id': 'T1021.008',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1021/008'},
{'description': 'AWS. (2023, June 2). Connect using '
'EC2 Instance Connect. Retrieved June '
'2, 2023.',
'source_name': 'EC2 Instance Connect',
'url': 'https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-connect-methods.html'},
{'description': 'AWS. (2023, June 2). What is AWS '
'System Manager?. Retrieved June 2, '
'2023.',
'source_name': 'AWS System Manager',
'url': 'https://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html'},
{'description': 'Ian Ahl. (2023, September 20). '
'LUCR-3: Scattered Spider Getting '
'SaaS-y In The Cloud. Retrieved '
'September 20, 2023.',
'source_name': 'lucr-3: Getting SaaS-y in the cloud',
'url': 'https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud'},
{'description': 'Mandiant Intelligence. (2023, May '
'16). SIM Swapping and Abuse of the '
'Microsoft Azure Serial Console: '
'Serial Is Part of a Well Balanced '
'Attack. Retrieved June 2, 2023.',
'source_name': 'SIM Swapping and Abuse of the '
'Microsoft Azure Serial Console',
'url': 'https://www.mandiant.com/resources/blog/sim-swapping-abuse-azure-serial'},
{'description': 'Microsoft. (2022, October 17). Azure '
'Serial Console. Retrieved June 2, '
'2023.',
'source_name': 'Azure Serial Console',
'url': 'https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-overview'}],
'id': 'attack-pattern--45241b9e-9bbc-4826-a2cc-78855e51ca09',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'lateral-movement'}],
'modified': '2025-04-15T22:18:53.305Z',
'name': 'Direct Cloud VM Connections',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Thanabodi Phrakhun, @naikordian'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['IaaS'],
'x_mitre_version': '1.0'}