Azure VM Serial Console Connection with Unusual User and ASN

Identifies a connection to the Azure Serial Console of a virtual machine (VM) by an identity and source network combination that has not been observed recently. The Serial Console provides text-based console access to a VM through the boot diagnostics serial port, independent of the VM's network state. Because it does not traverse the VM's network interface, a Serial Console session bypasses Network Security Groups (NSGs), Just-in-Time (JIT) access policies, and other network controls. An adversary with a privileged Azure RBAC role (for example Virtual Machine Contributor) and boot diagnostics enabled on the target can use the Serial Console to obtain an interactive session as SYSTEM (Windows) or root (Linux).

Elastic rule

[metadata]
creation_date = "2026/06/07"
integration = ["azure"]
maturity = "production"
updated_date = "2026/06/07"

[rule]
author = ["Elastic"]
description = """
Identifies a connection to the Azure Serial Console of a virtual machine (VM) by an identity and source network
combination that has not been observed recently. The Serial Console provides text-based console access to a VM through
the boot diagnostics serial port, independent of the VM's network state. Because it does not traverse the VM's network
interface, a Serial Console session bypasses Network Security Groups (NSGs), Just-in-Time (JIT) access policies, and
other network controls. An adversary with a privileged Azure RBAC role (for example Virtual Machine Contributor) and
boot diagnostics enabled on the target can use the Serial Console to obtain an interactive session as SYSTEM (Windows)
or root (Linux).
"""
false_positives = [
    """
    System or platform administrators may legitimately use the Serial Console to troubleshoot a VM that is unreachable
    over the network (boot failures, misconfigured firewall/NSG, lost SSH/RDP access). The first connection per
    identity and source ASN will alert; baseline expected break-glass principals and their corporate/VPN networks and
    exclude them if verified as authorized.
    """,
]
from = "now-9m"
index = ["logs-azure.activitylogs-*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure VM Serial Console Connection with Unusual User and ASN"
note = """## Triage and analysis

### Investigating Azure VM Serial Console Connection with Unusual User and ASN

The Azure Serial Console gives text-based console access to a VM over the boot diagnostics serial port. It works even
when the VM has no inbound network connectivity, so a session bypasses NSGs, JIT, and other network controls. This rule
flags successful `MICROSOFT.SERIALCONSOLE/SERIALPORTS/CONNECT/ACTION` operations where the combination of acting
principal and source ASN has not been seen in the history window.

This rule uses a new terms approach keyed on the acting principal and source ASN, so it surfaces a
known identity connecting from an unusual network as well as any new identity using the Serial Console.

### Triage checklist

- Identify the caller via `azure.activitylogs.identity.authorization.evidence.principal_id` and
  `azure.activitylogs.identity.authorization.evidence.principal_type` (User vs ServicePrincipal). Service principal
  Serial Console access is unusual and warrants scrutiny.
- Review `source.as.organization.name`, `source.as.number`, and `source.geo.country_name` - is the network a known
  corporate/VPN ASN or an unexpected hosting/residential provider?
- Was the connect preceded by reconnaissance, role assignment changes, or Run Command / extension activity on the same VM?
- Were there preceding failed Serial Console connect attempts (`event.outcome:failure`) suggesting access probing?
- Does the target VM normally require Serial Console access, or is it a production system that should be reachable over
  the network?

### Possible investigation steps

- Review `azure.resource.id` to identify the VM and confirm boot diagnostics is enabled.
- Correlate with Entra ID sign-in logs for the caller and review MFA / conditional access posture.
- Pivot on the VM for endpoint telemetry around the connect timestamp (interactive shell, new local accounts, credential
  access) since Serial Console sessions execute as SYSTEM/root.
- Review the principal's RBAC role assignments on the subscription, resource group, and VM.

### Response and remediation

- If unauthorized, terminate the session, rotate credentials reachable from the VM, and review RBAC on the affected scope.
- Consider disabling the subscription-level Serial Console where it is not operationally required.
- Isolate the VM and collect endpoint and activity log artifacts per incident procedures.
"""
references = [
    "https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-overview",
    "https://blog.pwnedlabs.io/diving-deep-into-azure-vm-attack-vectors",
    "https://www.netspi.com/blog/technical-blog/adversary-simulation/7-ways-to-execute-command-on-azure-virtual-machine-virtual-machine-scale-sets/",
]
risk_score = 47
rule_id = "97266eb4-b8c3-4e3e-9417-7d0ace6b3dfe"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: Azure",
    "Data Source: Azure Activity Logs",
    "Use Case: Threat Detection",
    "Tactic: Lateral Movement",
    "Tactic: Defense Evasion",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
data_stream.dataset:azure.activitylogs and
  azure.activitylogs.operation_name:"MICROSOFT.SERIALCONSOLE/SERIALPORTS/CONNECT/ACTION" and
  event.outcome:("success" or "Success") and
  azure.activitylogs.identity.authorization.evidence.principal_id:* and
  source.as.number:*
'''

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "event.outcome",
    "azure.activitylogs.operation_name",
    "azure.activitylogs.identity.authorization.evidence.principal_id",
    "azure.activitylogs.identity.authorization.evidence.principal_type",
    "azure.activitylogs.identity.claims_initiated_by_user.name",
    "azure.resource.id",
    "azure.resource.name",
    "source.ip",
    "source.as.number",
    "source.as.organization.name",
    "source.geo.country_name",
    "azure.subscription_id",
    "azure.activitylogs.tenant_id",
]

[rule.new_terms]
field = "new_terms_fields"
value = [
    "azure.activitylogs.identity.authorization.evidence.principal_id",
    "source.as.number",
]

[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"

[[rule.threat.technique.subtechnique]]
id = "T1021.008"
name = "Direct Cloud VM Connections"
reference = "https://attack.mitre.org/techniques/T1021/008/"

[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
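The following is an added example, not part of the Elastic rule or its repository: it replays constructed Azure activity log records through a Python approximation of the rule's KQL filter and its new-terms logic keyed on (principal_id, source ASN) with a 7-day history window, so a detection engineer can see which records alert and which are filtered out. Field names are the rule's own; the principal ids, ASNs and VM name are placeholders.

```python
from datetime import datetime, timedelta, timezone

OPERATION = "MICROSOFT.SERIALCONSOLE/SERIALPORTS/CONNECT/ACTION"
PRINCIPAL = "azure.activitylogs.identity.authorization.evidence.principal_id"
HISTORY_WINDOW = timedelta(days=7)  # mirrors history_window_start = "now-7d"

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def matches_query(ev):
    """Python equivalent of the rule's KQL filter over a flattened activity log event."""
    return (ev.get("data_stream.dataset") == "azure.activitylogs"
            and ev.get("azure.activitylogs.operation_name") == OPERATION
            and ev.get("event.outcome") in ("success", "Success")
            and ev.get(PRINCIPAL) is not None
            and ev.get("source.as.number") is not None)

def new_terms_alerts(events, window=HISTORY_WINDOW):
    """Replay events in time order and alert on a (principal_id, source ASN) pair
    that has not been seen within `window` (approximation of Elastic new_terms)."""
    last_seen = {}
    alerts = []
    for ev in sorted(filter(matches_query, events), key=lambda e: parse_ts(e["@timestamp"])):
        ts = parse_ts(ev["@timestamp"])
        key = (ev[PRINCIPAL], ev["source.as.number"])
        prev = last_seen.get(key)
        if prev is None or ts - prev > window:
            alerts.append({"@timestamp": ev["@timestamp"], "principal_id": key[0],
                           "source.as.number": key[1], "vm": ev.get("azure.resource.name")})
        last_seen[key] = ts
    return alerts

def event(ts, principal, asn, outcome="Success", vm="vm-prod-01", op=OPERATION):
    # Constructed sample record using the flattened field names the rule queries.
    return {"@timestamp": ts, "data_stream.dataset": "azure.activitylogs",
            "azure.activitylogs.operation_name": op, "event.outcome": outcome,
            PRINCIPAL: principal, "source.as.number": asn, "azure.resource.name": vm}

# Constructed sample data: principal ids and ASNs are placeholders, not real identities.
SAMPLE_EVENTS = [
    event("2026-06-01T09:00:00Z", "ops-admin", 64500),                     # first sighting -> alert
    event("2026-06-03T10:00:00Z", "ops-admin", 64500),                     # same pair within 7d -> no alert
    event("2026-06-05T11:00:00Z", "ops-admin", 64500, outcome="Failure"),  # failed connect -> filtered out
    event("2026-06-05T11:05:00Z", "ops-admin", 64501),                     # known user, new ASN -> alert
    event("2026-06-06T12:00:00Z", "svc-deploy", 64501),                    # new principal -> alert
    event("2026-06-06T12:01:00Z", "svc-deploy", 64501,
          op="MICROSOFT.COMPUTE/VIRTUALMACHINES/START/ACTION"),            # other operation -> ignored
]
```

Calling `new_terms_alerts(SAMPLE_EVENTS)` yields three alerts: the baseline first sighting, the known admin from a new ASN, and the new service principal; the failed connect is a candidate for the "access probing" triage check but never alerts on its own.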
