EXPLORE
← Back to Explore
elasticmediumTTP

Azure VM Serial Console Connection with Unusual User and ASN

Identifies a connection to the Azure Serial Console of a virtual machine (VM) by an identity and source network combination that has not been observed recently. The Serial Console provides text-based console access to a VM through the boot diagnostics serial port, independent of the VM's network state. Because it does not traverse the VM's network interface, a Serial Console session bypasses Network Security Groups (NSGs), Just-in-Time (JIT) access policies, and other network controls. An adversary with a privileged Azure RBAC role (for example Virtual Machine Contributor) and boot diagnostics enabled on the target can use the Serial Console to obtain an interactive session as SYSTEM (Windows) or root (Linux).

MITRE ATT&CK

lateral-movementinitial-access

Detection Query

data_stream.dataset:azure.activitylogs and
  azure.activitylogs.operation_name:"MICROSOFT.SERIALCONSOLE/SERIALPORTS/CONNECT/ACTION" and
  event.outcome:("success" or "Success") and
  azure.activitylogs.identity.authorization.evidence.principal_id:* and
  source.as.number:*

Author

Elastic

Created

2026/06/07

Data Sources

AzureAzure Activity Logslogs-azure.activitylogs-*

Tags

Domain: CloudData Source: AzureData Source: Azure Activity LogsUse Case: Threat DetectionTactic: Lateral MovementTactic: Defense EvasionResources: Investigation Guide
Raw Content
[metadata]
creation_date = "2026/06/07"
integration = ["azure"]
maturity = "production"
updated_date = "2026/06/07"

[rule]
author = ["Elastic"]
description = """
Identifies a connection to the Azure Serial Console of a virtual machine (VM) by an identity and source network
combination that has not been observed recently. The Serial Console provides text-based console access to a VM through
the boot diagnostics serial port, independent of the VM's network state. Because it does not traverse the VM's network
interface, a Serial Console session bypasses Network Security Groups (NSGs), Just-in-Time (JIT) access policies, and
other network controls. An adversary with a privileged Azure RBAC role (for example Virtual Machine Contributor) and
boot diagnostics enabled on the target can use the Serial Console to obtain an interactive session as SYSTEM (Windows)
or root (Linux).
"""
false_positives = [
    """
    System or platform administrators may legitimately use the Serial Console to troubleshoot a VM that is unreachable
    over the network (boot failures, misconfigured firewall/NSG, lost SSH/RDP access). The first connection per
    identity and source ASN will alert; baseline expected break-glass principals and their corporate/VPN networks and
    exclude them if verified as authorized.
    """,
]
from = "now-9m"
index = ["logs-azure.activitylogs-*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure VM Serial Console Connection with Unusual User and ASN"
note = """## Triage and analysis

### Investigating Azure VM Serial Console Connection with Unusual User and ASN

The Azure Serial Console gives text-based console access to a VM over the boot diagnostics serial port. It works even
when the VM has no inbound network connectivity, so a session bypasses NSGs, JIT, and other network controls. This rule
flags successful `MICROSOFT.SERIALCONSOLE/SERIALPORTS/CONNECT/ACTION` operations where the combination of acting
principal and source ASN has not been seen in the history window.

This rule uses a new terms approach keyed on the acting principal and source ASN, so it surfaces a
known identity connecting from an unusual network as well as any new identity using the Serial Console.

### Triage checklist

- Identify the caller via `azure.activitylogs.identity.authorization.evidence.principal_id` and
  `azure.activitylogs.identity.authorization.evidence.principal_type` (User vs ServicePrincipal). Service principal
  Serial Console access is unusual and warrants scrutiny.
- Review `source.as.organization.name`, `source.as.number`, and `source.geo.country_name` - is the network a known
  corporate/VPN ASN or an unexpected hosting/residential provider?
- Was the connect preceded by reconnaissance, role assignment changes, or Run Command / extension activity on the same VM?
- Were there preceding failed Serial Console connect attempts (`event.outcome:failure`) suggesting access probing?
- Does the target VM normally require Serial Console access, or is it a production system that should be reachable over
  the network?

### Possible investigation steps

- Review `azure.resource.id` to identify the VM and confirm boot diagnostics is enabled.
- Correlate with Entra ID sign-in logs for the caller and review MFA / conditional access posture.
- Pivot on the VM for endpoint telemetry around the connect timestamp (interactive shell, new local accounts, credential
  access) since Serial Console sessions execute as SYSTEM/root.
- Review the principal's RBAC role assignments on the subscription, resource group, and VM.

### Response and remediation

- If unauthorized, terminate the session, rotate credentials reachable from the VM, and review RBAC on the affected scope.
- Consider disabling the subscription-level Serial Console where it is not operationally required.
- Isolate the VM and collect endpoint and activity log artifacts per incident procedures.
"""
references = [
    "https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-overview",
    "https://blog.pwnedlabs.io/diving-deep-into-azure-vm-attack-vectors",
    "https://www.netspi.com/blog/technical-blog/adversary-simulation/7-ways-to-execute-command-on-azure-virtual-machine-virtual-machine-scale-sets/",
]
risk_score = 47
rule_id = "97266eb4-b8c3-4e3e-9417-7d0ace6b3dfe"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: Azure",
    "Data Source: Azure Activity Logs",
    "Use Case: Threat Detection",
    "Tactic: Lateral Movement",
    "Tactic: Defense Evasion",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
data_stream.dataset:azure.activitylogs and
  azure.activitylogs.operation_name:"MICROSOFT.SERIALCONSOLE/SERIALPORTS/CONNECT/ACTION" and
  event.outcome:("success" or "Success") and
  azure.activitylogs.identity.authorization.evidence.principal_id:* and
  source.as.number:*
'''

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "event.outcome",
    "azure.activitylogs.operation_name",
    "azure.activitylogs.identity.authorization.evidence.principal_id",
    "azure.activitylogs.identity.authorization.evidence.principal_type",
    "azure.activitylogs.identity.claims_initiated_by_user.name",
    "azure.resource.id",
    "azure.resource.name",
    "source.ip",
    "source.as.number",
    "source.as.organization.name",
    "source.geo.country_name",
    "azure.subscription_id",
    "azure.activitylogs.tenant_id",
]

[rule.new_terms]
field = "new_terms_fields"
value = [
    "azure.activitylogs.identity.authorization.evidence.principal_id",
    "source.as.number",
]

[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"

[[rule.threat.technique.subtechnique]]
id = "T1021.008"
name = "Direct Cloud VM Connections"
reference = "https://attack.mitre.org/techniques/T1021/008/"

[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"