← Back to Explore
elasticmediumTTP
Azure VM Serial Console Connection with Unusual User and ASN
Identifies a connection to the Azure Serial Console of a virtual machine (VM) by an identity and source network combination that has not been observed recently. The Serial Console provides text-based console access to a VM through the boot diagnostics serial port, independent of the VM's network state. Because it does not traverse the VM's network interface, a Serial Console session bypasses Network Security Groups (NSGs), Just-in-Time (JIT) access policies, and other network controls. An adversary with a privileged Azure RBAC role (for example Virtual Machine Contributor) and boot diagnostics enabled on the target can use the Serial Console to obtain an interactive session as SYSTEM (Windows) or root (Linux).
Detection Query
data_stream.dataset:azure.activitylogs and
azure.activitylogs.operation_name:"MICROSOFT.SERIALCONSOLE/SERIALPORTS/CONNECT/ACTION" and
event.outcome:("success" or "Success") and
azure.activitylogs.identity.authorization.evidence.principal_id:* and
source.as.number:*
Author
Elastic
Created
2026/06/07
Data Sources
AzureAzure Activity Logslogs-azure.activitylogs-*
References
- https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-overview
- https://blog.pwnedlabs.io/diving-deep-into-azure-vm-attack-vectors
- https://www.netspi.com/blog/technical-blog/adversary-simulation/7-ways-to-execute-command-on-azure-virtual-machine-virtual-machine-scale-sets/
Tags
Domain: CloudData Source: AzureData Source: Azure Activity LogsUse Case: Threat DetectionTactic: Lateral MovementTactic: Defense EvasionResources: Investigation Guide
Raw Content
[metadata]
creation_date = "2026/06/07"
integration = ["azure"]
maturity = "production"
updated_date = "2026/06/07"
[rule]
author = ["Elastic"]
description = """
Identifies a connection to the Azure Serial Console of a virtual machine (VM) by an identity and source network
combination that has not been observed recently. The Serial Console provides text-based console access to a VM through
the boot diagnostics serial port, independent of the VM's network state. Because it does not traverse the VM's network
interface, a Serial Console session bypasses Network Security Groups (NSGs), Just-in-Time (JIT) access policies, and
other network controls. An adversary with a privileged Azure RBAC role (for example Virtual Machine Contributor) and
boot diagnostics enabled on the target can use the Serial Console to obtain an interactive session as SYSTEM (Windows)
or root (Linux).
"""
false_positives = [
"""
System or platform administrators may legitimately use the Serial Console to troubleshoot a VM that is unreachable
over the network (boot failures, misconfigured firewall/NSG, lost SSH/RDP access). The first connection per
identity and source ASN will alert; baseline expected break-glass principals and their corporate/VPN networks and
exclude them if verified as authorized.
""",
]
from = "now-9m"
index = ["logs-azure.activitylogs-*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure VM Serial Console Connection with Unusual User and ASN"
note = """## Triage and analysis
### Investigating Azure VM Serial Console Connection with Unusual User and ASN
The Azure Serial Console gives text-based console access to a VM over the boot diagnostics serial port. It works even
when the VM has no inbound network connectivity, so a session bypasses NSGs, JIT, and other network controls. This rule
flags successful `MICROSOFT.SERIALCONSOLE/SERIALPORTS/CONNECT/ACTION` operations where the combination of acting
principal and source ASN has not been seen in the history window.
This rule uses a new terms approach keyed on the acting principal and source ASN, so it surfaces a
known identity connecting from an unusual network as well as any new identity using the Serial Console.
### Triage checklist
- Identify the caller via `azure.activitylogs.identity.authorization.evidence.principal_id` and
`azure.activitylogs.identity.authorization.evidence.principal_type` (User vs ServicePrincipal). Service principal
Serial Console access is unusual and warrants scrutiny.
- Review `source.as.organization.name`, `source.as.number`, and `source.geo.country_name` - is the network a known
corporate/VPN ASN or an unexpected hosting/residential provider?
- Was the connect preceded by reconnaissance, role assignment changes, or Run Command / extension activity on the same VM?
- Were there preceding failed Serial Console connect attempts (`event.outcome:failure`) suggesting access probing?
- Does the target VM normally require Serial Console access, or is it a production system that should be reachable over
the network?
### Possible investigation steps
- Review `azure.resource.id` to identify the VM and confirm boot diagnostics is enabled.
- Correlate with Entra ID sign-in logs for the caller and review MFA / conditional access posture.
- Pivot on the VM for endpoint telemetry around the connect timestamp (interactive shell, new local accounts, credential
access) since Serial Console sessions execute as SYSTEM/root.
- Review the principal's RBAC role assignments on the subscription, resource group, and VM.
### Response and remediation
- If unauthorized, terminate the session, rotate credentials reachable from the VM, and review RBAC on the affected scope.
- Consider disabling the subscription-level Serial Console where it is not operationally required.
- Isolate the VM and collect endpoint and activity log artifacts per incident procedures.
"""
references = [
"https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-overview",
"https://blog.pwnedlabs.io/diving-deep-into-azure-vm-attack-vectors",
"https://www.netspi.com/blog/technical-blog/adversary-simulation/7-ways-to-execute-command-on-azure-virtual-machine-virtual-machine-scale-sets/",
]
risk_score = 47
rule_id = "97266eb4-b8c3-4e3e-9417-7d0ace6b3dfe"
severity = "medium"
tags = [
"Domain: Cloud",
"Data Source: Azure",
"Data Source: Azure Activity Logs",
"Use Case: Threat Detection",
"Tactic: Lateral Movement",
"Tactic: Defense Evasion",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
data_stream.dataset:azure.activitylogs and
azure.activitylogs.operation_name:"MICROSOFT.SERIALCONSOLE/SERIALPORTS/CONNECT/ACTION" and
event.outcome:("success" or "Success") and
azure.activitylogs.identity.authorization.evidence.principal_id:* and
source.as.number:*
'''
[rule.investigation_fields]
field_names = [
"@timestamp",
"event.outcome",
"azure.activitylogs.operation_name",
"azure.activitylogs.identity.authorization.evidence.principal_id",
"azure.activitylogs.identity.authorization.evidence.principal_type",
"azure.activitylogs.identity.claims_initiated_by_user.name",
"azure.resource.id",
"azure.resource.name",
"source.ip",
"source.as.number",
"source.as.organization.name",
"source.geo.country_name",
"azure.subscription_id",
"azure.activitylogs.tenant_id",
]
[rule.new_terms]
field = "new_terms_fields"
value = [
"azure.activitylogs.identity.authorization.evidence.principal_id",
"source.as.number",
]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
[[rule.threat.technique.subtechnique]]
id = "T1021.008"
name = "Direct Cloud VM Connections"
reference = "https://attack.mitre.org/techniques/T1021/008/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"