EnableSerialConsoleAccess
Event
Enables the EC2 Serial Console at the account level, allowing direct serial port access to instances for troubleshooting.
Security Context
- Execution capabilities in cloud services can be abused to run malicious code, establish C2 channels, or perform reconnaissance.
- Using remote services for lateral movement allows adversaries to pivot between systems while leveraging legitimate access mechanisms.
Log Source
CloudTrail
Sample Event
MITRE ATT&CK Mapping
Tactics: Lateral Movement, Execution
Techniques:
- T1021 — Remote Services — Adversaries may use Valid Accounts to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.
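A detection sketch for this event over CloudTrail records, added here as an example and not part of the original page. The sample records, account ID, principals and IP addresses are constructed, and the function name `find_serial_console_enablement` is hypothetical. Failed attempts are reported alongside successful ones, since a denied call still shows who tried to change the setting.

```python
import json

# Constructed CloudTrail log content (sample data, not taken from the page).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "EnableSerialConsoleAccess", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/example-admin"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "EnableSerialConsoleAccess", "awsRegion": "eu-west-1",
     "sourceIPAddress": "198.51.100.20",
     "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/example-role/session"}},
    {"eventTime": "2024-01-01T10:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/example-admin"}},
]})


def find_serial_console_enablement(log_text):
    """Return one finding per EnableSerialConsoleAccess call in a CloudTrail log."""
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != "ec2.amazonaws.com":
            continue
        if rec.get("eventName") != "EnableSerialConsoleAccess":
            continue
        identity = rec.get("userIdentity", {})
        error = rec.get("errorCode")  # present only when the call did not succeed
        findings.append({
            "time": rec.get("eventTime"),
            "region": rec.get("awsRegion"),
            "principal": identity.get("arn") or identity.get("type", "unknown"),
            "source_ip": rec.get("sourceIPAddress"),
            "outcome": "failed" if error else "enabled",
            "error": error,
        })
    return findings


if __name__ == "__main__":
    for finding in find_serial_console_enablement(SAMPLE_LOG):
        print(json.dumps(finding))
```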