Microsoft.SerialConsole/serialPorts/connect/action

CSP: Azure

Event

Connects to the serial console of an Azure VM, providing low-level access without requiring network connectivity.

Security Context

  • Execution capabilities in cloud services can be abused to run malicious code, establish C2 channels, or perform reconnaissance.
  • Using remote services for lateral movement allows adversaries to pivot between systems while leveraging legitimate access mechanisms.

Log Source

Azure Activity Log

Sample Event

MITRE ATT&CK Mapping

Tactics: Lateral Movement, Execution

Techniques:
  • T1021 — Remote Services — Adversaries may use Valid Accounts to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.
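
One way to check Azure Activity Log records for this operation, as an added example that is not part of the original page: it matches the operation name case-insensitively, accepts `operationName` and `status` either as a string or as a `{"value": ...}` object, and marks callers outside an allowlist. The field names (`caller`, `eventTimestamp`, `resourceId`, `status`), the `expected_callers` allowlist and the sample records are assumptions constructed for illustration; adjust them to the shape your log export uses.

```python
# Operation name from the page, lower-cased for case-insensitive matching.
SERIAL_CONNECT = "microsoft.serialconsole/serialports/connect/action"

def _value(field):
    """Unwrap {"value": ...} objects; pass plain strings through."""
    if isinstance(field, dict):
        return field.get("value") or ""
    return field or ""

def serial_console_connects(records, expected_callers=()):
    """Return one finding per record that logs a serial console connect.

    expected_callers is a hypothetical allowlist of principals whose
    serial console use is anticipated (e.g. break-glass operators).
    """
    allowed = {c.lower() for c in expected_callers}
    findings = []
    for rec in records:
        if _value(rec.get("operationName")).lower() != SERIAL_CONNECT:
            continue
        caller = rec.get("caller") or ""
        findings.append({
            "time": rec.get("eventTimestamp") or "",
            "caller": caller,
            "resource": rec.get("resourceId") or "",
            "status": _value(rec.get("status")),
            "unexpected": caller.lower() not in allowed,
        })
    return findings

# Constructed sample records, not real log data; <sub-id> is a placeholder.
_VM = "/subscriptions/<sub-id>/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/"
SAMPLE = [
    {"eventTimestamp": "2024-01-01T10:00:00Z", "caller": "ops@example.com",
     "operationName": {"value": "Microsoft.SerialConsole/serialPorts/connect/action"},
     "status": {"value": "Succeeded"},
     "resourceId": _VM + "vm1/providers/Microsoft.SerialConsole/serialPorts/0"},
    {"eventTimestamp": "2024-01-01T11:00:00Z", "caller": "dev@example.com",
     "operationName": "MICROSOFT.SERIALCONSOLE/SERIALPORTS/CONNECT/ACTION",
     "status": "Succeeded",
     "resourceId": _VM + "vm2/providers/Microsoft.SerialConsole/serialPorts/0"},
    {"eventTimestamp": "2024-01-01T12:00:00Z", "caller": "dev@example.com",
     "operationName": {"value": "Microsoft.Compute/virtualMachines/start/action"},
     "status": {"value": "Succeeded"}, "resourceId": _VM + "vm2"},
]

if __name__ == "__main__":
    for f in serial_console_connects(SAMPLE, expected_callers=["ops@example.com"]):
        print(f)
```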