Skip to content

Microsoft.SerialConsole/serialPorts/connect/action

Azure

Microsoft.SerialConsole/serialPorts/connect/action

service: Azure - Compute
techniques:

Event

Connects to the serial console of an Azure VM, providing low-level access without requiring network connectivity.

Security Context

  • Execution capabilities in cloud services can be abused to run malicious code, establish C2 channels, or perform reconnaissance.
  • Using remote services for lateral movement allows adversaries to pivot between systems while leveraging legitimate access mechanisms.

Log Source

Azure Activity Log

Sample Event

Adversarial. draco@fantasticlogs.cloud opens a Serial Console session to vm-demiguise-infer-001. Because Serial Console authenticates via ARM (not the VM’s network stack), the attacker bypasses any NSG/firewall restrictions on the VM. With the VM’s default password (or a sysadmin’s stored password) the attacker now has interactive low-level shell access — used for execution (T1059) and lateral-movement (T1021) per the project mapping.

{
"authorization": {
"action": "Microsoft.SerialConsole/serialPorts/connect/action",
"scope": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Compute/virtualMachines/vm-demiguise-infer-001/providers/Microsoft.SerialConsole/serialPorts/0"
},
"caller": "draco@fantasticlogs.cloud",
"channels": "Operation",
"claims": {
"appid": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c",
"ipaddr": "203.0.113.66",
"name": "Draco Malfoy",
"http://schemas.microsoft.com/identity/claims/objectidentifier": "30000000-0000-4000-8000-001010011010",
"puid": "1003200000000666",
"http://schemas.microsoft.com/identity/claims/tenantid": "10000000-0000-4000-8000-000000000001",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "draco@fantasticlogs.cloud",
"http://schemas.microsoft.com/identity/claims/wids": "e8611ab8-c189-46e8-94e1-60213ab1f814",
"uti": "serial217ExampleUtid01",
"ver": "1.0"
},
"correlationId": "90000000-0000-4000-8000-000100110000",
"description": "",
"eventDataId": "90000000-0000-4000-8000-000100110001",
"eventName": {
"value": "EndRequest",
"localizedValue": "End request"
},
"category": {
"value": "Administrative",
"localizedValue": "Administrative"
},
"eventTimestamp": "2026-04-15T18:55:42.1148707Z",
"id": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Compute/virtualMachines/vm-demiguise-infer-001/providers/Microsoft.SerialConsole/serialPorts/0/events/90000000-0000-4000-8000-000100110001/ticks/638798267421148707",
"level": "Informational",
"operationId": "90000000-0000-4000-8000-000100110010",
"operationName": {
"value": "Microsoft.SerialConsole/serialPorts/connect/action",
"localizedValue": "Connect to Serial Port"
},
"resourceGroupName": "rg-fantasticlogs-prod",
"resourceProviderName": {
"value": "Microsoft.SerialConsole",
"localizedValue": "Microsoft.SerialConsole"
},
"resourceType": {
"value": "Microsoft.SerialConsole/serialPorts",
"localizedValue": "Microsoft.SerialConsole/serialPorts"
},
"resourceId": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Compute/virtualMachines/vm-demiguise-infer-001/providers/Microsoft.SerialConsole/serialPorts/0",
"status": {
"value": "Succeeded",
"localizedValue": "Succeeded"
},
"subStatus": {
"value": "OK",
"localizedValue": "OK (HTTP Status Code: 200)"
},
"submissionTimestamp": "2026-04-15T18:55:42.7218194Z",
"subscriptionId": "20000000-0000-4000-8000-000000000001",
"tenantId": "10000000-0000-4000-8000-000000000001",
"properties": {
"statusCode": "OK",
"serviceRequestId": null,
"eventCategory": "Administrative",
"entity": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Compute/virtualMachines/vm-demiguise-infer-001/providers/Microsoft.SerialConsole/serialPorts/0",
"message": "Microsoft.SerialConsole/serialPorts/connect/action",
"hierarchy": "10000000-0000-4000-8000-000000000001/20000000-0000-4000-8000-000000000001"
},
"relatedEvents": []
}

MITRE ATT&CK Mapping

Tactics: Lateral Movement Execution

Techniques:
  • T1021 — Remote Services — Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.