Microsoft.SerialConsole/serialPorts/connect/action
Azure
Microsoft.SerialConsole/serialPorts/connect/action
Event
Connects to the serial console of an Azure VM, providing low-level access without requiring network connectivity.
Security Context
- Execution capabilities in cloud services can be abused to run malicious code, establish C2 channels, or perform reconnaissance.
- Using remote services for lateral movement allows adversaries to pivot between systems while leveraging legitimate access mechanisms.
Log Source
Azure Activity Log
Sample Event
Adversarial. draco@fantasticlogs.cloud opens a Serial Console session to vm-demiguise-infer-001. Because Serial Console authenticates via ARM (not the VM’s network stack), the attacker bypasses any NSG/firewall restrictions on the VM. With the VM’s default password (or a sysadmin’s stored password) the attacker now has interactive low-level shell access — used for execution (T1059) and lateral-movement (T1021) per the project mapping.
{ "authorization": { "action": "Microsoft.SerialConsole/serialPorts/connect/action", "scope": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Compute/virtualMachines/vm-demiguise-infer-001/providers/Microsoft.SerialConsole/serialPorts/0" }, "caller": "draco@fantasticlogs.cloud", "channels": "Operation", "claims": { "appid": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "ipaddr": "203.0.113.66", "name": "Draco Malfoy", "http://schemas.microsoft.com/identity/claims/objectidentifier": "30000000-0000-4000-8000-001010011010", "puid": "1003200000000666", "http://schemas.microsoft.com/identity/claims/tenantid": "10000000-0000-4000-8000-000000000001", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "draco@fantasticlogs.cloud", "http://schemas.microsoft.com/identity/claims/wids": "e8611ab8-c189-46e8-94e1-60213ab1f814", "uti": "serial217ExampleUtid01", "ver": "1.0" }, "correlationId": "90000000-0000-4000-8000-000100110000", "description": "", "eventDataId": "90000000-0000-4000-8000-000100110001", "eventName": { "value": "EndRequest", "localizedValue": "End request" }, "category": { "value": "Administrative", "localizedValue": "Administrative" }, "eventTimestamp": "2026-04-15T18:55:42.1148707Z", "id": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Compute/virtualMachines/vm-demiguise-infer-001/providers/Microsoft.SerialConsole/serialPorts/0/events/90000000-0000-4000-8000-000100110001/ticks/638798267421148707", "level": "Informational", "operationId": "90000000-0000-4000-8000-000100110010", "operationName": { "value": "Microsoft.SerialConsole/serialPorts/connect/action", "localizedValue": "Connect to Serial Port" }, "resourceGroupName": "rg-fantasticlogs-prod", "resourceProviderName": { "value": "Microsoft.SerialConsole", "localizedValue": "Microsoft.SerialConsole" }, "resourceType": { "value": "Microsoft.SerialConsole/serialPorts", "localizedValue": "Microsoft.SerialConsole/serialPorts" }, "resourceId": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Compute/virtualMachines/vm-demiguise-infer-001/providers/Microsoft.SerialConsole/serialPorts/0", "status": { "value": "Succeeded", "localizedValue": "Succeeded" }, "subStatus": { "value": "OK", "localizedValue": "OK (HTTP Status Code: 200)" }, "submissionTimestamp": "2026-04-15T18:55:42.7218194Z", "subscriptionId": "20000000-0000-4000-8000-000000000001", "tenantId": "10000000-0000-4000-8000-000000000001", "properties": { "statusCode": "OK", "serviceRequestId": null, "eventCategory": "Administrative", "entity": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Compute/virtualMachines/vm-demiguise-infer-001/providers/Microsoft.SerialConsole/serialPorts/0", "message": "Microsoft.SerialConsole/serialPorts/connect/action", "hierarchy": "10000000-0000-4000-8000-000000000001/20000000-0000-4000-8000-000000000001" }, "relatedEvents": []}MITRE ATT&CK Mapping
Tactics: Lateral Movement Execution
Techniques:
- T1021 — Remote Services — Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.