AWS AssumeRole
Returns temporary security credentials for assuming an IAM role. Allows an entity (user, service, or account) to act with the role's permissions.
Lateral Movement
Lateral Movement
Section titled “Lateral Movement”The adversary is trying to move through your environment.
Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target, then pivoting through multiple systems and accounts to gain access to it. Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier.
In cloud environments, lateral movement involves assuming roles across accounts, accessing shared resources, using SSH keys injected via metadata services, or pivoting through VPC peering connections. Adversaries may also move between cloud services (e.g., from a compromised EC2 instance to S3 or RDS) using the permissions of the compromised identity.
View Lateral Movement on MITRE ATT&CK →Events Related to Lateral Movement
Section titled “Events Related to Lateral Movement”AWS AssumeRoleWithSAML
Returns temporary credentials for a SAML-authenticated user to assume an IAM role, used in federated SSO scenarios.
AWS AssumeRoleWithWebIdentity
Returns temporary credentials for a user authenticated via an OIDC identity provider (e.g., Cognito, Google) to assume an IAM role.
GCP Compute.instances.setMetadata
Sets or updates instance-level metadata on a Compute Engine VM, which can include SSH keys or startup scripts.
GCP compute.projects.setCommonInstanceMetadata
Sets project-wide Compute Engine metadata, applied to all instances and commonly used to manage SSH keys.
AWS CreateKeyPair
Creates an EC2 key pair and returns the private key material, used for SSH authentication to EC2 instances.
AWS EnableSerialConsoleAccess
Enables the EC2 Serial Console at the account level, allowing direct serial port access to instances for troubleshooting.
AWS GetSigninToken
Generates a sign-in token used to construct a federation URL for single sign-on to the AWS Management Console.
GCP google.ssh-serialport.v1.connect
Establishes a serial console connection to a Compute Engine VM, providing low-level instance access.
GCP iam.serviceAccountKeys.implicitDelegation
Records a token exchange where a service account implicitly delegates its authority to another identity.
GCP iam.serviceAccounts.actAs
Records use of the actAs permission, where one identity impersonates and acts on behalf of a GCP service account.
AWS ImportKeyPair
Imports an existing RSA or ED25519 public key into EC2 for use as a key pair when launching instances.
Azure Microsoft.Compute/sshPublicKeys/write
Creates or updates an SSH public key resource in Azure, used to authenticate to Linux virtual machines.
Azure Microsoft.Compute/virtualMachines/runCommand/action
Executes a script or command on an Azure VM without requiring network-based access such as SSH or RDP.
Azure Microsoft.ContainerService/managedClusters/runCommand/action
Executes a command against an AKS cluster's Kubernetes API without requiring direct network connectivity to the API server.
Azure Microsoft.Network/networkSecurityGroups/securityRules/write
Creates or updates a security rule in an Azure Network Security Group, controlling inbound or outbound traffic.
Azure Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write
Creates or modifies a virtual network peering, enabling network connectivity for lateral movement across VNets.
Azure Microsoft.SerialConsole/serialPorts/connect/action
Connects to the serial console of an Azure VM, providing low-level access without requiring network connectivity.
AWS ResumeSession
Resumes a previously disconnected Systems Manager Session Manager session with a managed instance.
AWS SendCommand
Remotely executes a command or script on one or more managed instances via AWS Systems Manager Run Command.
AWS SendSerialConsoleSSHPublicKey
Pushes an SSH public key to an EC2 instance's serial console interface, enabling SSH access over the serial port.
AWS SendSSHPublicKey
Pushes a temporary SSH public key to an EC2 instance via EC2 Instance Connect, valid for 60 seconds.
AWS StartSession
Starts an interactive Systems Manager Session Manager session with a managed EC2 instance or on-premises server.
GCP users.importSshPublicKey
Imports an SSH public key into a user's GCP OS Login profile, enabling SSH access to Compute Engine instances.
GCP users.sshPublicKeys.patch
Updates an existing SSH public key in a user's GCP OS Login profile.