Cyberattack Bulletin: How Attackers Use Shodan & FOFA

Cyberattack Bulletin: How Attackers Use Shodan & FOFA

Vectra AI Japan、ITR発行の最新レポート内「NDR市場」にて国内トップシェアを獲得
詳細を見る
Hamburger icon top line
Hamburger icon middle line
Hamburger icon bottom line
Back to all detections

Azure Suspicious Serial Console Usage

Azure Suspicious Serial Console Usage
Overview
Possible Root Causes
Example Scenarios
Business Impact
Steps to Investigate
MITRE ATT&CK Techniques
Related Detections
FAQ

Detection overview

Triggers

  • The Serial Console is accessed by an unexpected or unauthorized user/service principal.
  • Unusual frequency of Serial Console connections in a short window.
  • Serial Console connections are made from an unusual location or IP address.

Possible Root Causes

  • Unauthorized Access: An attacker has gained access to a user account or service principal with Contributor or higher permissions and is using it to access the Serial Console on a virtual machine (VM) or virtual machine scale set (VMSS) instance.
  • Excessive Permissions: A user account or service principal has excessive privileges, allowing access to the Serial Console on VMs or VMSS instances they should not have access to.
  • Insider Threat: An authorized user is intentionally accessing the Serial Console for malicious purposes, such as data theft or system manipulation.
  • Misconfiguration: A legitimate user has accidentally configured their account or service principal with excessive permissions, allowing unnecessary access to the Serial Console.

Business Impact

  • Exposed sensitive data due to unauthorized access.
  • Security vulnerabilities exploited due to misconfigured permissions.
  • Unplanned changes to business logic or workflows.
  • Potential data breaches, unauthorized access to resources, disruption of critical business services, and reputational damage.

Steps to Verify

  • Investigate User Activity: Review the Azure Activity Logs for the suspicious Serial Console usage event, focusing on the user/service principal who accessed the console.
  • Verify Permissions: Investigate the user�s or service principal�s permissions and access levels within Azure to determine if they have excessive privileges.
  • Analyze Connection Parameters: Examine the parameters used in the Serial Console connection to identify potential security risks, such as data theft or system manipulation.
  • Consult with Azure Administrators: Work with Azure administrators, security teams, and relevant stakeholders to determine the cause and scope of the incident.
Azure Suspicious Serial Console Usage

Possible root causes

Malicious Detection

Benign Detection

Azure Suspicious Serial Console Usage

Example scenarios

Azure Suspicious Serial Console Usage

Business impact

If this detection indicates a genuine threat, the organization faces significant risks:

Azure Suspicious Serial Console Usage

Steps to investigate

Azure Suspicious Serial Console Usage

MITRE ATT&CK techniques covered

Cloud Administration Command

T1651
Azure Suspicious Serial Console Usage

Related detections

No items found.

See our detections in action

Our interactive demo provides a deep dive into the advanced capabilities of our cybersecurity platform, showcasing real-time detection, comprehensive analysis, and proactive threat mitigation.

Don't just read about the possibilities – experience them.

Launch the free tour
Ask for a custom demo

FAQs