Suspicious GCP API calls indicating Compute Engine serial port enabled
Description
AlphaSOC detected that interactive serial console access was enabled on a Google Cloud Compute Engine instance. The serial console is an out-of-band management channel for interactive access to an instance, commonly used to troubleshoot boot problems, debug unresponsive instances, and perform recovery. It is switched on by setting the serial-port-enable metadata key to TRUE (or 1) on the instance, or project-wide in common instance metadata. Enabling it unexpectedly may indicate an attacker establishing an alternative access method that survives the loss of their original foothold.
Impact
Serial console access provides an additional channel into an instance that is typically monitored less closely than SSH or RDP. Because console sessions terminate at Google's serial console service rather than at the instance's network interface, VPC firewall rules, IP allowlists and network-based monitoring do not apply to them. Attackers may enable this feature to operate through that less scrutinized path, potentially evading detection and retaining access even if network reachability to the instance is cut off.
Severity
| Severity | Condition |
|---|---|
| Informational | Serial port access enabled |
| Low | Serial port access enabled with anomalous patterns |
| Medium | Serial port access enabled in suspicious context |
Investigation and Remediation
Review the Cloud Audit Logs (Admin Activity) for the v1.compute.instances.setMetadata method, or v1.compute.projects.setCommonInstanceMetadata when the key was set project-wide, with serial-port-enable among the metadata keys added or modified. Identify the principal that enabled serial port access, the source IP and user agent of the API call, and verify whether the change was authorized for troubleshooting purposes. Note that an instance-level value overrides the project-level one, so check both scopes.

If unauthorized, immediately disable serial port access by removing the serial-port-enable key or setting it to FALSE at whichever scope it was set. Investigate any interactive serial console sessions during the exposure period, and review the instance for signs of compromise or unauthorized modification, including changes to SSH keys and startup scripts in the same metadata update. Where the serial console is not needed at all, enforce the compute.disableSerialPortAccess organization policy constraint so the key cannot be used to re-enable it.
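The detection logic described above, as an added example that is not AlphaSOC's own code. It classifies Compute Engine metadata-change audit log entries into "enabled", "disabled" or "modified" findings for the serial-port-enable key, at both instance and project scope. The log layout it reads (methodName, authenticationInfo and resourceName under protoPayload, the changed key names under protoPayload.metadata.instanceMetadataDelta, and the submitted key/value items under protoPayload.request.items) is an assumption about the Cloud Audit Logs format and should be checked against real entries before use; the sample entries are constructed for the example.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Audit-log method names for metadata changes (assumed; confirm in your own logs).
INSTANCE_SET_METADATA = "v1.compute.instances.setMetadata"
PROJECT_SET_METADATA = "v1.compute.projects.setCommonInstanceMetadata"
SERIAL_KEY = "serial-port-enable"
TRUE_VALUES = {"true", "1"}    # values Compute Engine treats as enabled
FALSE_VALUES = {"false", "0"}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    principal: str   # who made the change (protoPayload.authenticationInfo.principalEmail)
    resource: str    # instance or project path (protoPayload.resourceName)
    scope: str       # "instance" or "project"
    action: str      # "enabled", "disabled", or "modified" (key touched, value not in log)


def _submitted_value(payload: dict) -> Optional[str]:
    """Normalised serial-port-enable value from the submitted metadata body, if present."""
    for item in payload.get("request", {}).get("items", []) or []:
        if item.get("key") == SERIAL_KEY:
            return str(item.get("value", "")).strip().lower()
    return None


def classify_entry(entry: dict) -> Optional[Finding]:
    """Return a Finding if this audit entry changes serial-port-enable, else None."""
    payload = entry.get("protoPayload", {})
    method = payload.get("methodName", "")
    if method == INSTANCE_SET_METADATA:
        scope = "instance"
    elif method == PROJECT_SET_METADATA:
        scope = "project"
    else:
        return None  # not a metadata change at all

    # Key-level delta recorded by the audit log (assumed field names).
    delta = payload.get("metadata", {}).get("instanceMetadataDelta", {}) or {}
    deleted = set(delta.get("deletedMetadataKeys", []))
    touched = set(delta.get("addedMetadataKeys", [])) | set(delta.get("modifiedMetadataKeys", []))
    value = _submitted_value(payload)

    if SERIAL_KEY in deleted or value in FALSE_VALUES:
        action = "disabled"
    elif value in TRUE_VALUES:
        action = "enabled"
    elif SERIAL_KEY in touched:
        action = "modified"  # key changed but value not visible: still review it
    else:
        return None  # setMetadata call that never touched serial-port-enable

    return Finding(
        timestamp=entry.get("timestamp", ""),
        principal=payload.get("authenticationInfo", {}).get("principalEmail", "unknown"),
        resource=payload.get("resourceName", ""),
        scope=scope,
        action=action,
    )


def scan(entries: Iterable[dict]) -> List[Finding]:
    """Run the classifier over a stream of audit log entries, keeping only hits."""
    return [f for f in (classify_entry(e) for e in entries) if f is not None]


# Constructed sample entries (not real log data).
SAMPLE_ENTRIES = [
    {   # user enables the interactive serial console on one VM
        "timestamp": "2024-03-01T02:14:09Z",
        "protoPayload": {
            "methodName": INSTANCE_SET_METADATA,
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "resourceName": "projects/example-proj/zones/us-central1-a/instances/web-1",
            "request": {"items": [{"key": SERIAL_KEY, "value": "TRUE"}]},
            "metadata": {"instanceMetadataDelta": {"addedMetadataKeys": [SERIAL_KEY]}},
        },
    },
    {   # metadata change that only touches a startup script: no finding
        "timestamp": "2024-03-01T02:20:41Z",
        "protoPayload": {
            "methodName": INSTANCE_SET_METADATA,
            "authenticationInfo": {"principalEmail": "deploy@example-proj.iam.gserviceaccount.com"},
            "resourceName": "projects/example-proj/zones/us-central1-a/instances/web-1",
            "request": {"items": [{"key": "startup-script", "value": "#! /bin/bash\necho hi"}]},
            "metadata": {"instanceMetadataDelta": {"modifiedMetadataKeys": ["startup-script"]}},
        },
    },
    {   # the key is removed again: value absent, only the delta shows it
        "timestamp": "2024-03-01T03:05:12Z",
        "protoPayload": {
            "methodName": INSTANCE_SET_METADATA,
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "resourceName": "projects/example-proj/zones/us-central1-a/instances/web-1",
            "metadata": {"instanceMetadataDelta": {"deletedMetadataKeys": [SERIAL_KEY]}},
        },
    },
    {   # project-wide enable using the numeric form of the value
        "timestamp": "2024-03-02T11:47:55Z",
        "protoPayload": {
            "methodName": PROJECT_SET_METADATA,
            "authenticationInfo": {"principalEmail": "bob@example.com"},
            "resourceName": "projects/example-proj",
            "request": {"items": [{"key": SERIAL_KEY, "value": "1"}]},
        },
    },
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_ENTRIES):
        print(finding)
```

Treat "modified" findings with the same urgency as "enabled" ones: the audit log has confirmed the key changed, and the value should be read back from the instance or project metadata rather than assumed.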