GCP instance SSH key modified
Description
AlphaSOC detected modification of SSH keys on a specific GCP Compute Engine
instance via compute.instances.setMetadata. Instance-level SSH keys grant
access to the specific instance where they are configured.
Adversaries may add SSH keys to establish persistent backdoor access to compute instances. Unlike project-level keys, instance-level keys only affect a single instance, making this technique useful for targeted lateral movement or persistence.
Impact
Unauthorized SSH key addition provides attackers with persistent access to the targeted compute instance. This access persists across instance reboots and can be used for data theft, further lateral movement, or as a foothold for attacking other resources accessible from the instance.
Severity
| Severity | Condition |
|---|---|
| Informational | Unexpected action, ASN, user agent or region |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Review GCP audit logs for the compute.instances.setMetadata action with
ssh-keys metadata changes. Identify which SSH key was added and the principal
responsible.
If unauthorized, immediately remove the suspicious SSH key from the instance metadata. Review OS-level authentication logs for any access using the added key. Consider reimaging the instance if compromise is suspected. Rotate credentials for the identity that made the change and investigate their other activities.
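The audit-log triage described above, as an added example that is not AlphaSOC's own detection code: it picks out compute.instances.setMetadata calls whose request touches the ssh-keys item, extracts the instance and principal, and scores the severity table by counting unexpected properties. The two log entries are constructed, and the exact field layout under protoPayload is a simplified assumption of this example.

```python
import json

# Two constructed Cloud Audit Log entries (not real logs). The field layout
# under protoPayload is a simplified assumption made for this example.
SAMPLE_LOGS = [
    json.dumps({"protoPayload": {
        "methodName": "v1.compute.instances.setMetadata",
        "authenticationInfo": {"principalEmail": "dev@example.com"},
        "requestMetadata": {"callerIp": "203.0.113.7", "callerSuppliedUserAgent": "gcloud"},
        "resourceName": "projects/p/zones/us-central1-a/instances/web-1",
        "request": {"items": [
            {"key": "ssh-keys", "value": "alice:ssh-ed25519 AAAA-PLACEHOLDER alice"},
            {"key": "startup-script", "value": "#!/bin/sh\necho ok"}]}}}),
    # a setMetadata call that does not touch ssh-keys: must not produce a hit
    json.dumps({"protoPayload": {
        "methodName": "v1.compute.instances.setMetadata",
        "authenticationInfo": {"principalEmail": "ops@example.com"},
        "requestMetadata": {"callerIp": "198.51.100.4", "callerSuppliedUserAgent": "Terraform/1.5"},
        "resourceName": "projects/p/zones/us-central1-a/instances/db-1",
        "request": {"items": [{"key": "enable-oslogin", "value": "TRUE"}]}}}),
]
SEVERITY = {1: "Informational", 2: "Low", 3: "Medium"}


def find_ssh_key_changes(raw_lines):
    """One record per setMetadata call whose request carries an ssh-keys item:
    instance, principal, the key value, and caller IP / user agent for triage."""
    hits = []
    for line in raw_lines:
        p = json.loads(line).get("protoPayload", {})
        if not p.get("methodName", "").endswith("compute.instances.setMetadata"):
            continue
        items = p.get("request", {}).get("items", [])
        keys = [i.get("value", "") for i in items if i.get("key") == "ssh-keys"]
        if not keys:
            continue
        rm = p.get("requestMetadata", {})
        hits.append({"instance": p["resourceName"].rsplit("/", 1)[-1],
                     "principal": p["authenticationInfo"]["principalEmail"],
                     "ssh_keys": keys[0], "caller_ip": rm.get("callerIp"),
                     "user_agent": rm.get("callerSuppliedUserAgent")})
    return hits


def severity(unexpected):
    """Map the set of unexpected properties (action, asn, user_agent, region)
    to the severity table; an empty set means no alert (None)."""
    return SEVERITY.get(min(len(unexpected), 3))  # assumption: 4 of 4 scores Medium
```

The caller IP and user agent in each hit are the inputs for the ASN, region and user-agent checks that feed the severity score.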