Unexpected GCP API calls indicating project SSH key modification
Description
AlphaSOC detected modification of SSH keys at the GCP project level via
compute.projects.setCommonInstanceMetadata. Project-level SSH keys grant
access to all Compute Engine instances in the project that don't explicitly
block project-wide SSH keys.
Adversaries may add SSH keys at the project level to establish persistent backdoor access to multiple instances simultaneously. This is a powerful persistence technique that provides broad access across the project.
Impact
Project-level SSH keys provide access to all instances that accept project-wide keys. Attackers can use this to access multiple instances without modifying each individually. This access persists across instance reboots and new instance creation, providing long-term persistent access to compute resources.
Severity
| Severity | Condition |
|---|---|
| Informational | Unexpected action, ASN, user agent or region |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Review GCP audit logs for the compute.projects.setCommonInstanceMetadata
action with ssh-keys metadata changes. Identify which SSH key was added and
the principal responsible.
If unauthorized, immediately remove the suspicious SSH key from project metadata. Review OS-level authentication logs on all instances for access using the added key. Consider reimaging compromised instances. Rotate credentials for the identity that made the change.
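The following is an added example, not AlphaSOC code, showing how the investigation steps above and the severity table can be applied to Admin Activity audit log entries: it picks out compute.projects.setCommonInstanceMetadata calls that carry an ssh-keys item, diffs the submitted key list against the previous project state so the added key and the responsible principal are identified, and scores each change by counting unexpected properties (action, ASN, user agent, region) per principal. The log entries, key material, baselines and the `enrichment` sub-object (ASN and country for the caller IP, which the audit log itself does not contain) are all constructed for the example; the field paths follow the general shape of GCP audit log entries (protoPayload.methodName, authenticationInfo, requestMetadata, request.items).

```python
TARGET_METHOD = "v1.compute.projects.setCommonInstanceMetadata"
PROPERTIES = ("action", "asn", "user_agent", "region")

# Constructed key material (not real public keys). ssh-keys metadata lines are
# "USERNAME:KEY [comment]".
ALICE_KEY = "alice:ssh-ed25519 AAAA-EXAMPLE-ALICE alice"
BOB_KEY = "bob:ssh-ed25519 AAAA-EXAMPLE-BOB bob"
OPS_KEY = "ops:ssh-rsa AAAA-EXAMPLE-OPS ops"


def make_entry(principal, ip, user_agent, asn, country, method, items):
    """Build a minimal audit-log entry in the shape the functions below expect."""
    return {
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
        "protoPayload": {
            "methodName": method,
            "authenticationInfo": {"principalEmail": principal},
            "requestMetadata": {"callerIp": ip, "callerSuppliedUserAgent": user_agent},
            "request": {"items": items},
        },
        "enrichment": {"asn": asn, "country": country},  # assumed GeoIP/ASN lookup
    }


# Constructed sample: an expected admin change, an instance-level call that must
# be ignored, and a service account pushing an extra key with an unusual client.
SAMPLE_ENTRIES = [
    make_entry("admin@example.com", "198.51.100.10", "google-cloud-sdk gcloud/470.0.0",
               "AS64496", "US", TARGET_METHOD,
               [{"key": "ssh-keys", "value": ALICE_KEY + "\n" + BOB_KEY}]),
    make_entry("admin@example.com", "198.51.100.10", "google-cloud-sdk gcloud/470.0.0",
               "AS64496", "US", "v1.compute.instances.setMetadata",
               [{"key": "startup-script", "value": "#! /bin/bash"}]),
    make_entry("ci-runner@example-project.iam.gserviceaccount.com", "203.0.113.7",
               "python-requests/2.31.0", "AS64500", "US", TARGET_METHOD,
               [{"key": "ssh-keys", "value": "\n".join([ALICE_KEY, BOB_KEY, OPS_KEY])}]),
]

# Per-principal baseline of previously seen values (constructed; in practice
# learned from historical audit-log activity).
BASELINE = {
    "admin@example.com": {
        "action": {TARGET_METHOD, "v1.compute.instances.setMetadata"},
        "asn": {"AS64496"}, "user_agent": {"google-cloud-sdk"}, "region": {"US"},
    },
    "ci-runner@example-project.iam.gserviceaccount.com": {
        "action": {"v1.compute.instances.list"},
        "asn": {"AS64496"}, "user_agent": {"google-api-python-client"}, "region": {"US"},
    },
}


def parse_ssh_keys(value):
    """Split an ssh-keys metadata value into the set of its non-empty lines."""
    return {line.strip() for line in value.splitlines() if line.strip()}


def ssh_keys_from_entry(entry):
    """Return the ssh-keys value submitted by a setCommonInstanceMetadata call,
    or None for other methods or calls that do not include ssh-keys."""
    payload = entry.get("protoPayload", {})
    if payload.get("methodName") != TARGET_METHOD:
        return None
    for item in payload.get("request", {}).get("items", []):
        if item.get("key") == "ssh-keys":
            return item.get("value", "")
    return None


def user_agent_family(user_agent):
    """Reduce 'google-cloud-sdk gcloud/470.0.0' to 'google-cloud-sdk' for matching."""
    return user_agent.split()[0].split("/")[0] if user_agent else ""


def unexpected_properties(entry, baseline):
    """Name the properties of this call the principal has not been seen with."""
    payload = entry["protoPayload"]
    profile = baseline.get(payload["authenticationInfo"]["principalEmail"], {})
    observed = {
        "action": payload["methodName"],
        "asn": entry["enrichment"]["asn"],
        "user_agent": user_agent_family(payload["requestMetadata"]["callerSuppliedUserAgent"]),
        "region": entry["enrichment"]["country"],
    }
    return [p for p in PROPERTIES if observed[p] not in profile.get(p, set())]


def severity_for(unexpected):
    """Map the number of unexpected properties onto the severity table."""
    count = len(unexpected)
    if count == 0:
        return None  # nothing anomalous about the call: no alert
    if count == 1:
        return "Informational"
    if count == 2:
        return "Low"
    return "Medium"  # three (or more) unexpected properties at once


def analyze(entries, known_keys, baseline):
    """Walk entries in order, tracking the project's ssh-keys state. Each
    setCommonInstanceMetadata call carries the complete key list (it replaces
    project metadata), so the diff is taken against the previous state."""
    current = set(known_keys)
    findings = []
    for entry in entries:
        value = ssh_keys_from_entry(entry)
        if value is None:
            continue
        new_keys = parse_ssh_keys(value)
        payload = entry["protoPayload"]
        unexpected = unexpected_properties(entry, baseline)
        findings.append({
            "principal": payload["authenticationInfo"]["principalEmail"],
            "caller_ip": payload["requestMetadata"]["callerIp"],
            "added": new_keys - current,
            "removed": current - new_keys,
            "unexpected": unexpected,
            "severity": severity_for(unexpected),
        })
        current = new_keys
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_ENTRIES, {ALICE_KEY}, BASELINE):
        print(finding)
```

Running the sample yields two findings: the admin's addition of bob's key with no unexpected properties (no alert), and the service account's addition of the ops key with an unexpected action, ASN and user agent, which the table scores as Medium. The `added` set of a finding is the key to remove from project metadata and to search for in OS-level authentication logs, and `principal` is the identity whose credentials need rotating.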