Persistence: GCE Admin Added SSH Key

This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.

Finding description

Description Actions

Description	Actions
The `ssh-keys` Compute Engine instance metadata key was changed on an established instance.	The Compute Engine instance metadata key `ssh-keys` was modified on an instance that was created more than seven days ago. Verify whether the change was done intentionally by a member, or if it was implemented by an adversary to introduce new access to your organization.	Check logs using the following filters: `protopayload.resource.labels.instance_id=INSTANCE_ID` `protoPayload.serviceName="compute.googleapis.com"` `(protoPayload.metadata.instanceMetaData.addedMetadataKey : "ssh-keys" OR protoPayload.metadata.instanceMetaData.modifiedMetadataKey : "ssh-keys" )` `logName="organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com%2Factivity` Replace the following: `INSTANCE_ID`: the `gceInstanceId` listed in the finding `ORGANIZATION_ID`: your organization ID
Research events that trigger this finding: MITRE: https://attack.mitre.org/techniques/T1098/004/

The ssh-keys Compute Engine instance metadata key was changed on an established instance.

The Compute Engine instance metadata key ssh-keys was modified on an instance that was created more than seven days ago. Verify whether the change was done intentionally by a member, or if it was implemented by an adversary to introduce new access to your organization.

Check logs using the following filters:

protopayload.resource.labels.instance_id=INSTANCE_ID

protoPayload.serviceName="compute.googleapis.com"

(protoPayload.metadata.instanceMetaData.addedMetadataKey : "ssh-keys" OR protoPayload.metadata.instanceMetaData.modifiedMetadataKey : "ssh-keys" )

logName="organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com%2Factivity

Replace the following:

INSTANCE_ID: the gceInstanceId listed in the finding
ORGANIZATION_ID: your organization ID

Research events that trigger this finding:

MITRE: https://attack.mitre.org/techniques/T1098/004/

What's next

Learn how to work with threat findings in Security Command Center.
Refer to the Threat findings index.
Learn how to review a finding through the Google Cloud console.
Learn about the services that generate threat findings.

Persistence: GCE Admin Added SSH Key Stay organized with collections Save and categorize content based on your preferences.

Finding description

What's next

Persistence: GCE Admin Added SSH Key