Skip to content

Microsoft.Compute/sshPublicKeys/write

Azure

Microsoft.Compute/sshPublicKeys/write

service: Azure - Compute
techniques:

Event

Creates or updates an SSH public key resource in Azure, used to authenticate to Linux virtual machines.

Security Context

  • Creating long-lived access keys or credentials provides persistent access that survives password resets and session revocations.
  • SSH-based lateral movement provides adversaries with interactive command-line access to other compute instances in the environment.

Log Source

Azure Activity Log

Sample Event

Adversarial. Compromised user draco@fantasticlogs.cloud creates an SSH public key resource named draco-ssh-666 in the production resource group. The intent is to subsequently inject this public key into Linux VMs (via Microsoft.Compute/virtualMachines/runCommand or extension write) so Draco can SSH into them with a private key only he holds. Maps to T1098.004 (SSH Authorized Keys) + T1021.004 (Remote Services: SSH).

{
"authorization": {
"action": "Microsoft.Compute/sshPublicKeys/write",
"scope": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Compute/sshPublicKeys/draco-ssh-666"
},
"caller": "draco@fantasticlogs.cloud",
"channels": "Operation",
"claims": {
"aud": "https://management.core.windows.net/",
"iss": "https://sts.windows.net/10000000-0000-4000-8000-000000000001/",
"appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
"ipaddr": "203.0.113.66",
"name": "Draco Malfoy",
"http://schemas.microsoft.com/identity/claims/objectidentifier": "30000000-0000-4000-8000-001010011010",
"http://schemas.microsoft.com/identity/claims/tenantid": "10000000-0000-4000-8000-000000000001",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "draco@fantasticlogs.cloud"
},
"correlationId": "90000000-0000-4000-8000-000010100100",
"description": "",
"eventDataId": "90000000-0000-4000-8000-000010100101",
"eventName": {
"value": "EndRequest",
"localizedValue": "End request"
},
"category": {
"value": "Administrative",
"localizedValue": "Administrative"
},
"eventTimestamp": "2026-04-15T21:54:08.5183194Z",
"id": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Compute/sshPublicKeys/draco-ssh-666/events/90000000-0000-4000-8000-000010100101/ticks/638798254485183194",
"level": "Informational",
"operationId": "90000000-0000-4000-8000-000010100110",
"operationName": {
"value": "Microsoft.Compute/sshPublicKeys/write",
"localizedValue": "Create or update an SSH public key resource"
},
"resourceGroupName": "rg-fantasticlogs-prod",
"resourceProviderName": {
"value": "Microsoft.Compute",
"localizedValue": "Microsoft.Compute"
},
"resourceType": {
"value": "Microsoft.Compute/sshPublicKeys",
"localizedValue": "Microsoft.Compute/sshPublicKeys"
},
"resourceId": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Compute/sshPublicKeys/draco-ssh-666",
"status": {
"value": "Succeeded",
"localizedValue": "Succeeded"
},
"subStatus": {
"value": "Created",
"localizedValue": "Created (HTTP Status Code: 201)"
},
"submissionTimestamp": "2026-04-15T21:54:09.0218732Z",
"subscriptionId": "20000000-0000-4000-8000-000000000001",
"tenantId": "10000000-0000-4000-8000-000000000001",
"properties": {
"statusCode": "Created",
"serviceRequestId": null,
"requestbody": "{\"location\":\"eastus\",\"properties\":{\"publicKey\":\"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDRACOEXAMPLEpubkeyfingerprintXXXXXXXXXXXXXXXXXXX draco@evilcorp.example\"}}",
"eventCategory": "Administrative",
"entity": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Compute/sshPublicKeys/draco-ssh-666",
"message": "Microsoft.Compute/sshPublicKeys/write",
"hierarchy": "10000000-0000-4000-8000-000000000001/20000000-0000-4000-8000-000000000001"
},
"relatedEvents": [],
"httpRequest": {
"clientRequestId": "90000000-0000-4000-8000-000010100111",
"clientIpAddress": "203.0.113.66",
"method": "PUT",
"url": "https://management.azure.com/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Compute/sshPublicKeys/draco-ssh-666?api-version=2024-03-01"
},
"identity": null
}

MITRE ATT&CK Mapping

Tactics: Persistence Lateral Movement

Techniques:
  • T1098.004 — SSH Authorized Keys — Adversaries may modify the SSH <code>authorized_keys</code> file to maintain persistence on a victim host. Linux distributions, macOS, and ESXi hypervisors commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The <code>authorized_keys</...
  • T1021.004 — SSH — Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.