Microsoft.Compute/sshPublicKeys/write
Azure
Microsoft.Compute/sshPublicKeys/write
Event
Creates or updates an SSH public key resource in Azure, used to authenticate to Linux virtual machines.
Security Context
- Creating long-lived access keys or credentials provides persistent access that survives password resets and session revocations.
- SSH-based lateral movement provides adversaries with interactive command-line access to other compute instances in the environment.
Log Source
Azure Activity Log
Sample Event
Adversarial. Compromised user draco@fantasticlogs.cloud creates an SSH public key resource named draco-ssh-666 in the production resource group. The intent is to subsequently inject this public key into Linux VMs (via Microsoft.Compute/virtualMachines/runCommand or extension write) so Draco can SSH into them with a private key only he holds. Maps to T1098.004 (SSH Authorized Keys) + T1021.004 (Remote Services: SSH).
{ "authorization": { "action": "Microsoft.Compute/sshPublicKeys/write", "scope": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Compute/sshPublicKeys/draco-ssh-666" }, "caller": "draco@fantasticlogs.cloud", "channels": "Operation", "claims": { "aud": "https://management.core.windows.net/", "iss": "https://sts.windows.net/10000000-0000-4000-8000-000000000001/", "appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "ipaddr": "203.0.113.66", "name": "Draco Malfoy", "http://schemas.microsoft.com/identity/claims/objectidentifier": "30000000-0000-4000-8000-001010011010", "http://schemas.microsoft.com/identity/claims/tenantid": "10000000-0000-4000-8000-000000000001", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "draco@fantasticlogs.cloud" }, "correlationId": "90000000-0000-4000-8000-000010100100", "description": "", "eventDataId": "90000000-0000-4000-8000-000010100101", "eventName": { "value": "EndRequest", "localizedValue": "End request" }, "category": { "value": "Administrative", "localizedValue": "Administrative" }, "eventTimestamp": "2026-04-15T21:54:08.5183194Z", "id": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Compute/sshPublicKeys/draco-ssh-666/events/90000000-0000-4000-8000-000010100101/ticks/638798254485183194", "level": "Informational", "operationId": "90000000-0000-4000-8000-000010100110", "operationName": { "value": "Microsoft.Compute/sshPublicKeys/write", "localizedValue": "Create or update an SSH public key resource" }, "resourceGroupName": "rg-fantasticlogs-prod", "resourceProviderName": { "value": "Microsoft.Compute", "localizedValue": "Microsoft.Compute" }, "resourceType": { "value": "Microsoft.Compute/sshPublicKeys", "localizedValue": "Microsoft.Compute/sshPublicKeys" }, "resourceId": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Compute/sshPublicKeys/draco-ssh-666", "status": { "value": "Succeeded", "localizedValue": "Succeeded" }, "subStatus": { "value": "Created", "localizedValue": "Created (HTTP Status Code: 201)" }, "submissionTimestamp": "2026-04-15T21:54:09.0218732Z", "subscriptionId": "20000000-0000-4000-8000-000000000001", "tenantId": "10000000-0000-4000-8000-000000000001", "properties": { "statusCode": "Created", "serviceRequestId": null, "requestbody": "{\"location\":\"eastus\",\"properties\":{\"publicKey\":\"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDRACOEXAMPLEpubkeyfingerprintXXXXXXXXXXXXXXXXXXX draco@evilcorp.example\"}}", "eventCategory": "Administrative", "entity": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Compute/sshPublicKeys/draco-ssh-666", "message": "Microsoft.Compute/sshPublicKeys/write", "hierarchy": "10000000-0000-4000-8000-000000000001/20000000-0000-4000-8000-000000000001" }, "relatedEvents": [], "httpRequest": { "clientRequestId": "90000000-0000-4000-8000-000010100111", "clientIpAddress": "203.0.113.66", "method": "PUT", "url": "https://management.azure.com/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Compute/sshPublicKeys/draco-ssh-666?api-version=2024-03-01" }, "identity": null}MITRE ATT&CK Mapping
Tactics: Persistence Lateral Movement
Techniques:
- T1098.004 — SSH Authorized Keys — Adversaries may modify the SSH <code>authorized_keys</code> file to maintain persistence on a victim host. Linux distributions, macOS, and ESXi hypervisors commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The <code>authorized_keys</...
- T1021.004 — SSH — Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.