Compute.instances.setMetadata
GCP
Compute.instances.setMetadata
Event
Sets or updates instance-level metadata on a Compute Engine VM, which can include SSH keys or startup scripts.
Security Context
- Injecting SSH keys provides direct interactive access to compute instances, bypassing IAM authentication and most monitoring tools.
- Execution capabilities in cloud services can be abused to run malicious code, establish C2 channels, or perform reconnaissance.
- SSH-based lateral movement provides adversaries with interactive command-line access to other compute instances in the environment.
Log Source
Cloud Audit Logs
Sample Event
Draco appends an SSH key to the demiguise-infer-001 VM’s instance metadata to establish a persistent, IAM-bypassing backdoor (T1098.004 / T1021.004). Google redacts the metadata values themselves; defenders see only the keys that changed via metadata.instanceMetadataDelta.addedMetadataKeys.
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "draco@fantasticlogs.cloud" }, "requestMetadata": { "callerIp": "203.0.113.66", "callerSuppliedUserAgent": "google-cloud-sdk gcloud/465.0.0 command/gcloud.compute.instances.add-metadata invocation-id/90000000000000000000000000000011 environment/None environment-version/None client-os/LINUX client-os-ver/(5,15,0) client-pltf-arch/x86_64 interactive/False from-script/False python/3.11.6 term/xterm-256color (Linux 5.15.0-1052-aws),gzip(gfe)", "requestAttributes": { "time": "2026-04-15T15:03:48.448112233Z", "auth": {} }, "destinationAttributes": {} }, "serviceName": "compute.googleapis.com", "methodName": "v1.compute.instances.setMetadata", "authorizationInfo": [ { "permission": "compute.instances.setMetadata", "granted": true, "resourceAttributes": { "service": "compute", "name": "projects/fantasticlogs-prod/zones/us-central1-a/instances/demiguise-infer-001", "type": "compute.instances" } } ], "resourceName": "projects/fantasticlogs-prod/zones/us-central1-a/instances/demiguise-infer-001", "request": { "@type": "type.googleapis.com/compute.instances.setMetadata" }, "response": { "@type": "type.googleapis.com/operation", "id": "8200000000000000011", "name": "operation-1776267828000-62fa20a8c0011-ab000011-cd000011", "operationType": "setMetadata", "targetId": "6100000000000000011", "targetLink": "https://www.googleapis.com/compute/v1/projects/fantasticlogs-prod/zones/us-central1-a/instances/demiguise-infer-001", "selfLink": "https://www.googleapis.com/compute/v1/projects/fantasticlogs-prod/zones/us-central1-a/operations/operation-1776267828000-62fa20a8c0011-ab000011-cd000011", "selfLinkWithId": "https://www.googleapis.com/compute/v1/projects/fantasticlogs-prod/zones/us-central1-a/operations/8200000000000000011", "user": "draco@fantasticlogs.cloud", "status": "RUNNING", "progress": "0", "zone": "https://www.googleapis.com/compute/v1/projects/fantasticlogs-prod/zones/us-central1-a", "insertTime": "2026-04-15T08:03:48.501-07:00", "startTime": "2026-04-15T08:03:48.519-07:00" }, "metadata": { "@type": "type.googleapis.com/google.cloud.audit.GceInstanceAuditMetadata", "instanceMetadataDelta": { "addedMetadataKeys": [ "ssh-keys" ] } }, "resourceLocation": { "currentLocations": [ "us-central1-a" ] } }, "insertId": "evt0000000011", "resource": { "type": "gce_instance", "labels": { "project_id": "fantasticlogs-prod", "instance_id": "6100000000000000011", "zone": "us-central1-a" } }, "timestamp": "2026-04-15T15:03:48.339887766Z", "severity": "NOTICE", "logName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Factivity", "operation": { "id": "operation-1776267828000-62fa20a8c0011-ab000011-cd000011", "producer": "compute.googleapis.com", "first": true }, "receiveTimestamp": "2026-04-15T15:03:48.778899001Z"}MITRE ATT&CK Mapping
Tactics: Persistence Execution Lateral Movement
Techniques:
- T1098.004 — SSH Authorized Keys — Adversaries may modify the SSH <code>authorized_keys</code> file to maintain persistence on a victim host. Linux distributions, macOS, and ESXi hypervisors commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The <code>authorized_keys</...
- T1021.004 — SSH — Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.