Compute.instances.setMetadata
Event
Sets or updates instance-level metadata on a Compute Engine VM, which can include SSH keys or startup scripts.
Security Context
- Injecting SSH keys provides direct interactive access to compute instances, bypassing IAM authentication and most monitoring tools.
- Execution capabilities in cloud services can be abused to run malicious code, establish C2 channels, or perform reconnaissance.
- SSH-based lateral movement provides adversaries with interactive command-line access to other compute instances in the environment.
Log Source
Cloud Audit Logs
Sample Event
MITRE ATT&CK Mapping
Tactics: Persistence Execution Lateral Movement
Techniques:
- T1098.004 — SSH Authorized Keys — Adversaries may modify the SSH <code>authorized_keys</code> file to maintain persistence on a victim host. Linux distributions, macOS, and ESXi hypervisors commonly use key-based authentication to secure the authentication process of SSH sessions for remote management.
- T1021.004 — SSH — Adversaries may use Valid Accounts to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.