google.ssh-serialport.v1.connect

Event

Establishes a serial console connection to a Compute Engine VM, providing low-level instance access.

Security Context

  • Execution capabilities in cloud services can be abused to run malicious code, establish C2 channels, or perform reconnaissance.
  • SSH-based lateral movement provides adversaries with interactive command-line access to other compute instances in the environment.

Log Source

Cloud Audit Logs

Sample Event

MITRE ATT&CK Mapping

Tactics: Lateral Movement, Execution

Techniques:
  • T1021.004 — SSH — Adversaries may use Valid Accounts to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.