google.ssh-serialport.v1.connect
google.ssh-serialport.v1.connect
Event
Establishes a serial console connection to a Compute Engine VM, providing low-level instance access.
Security Context
- Execution capabilities in cloud services can be abused to run malicious code, establish C2 channels, or perform reconnaissance.
- SSH-based lateral movement provides adversaries with interactive command-line access to other compute instances in the environment.
Log Source
Cloud Audit Logs
Sample Event
Adversarial. Draco — having already injected an SSH key via the prior setCommonInstanceMetadata event — connects to the serial console of demiguise-infer-001 using gcloud compute connect-to-serial-port. The serial console gives Draco a tty-level shell that bypasses normal sshd configuration (PAM, MFA, allowed-users restrictions, fail2ban) — an effective T1021.004 path that also enables T1059 execution. This connect entry is the only audit signal of the session. Confidence: MEDIUM. The request.@type value is a best-guess; Google docs reference this methodName but do not publish the request proto definition.
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "draco@fantasticlogs.cloud" }, "requestMetadata": { "callerIp": "203.0.113.66", "callerSuppliedUserAgent": "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6", "requestAttributes": { "time": "2026-04-15T16:08:42.221987654Z", "auth": {} }, "destinationAttributes": { "ip": "192.0.2.42", "port": "9600" } }, "serviceName": "compute.googleapis.com", "methodName": "google.ssh-serialport.v1.connect", "authorizationInfo": [ { "resource": "projects/fantasticlogs-prod/zones/us-central1-a/instances/demiguise-infer-001", "permission": "compute.instances.get", "granted": true, "resourceAttributes": { "service": "compute", "name": "projects/fantasticlogs-prod/zones/us-central1-a/instances/demiguise-infer-001", "type": "compute.googleapis.com/Instance" } } ], "resourceName": "projects/fantasticlogs-prod/zones/us-central1-a/instances/demiguise-infer-001", "request": { "@type": "type.googleapis.com/google.ssh_serialport.v1.SerialPortConnect", "instance": "projects/fantasticlogs-prod/zones/us-central1-a/instances/demiguise-infer-001", "port": 1, "username": "draco_malfoy" }, "metadata": { "publicKeyFingerprint": "SHA256:dRac0M4lf0y666sshKEYf1ngerprint00000000000=", "session": "session-001111110111", "sourceAddress": "203.0.113.66" } }, "insertId": "evt001111110111", "resource": { "type": "gce_instance", "labels": { "project_id": "fantasticlogs-prod", "zone": "us-central1-a", "instance_id": "6100000000000001111110111" } }, "timestamp": "2026-04-15T16:08:42.123456789Z", "severity": "NOTICE", "logName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Factivity", "receiveTimestamp": "2026-04-15T16:08:42.567890123Z"}MITRE ATT&CK Mapping
Tactics: Lateral Movement Execution
- T1021.004 — SSH — Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.