Skip to content

google.ssh-serialport.v1.connect

GCP

google.ssh-serialport.v1.connect

service: GCP - SSH Serial Port
techniques:

Event

Establishes a serial console connection to a Compute Engine VM, providing low-level instance access.

Security Context

  • Execution capabilities in cloud services can be abused to run malicious code, establish C2 channels, or perform reconnaissance.
  • SSH-based lateral movement provides adversaries with interactive command-line access to other compute instances in the environment.

Log Source

Cloud Audit Logs

Sample Event

Adversarial. Draco — having already injected an SSH key via the prior setCommonInstanceMetadata event — connects to the serial console of demiguise-infer-001 using gcloud compute connect-to-serial-port. The serial console gives Draco a tty-level shell that bypasses normal sshd configuration (PAM, MFA, allowed-users restrictions, fail2ban) — an effective T1021.004 path that also enables T1059 execution. This connect entry is the only audit signal of the session. Confidence: MEDIUM. The request.@type value is a best-guess; Google docs reference this methodName but do not publish the request proto definition.

{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "draco@fantasticlogs.cloud"
},
"requestMetadata": {
"callerIp": "203.0.113.66",
"callerSuppliedUserAgent": "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6",
"requestAttributes": {
"time": "2026-04-15T16:08:42.221987654Z",
"auth": {}
},
"destinationAttributes": {
"ip": "192.0.2.42",
"port": "9600"
}
},
"serviceName": "compute.googleapis.com",
"methodName": "google.ssh-serialport.v1.connect",
"authorizationInfo": [
{
"resource": "projects/fantasticlogs-prod/zones/us-central1-a/instances/demiguise-infer-001",
"permission": "compute.instances.get",
"granted": true,
"resourceAttributes": {
"service": "compute",
"name": "projects/fantasticlogs-prod/zones/us-central1-a/instances/demiguise-infer-001",
"type": "compute.googleapis.com/Instance"
}
}
],
"resourceName": "projects/fantasticlogs-prod/zones/us-central1-a/instances/demiguise-infer-001",
"request": {
"@type": "type.googleapis.com/google.ssh_serialport.v1.SerialPortConnect",
"instance": "projects/fantasticlogs-prod/zones/us-central1-a/instances/demiguise-infer-001",
"port": 1,
"username": "draco_malfoy"
},
"metadata": {
"publicKeyFingerprint": "SHA256:dRac0M4lf0y666sshKEYf1ngerprint00000000000=",
"session": "session-001111110111",
"sourceAddress": "203.0.113.66"
}
},
"insertId": "evt001111110111",
"resource": {
"type": "gce_instance",
"labels": {
"project_id": "fantasticlogs-prod",
"zone": "us-central1-a",
"instance_id": "6100000000000001111110111"
}
},
"timestamp": "2026-04-15T16:08:42.123456789Z",
"severity": "NOTICE",
"logName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Factivity",
"receiveTimestamp": "2026-04-15T16:08:42.567890123Z"
}

MITRE ATT&CK Mapping

Tactics: Lateral Movement Execution

Techniques:
  • T1021.004 — SSH — Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.