T1021.004: SSH

T1021.004: SSH

Adversaries may use Valid Accounts to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.

View on MITRE ATT&CK →

GCP Compute.instances.setMetadata

Sets or updates instance-level metadata on a Compute Engine VM, which can include SSH keys or startup scripts.

Cloud Service: GCP - Compute Engine

Tactics:

Persistence Execution Lateral Movement

Techniques:

T1098.004T1021.004

Tags:

GCP Compute Engine

GCP compute.projects.setCommonInstanceMetadata

Sets project-wide Compute Engine metadata, applied to all instances and commonly used to manage SSH keys.

Cloud Service: GCP - Compute Engine

Tactics:

Persistence Execution Lateral Movement

Techniques:

T1098.004T1021.004

Tags:

GCP Compute Engine

GCP google.ssh-serialport.v1.connect

Establishes a serial console connection to a Compute Engine VM, providing low-level instance access.

Cloud Service: GCP - SSH Serial Port

Tactics:

Lateral Movement Execution

Techniques:

T1021.004

Tags:

GCP SSH Serial Port

Azure Microsoft.Compute/sshPublicKeys/write

Creates or updates an SSH public key resource in Azure, used to authenticate to Linux virtual machines.

Cloud Service: Azure - Compute

Tactics:

Persistence Lateral Movement

Techniques:

T1098.004T1021.004

Tags:

Azure Compute

AWS SendSerialConsoleSSHPublicKey

Pushes an SSH public key to an EC2 instance's serial console interface, enabling SSH access over the serial port.

Cloud Service: AWS - EC2InstanceConnect

Tactics:

Lateral Movement Execution

Techniques:

T1098.004T1021.004

Tags:

AWS EC2InstanceConnect

AWS SendSSHPublicKey

Pushes a temporary SSH public key to an EC2 instance via EC2 Instance Connect, valid for 60 seconds.

Cloud Service: AWS - EC2InstanceConnect

Tactics:

Lateral Movement Persistence

Techniques:

T1098.004T1021.004

Tags:

AWS EC2InstanceConnect

GCP users.importSshPublicKey

Imports an SSH public key into a user's GCP OS Login profile, enabling SSH access to Compute Engine instances.

Cloud Service: GCP - OS Login

Tactics:

Persistence Lateral Movement

Techniques:

T1098.004T1021.004

Tags:

GCP OS Login

GCP users.sshPublicKeys.patch

Updates an existing SSH public key in a user's GCP OS Login profile.

Cloud Service: GCP - OS Login

Tactics:

Persistence Lateral Movement

Techniques:

T1098.004T1021.004

Tags:

GCP OS Login