Register SSH public key to instance metadata

idempotent

Platform: GCP

Mappings

  • MITRE ATT&CK
    • Lateral Movement
    • Persistence

Description

Register an SSH public key in the instance's metadata so that the holder of the matching private key can log in to the instance.

Warm-up:

  • Create a compute instance (Linux)

Detonation:

  • Create RSA key-pair (private key and public key)
  • Register public key to instance's metadata.
  • Print private key to stdout.

Note that you need to save the private key for login.

References:

  • https://cloud.google.com/sdk/gcloud/reference/compute/instances/add-metadata
  • https://cloud.hacktricks.wiki/en/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/gcp-add-custom-ssh-metadata.html

Instructions

Detonate with Stratus Red Team
stratus detonate gcp.lateral-movement.add-sshkey-instance-metadata

Detection

Identify when an SSH key is added to a GCE instance's metadata through the GCP Admin Activity audit logs event v1.compute.instances.setMetadata.

Monitor specifically for setMetadata calls where the instanceMetadataDelta contains modifications to the ssh-keys metadata key, especially from unexpected principals or service accounts.

This technique corresponds to MITRE ATT&CK T1098.004: Account Manipulation: SSH Authorized Keys.

Sample event (shortened for readability):

{
  "logName": "projects/my-project-id/logs/cloudaudit.googleapis.com%2Factivity",
  "protoPayload": {
    "authenticationInfo": {
      "principalEmail": "username@service.com"
    },
    "metadata": {
      "instanceMetadataDelta": {
        "addedMetadataKeys": [
          "ssh-keys public-key-here"
        ]
      }
    },
    "serviceName": "compute.googleapis.com",
    "methodName": "v1.compute.instances.setMetadata",
    "resourceName": "projects/my-project-id/zones/my-zone-id/instances/my-instance-id"
  },
  "resource": {
    "type": "gce_instance"
  },
  "severity": "NOTICE"
}
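The detection logic described above, applied to newline-delimited audit log entries, as an added example that is not part of the Stratus Red Team page. It flags setMetadata calls whose instanceMetadataDelta touches the ssh-keys entry and rates them by whether the principal is on an allowlist. The sample log lines, the allowlist address and the helper names are constructed for the example; the page only shows addedMetadataKeys, so treating modifiedMetadataKeys as the same list-of-strings shape, and matching the legacy sshKeys metadata name alongside ssh-keys, are assumptions.

```python
import json
from typing import Iterable, Optional

# Metadata keys that carry SSH public keys. "ssh-keys" is the key on the page;
# "sshKeys" is the legacy (deprecated) instance-level key name.
SSH_KEY_METADATA = {"ssh-keys", "sshKeys"}

SET_METADATA = "v1.compute.instances.setMetadata"

# Constructed allowlist of principals expected to manage instance metadata.
ALLOWED_PRINCIPALS = {"ops-automation@my-project-id.iam.gserviceaccount.com"}


def _metadata_keys(event: dict) -> set:
    """Collect metadata key names from protoPayload.metadata.instanceMetadataDelta.

    addedMetadataKeys is on the page; modifiedMetadataKeys is assumed to share
    the same shape. The page's shortened sample shows a value after the key
    name, so only the first whitespace-separated token is kept.
    """
    delta = event.get("protoPayload", {}).get("metadata", {}).get("instanceMetadataDelta", {})
    keys = set()
    for field in ("addedMetadataKeys", "modifiedMetadataKeys"):
        for entry in delta.get(field, []) or []:
            if isinstance(entry, str) and entry.strip():
                keys.add(entry.split()[0])
    return keys


def is_ssh_key_registration(event: dict) -> bool:
    """True when a Compute setMetadata call adds or changes an SSH key entry."""
    payload = event.get("protoPayload", {})
    if payload.get("serviceName") != "compute.googleapis.com":
        return False
    if payload.get("methodName") != SET_METADATA:
        return False
    return bool(_metadata_keys(event) & SSH_KEY_METADATA)


def triage(event: dict) -> Optional[dict]:
    """Return a finding for an SSH key registration, rated by who performed it."""
    if not is_ssh_key_registration(event):
        return None
    payload = event["protoPayload"]
    principal = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
    return {
        "principal": principal,
        "instance": payload.get("resourceName", "<unknown>"),
        "keys": sorted(_metadata_keys(event) & SSH_KEY_METADATA),
        "severity": "info" if principal in ALLOWED_PRINCIPALS else "high",
    }


def scan(lines: Iterable[str]) -> list:
    """Run triage over newline-delimited JSON log entries, skipping unparsable lines."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed export line; do not let it abort the scan
        finding = triage(event)
        if finding:
            findings.append(finding)
    return findings


def _event(principal: str, method: str, added=(), modified=()) -> str:
    """Build a constructed audit log entry shaped like the page's sample event."""
    return json.dumps({
        "logName": "projects/my-project-id/logs/cloudaudit.googleapis.com%2Factivity",
        "protoPayload": {
            "authenticationInfo": {"principalEmail": principal},
            "metadata": {"instanceMetadataDelta": {
                "addedMetadataKeys": list(added),
                "modifiedMetadataKeys": list(modified),
            }},
            "serviceName": "compute.googleapis.com",
            "methodName": method,
            "resourceName": "projects/my-project-id/zones/my-zone-id/instances/my-instance-id",
        },
        "resource": {"type": "gce_instance"},
        "severity": "NOTICE",
    })


# Constructed log lines: one unexpected principal adding ssh-keys (high), one
# allowlisted automation account modifying ssh-keys (info), one unrelated
# metadata change, one non-setMetadata method, and one corrupt line.
SAMPLE_LOG_LINES = [
    _event("username@service.com", SET_METADATA, added=["ssh-keys public-key-here"]),
    _event("ops-automation@my-project-id.iam.gserviceaccount.com", SET_METADATA, modified=["ssh-keys"]),
    _event("username@service.com", SET_METADATA, added=["startup-script"]),
    _event("username@service.com", "v1.compute.instances.insert", added=["ssh-keys"]),
    "{not valid json",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG_LINES):
        print(finding)
```

Only two of the five constructed lines produce findings: the unexpected principal is rated high and the allowlisted service account is rated info, while the startup-script change, the non-setMetadata call and the corrupt line are ignored. Project-level metadata changes go through a different method and are not covered by this check.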