An identity attempted to modify the SSH keys of a single compute instance.
This may indicate an attacker's attempt to maintain persistence on the cloud instance.
Synopsis
Description
An identity with a high level of administrative activity attempted to modify the SSH keys of a single compute instance.
This may indicate an attacker's attempt to maintain persistence on the cloud instance.
Attacker's Goals
- Maintain persistence on a compromised compute instance.
- Escalate local privileges to gain root on the compute instance.
Investigative actions
- Investigate whether SSH keys were modified or added at the instance or project level.
- Investigate which access was obtained as a result of the SSH key modification (which local user each added key maps to, and whether that user can sudo to root).
Synopsis
Description
An identity has modified the SSH keys of an instance for the first time in the cloud provider.
This may indicate an attacker's attempt to maintain persistence on the cloud instance.
Attacker's Goals
- Maintain persistence on a compromised compute instance.
- Escalate local privileges to gain root on the compute instance.
Investigative actions
- Investigate whether SSH keys were modified or added at the instance or project level.
- Investigate which access was obtained as a result of the SSH key modification (which local user each added key maps to, and whether that user can sudo to root).
Synopsis
Description
A service account has modified the SSH keys of a single compute instance.
This may indicate an attacker's attempt to maintain persistence on the cloud instance.
Attacker's Goals
- Maintain persistence on a compromised compute instance.
- Escalate local privileges to gain root on the compute instance.
Investigative actions
- Investigate whether SSH keys were modified or added at the instance or project level.
- Investigate which access was obtained as a result of the SSH key modification (which local user each added key maps to, and whether that user can sudo to root).
Synopsis
Description
An identity has modified the SSH keys of a single compute instance.
This may indicate an attacker's attempt to maintain persistence on the cloud instance.
Attacker's Goals
- Maintain persistence on a compromised compute instance.
- Escalate local privileges to gain root on the compute instance.
Investigative actions
- Investigate whether SSH keys were modified or added at the instance or project level.
- Investigate which access was obtained as a result of the SSH key modification (which local user each added key maps to, and whether that user can sudo to root).
Synopsis
Description
A service account has modified the project-level instance metadata, which applies to every instance in the project.
This may indicate an attacker's attempt to perform lateral movement within the project.
Attacker's Goals
- Move laterally to other instances in the project by adding SSH keys at the project level.
- Maintain persistence on compromised compute instances.
- Escalate local privileges to gain root on the compute instances.
Investigative actions
- Investigate whether SSH keys were modified or added at the instance or project level, and which instances accept project-level keys (those that do not set block-project-ssh-keys).
- Investigate which access was obtained as a result of the SSH key modification (which local user each added key maps to, and whether that user can sudo to root).
Synopsis
Description
An identity has modified the project-level instance metadata, which applies to every instance in the project.
This may indicate an attacker's attempt to perform lateral movement within the project.
Attacker's Goals
- Move laterally to other instances in the project by adding SSH keys at the project level.
- Maintain persistence on compromised compute instances.
- Escalate local privileges to gain root on the compute instances.
Investigative actions
- Investigate whether SSH keys were modified or added at the instance or project level, and which instances accept project-level keys (those that do not set block-project-ssh-keys).
- Investigate which access was obtained as a result of the SSH key modification (which local user each added key maps to, and whether that user can sudo to root).
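The investigative actions above are the same for every alert on this page: determine whether the change hit instance-level or project-level metadata, who made it (user or service account, and whether this actor has changed SSH keys before), which keys and usernames were added, and which instances are exposed. The following triage helper is an added example, not part of the original alert reference or any vendor product. It assumes the Compute Engine Admin Activity audit-log shape (protoPayload.methodName, resourceName, authenticationInfo.principalEmail, and metadata.instanceMetadataDelta / projectMetadataDelta listing the touched metadata keys) and that the ssh-keys metadata value before and after the change is available from an inventory snapshot, since the audit log records only the key names that changed. All log entries, snapshots and instance records below are constructed.

```python
"""Triage helper for GCP SSH-key metadata changes (added example).

Assumptions (not from the page): audit-log field names follow the Compute
Engine Admin Activity schema, and before/after ssh-keys values come from an
inventory snapshot. Sample data is constructed.
"""
import json
from dataclasses import dataclass, field
from typing import Optional

INSTANCE_METHOD = "v1.compute.instances.setMetadata"
PROJECT_METHOD = "v1.compute.projects.setCommonInstanceMetadata"


@dataclass
class Finding:
    principal: str
    principal_type: str                 # "service_account" or "user"
    scope: str                          # "instance" or "project"
    resource: str                       # instance name or project id
    added_keys: dict                    # username -> sorted list of new public keys
    affected_instances: list = field(default_factory=list)
    first_seen: bool = False            # principal never changed SSH keys before


def principal_type(email: str) -> str:
    # Google service accounts always end in gserviceaccount.com.
    return "service_account" if email.endswith("gserviceaccount.com") else "user"


def parse_ssh_keys(blob: str) -> dict:
    """ssh-keys metadata is one 'username:key-type base64 [comment]' per line.
    Returns {username: {"key-type base64", ...}} with the comment dropped."""
    out = {}
    for line in blob.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, _, key = line.partition(":")
        parts = key.split()
        if len(parts) < 2:
            continue                    # malformed entry, ignore
        out.setdefault(user, set()).add(" ".join(parts[:2]))
    return out


def added_keys(before: str, after: str) -> dict:
    """Keys present after the change but not before, grouped by username."""
    old, new = parse_ssh_keys(before), parse_ssh_keys(after)
    return {u: sorted(new[u] - old.get(u, set()))
            for u in new if new[u] - old.get(u, set())}


def triage(entry: dict, before: str, after: str,
           instances: list, known_principals: set) -> Optional[Finding]:
    pp = entry["protoPayload"]
    scope = {INSTANCE_METHOD: "instance", PROJECT_METHOD: "project"}.get(pp.get("methodName"))
    if scope is None:
        return None
    delta = pp.get("metadata", {}).get(f"{scope}MetadataDelta", {})
    touched = set(delta.get("addedMetadataKeys", [])) | set(delta.get("modifiedMetadataKeys", []))
    if "ssh-keys" not in touched:
        return None                     # metadata change, but not SSH keys
    principal = pp["authenticationInfo"]["principalEmail"]
    resource = pp["resourceName"].rsplit("/", 1)[-1]
    if scope == "project":
        # A project-level key reaches every instance that has not opted out.
        affected = [i["name"] for i in instances
                    if str(i.get("metadata", {}).get("block-project-ssh-keys", "false")).lower() != "true"]
    else:
        affected = [resource]
    return Finding(principal, principal_type(principal), scope, resource,
                   added_keys(before, after), affected, principal not in known_principals)


# Constructed sample data: three audit entries, matching before/after snapshots,
# an instance inventory, and the set of principals seen changing SSH keys before.
ENTRIES = [json.loads(s) for s in [
    '{"protoPayload": {"methodName": "v1.compute.instances.setMetadata", '
    '"authenticationInfo": {"principalEmail": "deploy@acme-prod.iam.gserviceaccount.com"}, '
    '"resourceName": "projects/acme-prod/zones/us-central1-a/instances/web-1", '
    '"metadata": {"instanceMetadataDelta": {"modifiedMetadataKeys": ["ssh-keys"]}}}}',
    '{"protoPayload": {"methodName": "v1.compute.projects.setCommonInstanceMetadata", '
    '"authenticationInfo": {"principalEmail": "alice@example.com"}, '
    '"resourceName": "projects/acme-prod", '
    '"metadata": {"projectMetadataDelta": {"addedMetadataKeys": ["ssh-keys"]}}}}',
    '{"protoPayload": {"methodName": "v1.compute.instances.setMetadata", '
    '"authenticationInfo": {"principalEmail": "alice@example.com"}, '
    '"resourceName": "projects/acme-prod/zones/us-central1-a/instances/web-2", '
    '"metadata": {"instanceMetadataDelta": {"modifiedMetadataKeys": ["startup-script"]}}}}',
]]
SNAPSHOTS = [
    ("ops:ssh-ed25519 AAAAC3Nz1 ops@bastion\n",
     "ops:ssh-ed25519 AAAAC3Nz1 ops@bastion\nbackdoor:ssh-rsa AAAAB3Nz2 x@x\n"),
    ("", "root:ssh-ed25519 AAAAC3Nz3 a@b\n"),
    ("", ""),
]
INSTANCES = [
    {"name": "web-1", "metadata": {}},
    {"name": "web-2", "metadata": {"block-project-ssh-keys": "TRUE"}},
    {"name": "db-1", "metadata": {}},
]
KNOWN = {"deploy@acme-prod.iam.gserviceaccount.com"}


def run(entries=ENTRIES, snapshots=SNAPSHOTS, instances=INSTANCES, known=KNOWN) -> list:
    findings = []
    for entry, (before, after) in zip(entries, snapshots):
        f = triage(entry, before, after, instances, known)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in run():
        print(f)
```

Two details drive the "which access was obtained" question. The username in front of each metadata key is the Linux account the guest agent creates on the instance, and on Google-provided images that account is placed in the google-sudoers group, so a key added for any username is effectively root. And if OS Login is enabled on the instance or project (enable-oslogin=TRUE), metadata ssh-keys are ignored, so a change there is noise rather than a foothold; check that setting before escalating.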