Open christophetd opened 1 year ago
Challenge: might be very noisy and not actionable enough for detection, as `gcloud compute ssh` seems to do it
Note: OS Login is generally used, so that could be a good detection
Might also be added at the VM level.
Moving to "to implement" considering we now have evidence from https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/ it's been exploited in the wild
Sources:
By default, allows access to all VMs in a project (unless the VMs disable project-wide SSH keys, which is not the default)
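As an added example (not code from this issue or from the project), the exposure check the thread describes: which VMs in a project would still honour a project-wide `ssh-keys` entry. It assumes the JSON shape of `gcloud compute project-info describe --format=json` and `gcloud compute instances list --format=json`; the sample records inside are constructed stand-ins for real output.

```python
"""Flag VMs reachable through project-wide SSH keys (added example, not from the issue).

Assumes the JSON shape of `gcloud compute project-info describe --format=json`
(commonInstanceMetadata.items) and `gcloud compute instances list --format=json`
(metadata.items). The records below are constructed samples, not real output.
"""
import json

# Constructed sample: project metadata carries a project-wide ssh-keys entry, no OS Login setting.
PROJECT_JSON = json.dumps({
    "commonInstanceMetadata": {"items": [
        {"key": "ssh-keys", "value": "alice:ssh-ed25519 AAAA...constructed alice"},
    ]}
})

# Constructed sample instances covering the three cases the thread mentions.
INSTANCES_JSON = json.dumps([
    {"name": "web-1", "metadata": {"items": []}},                      # default: accepts project keys
    {"name": "db-1", "metadata": {"items": [
        {"key": "block-project-ssh-keys", "value": "TRUE"}]}},        # opted out of project keys
    {"name": "bastion", "metadata": {"items": [
        {"key": "enable-oslogin", "value": "TRUE"}]}},                 # OS Login ignores metadata keys
])


def _flag(items, key):
    """True/False for a boolean-ish metadata item, None when the key is absent."""
    for item in items or []:
        if item.get("key") == key:
            return str(item.get("value", "")).strip().upper() in ("TRUE", "1", "YES")
    return None


def exposed_instances(project_json, instances_json):
    """Names of VMs that would accept a project-wide ssh-keys entry."""
    project_items = json.loads(project_json).get("commonInstanceMetadata", {}).get("items", [])
    if not any(i.get("key") == "ssh-keys" for i in project_items):
        return []  # nothing project-wide to inherit
    project_oslogin = _flag(project_items, "enable-oslogin") is True
    exposed = []
    for inst in json.loads(instances_json):
        meta = inst.get("metadata", {}).get("items", [])
        oslogin = _flag(meta, "enable-oslogin")
        # Instance metadata overrides project metadata; OS Login disables metadata keys entirely.
        if project_oslogin if oslogin is None else oslogin:
            continue
        if _flag(meta, "block-project-ssh-keys") is True:
            continue
        exposed.append(inst["name"])
    return exposed


if __name__ == "__main__":
    print(exposed_instances(PROJECT_JSON, INSTANCES_JSON))  # ['web-1']
```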