Skip to content

New attack technique: Inject a Malicious Startup Script into a Vertex AI Workbench Instance (gcp.execution.modify-vertex-notebook-startup)#798

Merged
christophetd merged 6 commits into
simon.marechal/gcp-execution-modify-gce-startup-scriptfrom
simon.marechal/gcp-execution-modify-vertex-notebook-startup
Apr 30, 2026
Merged

New attack technique: Inject a Malicious Startup Script into a Vertex AI Workbench Instance (gcp.execution.modify-vertex-notebook-startup)#798
christophetd merged 6 commits into
simon.marechal/gcp-execution-modify-gce-startup-scriptfrom
simon.marechal/gcp-execution-modify-vertex-notebook-startup

Conversation

@Minosity-VR

@Minosity-VR Minosity-VR commented Mar 26, 2026

Copy link
Copy Markdown
Collaborator

What does this PR do?

New attack technique: gcp.execution.modify-vertex-notebook-startup

Motivation

GCP parity with existing AWS attack techniques.

Test results

  • stratus detonate gcp.execution.modify-vertex-notebook-startup
  • google.cloud.notebooks.v2.NotebookService.UpdateInstance appears in GCP Admin Activity audit logs (no audit log observed — may require non-default audit config for Notebooks DATA_WRITE events)

Checklist

  • The attack technique emulates a single attack step, not a full attack chain
  • We have factual evidence & references that the attack technique was used by real malware, pentesters, or attackers
  • The attack technique makes no assumption about the state of the environment prior to warming it up

@Minosity-VR Minosity-VR mentioned this pull request Mar 26, 2026
Open
@Minosity-VR Minosity-VR force-pushed the simon.marechal/gcp-execution-modify-gce-startup-script branch from 476744c to 9c0e68a Compare March 30, 2026 14:54
@Minosity-VR Minosity-VR force-pushed the simon.marechal/gcp-execution-modify-vertex-notebook-startup branch from e311a77 to 525c891 Compare March 30, 2026 14:54
@Minosity-VR Minosity-VR marked this pull request as ready for review April 1, 2026 07:24
@Minosity-VR Minosity-VR requested review from a team as code owners April 1, 2026 07:24
@Minosity-VR Minosity-VR force-pushed the simon.marechal/gcp-execution-modify-gce-startup-script branch from 9c0e68a to c56605b Compare April 1, 2026 08:28
@Minosity-VR Minosity-VR force-pushed the simon.marechal/gcp-execution-modify-vertex-notebook-startup branch from 525c891 to 8a37147 Compare April 1, 2026 08:28
@Minosity-VR Minosity-VR force-pushed the simon.marechal/gcp-execution-modify-gce-startup-script branch from c56605b to b71b7b9 Compare April 1, 2026 08:53
@Minosity-VR Minosity-VR force-pushed the simon.marechal/gcp-execution-modify-vertex-notebook-startup branch from 8a37147 to ccaf620 Compare April 1, 2026 08:53
@Minosity-VR Minosity-VR force-pushed the simon.marechal/gcp-execution-modify-gce-startup-script branch from b71b7b9 to ec6aed6 Compare April 1, 2026 09:04
@Minosity-VR Minosity-VR force-pushed the simon.marechal/gcp-execution-modify-vertex-notebook-startup branch from ccaf620 to 626c9c0 Compare April 1, 2026 09:04
Minosity-VR and others added 3 commits April 9, 2026 10:01
@Minosity-VR @claude
New attack technique: Inject a Malicious Startup Script into a Vertex…
faa093f 
… AI Workbench Instance (gcp.execution.modify-vertex-notebook-startup)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@Minosity-VR @claude
Add external references for technique documentation
5c6f5bf 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@Minosity-VR @claude
Address PR feedback: remove HackTricks refs, regenerate docs
2889bcd 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@Minosity-VR Minosity-VR force-pushed the simon.marechal/gcp-execution-modify-gce-startup-script branch from ec6aed6 to aa1fc8b Compare April 9, 2026 08:28
@Minosity-VR Minosity-VR force-pushed the simon.marechal/gcp-execution-modify-vertex-notebook-startup branch from 626c9c0 to 2889bcd Compare April 9, 2026 08:28
christophetd
christophetd reviewed Apr 13, 2026
View reviewed changes
Comment thread v2/internal/attacktechniques/gcp/execution/modify-vertex-notebook-startup/main.tf
auto_create_subnetworks = true
}

resource "google_workbench_instance" "notebook" {

@christophetd christophetd Apr 13, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

Error: Error creating Instance: googleapi: Error 403: Notebooks API has not been used in project security-detection-reseach before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/notebooks.googleapis.com/overview?project=security-detection-reseach then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.

I think we need to mention this in the docs, or ideally print a nicer error message

@christophetd
Document Notebooks API requirement for Vertex Workbench technique
7fb4cae 
Address PR feedback: warm-up fails with a 403 when notebooks.googleapis.com
is not enabled. Add a note in the technique description so users know to
enable the API beforehand.
@christophetd
Merge remote-tracking branch 'origin/simon.marechal/gcp-execution-mod…
d2241e6 
…ify-gce-startup-script' into simon.marechal/gcp-execution-modify-vertex-notebook-startup

# Conflicts:
#	docs/index.yaml
@christophetd
Regenerate docs/index.yaml after merge
95b3b0d 
Re-run `make docs` to incorporate the base branch's idempotency update for
modify-gce-startup-script while preserving the modify-vertex-notebook-startup
entry from this branch.
@christophetd christophetd merged commit 48033d3 into simon.marechal/gcp-execution-modify-gce-startup-script Apr 30, 2026
1 check passed
@christophetd christophetd deleted the simon.marechal/gcp-execution-modify-vertex-notebook-startup branch April 30, 2026 12:28
@christophetd christophetd mentioned this pull request Apr 30, 2026
Merged
5 tasks
@christophetd

christophetd commented Apr 30, 2026

Copy link
Copy Markdown
Contributor

Note: this PR was inadvertently merged into the stacked base branch (#797's branch) rather than main, so its changes are not actually in main. Recreated as #845 against main.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@christophetd christophetd christophetd left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Minosity-VR @christophetd