Skip to content

New attack technique: Inject a Malicious Startup Script into a Vertex AI Workbench Instance (gcp.execution.modify-vertex-notebook-startup)#845

Merged
christophetd merged 6 commits into
mainfrom
simon.marechal/gcp-execution-modify-vertex-notebook-startup
May 20, 2026
Merged

New attack technique: Inject a Malicious Startup Script into a Vertex AI Workbench Instance (gcp.execution.modify-vertex-notebook-startup)#845
christophetd merged 6 commits into
mainfrom
simon.marechal/gcp-execution-modify-vertex-notebook-startup

Conversation

@christophetd

@christophetd christophetd commented Apr 30, 2026

Copy link
Copy Markdown
Contributor

What does this PR do?

New attack technique: gcp.execution.modify-vertex-notebook-startup

Recreated PR — original #798 was inadvertently merged into the #797 branch (the stacked base) instead of main. This PR re-targets the same change against main.

Motivation

GCP parity with existing AWS attack techniques.

Test results

  • stratus detonate gcp.execution.modify-vertex-notebook-startup
  • google.cloud.notebooks.v2.NotebookService.UpdateInstance appears in GCP Admin Activity audit logs (no audit log observed — may require non-default audit config for Notebooks DATA_WRITE events)

Checklist

  • The attack technique emulates a single attack step, not a full attack chain
  • We have factual evidence & references that the attack technique was used by real malware, pentesters, or attackers
  • The attack technique makes no assumption about the state of the environment prior to warming it up

@christophetd christophetd requested review from a team as code owners April 30, 2026 13:48
@christophetd christophetd mentioned this pull request Apr 30, 2026
Merged
5 tasks
chatgpt-codex-connector[bot]
chatgpt-codex-connector Bot reviewed Apr 30, 2026
View reviewed changes

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c40324eb37

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread v2/internal/attacktechniques/gcp/execution/modify-vertex-notebook-startup/main.go
if scriptURL == "" {
delete(metadata, "post-startup-script")
} else {
metadata["post-startup-script"] = scriptURL

@chatgpt-codex-connector chatgpt-codex-connector Bot Apr 30, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Set post-startup behavior for patched scripts

When detonating against the warmed Workbench instance, this only sets post-startup-script and leaves post-startup-script-behavior at its default. Google's Workbench metadata docs define the default run_once as running after instance creation or upgrade, while run_every_start/download_and_run_every_start are the values that run after starts; because warm-up has already created the instance and detonate doesn't upgrade it, the injected URI won't execute on the advertised “next start” unless this metadata key is set too.

Useful? React with 👍 / 👎.

Minosity-VR
Minosity-VR previously approved these changes May 19, 2026
View reviewed changes
Minosity-VR and others added 5 commits May 20, 2026 09:20
@Minosity-VR @claude @christophetd
New attack technique: Inject a Malicious Startup Script into a Vertex…
bc4815d 
… AI Workbench Instance (gcp.execution.modify-vertex-notebook-startup)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@Minosity-VR @claude @christophetd
Add external references for technique documentation
5bcd1e9 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@Minosity-VR @claude @christophetd
Address PR feedback: remove HackTricks refs, regenerate docs
b7d61db 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@christophetd
Document Notebooks API requirement for Vertex Workbench technique
7fb7bdd 
Address PR feedback: warm-up fails with a 403 when notebooks.googleapis.com
is not enabled. Add a note in the technique description so users know to
enable the API beforehand.
@christophetd
Fix staticcheck ST1005: lowercase error strings
b768703
@christophetd christophetd force-pushed the simon.marechal/gcp-execution-modify-vertex-notebook-startup branch from b6beed2 to b768703 Compare May 20, 2026 07:22
@datadog-official

This comment has been minimized.

Sign in to view
Minosity-VR
Minosity-VR previously approved these changes May 20, 2026
View reviewed changes
@christophetd christophetd merged commit 91b4b3c into main May 20, 2026
5 checks passed
@christophetd christophetd deleted the simon.marechal/gcp-execution-modify-vertex-notebook-startup branch May 20, 2026 07:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

@Minosity-VR Minosity-VR Minosity-VR approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@christophetd @Minosity-VR