DataDog · christophetd · May 20, 2026 · Mar 26, 2026 · Mar 30, 2026 · Apr 1, 2026
@@ -0,0 +1,69 @@
+---
+title: Inject a Malicious Startup Script into a Vertex AI Workbench Instance
+---
+
+# Inject a Malicious Startup Script into a Vertex AI Workbench Instance
+
+ <span class="smallcaps w3-badge w3-orange w3-round w3-text-sand" title="This attack technique might be slow to warm up or detonate">slow</span> 
+
+
+Platform: GCP
+
+## Mappings
+
+- MITRE ATT&CK
+    - Execution
+  - Privilege Escalation
+
+
+
+## Description
+
+
+Modifies a Vertex AI Workbench (user-managed notebook) instance to execute a
+remote script on the next start by injecting a malicious URL into the instance's
+<code>post-startup-script</code> metadata field. An attacker with
+<code>notebooks.instances.update</code> permission can use this technique to
+achieve persistent code execution inside the notebook environment, run under
+the instance's service account identity.
+
+<span style="font-variant: small-caps;">Warm-up</span>:
+
+- Create a Vertex AI Workbench instance (<code>e2-standard-2</code>, us-central1-a)
+
+Note: This technique requires the Notebooks API (<code>notebooks.googleapis.com</code>) to be enabled in your GCP project. If it is not enabled, the warm-up will fail with a 403 error pointing to the API enablement page.
+
+<span style="font-variant: small-caps;">Detonation</span>:
+
+- Patch the Workbench instance's GCE setup metadata to set
+  <code>post-startup-script</code> to a fictitious attacker-controlled GCS URI
+  (<code>gs://evil-attacker-&lt;project-id&gt;-&lt;random&gt;/malicious.sh</code>)
+
+Revert:
+
+- Remove the <code>post-startup-script</code> metadata key from the instance
+
+References:
+
+- https://cloud.google.com/vertex-ai/docs/workbench/user-managed/manage-notebooks-introduction
+- https://cloud.google.com/vertex-ai/docs/workbench/reference/rest/v2/projects.locations.instances/patch
+- https://sra.io/blog/privilege-escalation-in-aws-and-gcp-machine-learning-instances/
+- https://unit42.paloaltonetworks.com/privilege-escalation-llm-model-exfil-vertex-ai/
+
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate gcp.execution.modify-vertex-notebook-startup
+```
+## Detection
+
+
+Identify when a Vertex AI Workbench instance's metadata is modified by monitoring
+for <code>google.cloud.notebooks.v2.NotebookService.UpdateInstance</code> events in
+GCP Admin Activity audit logs. Alert when the <code>post-startup-script</code> or
+<code>startup-script</code> metadata fields are added or changed to external URLs,
+which may indicate an attempt to establish persistent code execution in the notebook
+environment.
+
+
@@ -9,6 +9,11 @@ Note that some Stratus attack techniques may correspond to more than a single AT
   - [Steal and Use the GCE Default Service Account Token from Outside Google Cloud](./gcp.initial-access.use-compute-sa-outside-gcp.md)
 
 
+## Execution
+
+  - [Inject a Malicious Startup Script into a Vertex AI Workbench Instance](./gcp.execution.modify-vertex-notebook-startup.md)
+
+
 ## Persistence
 
   - [Register SSH public key to instance metadata](./gcp.lateral-movement.add-sshkey-instance-metadata.md)
@@ -30,6 +35,8 @@ Note that some Stratus attack techniques may correspond to more than a single AT
 
   - [Impersonate GCP Service Accounts](./gcp.privilege-escalation.impersonate-service-accounts.md)
 
+  - [Inject a Malicious Startup Script into a Vertex AI Workbench Instance](./gcp.execution.modify-vertex-notebook-startup.md)
+
 
 ## Defense Evasion
 

@@ -101,6 +101,7 @@ This page contains the list of all Stratus Attack Techniques.
 | [Impersonate GCP Service Accounts](./GCP/gcp.privilege-escalation.impersonate-service-accounts.md) | [GCP](./GCP/index.md) | Privilege Escalation |
 | [Delete a GCP Log Sink](./GCP/gcp.defense-evasion.delete-logging-sink.md) | [GCP](./GCP/index.md) | Defense Evasion |
 | [Disable a GCP Log Sink](./GCP/gcp.defense-evasion.disable-logging-sink.md) | [GCP](./GCP/index.md) | Defense Evasion |
+| [Inject a Malicious Startup Script into a Vertex AI Workbench Instance](./GCP/gcp.execution.modify-vertex-notebook-startup.md) | [GCP](./GCP/index.md) | Execution, Privilege Escalation |
 | [Reduce Log Retention Period on a Cloud Logging Sink Bucket](./GCP/gcp.defense-evasion.reduce-sink-log-retention.md) | [GCP](./GCP/index.md) | Defense Evasion |
 | [GCS Ransomware through client-side encryption](./GCP/gcp.impact.gcs-ransomware-client-side-encryption.md) | [GCP](./GCP/index.md) | Impact |
 | [GCS Ransomware through individual file deletion](./GCP/gcp.impact.gcs-ransomware-individual-deletion.md) | [GCP](./GCP/index.md) | Impact |
@@ -53,15 +53,15 @@ This provides coverage matrices of MITRE ATT&CK tactics and techniques currently
 </div>
 <h2>GCP</h2>
 <div class="table-container"><table>
-<thead><tr><th>Initial Access</th><th>Persistence</th><th>Privilege Escalation</th><th>Defense Evasion</th><th>Credential Access</th><th>Discovery</th><th>Lateral Movement</th><th>Exfiltration</th><th>Impact</th></tr></thead>
+<thead><tr><th>Initial Access</th><th>Execution</th><th>Persistence</th><th>Privilege Escalation</th><th>Defense Evasion</th><th>Credential Access</th><th>Discovery</th><th>Lateral Movement</th><th>Exfiltration</th><th>Impact</th></tr></thead>
 <tbody>
-<tr><td><a href="../GCP/gcp.initial-access.use-compute-sa-outside-gcp">Steal and Use the GCE Default Service Account Token from Outside Google Cloud</a></td><td><a href="../GCP/gcp.lateral-movement.add-sshkey-instance-metadata">Register SSH public key to instance metadata</a></td><td><a href="../GCP/gcp.persistence.create-admin-service-account">Create an Admin GCP Service Account</a></td><td><a href="../GCP/gcp.defense-evasion.delete-dns-logs">Delete a Cloud DNS Logging Policy</a></td><td><a href="../GCP/gcp.credential-access.secretmanager-retrieve-secrets">Retrieve a High Number of Secret Manager secrets</a></td><td><a href="../GCP/gcp.discovery.download-instance-metadata">Read GCE Instance Metadata via the Compute API</a></td><td><a href="../GCP/gcp.lateral-movement.add-sshkey-instance-metadata">Register SSH public key to instance metadata</a></td><td><a href="../GCP/gcp.exfiltration.share-compute-disk">Exfiltrate Compute Disk by sharing it</a></td><td><a href="../GCP/gcp.impact.create-gpu-vm">Create a GCE GPU Virtual Machine</a></td></tr>
-<tr><td></td><td><a href="../GCP/gcp.persistence.backdoor-service-account-policy">Backdoor a GCP Service Account through its IAM Policy</a></td><td><a href="../GCP/gcp.persistence.create-service-account-key">Create a GCP Service Account Key</a></td><td><a href="../GCP/gcp.defense-evasion.disable-audit-logs">Disable Data Access Audit Logs for a GCP Service</a></td><td><a href="../GCP/gcp.initial-access.use-compute-sa-outside-gcp">Steal and Use the GCE Default Service Account Token from Outside Google Cloud</a></td><td><a href="../GCP/gcp.discovery.enumerate-permissions">Enumerate Permissions of a GCP Service Account</a></td><td></td><td><a href="../GCP/gcp.exfiltration.share-compute-image">Exfiltrate Compute Image by sharing it</a></td><td><a href="../GCP/gcp.impact.create-instances-in-multiple-zones">Create GCE Instances in Multiple Zones</a></td></tr>
-<tr><td></td><td><a href="../GCP/gcp.persistence.create-admin-service-account">Create an Admin GCP Service Account</a></td><td><a href="../GCP/gcp.privilege-escalation.impersonate-service-accounts">Impersonate GCP Service Accounts</a></td><td><a href="../GCP/gcp.defense-evasion.remove-project-from-organization">Attempt to Remove a GCP Project from its Organization</a></td><td></td><td></td><td></td><td><a href="../GCP/gcp.exfiltration.share-compute-snapshot">Exfiltrate Compute Disk by sharing a snapshot</a></td><td><a href="../GCP/gcp.impact.gcs-ransomware-client-side-encryption">GCS Ransomware through client-side encryption</a></td></tr>
-<tr><td></td><td><a href="../GCP/gcp.persistence.create-service-account-key">Create a GCP Service Account Key</a></td><td></td><td><a href="../GCP/gcp.defense-evasion.remove-vpc-flow-logs">Disable VPC Flow Logs on a Subnet</a></td><td></td><td></td><td></td><td></td><td><a href="../GCP/gcp.impact.gcs-ransomware-individual-deletion">GCS Ransomware through individual file deletion</a></td></tr>
-<tr><td></td><td><a href="../GCP/gcp.persistence.invite-external-user">Invite an External User to a GCP Project</a></td><td></td><td><a href="../GCP/gcp.defense-evasion.delete-logging-sink">Delete a GCP Log Sink</a></td><td></td><td></td><td></td><td></td><td></td></tr>
-<tr><td></td><td></td><td></td><td><a href="../GCP/gcp.defense-evasion.disable-logging-sink">Disable a GCP Log Sink</a></td><td></td><td></td><td></td><td></td><td></td></tr>
-<tr><td></td><td></td><td></td><td><a href="../GCP/gcp.defense-evasion.reduce-sink-log-retention">Reduce Log Retention Period on a Cloud Logging Sink Bucket</a></td><td></td><td></td><td></td><td></td><td></td></tr>
+<tr><td><a href="../GCP/gcp.initial-access.use-compute-sa-outside-gcp">Steal and Use the GCE Default Service Account Token from Outside Google Cloud</a></td><td><a href="../GCP/gcp.execution.modify-vertex-notebook-startup">Inject a Malicious Startup Script into a Vertex AI Workbench Instance</a></td><td><a href="../GCP/gcp.lateral-movement.add-sshkey-instance-metadata">Register SSH public key to instance metadata</a></td><td><a href="../GCP/gcp.persistence.create-admin-service-account">Create an Admin GCP Service Account</a></td><td><a href="../GCP/gcp.defense-evasion.delete-dns-logs">Delete a Cloud DNS Logging Policy</a></td><td><a href="../GCP/gcp.credential-access.secretmanager-retrieve-secrets">Retrieve a High Number of Secret Manager secrets</a></td><td><a href="../GCP/gcp.discovery.download-instance-metadata">Read GCE Instance Metadata via the Compute API</a></td><td><a href="../GCP/gcp.lateral-movement.add-sshkey-instance-metadata">Register SSH public key to instance metadata</a></td><td><a href="../GCP/gcp.exfiltration.share-compute-disk">Exfiltrate Compute Disk by sharing it</a></td><td><a href="../GCP/gcp.impact.create-gpu-vm">Create a GCE GPU Virtual Machine</a></td></tr>
+<tr><td></td><td></td><td><a href="../GCP/gcp.persistence.backdoor-service-account-policy">Backdoor a GCP Service Account through its IAM Policy</a></td><td><a href="../GCP/gcp.persistence.create-service-account-key">Create a GCP Service Account Key</a></td><td><a href="../GCP/gcp.defense-evasion.disable-audit-logs">Disable Data Access Audit Logs for a GCP Service</a></td><td><a href="../GCP/gcp.initial-access.use-compute-sa-outside-gcp">Steal and Use the GCE Default Service Account Token from Outside Google Cloud</a></td><td><a href="../GCP/gcp.discovery.enumerate-permissions">Enumerate Permissions of a GCP Service Account</a></td><td></td><td><a href="../GCP/gcp.exfiltration.share-compute-image">Exfiltrate Compute Image by sharing it</a></td><td><a href="../GCP/gcp.impact.create-instances-in-multiple-zones">Create GCE Instances in Multiple Zones</a></td></tr>
+<tr><td></td><td></td><td><a href="../GCP/gcp.persistence.create-admin-service-account">Create an Admin GCP Service Account</a></td><td><a href="../GCP/gcp.privilege-escalation.impersonate-service-accounts">Impersonate GCP Service Accounts</a></td><td><a href="../GCP/gcp.defense-evasion.remove-project-from-organization">Attempt to Remove a GCP Project from its Organization</a></td><td></td><td></td><td></td><td><a href="../GCP/gcp.exfiltration.share-compute-snapshot">Exfiltrate Compute Disk by sharing a snapshot</a></td><td><a href="../GCP/gcp.impact.gcs-ransomware-client-side-encryption">GCS Ransomware through client-side encryption</a></td></tr>
+<tr><td></td><td></td><td><a href="../GCP/gcp.persistence.create-service-account-key">Create a GCP Service Account Key</a></td><td><a href="../GCP/gcp.execution.modify-vertex-notebook-startup">Inject a Malicious Startup Script into a Vertex AI Workbench Instance</a></td><td><a href="../GCP/gcp.defense-evasion.remove-vpc-flow-logs">Disable VPC Flow Logs on a Subnet</a></td><td></td><td></td><td></td><td></td><td><a href="../GCP/gcp.impact.gcs-ransomware-individual-deletion">GCS Ransomware through individual file deletion</a></td></tr>
+<tr><td></td><td></td><td><a href="../GCP/gcp.persistence.invite-external-user">Invite an External User to a GCP Project</a></td><td></td><td><a href="../GCP/gcp.defense-evasion.delete-logging-sink">Delete a GCP Log Sink</a></td><td></td><td></td><td></td><td></td><td></td></tr>
+<tr><td></td><td></td><td></td><td></td><td><a href="../GCP/gcp.defense-evasion.disable-logging-sink">Disable a GCP Log Sink</a></td><td></td><td></td><td></td><td></td><td></td></tr>
+<tr><td></td><td></td><td></td><td></td><td><a href="../GCP/gcp.defense-evasion.reduce-sink-log-retention">Reduce Log Retention Period on a Cloud Logging Sink Bucket</a></td><td></td><td></td><td></td><td></td><td></td></tr>
 </tbody>
 </table>
 </div>

@@ -617,6 +617,15 @@ GCP:
             - Discovery
           platform: GCP
           isIdempotent: true
+    Execution:
+        - id: gcp.execution.modify-vertex-notebook-startup
+          name: Inject a Malicious Startup Script into a Vertex AI Workbench Instance
+          isSlow: true
+          mitreAttackTactics:
+            - Execution
+            - Privilege Escalation
+          platform: GCP
+          isIdempotent: false
     Exfiltration:
         - id: gcp.exfiltration.share-compute-disk
           name: Exfiltrate Compute Disk by sharing it
@@ -749,6 +758,14 @@ GCP:
             - Privilege Escalation
           platform: GCP
           isIdempotent: true
+        - id: gcp.execution.modify-vertex-notebook-startup
+          name: Inject a Malicious Startup Script into a Vertex AI Workbench Instance
+          isSlow: true
+          mitreAttackTactics:
+            - Execution
+            - Privilege Escalation
+          platform: GCP
+          isIdempotent: false
 Azure:
     Execution:
         - id: azure.execution.vm-custom-script-extension