New attack technique: Modify a GCE Instance Startup Script (gcp.execution.modify-gce-startup-script) #797

Open: Minosity-VR wants to merge 6 commits into main from simon.marechal/gcp-execution-modify-gce-startup-script

@Minosity-VR
Collaborator

What does this PR do?

New attack technique: gcp.execution.modify-gce-startup-script

Motivation

GCP parity with existing AWS attack techniques.

Test results

  • stratus detonate gcp.execution.modify-gce-startup-script
  • v1.compute.instances.setMetadata appears in GCP Admin Activity audit logs

Checklist

  • The attack technique emulates a single attack step, not a full attack chain
  • We have factual evidence & references that the attack technique was used by real malware, pentesters, or attackers
  • The attack technique makes no assumption about the state of the environment prior to warming it up

@Minosity-VR Minosity-VR force-pushed the simon.marechal/gcp-execution-iap-tunnel-session branch from ec6c066 to 8f0f815 Compare March 30, 2026 14:54
@Minosity-VR Minosity-VR force-pushed the simon.marechal/gcp-execution-modify-gce-startup-script branch from 476744c to 9c0e68a Compare March 30, 2026 14:54
@Minosity-VR Minosity-VR marked this pull request as ready for review April 1, 2026 07:24
@Minosity-VR Minosity-VR requested review from a team as code owners April 1, 2026 07:24
@Minosity-VR Minosity-VR force-pushed the simon.marechal/gcp-execution-iap-tunnel-session branch from 8f0f815 to d365af8 Compare April 1, 2026 08:28
@Minosity-VR Minosity-VR force-pushed the simon.marechal/gcp-execution-modify-gce-startup-script branch from 9c0e68a to c56605b Compare April 1, 2026 08:28
@Minosity-VR Minosity-VR force-pushed the simon.marechal/gcp-execution-iap-tunnel-session branch from d365af8 to 52b4d0d Compare April 1, 2026 08:53
@Minosity-VR Minosity-VR force-pushed the simon.marechal/gcp-execution-modify-gce-startup-script branch from c56605b to b71b7b9 Compare April 1, 2026 08:53
@Minosity-VR Minosity-VR force-pushed the simon.marechal/gcp-execution-iap-tunnel-session branch from 52b4d0d to 34a3079 Compare April 1, 2026 09:04
@Minosity-VR Minosity-VR force-pushed the simon.marechal/gcp-execution-modify-gce-startup-script branch from b71b7b9 to ec6aed6 Compare April 1, 2026 09:04
@christophetd christophetd force-pushed the simon.marechal/gcp-execution-iap-tunnel-session branch from 34a3079 to dc07d5d Compare April 8, 2026 13:58
Minosity-VR and others added 3 commits April 9, 2026 09:37
…tion.modify-gce-startup-script)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@Minosity-VR Minosity-VR force-pushed the simon.marechal/gcp-execution-modify-gce-startup-script branch from ec6aed6 to aa1fc8b Compare April 9, 2026 08:28
@Minosity-VR Minosity-VR changed the base branch from simon.marechal/gcp-execution-iap-tunnel-session to main April 9, 2026 08:28
Comment thread v2/internal/attacktechniques/gcp/execution/modify-gce-startup-script/main.go Outdated
Comment thread v2/internal/attacktechniques/gcp/execution/modify-gce-startup-script/main.go Outdated
… AI Workbench Instance (gcp.execution.modify-vertex-notebook-startup) (#798)