
Unexpected GCP API calls indicating Compute Engine instance startup script modification

ID: gcp_compute_engine_startup_script_modified_anomaly
Data type: Google Cloud Platform
Severity: Informational - Medium
MITRE ATT&CK: TA0004:T1037

Description

AlphaSOC detected modification of a startup script on a GCP Compute Engine instance via compute.instances.setMetadata. Startup scripts execute automatically when an instance boots, running with elevated privileges.

Adversaries use startup scripts to establish persistence and execute malicious code. A modified startup script will run on every instance restart, potentially downloading and executing malware, establishing reverse shells, or modifying system configurations.

Impact

Malicious startup scripts provide persistent code execution on compute instances. Attackers can use this to maintain access across reboots, deploy malware, exfiltrate data, or establish command and control channels. The script runs with instance service account privileges, potentially enabling further cloud resource access.

Severity

Severity        Condition
Informational   Unexpected action, ASN, user agent or region
Low             Two unexpected properties at the same time
Medium          Three unexpected properties at the same time

Investigation and Remediation

Review GCP audit logs for the compute.instances.setMetadata action with startup-script modifications. Examine the script contents and identify the principal responsible.
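The following is an added example, not AlphaSOC's detection code, of how the audit-log review and the severity ladder above can be applied to one Admin Activity log line: it picks out compute.instances.setMetadata calls that write a startup-script key, then counts which of action, ASN, user agent and region fall outside a baseline. The baseline, the IP-to-ASN table and the sample log entry are constructed for the example, and the audit-log field names are assumed from the public schema.

```python
import json
STARTUP_KEYS = {"startup-script", "startup-script-url", "windows-startup-script-ps1"}

# Constructed baseline for this principal (assumption): seen actions, ASNs, user-agent prefixes, regions.
BASELINE = {"action": {"v1.compute.instances.start", "v1.compute.instances.stop"},
            "asn": {"AS15169"}, "user_agent": {"google-cloud-sdk"}, "region": {"us-central1"}}
# Constructed IP-to-ASN table standing in for a real ASN lookup (assumption).
ASN_LOOKUP = {"35.1.2.3": "AS15169", "203.0.113.7": "AS64496"}

# Constructed audit-log line shaped like a GCP Admin Activity entry; every value is made up.
SAMPLE_LINE = json.dumps({"protoPayload": {
    "methodName": "v1.compute.instances.setMetadata",
    "authenticationInfo": {"principalEmail": "deploy@example-proj.iam.gserviceaccount.com"},
    "requestMetadata": {"callerIp": "203.0.113.7", "callerSuppliedUserAgent": "curl/8.4.0"},
    "resourceName": "projects/example-proj/zones/europe-west1-b/instances/web-01",
    "request": {"metadata": {"items": [{"key": "startup-script", "value": "#!/bin/bash\necho changed"}]}},
}})

def startup_script_keys(payload):
    # Startup-script keys written by a setMetadata call; empty set for any other API call.
    if payload.get("methodName") != "v1.compute.instances.setMetadata":
        return set()
    items = payload.get("request", {}).get("metadata", {}).get("items", [])
    return {i.get("key") for i in items} & STARTUP_KEYS

def unexpected_properties(payload):
    # Which of action / ASN / user agent / region fall outside the baseline.
    meta = payload.get("requestMetadata", {})
    zone = payload["resourceName"].split("/zones/")[1].split("/")[0]  # e.g. europe-west1-b
    expected = {
        "action": payload["methodName"] in BASELINE["action"],
        "asn": ASN_LOOKUP.get(meta.get("callerIp")) in BASELINE["asn"],
        "user_agent": any(meta.get("callerSuppliedUserAgent", "").startswith(k) for k in BASELINE["user_agent"]),
        "region": zone.rsplit("-", 1)[0] in BASELINE["region"],  # europe-west1-b -> europe-west1
    }
    return [name for name, ok in expected.items() if not ok]

def severity(unexpected):
    # Rule ladder: one unexpected property -> Informational, two -> Low, three or more -> Medium.
    return {0: "none", 1: "Informational", 2: "Low"}.get(len(unexpected), "Medium")

def assess(raw_line):
    # Parse one audit-log line; return a finding, or {} if no startup script was touched.
    payload = json.loads(raw_line)["protoPayload"]
    keys = startup_script_keys(payload)
    if not keys:
        return {}
    unexpected = unexpected_properties(payload)
    return {"principal": payload["authenticationInfo"]["principalEmail"], "instance": payload["resourceName"],
            "keys": sorted(keys), "unexpected": unexpected, "severity": severity(unexpected)}
```

The finding returned by assess() carries the principal and instance that the investigation step asks for, so it can be fed straight into a ticket or a further query on that identity's other activity.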

If unauthorized, immediately remove or replace the malicious startup script. Consider stopping and reimaging the affected instance if compromise is suspected. Rotate credentials for the instance service account. Investigate the identity that made the change and review their other activities.