## **PoC**:
https://github.com/5stars217/malicious_models/
Can be delivered in a number of ways, e.g. via a (public) [registry](obsidian://open?vault=AVML&file=Supply%20Chain%20Attacks%2FPublic%20Model%20Registries%2FUsing%20a%20Huggingface%20Watering%20Hole) or via [kserve](obsidian://open?vault=AVML&file=Supply%20Chain%20Attacks%2FMLops%20Pipelines%2FUsing%20kserve); more to come.
***Bypass and detection note*** (Jan 7 '24):
In TensorFlow `2.14.0`, if loading fails because execution of arbitrary Lambda layers is restricted, switch to the `saved_model` format.
If you rename a `.h5` file to `model.keras`, it is still loaded by the same function, `tf.keras.models.load_model()`, which falls back to the vulnerable legacy `.h5` loader, so the `.keras` extension alone proves nothing about which loader runs. Thanks to [mairebear](https://twitter.com/Mairebear) & [faceteep](https://github.com/faceteep).
## **Details**:
A technique that can be used pre- or post-exploitation to gain code execution in any environment that loads the model; it also works as a persistence technique.
It adds a malicious Lambda layer to the architecture of a Keras model:
https://5stars217.github.io/2023-08-08-red-teaming-with-ml-models/
ID: AML.T0010.003
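A defender-side triage script for the two points above (the Lambda-layer vector and the `.h5`-renamed-to-`.keras` loader bypass), as an added example that is not part of the malicious_models PoC nor of Keras itself. It uses only the Python standard library, sniffs the file format by content rather than extension, and decodes the serialised Lambda function with `marshal.loads()`, which rebuilds the code object without running it. Assumptions: the `.keras` archive keeps its model config in `config.json`, and a Python lambda is serialised either as `{"class_name": "__lambda__", "config": {"code": <base64 marshal>, ...}}` (Keras 3) or as `[<base64 marshal>, defaults, closure]` (Keras 2); check both against the Keras version you deploy. The sample model files are constructed in the block, and the "payload" is compiled but never called.

```python
"""Triage a Keras model file for Lambda-layer code execution (AML.T0010.003).

Added example; standard library only. Assumed layouts: config.json inside the
.keras zip, Lambda code as {"class_name": "__lambda__", "config": {"code": ...}}
(Keras 3) or [code, defaults, closure] (Keras 2).
"""
import base64
import io
import json
import marshal
import zipfile

HDF5_MAGIC = b"\x89HDF\r\n\x1a\n"   # HDF5 superblock signature
ZIP_MAGIC = b"PK\x03\x04"           # zip local file header
SUSPICIOUS = {"__import__", "os", "subprocess", "system", "popen", "exec",
              "eval", "socket", "importlib", "builtins"}


def sniff_format(data: bytes) -> str:
    """Classify by content, not extension: a renamed .h5 is still an .h5."""
    if data.startswith(HDF5_MAGIC):
        return "h5"
    if data.startswith(ZIP_MAGIC):
        return "keras-zip"
    return "unknown"


def _walk(cfg):
    """Yield every {"class_name": ..., "config": ...} object in a model config."""
    if isinstance(cfg, dict):
        if "class_name" in cfg and "config" in cfg:
            yield cfg
        for v in cfg.values():
            yield from _walk(v)
    elif isinstance(cfg, list):
        for v in cfg:
            yield from _walk(v)


def lambda_symbols(fn):
    """Names and string constants used by a serialised Lambda function.

    marshal.loads() only rebuilds the code object; nothing is executed.
    Returns None when the layer references a named function instead.
    """
    if isinstance(fn, dict) and fn.get("class_name") == "__lambda__":
        raw = fn["config"]["code"]
    elif isinstance(fn, (list, tuple)) and fn and isinstance(fn[0], str):
        raw = fn[0]
    else:
        return None
    code = marshal.loads(base64.b64decode(raw))
    return set(code.co_names) | {c for c in code.co_consts if isinstance(c, str)}


def find_lambda_layers(config):
    findings = []
    for obj in _walk(config):
        if obj["class_name"] != "Lambda":
            continue
        syms = lambda_symbols(obj["config"].get("function")) or set()
        findings.append({"name": obj["config"].get("name"),
                         "symbols": sorted(syms),
                         "suspicious": sorted(syms & SUSPICIOUS)})
    return findings


def scan_model_bytes(filename: str, data: bytes) -> dict:
    fmt = sniff_format(data)
    report = {"filename": filename, "format": fmt,
              # the bypass from the note: .keras name, legacy .h5 loader
              "extension_mismatch": filename.endswith(".keras") and fmt != "keras-zip",
              "lambda_layers": [], "h5_lambda_hits": 0}
    if fmt == "keras-zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            report["lambda_layers"] = find_lambda_layers(json.loads(zf.read("config.json")))
    elif fmt == "h5":
        # Triage heuristic without h5py: the model_config attribute is stored as
        # plain JSON text, so the Lambda marker is greppable. For a real review
        # read h5py.File(path).attrs["model_config"] and feed it to find_lambda_layers().
        report["h5_lambda_hits"] = data.count(b'"class_name": "Lambda"')
    return report


# --- constructed samples (not real model files from any project) -------------

def _payload(x):
    # Stand-in for an attacker's Lambda body; compiled here, never called.
    __import__("os").system("id")
    return x


def build_sample_keras_zip() -> bytes:
    """Minimal .keras archive carrying _payload as a serialised lambda."""
    code = base64.b64encode(marshal.dumps(_payload.__code__)).decode("ascii")
    config = {"module": "keras", "class_name": "Sequential", "config": {
        "name": "sequential", "layers": [
            {"class_name": "InputLayer", "config": {"name": "input", "shape": [None, 4]}},
            {"class_name": "Lambda", "config": {"name": "lambda", "function": {
                "class_name": "__lambda__",
                "config": {"code": code, "defaults": None, "closure": None}}}}]}}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config.json", json.dumps(config))
    return buf.getvalue()


def build_sample_renamed_h5() -> bytes:
    """HDF5 signature plus an embedded model_config fragment, to be named .keras.
    Not a valid HDF5 file; enough to exercise sniffing and the grep triage."""
    cfg = json.dumps({"class_name": "Sequential", "config": {"layers": [
        {"class_name": "Lambda", "config": {"name": "lambda"}}]}})
    return HDF5_MAGIC + b"\x00" * 16 + cfg.encode()


if __name__ == "__main__":
    for blob in (build_sample_keras_zip(), build_sample_renamed_h5()):
        print(json.dumps(scan_model_bytes("model.keras", blob), indent=2))
```

Run it on a downloaded artefact by replacing the constructed blobs with `open(path, "rb").read()`. The `extension_mismatch` flag is the cheap check for the rename trick; the `suspicious` list is the signal that a Lambda layer reaches into `os`, `subprocess`, `socket` or the import machinery, which an honest preprocessing lambda has no reason to do.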