GCP - Logging Post Exploitation

Basic Information

For more information check:

GCP - Logging Enum

For other ways of disrupting monitoring check:

GCP - Monitoring Post Exploitation

Default Logs

By default you won't get caught performing read-only actions. For more information check the Logging Enum section.

Add Excepted Principal

In https://console.cloud.google.com/iam-admin/audit/allservices and https://console.cloud.google.com/iam-admin/audit it's possible to add principals so that they don't generate logs. An attacker could abuse this to avoid being detected.

Read logs - logging.logEntries.list

# Read logs
gcloud logging read "logName=projects/your-project-id/logs/log-id" --limit=10 --format=json

# Everything from a timestamp
gcloud logging read "timestamp >= \"2023-01-01T00:00:00Z\"" --limit=10 --format=json

# Use these options to indicate a different bucket or view to use: --bucket=_Required  --view=_Default

logging.logs.delete

# Delete all entries from a log in the _Default log bucket - logging.logs.delete
gcloud logging logs delete <log-name>

Write logs - logging.logEntries.create

# Write a log entry to try to disrupt some system
gcloud logging write LOG_NAME "A deceptive log entry" --severity=ERROR

logging.buckets.update

# Set retention period to 1 day (_Required has a fixed one of 400 days)
gcloud logging buckets update <bucket-name> --location=<location> --description="New description" --retention-days=1

logging.buckets.delete

Description

This permission allows deleting Logging buckets. It can be used to destroy evidence of post-exploitation activity.

Impact

Deleting Logging buckets can block the investigation of post-exploitation activity, making it harder for investigators to trace what you did.

Execution

# Delete log bucket (--location is required)
gcloud logging buckets delete BUCKET_NAME --location=<location>

Replace BUCKET_NAME with the name of the bucket you want to delete.

logging.sinks.delete

Description

This permission allows deleting Logging sinks. It can be used to stop Logging data from reaching its intended destinations.

Impact

Deleting Logging sinks can stop important Logging data from reaching its intended destinations, making it harder for investigators to trace what you did.

Execution

# Delete sink
gcloud logging sinks delete [SINK_NAME]

Replace [SINK_NAME] with the name of the sink you want to delete.

logging.links.delete

# Delete link
gcloud logging links delete <link-id> --bucket <bucket> --location <location>

logging.views.delete

Description

This permission allows deleting a log view.

Impact

Deleting a log view can stop investigators from seeing or analysing security events, hiding post-exploitation activity.

Prevention

  • Make sure the permission to delete log views is granted only to trusted users.

  • Use IAM policies to control who can obtain this permission.

# Delete a logging view to remove access for anyone using it
gcloud logging views delete <view-id> --bucket=<bucket> --location=global

logging.exclusions.create

Description

This permission allows creating a log exclusion.

Impact

Creating a log exclusion can stop certain events from being recorded, hiding post-exploitation activity.

Prevention

  • Make sure the permission to create log exclusions is granted only to trusted users.

  • Use IAM policies to control who can obtain this permission.

logging.exclusions.delete

Description

This permission allows deleting a log exclusion.

Impact

Deleting a log exclusion can cause certain events to be recorded again, which may expose post-exploitation activity.

Prevention

  • Make sure the permission to delete log exclusions is granted only to trusted users.

  • Use IAM policies to control who can obtain this permission.

logging.views.update

# Update a logging view to hide data
gcloud logging views update <view-id> --log-filter="resource.type=gce_instance" --bucket=<bucket> --location=global --description="New description for the log view"

logging.logMetrics.update

# Update log based metrics - logging.logMetrics.update
gcloud logging metrics update <metric-name> --description="Changed metric description" --log-filter="severity>CRITICAL" --project=PROJECT_ID

logging.logMetrics.delete

Log-based metrics

In GCP you can create log-based metrics with logging.logMetrics.create and delete them with logging.logMetrics.delete. This can be useful for hiding your post-exploitation activity.

Deleting log-based metrics

You can delete a log-based metric with the following command:

# Delete log based metrics - logging.logMetrics.delete
gcloud logging metrics delete <metric-name>

Replace <metric-name> with the name of the metric you want to delete. This helps hide the traces of your activity in the GCP environment.

logging.sinks.delete

Description

Being able to delete logging sinks can be useful for hiding your activity, since it can help avoid quick detection.

Steps

  1. List the existing logging sinks:

    gcloud logging sinks list
  2. Delete the logging sink:

    # Delete sink - logging.sinks.delete
    gcloud logging sinks delete <sink-name>

Caution

Keep in mind that deleting logging sinks may alert the system's regular users. Use this technique carefully and make sure you understand its impact.

logging.sinks.update

# Disable sink - logging.sinks.update
gcloud logging sinks update <sink-name> --disabled

# Create a filter to exclude the attacker's logs - logging.sinks.update
gcloud logging sinks update SINK_NAME --add-exclusion="name=exclude-info-logs,filter=severity<INFO"

# Change where the sink is storing the data (the destination is a positional argument) - logging.sinks.update
gcloud logging sinks update <sink-name> <new-destination>

# Change the service account to one without permissions to write to the destination - logging.sinks.update
gcloud logging sinks update SINK_NAME --custom-writer-identity=attacker-service-account-email --project=PROJECT_ID

# Remove exclusions to try to overload with logs - logging.sinks.update
gcloud logging sinks update SINK_NAME --clear-exclusions

# If the sink exports to BigQuery, an attacker might enable or disable the use of partitioned tables, potentially leading to inefficient querying and higher costs. - logging.sinks.update
gcloud logging sinks update SINK_NAME --use-partitioned-tables
gcloud logging sinks update SINK_NAME --no-use-partitioned-tables
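Every configuration change on this page (sink, exclusion, bucket, view and metric changes, and the audit-config exemptions from the "Add Excepted Principal" section) is itself recorded as an Admin Activity audit log entry, which cannot be excluded and is where this tampering gets detected. The following Python is an added example, not part of the original page: it scans constructed audit entries for those actions; the `methodName` values are assumed from the Logging v2 API and the 30-day retention threshold is an assumption.

```python
# Added example (not from the original page): flag Cloud Audit Log entries that match
# the log-tampering actions above. Samples are constructed; method names are assumed.
import json
DESTRUCTIVE = {  # admin-activity methods that remove logging outright
    "google.logging.v2.ConfigServiceV2.DeleteSink": "sink deleted",
    "google.logging.v2.ConfigServiceV2.CreateExclusion": "exclusion created",
    "google.logging.v2.ConfigServiceV2.DeleteBucket": "log bucket deleted",
    "google.logging.v2.ConfigServiceV2.DeleteView": "log view deleted",
    "google.logging.v2.LoggingServiceV2.DeleteLog": "log deleted",
    "google.logging.v2.MetricsServiceV2.DeleteLogMetric": "log metric deleted",
}
MIN_RETENTION_DAYS = 30  # alert threshold; an assumption for this example

def classify(entry):
    """Return a finding for a tampering entry, or None if it looks benign."""
    p = entry.get("protoPayload", {})
    method, req = p.get("methodName", ""), p.get("request") or {}
    if method in DESTRUCTIVE:
        return DESTRUCTIVE[method]
    if method == "google.logging.v2.ConfigServiceV2.UpdateSink":
        sink = req.get("sink", {})
        if sink.get("disabled"):
            return "sink disabled"
        if "exclusions" in sink:
            return "sink exclusions changed"
    if method == "google.logging.v2.ConfigServiceV2.UpdateBucket":
        days = req.get("bucket", {}).get("retentionDays")
        if days is not None and days < MIN_RETENTION_DAYS:
            return f"bucket retention set to {days} day(s)"
    if method == "SetIamPolicy":  # excepted principals live in auditConfigs
        for cfg in req.get("policy", {}).get("auditConfigs", []):
            for alc in cfg.get("auditLogConfigs", []):
                if alc.get("exemptedMembers"):
                    return "audit-log exempted member: " + ",".join(alc["exemptedMembers"])
    return None

def scan(jsonl_lines):
    # Return (principal, finding) pairs for suspicious JSON-lines audit entries.
    findings = []
    for line in jsonl_lines:
        e = json.loads(line)
        if (f := classify(e)) is not None:
            who = e["protoPayload"].get("authenticationInfo", {}).get("principalEmail", "?")
            findings.append((who, f))
    return findings

SAMPLE = [  # constructed entries, trimmed to the fields the detector reads
    '{"protoPayload":{"methodName":"google.logging.v2.ConfigServiceV2.UpdateSink","authenticationInfo":{"principalEmail":"alice@example.com"},"request":{"sink":{"disabled":true}}}}',
    '{"protoPayload":{"methodName":"google.logging.v2.ConfigServiceV2.UpdateBucket","authenticationInfo":{"principalEmail":"bob@example.com"},"request":{"bucket":{"retentionDays":1}}}}',
    '{"protoPayload":{"methodName":"SetIamPolicy","authenticationInfo":{"principalEmail":"eve@example.com"},"request":{"policy":{"auditConfigs":[{"service":"allServices","auditLogConfigs":[{"logType":"DATA_READ","exemptedMembers":["user:eve@example.com"]}]}]}}}}',
    '{"protoPayload":{"methodName":"google.logging.v2.LoggingServiceV2.ListLogEntries","authenticationInfo":{"principalEmail":"carol@example.com"}}}',
]
```

Feed it real entries exported as one JSON object per line (for example from a log sink to Pub/Sub) and route the findings to your alerting pipeline.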