GCP - Logging Post Exploitation

Tip

AWS 해킹 배우기 및 연습하기:HackTricks Training AWS Red Team Expert (ARTE)
GCP 해킹 배우기 및 연습하기: HackTricks Training GCP Red Team Expert (GRTE) Azure 해킹 배우기 및 연습하기: HackTricks Training Azure Red Team Expert (AzRTE)

HackTricks 지원하기

기본 정보

자세한 내용은 다음을 확인하세요:

GCP - Logging Enum

모니터링을 교란하는 다른 방법은 다음을 확인하세요:

GCP - Monitoring Post Exploitation

기본 로깅

기본적으로 단순한 읽기(read) 작업만으로는 탐지되지 않습니다. 자세한 내용은 Logging Enum 섹션을 확인하세요.

예외로 지정된 Principal 추가

https://console.cloud.google.com/iam-admin/audit/allserviceshttps://console.cloud.google.com/iam-admin/audit에서 로그를 생성하지 않도록 principal을 추가할 수 있습니다. 공격자는 이를 악용해 탐지를 피할 수 있습니다.

로그 읽기 - logging.logEntries.list

로그 항목 읽기 ```bash # Read logs gcloud logging read "logName=projects/your-project-id/logs/log-id" --limit=10 --format=json

Everything from a timestamp

gcloud logging read “timestamp >= "2023-01-01T00:00:00Z"” –limit=10 –format=json

Use these options to indicate a different bucket or view to use: –bucket=_Required –view=_Default

</details>

### `logging.logs.delete`

<details>

<summary>로그 항목 삭제</summary>
```bash
# Delete all entries from a log in the _Default log bucket - logging.logs.delete
gcloud logging logs delete <log-name>

로그 쓰기 - logging.logEntries.create

로그 항목 쓰기 ```bash # Write a log entry to try to disrupt some system gcloud logging write LOG_NAME "A deceptive log entry" --severity=ERROR ```

logging.buckets.update

로그 버킷 보존 기간 업데이트 ```bash # Set retention period to 1 day (_Required has a fixed one of 400days)

gcloud logging buckets update bucketlog –location= –description=“New description” –retention-days=1

</details>

### `logging.buckets.delete`

<details>

<summary>로그 버킷 삭제</summary>
```bash
# Delete log bucket
gcloud logging buckets delete BUCKET_NAME --location=<location>

logging.links.delete

로그 링크 삭제 ```bash # Delete link gcloud logging links delete --bucket --location ```

logging.views.delete

로그 뷰 삭제 ```bash # Delete a logging view to remove access to anyone using it gcloud logging views delete --bucket= --location=global ```

logging.views.update

로깅 뷰를 업데이트하여 데이터를 숨기기 ```bash # Update a logging view to hide data gcloud logging views update --log-filter="resource.type=gce_instance" --bucket= --location=global --description="New description for the log view" ```

logging.logMetrics.update

로그 기반 메트릭 업데이트 ```bash # Update log based metrics - logging.logMetrics.update gcloud logging metrics update --description="Changed metric description" --log-filter="severity>CRITICAL" --project=PROJECT_ID ```

logging.logMetrics.delete

로그 기반 메트릭 삭제 ```bash # Delete log based metrics - logging.logMetrics.delete gcloud logging metrics delete ```

logging.sinks.delete

로그 싱크 삭제 ```bash # Delete sink - logging.sinks.delete gcloud logging sinks delete ```

logging.sinks.update

로그 sink 업데이트/중단 ```bash # Disable sink - logging.sinks.update gcloud logging sinks update --disabled

Createa filter to exclude attackers logs - logging.sinks.update

gcloud logging sinks update SINK_NAME –add-exclusion=“name=exclude-info-logs,filter=severity<INFO”

Change where the sink is storing the data - logging.sinks.update

gcloud logging sinks update new-destination

Change the service account to one withuot permissions to write in the destination - logging.sinks.update

gcloud logging sinks update SINK_NAME –custom-writer-identity=attacker-service-account-email –project=PROJECT_ID

Remove explusions to try to overload with logs - logging.sinks.update

gcloud logging sinks update SINK_NAME –clear-exclusions

If the sink exports to BigQuery, an attacker might enable or disable the use of partitioned tables, potentially leading to inefficient querying and higher costs. - logging.sinks.update

gcloud logging sinks update SINK_NAME –use-partitioned-tables gcloud logging sinks update SINK_NAME –no-use-partitioned-tables

</details>

> [!TIP]
> AWS 해킹 배우기 및 연습하기:<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">\
> GCP 해킹 배우기 및 연습하기: <img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)<img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
> Azure 해킹 배우기 및 연습하기: <img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training Azure Red Team Expert (AzRTE)**](https://training.hacktricks.xyz/courses/azrte)<img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
>
> <details>
>
> <summary>HackTricks 지원하기</summary>
>
> - [**구독 계획**](https://github.com/sponsors/carlospolop) 확인하기!
> - **💬 [**Discord 그룹**](https://discord.gg/hRep4RUj7f) 또는 [**텔레그램 그룹**](https://t.me/peass)에 참여하거나 **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**를 팔로우하세요.**
> - **[**HackTricks**](https://github.com/carlospolop/hacktricks) 및 [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) 깃허브 리포지토리에 PR을 제출하여 해킹 트릭을 공유하세요.**
>
> </details>