Excess Google Drive Folder Exports Macos

osquery

Surface when a machine has downloaded an unusual number of zip exports from Google Drive

Author

Chainguard

Published

January 29, 2025

Description

ODK (osquery-defense-kit) is unique in that the queries are designed to be used as part of a production detection & response pipeline. The detection queries are formulated to return zero rows during normal expected behavior, so that they may be configured to generate alerts when rows are returned.

Query

-- Surface when a machine has downloaded an unusual number of zip exports from Google Drive
--
-- platform: darwin
-- tags: persistent filesystem spotlight
-- interval: 3600
SELECT
  COUNT(DISTINCT file.path) AS num_exports,
  GROUP_CONCAT(DISTINCT file.path) AS paths,
  SUM(file.size) AS total_size,
  MIN(file.btime) AS first_btime,
  MAX(file.atime) AS last_atime
FROM
  mdfind
  JOIN file ON mdfind.path = file.path
  JOIN hash ON file.path = hash.path
  JOIN extended_attributes ea ON mdfind.path = ea.path
WHERE
  mdfind.query = "kMDItemWhereFroms == 'https://*-drive-data-export.googleusercontent.com*' AND 'kMDItemFSCreationDate >= $time.now(-604800)'"
  -- this seems excessive, but I was having issues with kMDItemFSCreationDate not filtering appropriately
  AND MAX(file.btime, file.ctime, file.mtime) > (strftime('%s', 'now') -604800)
  -- "GROUP BY" should be unnecessary, but Kolide seems to require it
GROUP BY
  ea.key
HAVING
  total_size > (100 * 1024 * 1024)
  OR num_exports > 1
ORDER BY
  file.path ASC

tags: SStagSS

Reference

https://github.com/chainguard-dev/osquery-defense-kit