GCP Service Account Keys Mdfind

osquery
Indicative of stored GCP service account keys just sitting around unencrypted
Author

Chainguard

Published

January 29, 2025

Description

ODK (osquery-defense-kit) is unique in that the queries are designed to be used as part of a production detection & response pipeline. The detection queries are formulated to return zero rows during normal expected behavior, so that they may be configured to generate alerts when rows are returned.

Query

-- Indicative of stored GCP service account keys just sitting around unencrypted
--
-- * False positives:
--   * Keys exported for non-production purposes
--
-- tags: persistent state filesystem disabled
-- platform: darwin
SELECT
  file.path,
  file.size,
  file.btime,
  file.ctime,
  file.mtime,
  magic.data,
  hash.sha256,
  u.username,
  ea.value AS url
FROM
  mdfind
  JOIN file ON mdfind.path = file.path
  LEFT JOIN users u ON file.uid = u.uid
  LEFT JOIN hash ON mdfind.path = hash.path
  LEFT JOIN extended_attributes ea ON mdfind.path = ea.path
  AND ea.key = 'where_from'
  LEFT JOIN magic ON mdfind.path = magic.path
  LEFT JOIN signature ON mdfind.path = signature.path
WHERE
  mdfind.query = "kMDItemFSName == '*.json'"
  AND (
    file.filename LIKE "%-%-%.json"
    OR file.filename LIKE '%service%.json'
    OR file.filename LIKE '%acct%.json'
    OR file.filename LIKE '%key%.json'
    OR file.filename LIKE '%account%.json'
    OR file.filename LIKE '%-sa.json'
    OR file.filename LIKE 'sa%.json'
    OR file.filename LIKE '%s%r%v%acc%t%json'
    OR file.filename LIKE '%prod.json'
    OR file.filename LIKE 'prod%.json'
  )
  -- Size window for exported service account key files
  AND file.size BETWEEN 2311 AND 2385
  -- Don't alert on keys that begin with "username-", as they may be personal
  AND NOT INSTR(file.filename, CONCAT (u.username, "-")) == 1
  -- Don't alert on keys whose name contains a chunk of the username (characters 3 to 10)
  AND NOT (
    LENGTH(u.username) > 4
    AND INSTR(file.filename, SUBSTR(u.username, 3, 8)) > 0
  )
  -- Don't alert on keys that begin with the user's full name (lowercased, spaces replaced by dashes)
  AND NOT INSTR(
    file.filename,
    REPLACE(LOWER(TRIM(u.description)), " ", "-")
  ) == 1
  -- Common locations of test or demo keys
  AND NOT file.filename = 'keys.json'
  AND NOT file.directory = "/Users/Shared/LGHUB"
  AND NOT file.directory LIKE '%/pkg/%'
  AND NOT file.directory LIKE '%/go/src/%'
  AND NOT file.directory LIKE '%/pkg/mod/%'
  AND NOT file.directory LIKE '%/aws-sdk/apis'
  AND NOT file.directory LIKE '%/mock-infras/%'
  AND NOT file.directory LIKE '%/testdata%'
  AND NOT file.directory LIKE '%/conformance/%'
  AND NOT file.directory LIKE '%/third_party/%'
  AND NOT file.directory LIKE '%/generated/%'
  AND NOT file.directory LIKE '%/output/%'
  AND NOT file.directory LIKE '%/tests%'
  AND NOT file.directory LIKE '%/validation%'
  AND NOT file.directory LIKE '%/data/%'
  AND NOT file.directory LIKE '%/json%'
  AND NOT file.directory LIKE '%/specs%'
  AND NOT file.directory LIKE '%/schemas'
  AND NOT file.directory LIKE '/Users/%/Library/Application Support/%'
  AND NOT file.directory LIKE '%demo'
  AND NOT file.filename LIKE 'ntia-conformance-%'
  AND NOT file.filename LIKE '%-test.json'
  AND NOT file.filename LIKE '%package%'
  AND NOT file.filename LIKE '%expected%'
  AND NOT file.filename LIKE '%.pom.%'
  AND NOT file.filename LIKE '%latest%'
  AND NOT file.filename LIKE '%2022%'
  AND NOT file.filename LIKE '%2023%'
  AND NOT file.filename LIKE 'host-project-%'
  AND NOT file.filename LIKE '%spdx%'
  AND NOT file.filename LIKE '%-v1%'
  AND NOT file.filename LIKE 'libopenblas-%'
  -- Well known demo keys
  AND NOT hash.sha256 IN (
    '11ffc5141b4b0071c0796914deef68d012c4f4c289931c5587fe89d7d6dca0a1',
    '2d330d059f4af4d314a85418fb031ee628f41dcf3e31fbce46858e52e73180c4',
    '4b4be8c1bc7e3bc7ea1f02932a024466db5faf3eaad885cf31ac7383484b1b1c',
    '6e55f3eccad59a615189c82cbcbd1133ce94509f7c5d42e3e7fbd00e65f0731f',
    'e99b4e6dfbbefa19c9ec9c82bb0c3445a443702f960c2a05f882bb5577a59ef8',
    '421899fb9bfa0252ce7921969339918a5bbacbc7b9cd500e03a88f9c4e33bae4',
    '81bce2313cd00ffc42303fbf7c08e4d068fccc9c0076867903ef94616d795e12',
    '8d740893c1f9163ddfd8c193d9a95caf15da3740b42f2739c4b107ad12661809',
    '998ddcb7d1a7c2931c8546576873e47b399f23cef719227052f245c8240c6528',
    'af1a2f8e9d581bb1504e3d8801d15d962fdf12ee7ebcf2bb9c475c8b92da6472',
    'b68896dc8e8c23ade371cf8b5c9d25853d81b4cfa5baa2bc0200d9242a903d80',
    'bc4c0ad21d79fea9050e75e80f13dd54bfdc867236342ede901d15d815f31988',
    'cea85342377ef1bce115629c3d9d3ec405964a43545805c9f7ace98940aa0be2',
    'a0f925d91d2ae1d38c13305572b2bf027e09f39e8bea575d55e8fcd5f3bf8b32',
    'ef2c928c69403e023a332002d8c5c430e1022850b12f834563f6aec111d99f14'
  )
GROUP BY
  file.path
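The query's filename, size and ownership heuristics re-expressed in Python, as an added example that is not part of ODK, so the filter logic can be unit-tested against sample records before an exclusion list is changed. The exclusion lists are a subset of those in the query, and FileRecord, would_alert and the sample paths are assumptions of this example.

```python
import fnmatch
import os
from dataclasses import dataclass

# Filename patterns from the query's LIKE clauses, as globs ('%' becomes '*').
NAME_PATTERNS = ["*-*-*.json", "*service*.json", "*acct*.json", "*key*.json",
                 "*account*.json", "*-sa.json", "sa*.json", "*s*r*v*acc*t*json",
                 "*prod.json", "prod*.json"]
# Subset of the directories and names the query excludes as test/vendored/demo data.
SKIP_DIRS = ["*/pkg/*", "*/go/src/*", "*/testdata*", "*/tests*", "*/third_party/*",
             "*/generated/*", "*/data/*", "*/json*", "*/specs*", "*demo",
             "/Users/*/Library/Application Support/*"]
SKIP_NAMES = ["keys.json", "*-test.json", "*package*", "*expected*", "*latest*",
              "*2022*", "*2023*", "*spdx*", "*-v1*"]
SIZE_RANGE = (2311, 2385)  # byte-size window the query applies


@dataclass
class FileRecord:          # one row of the joined file/users tables (constructed)
    path: str
    size: int
    username: str          # users.username of the file owner
    description: str       # users.description, usually the owner's full name


def _like(value: str, patterns) -> bool:
    # SQLite LIKE is case-insensitive for ASCII; fnmatch is not, so lowercase both.
    value = value.lower()
    return any(fnmatch.fnmatchcase(value, p.lower()) for p in patterns)


def would_alert(rec: FileRecord) -> bool:
    """True if the record would be returned by the query, i.e. raise an alert."""
    name = os.path.basename(rec.path)
    directory = os.path.dirname(rec.path)
    if not _like(name, NAME_PATTERNS) or not SIZE_RANGE[0] <= rec.size <= SIZE_RANGE[1]:
        return False
    # Personal keys: "<username>-..." or a chunk of the username (chars 3-10) in the name.
    if name.startswith(rec.username + "-"):
        return False
    if len(rec.username) > 4 and rec.username[2:10] in name:
        return False
    # Keys named after the owner's full name, e.g. "jane-doe-..." for "Jane Doe".
    full_name = rec.description.strip().lower().replace(" ", "-")
    if full_name and name.startswith(full_name):
        return False
    # Test, vendored, generated and demo locations the query ignores.
    if _like(directory, SKIP_DIRS) or _like(name, SKIP_NAMES):
        return False
    return True
```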


Reference

https://github.com/chainguard-dev/osquery-defense-kit