---
title: Anomalous data access via possible script tool from service account
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Anomalous data access via possible
  script tool from service account
---

> For the complete documentation index, see [llms.txt](https://docs.datadoghq.com/llms.txt).

# Anomalous data access via possible script tool from service account
Classification:attackTechnique:[T1078-valid-accounts](https://attack.mitre.org/techniques/T1078) 
## Goal{% #goal %}

Detects when a GCP Compute Engine default service account performs admin write operations using a scripting-tool user agent such as `curl`, `wget`, or `python-requests`.

## Strategy{% #strategy %}

This rule monitors GCP data access audit logs for `ADMIN_WRITE` operations originating from principals matching the Compute Engine default service account pattern (`*-compute@developer.gserviceaccount.com`), where the `User-Agent` header indicates a scripting tool. Default Compute Engine service accounts are often broadly scoped and are therefore frequently targeted by attackers after gaining code execution on a VM instance. The use of raw HTTP clients like `curl` or `python-requests` for admin-level API calls is atypical for legitimate applications and suggests post-exploitation tooling or a misconfigured workload performing ADMIN_WRITE priviledged operations.

## Triage and Response{% #triage-and-response %}

- Determine whether `{{@method}}` is an expected API call for the workload running on the instance associated with this service account.
- Review the `{{@http.useragent}}` value and assess whether the invoking process is a known application component or an unexpected script.
- Identify the GCP resources targeted by the admin write operation and evaluate the potential impact of the action.
- Check for other recent API calls from this service account around the same timeframe, and whether any deviate from its normal operation pattern.
- Investigate whether the Compute Engine instance associated with this service account shows signs of compromise, such as unexpected processes, network connections, and other lateral movement indicators.
