
Exfiltrate Data from BigQuery Table via Unauthorized Query

Platform: GCP


  • Exfiltration


BigQuery runs SQL queries asynchronously: a query is submitted as a job, and its results are retrieved afterward in a separate call. This attack technique executes a query against a BigQuery Table to retrieve all data from every column.

Attacker Actions

The attack technique first calls the REST API, submitting a SQL query selecting all data from the derf-target-dev.derf_dataset.derf_table1 BigQuery Table.

  • Log methodName: jobservice.insert
  • Required Permissions: and bigquery.tables.getData

Second, the attack technique calls the REST API again to return the results of the previously submitted SQL query, using the JobId as a reference.

  • Log methodName: jobservice.getqueryresults
  • Required Permissions:

Workflow Inputs

None. The workflow will always run as Attack Execution Service Account 01.

Clean Up:


Execution Instructions

  • See the User Guide for Execution Instructions via the Google Cloud Console
  • Programmatically execute this workflow with the following CLI command:
gcloud workflows run gcp-bq-data-exfilration-via-job-toc

Detection Artifacts

LogName: projects/-/logs/

Run SQL query with a Job:

Retrieve SQL query results:
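
One way to correlate the two methodName values listed under Attacker Actions, as an added example that is not part of the original page or the tool it documents: it flags a SELECT * job on the target table submitted by a principal outside an allowlist, and records whether that principal then fetched the job's results. The entry layout (integer timestamps, the serviceData paths), the allowlist and the principal names are assumptions and constructed sample data; map them to the fields in your own logs.

```python
import re

SELECT_ALL = re.compile(r"\bselect\s+\*\s+from\b", re.IGNORECASE)
TABLE = "derf-target-dev.derf_dataset.derf_table1"

def entry(ts, method, who, job_id, query=""):
    """Constructed audit-log entry; ts is epoch seconds, serviceData layout is assumed."""
    job = {"jobName": {"jobId": job_id},
           "jobConfiguration": {"query": {"query": query}}}
    wrap = ({"jobInsertRequest": {"resource": job}} if method == "jobservice.insert"
            else {"jobGetQueryResultsResponse": {"job": job}})
    return {"timestamp": ts, "protoPayload": {"methodName": method,
            "authenticationInfo": {"principalEmail": who}, "serviceData": wrap}}

def job_of(payload):
    """Return the job object carried by either method's serviceData, or {}."""
    sd = payload.get("serviceData", {})
    return (sd.get("jobInsertRequest", {}).get("resource")
            or sd.get("jobGetQueryResultsResponse", {}).get("job") or {})

def detect(entries, table, allowed_principals, window=3600):
    """Flag SELECT * jobs on `table` by non-allowlisted principals; mark fetched results."""
    pending, findings = {}, []
    for e in sorted(entries, key=lambda e: e["timestamp"]):
        p = e["protoPayload"]
        who = p["authenticationInfo"]["principalEmail"]
        job = job_of(p)
        job_id = job.get("jobName", {}).get("jobId")
        if p["methodName"] == "jobservice.insert":
            sql = job.get("jobConfiguration", {}).get("query", {}).get("query", "")
            if who not in allowed_principals and table in sql and SELECT_ALL.search(sql):
                finding = {"principal": who, "job_id": job_id, "submitted": e["timestamp"], "fetched": False}
                pending[(who, job_id)] = finding
                findings.append(finding)
        elif p["methodName"] == "jobservice.getqueryresults":
            f = pending.get((who, job_id))  # same principal, same job id
            if f and e["timestamp"] - f["submitted"] <= window:
                f["fetched"] = True
    return findings

SAMPLE = [  # constructed entries, not real logs
    entry(100, "jobservice.insert", "unknown-sa@example.test", "job_a", f"SELECT * FROM `{TABLE}`"),
    entry(105, "jobservice.getqueryresults", "unknown-sa@example.test", "job_a"),
    entry(200, "jobservice.insert", "etl@example.test", "job_b", f"SELECT * FROM `{TABLE}`"),
    entry(300, "jobservice.insert", "unknown-sa@example.test", "job_c", f"SELECT id FROM `{TABLE}`"),
]

if __name__ == "__main__": print(detect(SAMPLE, TABLE, {"etl@example.test"}))
```

A finding with fetched set to True means both halves of the technique were observed for the same job; a finding left at False is a submitted query whose results were not retrieved within the window.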

Control Objectives

Refer to the TrustOnCloud Control Catalog Dashboard for a complete list of controls and control objectives mapped to this attack technique.