collection/cloud/gcp

access GCP credentials

# capa rule: flags code that references the gcloud CLI's on-disk credential
# stores. A match means one of the path strings below was found in the
# matched scope; on its own it does not show that the file was opened or read.
# Legitimate tooling that manages gcloud state can reference the same paths,
# so treat a hit as a triage lead rather than a verdict.
rule:
  meta:
    name: access GCP credentials
    namespace: collection/cloud/gcp
    authors:
      - maximemorin@google.com
    # Match granularity: per function in static analysis, per call in
    # dynamic analysis.
    scopes:
      static: function
      dynamic: call
    # Maps to credentials stored in files (T1552.001).
    att&ck:
      - Credential Access::Unsecured Credentials::Credentials In Files [T1552.001]
    # Unit 42 report on TeamTNT operations in cloud environments.
    references:
      - https://unit42.paloaltonetworks.com/teamtnt-operations-cloud-environments/
  features:
    # Either path is sufficient. Both are given relative to the user's home
    # directory in the gcloud CLI's POSIX layout (~/.config/gcloud/).
    # NOTE(review): capa `string` features compare against the whole extracted
    # string; if samples embed these paths inside a longer string (for example
    # with a leading "/" or a home-directory prefix), `substring` or a regex
    # would be needed to match. Confirm against the samples this rule targets.
    # NOTE(review): other gcloud credential locations are not covered here,
    # e.g. application_default_credentials.json, the legacy_credentials/
    # directory, and the %APPDATA%\gcloud layout on Windows. Confirm whether
    # that is intentional.
    - or:
      # Presumably the gcloud CLI's cache of access tokens; verify.
      - string: ".config/gcloud/access_tokens.db"
      # Presumably the gcloud CLI's store of long-lived account credentials;
      # verify.
      - string: ".config/gcloud/credentials.db"

last edited: 2026-02-23 16:32:32