MCPcopy Index your code
hub / github.com/F41zK4r1m/GCP-Hound

github.com/F41zK4r1m/GCP-Hound @v1.1.2

Chat with this repo
repository ↗ · DeepWiki ↗ · release v1.1.2 ↗ · + Follow
205 symbols 561 edges 28 files 190 documented · 93% updated 4mo agov1.1.2 · 2026-02-17★ 88

Browse by type

Functions 191 Types & classes 14
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

☁️ GCP-Hound - Google Cloud Security Attack Path Discovery Tool

🚀 Advanced GCP Attack Surface Analysis & Privilege Escalation Discovery

image

License: MIT Python 3.9+ BloodHound Compatible

Visualize complex GCP attack paths with the power of BloodHound


Credits

GCP-Hound's BloodHound-compatible graph export feature relies on the excellent bhopengraph library by @p0dalirius.

Many thanks to the author for providing an easy, schema-flexible way to generate and export complex attack graphs!

🎯 Overview

GCP-Hound is an open-source security enumeration and privilege escalation discovery tool designed specifically for Google Cloud Platform environments. Built to integrate seamlessly with BloodHound's OpenGraph framework, it transforms complex GCP IAM relationships into interactive attack graphs.

Project Background

This project began as a personal learning journey into GCP-focused penetration testing and red teaming techniques. While GCP-Hound already provides substantial reconnaissance and analysis capabilities, it remains a work-in-progress tool that will continue evolving with new features and improvements over time.

The tool may currently lack many advanced features, but I'm committed to gradually improving and expanding its capabilities based on community feedback and real-world testing scenarios.

Limitations

Search Functionality: The BloodHound Community Edition UI currently does not support search for custom start/end nodes with GCP data. Analysis must be performed via direct Cypher queries. This is a limitation of the BloodHound platform, not GCP-Hound, and will be addressed if native support becomes available. - API Coverage: GCP-Hound relies on Google Cloud APIs for enumeration. Some APIs or services may be disabled in target projects by default, resulting in partial data collection. Enabling additional APIs (e.g., via the gcloud CLI) may improve coverage, but this tool is strictly read-only and does not modify cloud configurations. - - User and Group Enumeration: Unlike Azure Entra ID (AAD) or on-premises Active Directory, GCP does not reliably expose APIs to enumerate all users or groups within an organization or project by default. Enumeration of users and groups is only possible if the executing account has sufficient permissions (such as admin privileges or delegated directory roles). Otherwise, group/user visibility is limited or unavailable. - Environment Scope: The tool has primarily been tested in lab and CTF settings. Results in large-scale or production GCP organizations may be incomplete or contain gaps. - Edge/Description Accuracy: Some edge relationship descriptions are generated heuristically and may be imprecise in certain contexts due to the diversity of real-world GCP configurations.

Known Issues

  • Some edge types/descriptions are still experimental and may change.
  • Parsing of large GCP environments can result in missed entities if project-level APIs are disabled or throttled.

Key Features

Current Capabilities (Implemented)

  • 🔍 Comprehensive GCP Enumeration – Projects, service accounts, storage buckets, BigQuery datasets, logging resources
  • 👥 Identity & Access Analysis – Users, groups, Google Workspace integration
  • 🚨 Advanced Privilege Escalation Detection – Service account key analysis, impersonation chains, and log access paths
  • ☸️ Container Security – GKE cluster enumeration and Kubernetes RBAC analysis
  • 🔐 Secret Management – Secret Manager enumeration and access analysis
  • 💻 Compute Infrastructure – VM instances, disks, and compute resource discovery
  • 🌐 Network Mapping – VPC, subnets, firewall rules, and network topology
  • 🏢 Organizational Structure – Folder hierarchy and project organization mapping
  • 📚 Logging Resource Discovery – Log sinks, log buckets, and log metrics with attack edge modeling
  • 🎨 Professional BloodHound Integration – Custom GCP icons and OpenGraph compatibility

Future Enhancements (Planned)

  • [ ] Pub/Sub Enumeration - Topics, subscriptions, and messaging analysis
  • [ ] Cloud Functions Deep Analysis - Serverless function security assessment

🚨 Advanced Privilege Escalation Detection

  • Service Account Key Analysis – Detect dangerous key creation/management permissions
  • Impersonation Chain Discovery – Map cross-account privilege escalation paths
  • Log Privilege Analysis – Detect paths allowing unintended or CRITICAL access to logging resources (sinks, buckets, metrics, log streams)
  • Risk-Based Scoring – CRITICAL, HIGH, MEDIUM risk classifications (currently not 100% accurate)
  • Multi-Hop Attack Chains – Complex privilege escalation and log access paths

🎨 Professional BloodHound Integration

  • Custom GCP Icons - Beautiful, distinct icons for each GCP resource type
  • OpenGraph Compatibility - Full BloodHound v8.0+ support
  • Interactive Visualizations - Explore attack paths through BloodHound's interface

Installation & Setup

Prerequisites

  • Python 3.9 or higher
  • Access to target GCP environment(s)
  • BloodHound (8.0 or higher) Community Edition or Enterprise (optional, for visualization)

1. Clone Repository

Clone repository

git clone https://github.com/F41zK4r1m/GCP-Hound.git
cd GCP-Hound

Create and activate virtual environment

python3 -m venv .venv
source .venv/bin/activate # On Windows: .venv\Scripts\activate

Install dependencies

pip install -r requirements.txt

2. Configure GCP Authentication

Option A: Service Account Key

export GCP_CREDS="path/to/key.json"

Option B: OAuth2 (Interactive)

gcloud auth application-default login

Option C: Using gcloud CLI (Experimental Features)

gcloud auth login

3. BloodHound Integration Setup to make the icons enable (Optional but Recommended)

To enable custom GCP icons and node types in BloodHound:

python3 register_gcp_nodes.py -s http://localhost:8080 -u admin -p password

This step is required only once per BloodHound instance and enables: - ✅ Custom GCP icons in the BloodHound UI
- ✅ Enhanced visualization experience


Usage

Basic Analysis

4. Run GCP-Hound Analysis

python3 gcp-hound.py

Verbose output (recommended for first runs)

python3 gcp-hound.py -v

Target specific project

python3 gcp-hound.py -p my-gcp-project

Debug mode for troubleshooting

python3 gcp-hound.py -d

Custom output directory

python3 gcp-hound.py -o /path/to/output

Impersonate service account

python3 gcp-hound.py -i service@project.iam.gserviceaccount.com

Quiet mode (minimal output)

python3 gcp-hound.py -q

4. Import to BloodHound

  • Generated file: ./output/gcp-bhopengraph.json
  • Upload via BloodHound UI file import
  • Explore interactive attack graphs

Analysis Phases

GCP-Hound performs analysis in 6 comprehensive phases:

  1. 🔍 Authentication & Project Discovery – Validate credentials and discover projects
  2. 📊 API Capability Assessment – Determine available GCP APIs and permissions
  3. 🗂️ Resource Enumeration – Discover service accounts, storage, BigQuery, GKE, compute, and logging resources
  4. 🔐 Privilege Analysis – Analyze service account permissions, logging access, and key access capabilities
  5. 🚨 Privilege Escalation Detection – Identify critical attack paths and escalation opportunities, including logging-based risks
  6. 📈 BloodHound Export – Generate OpenGraph JSON with custom GCP visualizations

BloodHound Import

After analysis completes:

  1. Locate the generated file: ./output/gcp-bhopengraph.json
  2. Open BloodHound web interface
  3. Navigate to "Data Collection" → "File Ingest"
  4. Upload the JSON file
  5. Explore your GCP attack surface!

Enumerated Resources & Relationships

GCP Node Types

GCP-Hound currently enumerates 23 distinct GCP node types across the Google Cloud ecosystem:

Category Node Types Description
Identity & Access GCPUser, GCPGroup, GCPServiceAccount, GCPServiceAccountKey, GCPGoogleManagedSA,CanSignBlob, CanSignJWT User identities, groups, and service accounts
Organization GCPProject, GCPFolder, GCPOrganization Organizational structure and hierarchy
Compute & Containers GCPInstance, GCPCluster, GCPNode Compute Engine VMs and GKE clusters
Storage & Data GCPBucket, GCPDataset, GCPSecret, GCPFunction Storage, BigQuery, Secret Manager, Cloud Functions
Networking GCPNetwork, GCPVPC, GCPSubnet, GCPFirewall, GCPRole Network infrastructure and roles
Additional Services GCPPubSubTopic, GCPCloudFunction, GCPKMSKey Messaging, serverless, and encryption
Logging & Monitoring GCPLogSink, GCPLogBucket, GCPLogMetric Logging sinks, log buckets, and log metrics

Note: While GCPPubSubTopic is registered as a node type, Pub/Sub enumeration is not yet implemented in the current collectors.

Attack Relationship Types

Edge Type Risk Level Description
CanCreateKeys CRITICAL Ability to create service account keys (direct privilege escalation)
CanImpersonate HIGH Service account impersonation capabilities
CanReadSecrets and CanReadSecretsInProject HIGH shows which account hold privileged access to secrets
CanListKeys MEDIUM Ability to enumerate existing service account keys
ContainsServiceAccount LOW Project ownership of service accounts
OwnsStorageBucket MEDIUM Resource ownership relationships
HasGoogleOwnedSA INFO Indicates that a GCP project relies on a Google-managed service account for certain internal operations or APIs.
CanModifyBucketPoliciesInProject HIGH Indicates that an identity (user, SA) has permissions to modify storage bucket policies at the project scope, supporting privilege escalation scenarios.
BelongsTo INFO Resource-to-project associations

Understanding Attack Paths

GCP-Hound focuses on discovering privilege escalation opportunities through:

  • Service Account Key Creation → Direct credential access → Full service account privileges
  • Cross-Project Impersonation → Privilege escalation across GCP projects
  • Storage Bucket Access → Data exfiltration or modification capabilities
  • BigQuery Data Access → Sensitive data exposure and analysis

🎨 BloodHound Visualization

Custom GCP Node Types

  • 🔐 Service Accounts – Green user-secret icon
  • 📁 Projects – Red folder-open icon
  • 🗄️ Storage Buckets – Blue database icon
  • 📊 BigQuery Datasets – Purple chart-bar icon
  • 👤 Users – Brown user-circle icon
  • 🟣 Log Sinks – Purple stream icon
  • 📨 Log Buckets – Teal inbox icon
  • 📈 Log Metrics – Gold chart-line icon

Attack Relationship Types

  • CanCreateKeys - CRITICAL service account key creation
  • CanImpersonate - HIGH-risk service account impersonation
  • CanSignBlob - HIGH-risk, where identity (user or service account) has the iam.serviceAccounts.signBlob permission on service account.
  • CanSignJWT - HIGH-risk, where iam.serviceAccounts.signJwt permission allows an identity to sign a JSON Web Token (JWT) using a target service account's identity
  • CanListKeys - MEDIUM key enumeration capabilities
  • BelongsTo - Resource ownership relationships

Useful BloodHound Queries

Show all critical attack paths:

MATCH (n)-[r]->(m)
WHERE r.riskLevel = "CRITICAL"
RETURN n, r, m

image

Show complete GCP attack surface:

MATCH (n:GCPResource)-[r]->(m:GCPResource)
RETURN n, r, m LIMIT 100

image

More example queries

  • Basic Node Enumeration

``` // List all service accounts MATCH (sa:GCPServiceAccount) RETURN sa LIMIT 25

// List all GCP projects
MATCH (p:GCPProject) RETURN p LIMIT 25

// List all GCP resources MATCH (res:GCPResource) RETURN res LIMIT 25

// Show all accounts with secret access MATCH p = ()-[r]->() WHERE type(r) IN ["CanReadSecrets", "CanReadSecretsInProject"] RETURN p LIMIT 50

// Show owner/editor secret access MATCH p = (sa)-[r:CanReadSecretsInProject]->(proj) WHERE r.role IN ["roles/owner", "roles/editor"] RETURN p

// Show service account with secret access MATCH p = (sa:GCPServiceAccount)-[r]->(target) WHERE type(r) IN ["CanReadSecrets", "CanReadSecretsInProject"] RETURN p

// Show users with secret access MATCH p = (user

Core symbols most depended-on inside this repo

Shape

Function 158
Method 33
Class 14

Languages

Python100%

Modules by API surface

collectors/privesc_analyzer.py29 symbols
collectors/edge_builder.py21 symbols
bloodhound/json_builder.py16 symbols
collectors/users_groups_collector.py12 symbols
collectors/secret_collector.py12 symbols
collectors/folder_collector.py11 symbols
register_gcp_nodes.py10 symbols
collectors/logging_collector.py10 symbols
collectors/user_collector.py9 symbols
collectors/bigquery_collector.py9 symbols
gcp-hound.py6 symbols
collectors/gke_collector.py6 symbols

For agents

$ claude mcp add GCP-Hound \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact

Ask about this repo answers extend the page