Advanced GCP Attack Surface Analysis & Privilege Escalation Discovery
Visualize complex GCP attack paths with the power of BloodHound
GCP-Hound's BloodHound-compatible graph export feature relies on the excellent bhopengraph library by @p0dalirius.
Many thanks to the author for providing an easy, schema-flexible way to generate and export complex attack graphs!
GCP-Hound is an open-source security enumeration and privilege escalation discovery tool designed specifically for Google Cloud Platform environments. Built to integrate seamlessly with BloodHound's OpenGraph framework, it transforms complex GCP IAM relationships into interactive attack graphs.
This project began as a personal learning journey into GCP-focused penetration testing and red teaming techniques. While GCP-Hound already provides substantial reconnaissance and analysis capabilities, it remains a work-in-progress tool that will continue evolving with new features and improvements over time.
The tool may currently lack many advanced features, but I'm committed to gradually improving and expanding its capabilities based on community feedback and real-world testing scenarios.
- Search Functionality: The BloodHound Community Edition UI currently does not support search for custom start/end nodes with GCP data. Analysis must be performed via direct Cypher queries. This is a limitation of the BloodHound platform, not GCP-Hound, and will be addressed if native support becomes available.
- API Coverage: GCP-Hound relies on Google Cloud APIs for enumeration. Some APIs or services may be disabled in target projects by default, resulting in partial data collection. Enabling additional APIs (e.g., via the gcloud CLI) may improve coverage, but this tool is strictly read-only and does not modify cloud configurations.
- User and Group Enumeration: Unlike Azure Entra ID (AAD) or on-premises Active Directory, GCP does not reliably expose APIs to enumerate all users or groups within an organization or project by default. Enumeration of users and groups is only possible if the executing account has sufficient permissions (such as admin privileges or delegated directory roles). Otherwise, group/user visibility is limited or unavailable.
- Environment Scope: The tool has primarily been tested in lab and CTF settings. Results in large-scale or production GCP organizations may be incomplete or contain gaps.
- Edge/Description Accuracy: Some edge relationship descriptions are generated heuristically and may be imprecise in certain contexts due to the diversity of real-world GCP configurations.
- Some edge types/descriptions are still experimental and may change.
- Parsing of large GCP environments can result in missed entities if project-level APIs are disabled or throttled.
- Comprehensive GCP Enumeration - Projects, service accounts, storage buckets, BigQuery datasets, logging resources
- Identity & Access Analysis - Users, groups, Google Workspace integration
- Advanced Privilege Escalation Detection - Service account key analysis, impersonation chains, and log access paths
- Container Security - GKE cluster enumeration and Kubernetes RBAC analysis
- Secret Management - Secret Manager enumeration and access analysis
- Compute Infrastructure - VM instances, disks, and compute resource discovery
- Network Mapping - VPC, subnets, firewall rules, and network topology
- Organizational Structure - Folder hierarchy and project organization mapping
- Logging Resource Discovery - Log sinks, log buckets, and log metrics with attack edge modeling
- Professional BloodHound Integration - Custom GCP icons and OpenGraph compatibility
- Pub/Sub Enumeration - Topics, subscriptions, and messaging analysis
- Cloud Functions Deep Analysis - Serverless function security assessment
- Service Account Key Analysis - Detect dangerous key creation/management permissions
- Impersonation Chain Discovery - Map cross-account privilege escalation paths
- Log Privilege Analysis - Detect paths allowing unintended or CRITICAL access to logging resources (sinks, buckets, metrics, log streams)
- Risk-Based Scoring - CRITICAL, HIGH, MEDIUM risk classifications (currently not 100% accurate)
- Multi-Hop Attack Chains - Complex privilege escalation and log access paths
- Custom GCP Icons - Beautiful, distinct icons for each GCP resource type
- OpenGraph Compatibility - Full BloodHound v8.0+ support
- Interactive Visualizations - Explore attack paths through BloodHound's interface
- Python 3.9 or higher
- Access to target GCP environment(s)
- BloodHound (8.0 or higher) Community Edition or Enterprise (optional, for visualization)
```bash
git clone https://github.com/F41zK4r1m/GCP-Hound.git
cd GCP-Hound
python3 -m venv .venv
source .venv/bin/activate   # On Windows: .venv\Scripts\activate
pip install -r requirements.txt
```
```bash
# Service account key file
export GCP_CREDS="path/to/key.json"
# Application Default Credentials
gcloud auth application-default login
# gcloud user login
gcloud auth login
```
To enable custom GCP icons and node types in BloodHound:
```bash
python3 register_gcp_nodes.py -s http://localhost:8080 -u admin -p password
```
This step is required only once per BloodHound instance and enables:
- Custom GCP icons in the BloodHound UI
- Enhanced visualization experience
```bash
python3 gcp-hound.py
python3 gcp-hound.py -v
python3 gcp-hound.py -p my-gcp-project
python3 gcp-hound.py -d
python3 gcp-hound.py -o /path/to/output
python3 gcp-hound.py -i service@project.iam.gserviceaccount.com
python3 gcp-hound.py -q
```
- Generated file: `./output/gcp-bhopengraph.json`
- Upload via BloodHound UI file import
- Explore interactive attack graphs
GCP-Hound performs analysis in 6 comprehensive phases:
- Authentication & Project Discovery - Validate credentials and discover projects
- API Capability Assessment - Determine available GCP APIs and permissions
- Resource Enumeration - Discover service accounts, storage, BigQuery, GKE, compute, and logging resources
- Privilege Analysis - Analyze service account permissions, logging access, and key access capabilities
- Privilege Escalation Detection - Identify critical attack paths and escalation opportunities, including logging-based risks
- BloodHound Export - Generate OpenGraph JSON with custom GCP visualizations
After analysis completes:
- Locate the generated file: `./output/gcp-bhopengraph.json`
- Open the BloodHound web interface
- Navigate to "Data Collection" → "File Ingest"
- Upload the JSON file
- Explore your GCP attack surface!
GCP-Hound currently enumerates 23 distinct GCP node types across the Google Cloud ecosystem:
| Category | Node Types | Description |
|---|---|---|
| Identity & Access | GCPUser, GCPGroup, GCPServiceAccount, GCPServiceAccountKey, GCPGoogleManagedSA, CanSignBlob, CanSignJWT | User identities, groups, and service accounts |
| Organization | GCPProject, GCPFolder, GCPOrganization | Organizational structure and hierarchy |
| Compute & Containers | GCPInstance, GCPCluster, GCPNode | Compute Engine VMs and GKE clusters |
| Storage & Data | GCPBucket, GCPDataset, GCPSecret, GCPFunction | Storage, BigQuery, Secret Manager, Cloud Functions |
| Networking | GCPNetwork, GCPVPC, GCPSubnet, GCPFirewall, GCPRole | Network infrastructure and roles |
| Additional Services | GCPPubSubTopic, GCPCloudFunction, GCPKMSKey | Messaging, serverless, and encryption |
| Logging & Monitoring | GCPLogSink, GCPLogBucket, GCPLogMetric | Logging sinks, log buckets, and log metrics |
Note: While GCPPubSubTopic is registered as a node type, Pub/Sub enumeration is not yet implemented in the current collectors.
| Edge Type | Risk Level | Description |
|---|---|---|
| CanCreateKeys | CRITICAL | Ability to create service account keys (direct privilege escalation) |
| CanImpersonate | HIGH | Service account impersonation capabilities |
| CanReadSecrets and CanReadSecretsInProject | HIGH | Shows which accounts hold privileged access to secrets |
| CanListKeys | MEDIUM | Ability to enumerate existing service account keys |
| ContainsServiceAccount | LOW | Project ownership of service accounts |
| OwnsStorageBucket | MEDIUM | Resource ownership relationships |
| HasGoogleOwnedSA | INFO | Indicates that a GCP project relies on a Google-managed service account for certain internal operations or APIs. |
| CanModifyBucketPoliciesInProject | HIGH | Indicates that an identity (user or SA) has permissions to modify storage bucket policies at the project scope, supporting privilege escalation scenarios. |
| BelongsTo | INFO | Resource-to-project associations |
GCP-Hound focuses on discovering privilege escalation opportunities through:
- Service Account Key Creation → Direct credential access → Full service account privileges
- Cross-Project Impersonation - Privilege escalation across GCP projects
- Storage Bucket Access - Data exfiltration or modification capabilities
- BigQuery Data Access - Sensitive data exposure and analysis
- Service Accounts - Green user-secret icon
- Projects - Red folder-open icon
- Storage Buckets - Blue database icon
- BigQuery Datasets - Purple chart-bar icon
- Users - Brown user-circle icon
- Log Sinks - Purple stream icon
- Log Buckets - Teal inbox icon
- Log Metrics - Gold chart-line icon
- CanCreateKeys - CRITICAL service account key creation
- CanImpersonate - HIGH-risk service account impersonation
- CanSignBlob - HIGH-risk, where an identity (user or service account) has the `iam.serviceAccounts.signBlob` permission on a service account.
- CanSignJWT - HIGH-risk, where the `iam.serviceAccounts.signJwt` permission allows an identity to sign a JSON Web Token (JWT) using a target service account's identity.
- CanListKeys - MEDIUM key enumeration capabilities
- BelongsTo - Resource ownership relationships
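The mapping from IAM permissions to the edge kinds above can be reproduced outside the tool. The following Python is an added example and not GCP-Hound's own `edge_builder.py`: it takes an IAM policy in the shape `getIamPolicy` returns, expands each role through a hand-written, abridged role-to-permission map (a real collector would resolve roles through the IAM roles API), and emits one edge per member and edge kind with the risk level from the table above. The permissions chosen here to back CanImpersonate (`iam.serviceAccounts.getAccessToken`) and CanReadSecrets (`secretmanager.versions.access`) are this example's assumptions; the page itself ties only CanSignBlob and CanSignJWT to specific permissions. The sample policy and the role map are constructed.

```python
"""Derive GCP-Hound style privilege edges from a GCP IAM policy.

Added example, not GCP-Hound's own edge_builder.py: it shows how role
bindings on a service account turn into the edge kinds and risk levels
documented above.
"""
from collections import namedtuple

Edge = namedtuple("Edge", "source kind target risk")

# IAM permission -> (edge kind, risk level).  The permission names are real
# GCP IAM permissions; which permission backs CanImpersonate and
# CanReadSecrets is this example's choice, not something the README states.
PERMISSION_EDGES = {
    "iam.serviceAccountKeys.create": ("CanCreateKeys", "CRITICAL"),
    "iam.serviceAccounts.getAccessToken": ("CanImpersonate", "HIGH"),
    "iam.serviceAccounts.signBlob": ("CanSignBlob", "HIGH"),
    "iam.serviceAccounts.signJwt": ("CanSignJWT", "HIGH"),
    "iam.serviceAccountKeys.list": ("CanListKeys", "MEDIUM"),
    "secretmanager.versions.access": ("CanReadSecrets", "HIGH"),
}

# Constructed, abridged role -> permissions map.  A real collector would
# resolve each role through the IAM roles API instead of hard-coding it.
ROLE_PERMISSIONS = {
    "roles/iam.serviceAccountKeyAdmin": {
        "iam.serviceAccountKeys.create", "iam.serviceAccountKeys.delete",
        "iam.serviceAccountKeys.get", "iam.serviceAccountKeys.list",
    },
    "roles/iam.serviceAccountTokenCreator": {
        "iam.serviceAccounts.getAccessToken", "iam.serviceAccounts.signBlob",
        "iam.serviceAccounts.signJwt",
    },
    "roles/secretmanager.secretAccessor": {"secretmanager.versions.access"},
    "roles/viewer": {"iam.serviceAccounts.get", "iam.serviceAccounts.list"},
}

RISK_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "INFO": 4}


def derive_edges(policy, target, role_permissions=ROLE_PERMISSIONS):
    """Return one Edge per (member, edge kind) that `policy` grants on `target`.

    `policy` has the getIamPolicy shape: {"bindings": [{"role", "members"}]}.
    The same edge granted by two overlapping roles is emitted once.
    Unknown roles contribute nothing rather than raising.
    """
    edges = {}
    for binding in policy.get("bindings", []):
        for perm in role_permissions.get(binding["role"], set()):
            if perm not in PERMISSION_EDGES:
                continue  # permission does not map to a modelled edge
            kind, risk = PERMISSION_EDGES[perm]
            for member in binding.get("members", []):
                edges[(member, kind)] = Edge(member, kind, target, risk)
    return sorted(edges.values())


def highest_risk(edges):
    """Most severe risk level among `edges`, or None when there are none."""
    return min((e.risk for e in edges), key=RISK_ORDER.get, default=None)


# Constructed sample: the IAM policy of one service account.
SAMPLE_TARGET = "serviceAccount:deploy@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/iam.serviceAccountKeyAdmin",
         "members": ["user:alice@example.com"]},
        {"role": "roles/iam.serviceAccountTokenCreator",
         "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com",
                     "user:alice@example.com"]},
        {"role": "roles/viewer", "members": ["group:devs@example.com"]},
    ]
}

if __name__ == "__main__":
    found = derive_edges(SAMPLE_POLICY, SAMPLE_TARGET)
    for e in found:
        print(f"{e.risk:<8} {e.source} -[{e.kind}]-> {e.target}")
    print("highest risk:", highest_risk(found))
```

Running it against the constructed policy yields eight edges: five for alice (CanCreateKeys, CanListKeys, CanImpersonate, CanSignBlob, CanSignJWT), three for the CI service account, and none for the viewer-only group, which is the kind of result a reviewer should check against the tool's own output before trusting a CRITICAL finding.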
Show all critical attack paths:

```cypher
MATCH (n)-[r]->(m)
WHERE r.riskLevel = "CRITICAL"
RETURN n, r, m
```

Show complete GCP attack surface:

```cypher
MATCH (n:GCPResource)-[r]->(m:GCPResource)
RETURN n, r, m LIMIT 100
```
- Basic Node Enumeration

```cypher
// List all service accounts
MATCH (sa:GCPServiceAccount) RETURN sa LIMIT 25
// List all GCP projects
MATCH (p:GCPProject) RETURN p LIMIT 25
// List all GCP resources
MATCH (res:GCPResource) RETURN res LIMIT 25
// Show all accounts with secret access
MATCH p = ()-[r]->()
WHERE type(r) IN ["CanReadSecrets", "CanReadSecretsInProject"]
RETURN p
LIMIT 50
// Show owner/editor secret access
MATCH p = (sa)-[r:CanReadSecretsInProject]->(proj)
WHERE r.role IN ["roles/owner", "roles/editor"]
RETURN p
// Show service accounts with secret access
MATCH p = (sa:GCPServiceAccount)-[r]->(target)
WHERE type(r) IN ["CanReadSecrets", "CanReadSecretsInProject"]
RETURN p
// Show users with secret access
MATCH p = (user:GCPUser)-[r]->(target)
WHERE type(r) IN ["CanReadSecrets", "CanReadSecretsInProject"]
RETURN p
// List all storage buckets
MATCH (b:GCPBucket) RETURN b LIMIT 25
// List all BigQuery datasets
MATCH (d:GCPDataset) RETURN d LIMIT 25
// List all log sinks
MATCH (ls:GCPLogSink) RETURN ls LIMIT 25
// List all log buckets
MATCH (lb:GCPLogBucket) RETURN lb LIMIT 25
// Find all users or service accounts with access to log sinks
MATCH (a)-[r:CanAccessLogStream|CanViewSensitiveLogs]->(ls:GCPLogSink) RETURN a, r, ls
```
- Relationship Discovery

```cypher
// Show project-to-service-account relationships
MATCH p=(project:GCPProject)-[r:ContainsServiceAccount]->(sa:GCPServiceAccount) RETURN p LIMIT 25
// Explore all service account relationships
MATCH (sa:GCPServiceAccount)-[r]->(target) RETURN sa, r, target LIMIT 25
// Show all GCP resource relationships
MATCH (res:GCPResource)-[r]->(target) RETURN res, r, target LIMIT 50
// Find bucket ownership relationships
MATCH p=(project:GCPProject)-[r:OwnsStorageBucket]->(bucket:GCPBucket) RETURN p LIMIT 25
```
- Critical Security Analysis

```cypher
// CRITICAL: Find service account key creation privileges
MATCH (source)-[r:CanCreateKeys]->(target) RETURN source, r, target
// HIGH RISK: Service account impersonation paths
MATCH (sa:GCPServiceAccount)-[r:CanImpersonate]->(target) RETURN sa, r, target LIMIT 25
// List key enumeration capabilities
MATCH (source)-[r:CanListKeys]->(target) RETURN source, r, target LIMIT 25
// Show all privilege escalation edges
MATCH (n)-[r]->(m)
WHERE type(r) IN ['CanCreateKeys', 'CanImpersonate', 'CanListKeys','CanSignBlob','CanSignJWT']
RETURN n, r, m LIMIT 100
```
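Since the BloodHound CE UI cannot search custom GCP start/end nodes, the multi-hop chains that the Cypher queries above surface one edge at a time can also be found directly in the exported file. The Python below is an added example, not part of GCP-Hound: it loads a `gcp-bhopengraph.json` export, walks only the privilege escalation edge kinds from the last query above, and returns every simple chain from a chosen identity that ends in a CanCreateKeys edge, the CRITICAL sink, plus an edge count per risk level like the phase 5 summary. The JSON layout it assumes (`graph.nodes[]` with `id`/`kinds`/`properties`, `graph.edges[]` with `kind`, `start.value`, `end.value` and `properties.riskLevel`) is the BloodHound OpenGraph shape as understood here; the node ids and the whole sample export are constructed, so confirm the field names against your own export before relying on it.

```python
"""Offline attack-chain search over a GCP-Hound OpenGraph export.

Added example, not part of GCP-Hound.  Because the BloodHound CE UI cannot
search custom GCP start/end nodes, this walks the exported JSON directly,
mirroring the variable-length Cypher match a user would otherwise write.
Assumed layout: graph.nodes[] with id/kinds/properties and graph.edges[]
with kind, start.value, end.value and properties.riskLevel (the BloodHound
OpenGraph shape as understood here; confirm it against your own export).
"""
import json

# Edge kinds that bring an identity closer to another identity's privileges
# (the same set as the "privilege escalation edges" query above).
ESCALATION_KINDS = {"CanCreateKeys", "CanImpersonate", "CanListKeys",
                    "CanSignBlob", "CanSignJWT"}


def load_graph(text):
    """Parse an export; return (nodes by id, outgoing edges by start id)."""
    data = json.loads(text)
    nodes = {n["id"]: n for n in data["graph"]["nodes"]}
    adjacency = {}
    for edge in data["graph"]["edges"]:
        adjacency.setdefault(edge["start"]["value"], []).append(edge)
    return nodes, adjacency


def escalation_chains(adjacency, start, max_hops=4, kinds=ESCALATION_KINDS):
    """All simple paths from `start` of at most `max_hops` escalation edges
    whose last edge is CanCreateKeys (the CRITICAL sink).  Each path is a
    list of (source, kind, target) steps; shortest chains come first."""
    chains = []
    stack = [(start, [])]
    while stack:
        node, path = stack.pop()
        for edge in adjacency.get(node, []):
            if edge["kind"] not in kinds:
                continue
            dst = edge["end"]["value"]
            if dst == start or any(step[2] == dst for step in path):
                continue  # never revisit a node: keep paths simple
            extended = path + [(node, edge["kind"], dst)]
            if edge["kind"] == "CanCreateKeys":
                chains.append(extended)
            if len(extended) < max_hops:
                stack.append((dst, extended))
    return sorted(chains, key=len)


def risk_counts(adjacency):
    """Number of edges per riskLevel, like the tool's phase 5 summary."""
    counts = {}
    for edges in adjacency.values():
        for edge in edges:
            level = edge.get("properties", {}).get("riskLevel", "UNKNOWN")
            counts[level] = counts.get(level, 0) + 1
    return counts


def _edge(start, kind, end, risk):
    """Build one edge in the assumed OpenGraph shape (helper for the sample)."""
    return {"kind": kind, "start": {"value": start, "match_by": "id"},
            "end": {"value": end, "match_by": "id"},
            "properties": {"riskLevel": risk}}


# Constructed sample export: one user, three service accounts, one project.
ALICE = "user:alice@example.com"
BUILD = "sa:build@example-project.iam.gserviceaccount.com"
ADMIN = "sa:admin@example-project.iam.gserviceaccount.com"
READER = "sa:reader@example-project.iam.gserviceaccount.com"
PROJECT = "project:example-project"

SAMPLE_EXPORT = json.dumps({
    "graph": {
        "nodes": [
            {"id": ALICE, "kinds": ["GCPUser", "GCPResource"], "properties": {}},
            {"id": BUILD, "kinds": ["GCPServiceAccount", "GCPResource"], "properties": {}},
            {"id": ADMIN, "kinds": ["GCPServiceAccount", "GCPResource"], "properties": {}},
            {"id": READER, "kinds": ["GCPServiceAccount", "GCPResource"], "properties": {}},
            {"id": PROJECT, "kinds": ["GCPProject", "GCPResource"], "properties": {}},
        ],
        "edges": [
            _edge(ALICE, "CanImpersonate", BUILD, "HIGH"),
            _edge(BUILD, "CanCreateKeys", ADMIN, "CRITICAL"),
            _edge(ALICE, "CanListKeys", READER, "MEDIUM"),
            _edge(READER, "CanImpersonate", BUILD, "HIGH"),
            _edge(PROJECT, "ContainsServiceAccount", BUILD, "LOW"),
        ],
    },
    "metadata": {"source_kind": "GCPResource"},
})

if __name__ == "__main__":
    nodes, adjacency = load_graph(SAMPLE_EXPORT)
    print("edges by risk:", risk_counts(adjacency))
    for chain in escalation_chains(adjacency, ALICE):
        print(" -> ".join(f"{src} [{kind}]" for src, kind, _ in chain)
              + f" -> {chain[-1][2]}")
```

On the constructed graph alice reaches the CanCreateKeys edge on two chains, a direct two-hop one through the build account and a three-hop one through the reader account; lowering `max_hops` to 2 drops the longer chain, which is the knob to turn when a large export produces too many paths to review.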
```text
[*] Phase 1: Authentication & Project Discovery
    Authenticated as: user@example-project.iam.gserviceaccount.com
    Discovered 1 accessible projects
[*] Phase 2: Identity Enumeration
    Found 7 service accounts
    Discovered 2 users, 1 groups
[*] Phase 3: Resource Discovery
    Enumerated 1 storage buckets
    Found 1 BigQuery datasets
[*] Phase 4: Service Account Key Access Analysis
    CRITICAL: Can create keys for 7 service accounts - PRIVILEGE ESCALATION POSSIBLE
[*] Phase 5: Comprehensive Privilege Escalation Analysis
    CRITICAL escalation targets: 7
    HIGH-risk escalation targets: 7
[*] Phase 6: BloodHound Integration
    Generated OpenGraph JSON with custom GCP icons
    FINAL RESULT: 10 nodes, 24 edges
    File: ./output/gcp-bhopengraph.json
```
Contributions are welcome! This project is a learning exercise, and I appreciate:
- Bug reports and feature requests
- Code contributions and improvements
- Documentation enhancements
- Testing in different GCP environments
Please feel free to:
- Fork the repository
- Create a feature branch
- Make your changes
- Submit a pull request
- Work on integrating with AD objects - Connect GCP identities with Active Directory
- Work on adding more recon features and detailing - Expand enumeration capabilities
- Expand detail level for logging privilege analysis, relationship mapping
- Pub/Sub & Messaging - Topics, subscriptions, and Cloud Tasks enumeration
- Advanced Serverless - Cloud Functions, Cloud Run, and App Engine analysis
- Enhanced Networking - Load balancers, CDN, and interconnect discovery
```text
GCP-Hound/
├── bloodhound/
│   ├── __init__.py
│   └── json_builder.py
│
├── collectors/
│   ├── __init__.py
│   ├── bigquery_collector.py
│   ├── bucket_collector.py
│   ├── cloudfunctions_collector.py
│   ├── cloudsql_collector.py
│   ├── compute_collector.py
│   ├── discovery.py
│   ├── edge_builder.py
│   ├── folder_collector.py
│   ├── gke_collector.py
│   ├── iam_collector.py
│   ├── logging_collector.py
│   ├── org_collector.py
│   ├── privesc_analyzer.py
│   ├── project_collector.py
│   ├── pubsub_collector.py
│   ├── sa_key_analyzer.py
│   ├── secret_collector.py
│   ├── service_account_collector.py
│   ├── user_collector.py
│   ├── users_groups_collector.py
│   └── util.py
│
├── utils/
│   ├── id_utils.py
│   └── auth.py
│
├── .gitignore
├── LICENSE
├── README.md
├── gcp-hound.py
├── gcp-model.json
├── register_gcp_nodes.py
└── requirements.txt
```
- Issues: GitHub Issues
- Discussions: GitHub Discussions
Enhance your GCP security posture with GCP-Hound!
Built as a learning project for the cybersecurity community