
attack2neo's Introduction

attack2neo

Import Mitre Entreprise Att&ck data into Neo4j database

Purpose

The purpose of this very simple tool is to import Mitre Enterprise Att&ck data into a Neo4j database.

This small project was first developed to make Mitre Att&ck data easy to query with the Cypher Query Language.

Requirements

The required Python modules are listed in requirements.txt and can be installed with the following command:

$ pip install -r requirements.txt

Configuration

Settings are defined directly in the Python script:

# open graph connection
graph_bolt = "bolt://127.0.0.1:7687"
graph_auth = ("neo4j","test")

Adjust these settings to match your Neo4j installation:

  • graph_bolt contains connection details provided using URIs such as bolt://<ip_address>:<port>
  • graph_auth contains a 2-tuple of (<user>,<password>) to connect to Neo4j database

Usage

usage: attack2neo.py [-h] [-d] -f <filename> [-g] [-s] [-o] [-t] [-r]

optional arguments:
  -h, --help        show this help message and exit
  -d, --debug       enter debug mode
  -f <filename>     input file name
  -g, --groups      import Groups objects (type:intrusion-set)
  -s, --softwares   import Softwares objects (type:malware)
  -o, --tools       import Tools objects (type:tool)
  -t, --techniques  import Techniques objects (type:attack-pattern and
                    type:course-of-action)
  -r, --relations   import Relations objects (type:relationship)

where <filename> contains JSON data from Mitre Att&ck.

Mitre Att&ck database

The Mitre Enterprise Att&ck database in JSON format can be found at the Mitre CTI GitHub repository.

Sample

Let's first import data from Mitre Enterprise Att&ck:

$ ./attack2neo.py --debug -f mitre-enterprise-attack.json --groups --softwares --tools --relations
[...]
Group: "Dragonfly 2.0" -[alias]-> "Berserk Bear"
Group: "Dust Storm"
Group: "Elderwood" -[alias]-> "Elderwood Gang" -[alias]-> "Beijing Group" -[alias]-> "Sneaky Panda"
[...]
Software: "BUBBLEWRAP" -[alias]-> "Backdoor.APT.FakeWinHTTPHelper"
Software: "BabyShark"
Software: "Backdoor.Oldrea" -[alias]-> "Havex"
[...]
Tool: "Pass-The-Hash Toolkit"
Tool: "Ping" -[alias]-> "ping.exe"
Tool: "PoshC2"
[...]
Relation: "FIN5" -[uses]-> "PsExec"
Relation: "DarkHydrus" -[uses]-> "Cobalt Strike"
Relation: "Leviathan" -[uses]-> "BITSAdmin"
[...]
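As an added illustration (not the project's own code), the mapping the tool's flags describe: STIX object types to Neo4j labels, alias lists to Alias nodes, and relationship objects to typed edges, emitted as parameterised Cypher with the $param syntax that Neo4j 4 and later require. The bundle below is a constructed miniature, not the real Mitre file, and the ids in it are made up.

```python
import json
# STIX object type -> Neo4j label, as the tool's flags describe
LABELS = {"intrusion-set": "Group", "malware": "Software", "tool": "Tool",
          "attack-pattern": "Technique", "course-of-action": "Technique"}

# Constructed miniature ATT&CK bundle; ids and aliases are made up for the example
SAMPLE_BUNDLE = {"type": "bundle", "objects": [
    {"type": "intrusion-set", "id": "intrusion-set--1", "name": "APT1",
     "aliases": ["APT1", "Comment Crew", "Comment Panda"]},
    {"type": "malware", "id": "malware--1", "name": "BISCUIT"},
    {"type": "tool", "id": "tool--1", "name": "PsExec",
     "x_mitre_aliases": ["PsExec", "psexec.exe"]},
    {"type": "relationship", "id": "relationship--1", "relationship_type": "uses",
     "source_ref": "intrusion-set--1", "target_ref": "malware--1"},
    {"type": "relationship", "id": "relationship--2", "relationship_type": "uses",
     "source_ref": "intrusion-set--1", "target_ref": "tool--1"},
]}

def load_bundle(path):
    """Read the Mitre CTI JSON file (same shape as SAMPLE_BUNDLE)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

def build_statements(bundle):
    """Return (cypher, params) pairs using $param; Neo4j 4+ rejects the old {param}."""
    names, stmts = {}, []          # names: STIX id -> name, to resolve relationship refs
    for obj in bundle["objects"]:
        label = LABELS.get(obj.get("type"))
        if label is None:
            continue
        names[obj["id"]] = obj["name"]
        stmts.append((f"MERGE (:{label} {{name: $name}})", {"name": obj["name"]}))
        # groups keep aliases in 'aliases', software/tools in 'x_mitre_aliases'; the
        # first entry repeats the object's own name, so it is skipped
        for alias in obj.get("aliases", []) + obj.get("x_mitre_aliases", []):
            if alias != obj["name"]:
                stmts.append((f"MATCH (n:{label} {{name: $name}}) "
                              "MERGE (a:Alias {name: $alias}) MERGE (n)-[:alias]->(a)",
                              {"name": obj["name"], "alias": alias}))
    for obj in bundle["objects"]:
        if obj.get("type") != "relationship":
            continue
        src, dst = obj["source_ref"], obj["target_ref"]
        if src not in names or dst not in names:
            continue               # dangling ref, or an object type that was not imported
        rel = obj["relationship_type"].replace("-", "_")   # e.g. revoked-by -> revoked_by
        stmts.append((f"MATCH (s:{LABELS[src.split('--')[0]]} {{name: $src}}), "
                      f"(t:{LABELS[dst.split('--')[0]]} {{name: $dst}}) MERGE (s)-[:{rel}]->(t)",
                      {"src": names[src], "dst": names[dst]}))
    return stmts
```

Each (cypher, params) pair can be handed to a driver call such as py2neo's graph.run(cypher, **params); the relationship pass runs second so every referenced node already exists.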

Then we can query the Neo4j database using Neo4j Browser:

[image: attack2neo]

Visualization

The visualization folder contains attack2neo.html and attack2neo.js, a simple HTML tool that visualizes the results of your Neo4j Cypher queries using the neovis.js library.

Settings are defined directly in the JavaScript file:

server_url: "bolt://localhost:7687",
server_user: "neo4j",
server_password: "test",
initial_cypher: "MATCH (n)-[r]-(m) RETURN n,r,m"

Adjust these settings to match your Neo4j installation:

  • server_url contains connection details provided using URIs such as bolt://<ip_address>:<port>
  • server_user contains user value to connect to Neo4j database
  • server_password contains password value to connect to Neo4j database
  • initial_cypher contains Cypher query to be run

[image: attack2neo]

Sample queries

Find aliases for group "APT18":

MATCH (g:Group {name:"APT18"}) 
WITH g MATCH (g) - [:alias] -> (a:Alias)
RETURN g.name AS Name, a AS Alias

╒═══════╤════════════════════════════╕
│"Name" │"Alias"                     │
╞═══════╪════════════════════════════╡
│"APT18"│{"name":"Threat Group-0416"}│
├───────┼────────────────────────────┤
│"APT18"│{"name":"Dynamite Panda"}   │
├───────┼────────────────────────────┤
│"APT18"│{"name":"TG-0416"}          │
└───────┴────────────────────────────┘

Find groups that use the software "ASPXSpy":

MATCH (s:Software)
WHERE s.name = "ASPXSpy" 
WITH s MATCH (s) <- [:uses] - (g:Group)
RETURN s.name AS Software, g.name AS Group

╒══════════╤═══════════════════╕
│"Software"│"Group"            │
╞══════════╪═══════════════════╡
│"ASPXSpy" │"APT41"            │
├──────────┼───────────────────┤
│"ASPXSpy" │"APT39"            │
├──────────┼───────────────────┤
│"ASPXSpy" │"Night Dragon"     │
├──────────┼───────────────────┤
│"ASPXSpy" │"Threat Group-3390"│
└──────────┴───────────────────┘

Find groups, and their aliases, that use the software "BISCUIT":

MATCH (s:Software {name:"BISCUIT"}) <-[*1..2]-> (g:Group)
RETURN s.name AS Software, g.name AS Group

╒══════════╤═══════════════╕
│"Software"│"Group"        │
╞══════════╪═══════════════╡
│"BISCUIT" │"APT1"         │
├──────────┼───────────────┤
│"BISCUIT" │"Comment Crew" │
├──────────┼───────────────┤
│"BISCUIT" │"Comment Group"│
├──────────┼───────────────┤
│"BISCUIT" │"Comment Panda"│
└──────────┴───────────────┘

Find everything about a specific group:

MATCH (n)-[r]-(m)
WHERE n.name='APT1'
RETURN n.name, TYPE(r), LABELS(m), m.name

╒════════╤═════════╤═════════════════╤═══════════════════════╕
│"n.name"│"TYPE(r)"│"LABELS(m)"      │"m.name"               │
╞════════╪═════════╪═════════════════╪═══════════════════════╡
│"APT1"  │"uses"   │["Software"]     │"Seasalt"              │
├────────┼─────────┼─────────────────┼───────────────────────┤
│"APT1"  │"uses"   │["Software"]     │"PoisonIvy"            │
├────────┼─────────┼─────────────────┼───────────────────────┤
│"APT1"  │"uses"   │["Tool"]         │"xCmd"                 │
├────────┼─────────┼─────────────────┼───────────────────────┤
│"APT1"  │"uses"   │["Software"]     │"WEBC2"                │
├────────┼─────────┼─────────────────┼───────────────────────┤
│"APT1"  │"uses"   │["Tool"]         │"Cachedump"            │
├────────┼─────────┼─────────────────┼───────────────────────┤
│"APT1"  │"uses"   │["Tool"]         │"Pass-The-Hash Toolkit"│
├────────┼─────────┼─────────────────┼───────────────────────┤
│"APT1"  │"uses"   │["Tool"]         │"PsExec"               │
├────────┼─────────┼─────────────────┼───────────────────────┤
│"APT1"  │"uses"   │["Tool"]         │"Net"                  │
├────────┼─────────┼─────────────────┼───────────────────────┤
│"APT1"  │"uses"   │["Tool"]         │"gsecdump"             │
├────────┼─────────┼─────────────────┼───────────────────────┤
│"APT1"  │"uses"   │["Software"]     │"BISCUIT"              │
├────────┼─────────┼─────────────────┼───────────────────────┤
│"APT1"  │"uses"   │["Tool"]         │"Lslsass"              │
├────────┼─────────┼─────────────────┼───────────────────────┤
│"APT1"  │"uses"   │["Tool"]         │"Mimikatz"             │
├────────┼─────────┼─────────────────┼───────────────────────┤
│"APT1"  │"uses"   │["Tool"]         │"ipconfig"             │
├────────┼─────────┼─────────────────┼───────────────────────┤
│"APT1"  │"uses"   │["Tool"]         │"Tasklist"             │
├────────┼─────────┼─────────────────┼───────────────────────┤
│"APT1"  │"uses"   │["Software"]     │"GLOOXMAIL"            │
├────────┼─────────┼─────────────────┼───────────────────────┤
│"APT1"  │"uses"   │["Tool"]         │"pwdump"               │
├────────┼─────────┼─────────────────┼───────────────────────┤
│"APT1"  │"uses"   │["Software"]     │"CALENDAR"             │
├────────┼─────────┼─────────────────┼───────────────────────┤
│"APT1"  │"alias"  │["Alias","Group"]│"Comment Panda"        │
├────────┼─────────┼─────────────────┼───────────────────────┤
│"APT1"  │"alias"  │["Alias","Group"]│"Comment Group"        │
├────────┼─────────┼─────────────────┼───────────────────────┤
│"APT1"  │"alias"  │["Alias","Group"]│"Comment Crew"         │
└────────┴─────────┴─────────────────┴───────────────────────┘

See Neo4j's Cypher queries cheatsheet to get some Neo4j and Cypher fundamentals.

attack2neo's People

Contributors

vmapps


attack2neo's Issues

ClientError Invalid input

Hello,

I faced a ClientError while trying to execute the script:

> python attack2neo.py --debug -f mitre-enterprise-attack.json --groups --softwares --tools --techniques --relations
Technique: "Password Filter DLL Mitigation"
Technique: "Space after Filename Mitigation"
Technique: "HISTCONTROL Mitigation"
Technique: "Credentials in Files Mitigation"
[...]
Group: "APT34"
Traceback (most recent call last):
  File "attack2neo.py", line 160, in <module>
    build_relations(obj)
  File "attack2neo.py", line 69, in build_relations
    source = m.match( build_label(obj['source_ref']), name=gnames[obj['source_ref']] ).first()
  File "Python310\lib\site-packages\py2neo\matching.py", line 94, in first
    return self.graph.evaluate(*self._query_and_parameters())
  File "Python310\lib\site-packages\py2neo\database.py", line 395, in evaluate
    return self.begin(autocommit=True).evaluate(cypher, parameters, **kwparameters)
  File "Python310\lib\site-packages\py2neo\database.py", line 876, in evaluate
    return self.run(cypher, parameters, **kwparameters).evaluate(0)
  File "Python310\lib\site-packages\py2neo\database.py", line 823, in run
    return Cursor(self.connector.run(statement=cypher,
  File "Python310\lib\site-packages\py2neo\internal\connectors.py", line 292, in run
    return self._run_1(statement, parameters, graph, keys, entities)
  File "Python310\lib\site-packages\py2neo\internal\connectors.py", line 255, in _run_1
    cx.fetch()
  File "Python310\lib\site-packages\neobolt\direct.py", line 422, in fetch
    return self._fetch()
  File "Python310\lib\site-packages\neobolt\direct.py", line 464, in _fetch
    response.on_failure(summary_metadata or {})
  File "Python310\lib\site-packages\neobolt\direct.py", line 755, in on_failure
    handler(metadata)
  File "Python310\lib\site-packages\py2neo\internal\connectors.py", line 288, in _fail
    raise GraphError.hydrate(metadata)
py2neo.database.ClientError: SyntaxError: Invalid input '{': expected "+" or "-" (line 1, column 35 (offset: 34))
"MATCH (_:Software) WHERE _.name = {1} RETURN _"

I tried to install py2neo==5.0b1, but the version is not available:

> pip install py2neo==5.0b1
ERROR: Could not find a version that satisfies the requirement py2neo==5.0b1 (from versions: 4.0.0, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.2.0, 4.3.0, 2020.0.0, 2020.1.0, 2020.1.1, 2021.0.0, 2021.0.1, 2021.1.0, 2021.1.1, 2021.1.2, 2021.1.3, 2021.1.4, 2021.1.5, 2021.2.0, 2021.2.1, 2021.2.2, 2021.2.3)
ERROR: No matching distribution found for py2neo==5.0b1

Thanks for the tool.

I hit an issue. It might be due to using a newer version of Neo4j, and it seems to be with the support library.

Error below.

py2neo.database.ClientError: SyntaxError: The old parameter syntax {param} is no longer supported. Please use $param instead (line 1, column 32 (offset: 31))
"MATCH (_:Group) WHERE _.name = {1} RETURN _"
