Import MITRE Enterprise ATT&CK data into a Neo4j database
The purpose of this very simple tool is to:
- read JSON data from MITRE ATT&CK
- import that data into a Neo4j database
This small project was first developed to make MITRE ATT&CK data easy to query with the Cypher Query Language.
The required Python modules are listed in requirements.txt and can be installed with the following command:
$ pip install -r requirements.txt
Settings have to be defined directly in the Python script:
# open graph connection
graph_bolt = "bolt://127.0.0.1:7687"
graph_auth = ("neo4j","test")
Adjust the settings to match your Neo4j installation:
- graph_bolt contains the connection URI, in the form bolt://<ip_address>:<port>
- graph_auth contains a 2-tuple (<user>, <password>) used to authenticate to the Neo4j database
usage: attack2neo.py [-h] [-d] -f <filename> [-g] [-s] [-o] [-t] [-r]
optional arguments:
-h, --help show this help message and exit
-d, --debug enter debug mode
-f <filename> input file name
-g, --groups import Groups objects (type:intrusion-set)
-s, --softwares import Softwares objects (type:malware)
-o, --tools import Tools objects (type:tool)
-t, --techniques import Techniques objects (type:attack-pattern and type:course-of-action)
-r, --relations import Relations objects (type:relationship)
where <filename> contains JSON data from MITRE ATT&CK
The MITRE Enterprise ATT&CK database in JSON format can be found in the MITRE CTI GitHub repository.
Let's first import the data from MITRE Enterprise ATT&CK:
$ ./attack2neo.py --debug -f mitre-enterprise-attack.json --groups --softwares --tools --relations
[...]
Group: "Dragonfly 2.0" -[alias]-> "Berserk Bear"
Group: "Dust Storm"
Group: "Elderwood" -[alias]-> "Elderwood Gang" -[alias]-> "Beijing Group" -[alias]-> "Sneaky Panda"
[...]
Software: "BUBBLEWRAP" -[alias]-> "Backdoor.APT.FakeWinHTTPHelper"
Software: "BabyShark"
Software: "Backdoor.Oldrea" -[alias]-> "Havex"
[...]
Tool: "Pass-The-Hash Toolkit"
Tool: "Ping" -[alias]-> "ping.exe"
Tool: "PoshC2"
[...]
Relation: "FIN5" -[uses]-> "PsExec"
Relation: "DarkHydrus" -[uses]-> "Cobalt Strike"
Relation: "Leviathan" -[uses]-> "BITSAdmin"
[...]
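To show how the STIX objects in the bundle map onto the Group, Software and Tool nodes, alias edges and uses relations printed above, here is an added illustration in Python. It is not the attack2neo.py code from this project: it parses a constructed miniature bundle in the shape of enterprise-attack.json, applies the same type-to-label mapping as the -g/-s/-o/-r options, reproduces the --debug output format, and emits the Cypher MERGE statements a loader would run. The function names (parse_bundle, debug_lines, cypher_statements, groups_using) are this example's own; the field names aliases and x_mitre_aliases are the ones the MITRE CTI feed uses; the choices to skip revoked or deprecated objects and to drop relationships whose endpoints were not imported are this example's, not necessarily the tool's.

```python
"""Map a MITRE ATT&CK STIX bundle onto the Group / Software / Tool graph model
and emit the Cypher needed to load it. Added illustration, not attack2neo.py;
runs offline on a constructed sample bundle."""
import json

# STIX object type -> Neo4j node label (same mapping as the -g / -s / -o options)
LABELS = {"intrusion-set": "Group", "malware": "Software", "tool": "Tool"}
# intrusion-set objects carry "aliases"; malware / tool objects carry "x_mitre_aliases"
ALIAS_KEYS = ("aliases", "x_mitre_aliases")

# Constructed miniature bundle in the shape of enterprise-attack.json (sample data only)
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--sample", "objects": [
    {"type": "intrusion-set", "id": "intrusion-set--g1", "name": "APT18",
     "aliases": ["APT18", "Threat Group-0416", "Dynamite Panda", "TG-0416"]},
    {"type": "malware", "id": "malware--m1", "name": "ASPXSpy", "x_mitre_aliases": ["ASPXSpy"]},
    {"type": "tool", "id": "tool--t1", "name": "Ping", "x_mitre_aliases": ["Ping", "ping.exe"]},
    {"type": "tool", "id": "tool--t2", "name": "OldTool", "revoked": True},
    {"type": "attack-pattern", "id": "attack-pattern--a1", "name": "Valid Accounts"},
    {"type": "relationship", "id": "relationship--r1", "relationship_type": "uses",
     "source_ref": "intrusion-set--g1", "target_ref": "malware--m1"},
    {"type": "relationship", "id": "relationship--r2", "relationship_type": "uses",
     "source_ref": "intrusion-set--g1", "target_ref": "tool--t1"},
    {"type": "relationship", "id": "relationship--r3", "relationship_type": "uses",
     "source_ref": "intrusion-set--g1", "target_ref": "attack-pattern--a1"},
]})


def parse_bundle(bundle_text):
    """Return ({stix_id: (label, name, aliases)}, [(src_label, src, rel_type, dst_label, dst)])."""
    objects = json.loads(bundle_text)["objects"]
    nodes = {}
    for obj in objects:
        label = LABELS.get(obj.get("type"))
        # skip types not imported here and objects MITRE has revoked or deprecated
        if label is None or obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        aliases = [a for key in ALIAS_KEYS for a in obj.get(key, []) if a != obj["name"]]
        nodes[obj["id"]] = (label, obj["name"], aliases)
    relations = []
    for obj in objects:
        if obj.get("type") != "relationship":
            continue
        src, dst = nodes.get(obj["source_ref"]), nodes.get(obj["target_ref"])
        # drop relationships with an endpoint that was not imported (e.g. an
        # attack-pattern when techniques are not loaded) rather than MERGE a dangling node
        if src is None or dst is None:
            continue
        relations.append((src[0], src[1], obj["relationship_type"], dst[0], dst[1]))
    return nodes, relations


def lit(value):
    """Cypher string literal; JSON escaping is valid Cypher escaping for these names."""
    return json.dumps(value)


def debug_lines(nodes, relations):
    """Reproduce the --debug output format shown above."""
    lines = [f"{label}: {lit(name)}" + "".join(f" -[alias]-> {lit(a)}" for a in aliases)
             for label, name, aliases in nodes.values()]
    lines += [f"Relation: {lit(src)} -[{rel}]-> {lit(dst)}" for _, src, rel, _, dst in relations]
    return lines


def cypher_statements(nodes, relations):
    """MERGE statements to load the graph; alias nodes get both Alias and the parent label,
    which is why LABELS(m) shows ["Alias","Group"] in the query results below."""
    stmts = []
    for label, name, aliases in nodes.values():
        stmts.append(f"MERGE (:{label} {{name: {lit(name)}}})")
        for alias in aliases:
            stmts.append(f"MATCH (n:{label} {{name: {lit(name)}}}) "
                         f"MERGE (a:Alias:{label} {{name: {lit(alias)}}}) MERGE (n)-[:alias]->(a)")
    for sl, src, rel, dl, dst in relations:
        # backticks keep relationship types such as revoked-by or subtechnique-of valid
        stmts.append(f"MATCH (s:{sl} {{name: {lit(src)}}}), (d:{dl} {{name: {lit(dst)}}}) "
                     f"MERGE (s)-[:`{rel}`]->(d)")
    return stmts


def groups_using(relations, software_name):
    """In-memory equivalent of the 'groups using software' Cypher query below."""
    return sorted({src for sl, src, rel, _, dst in relations
                   if sl == "Group" and rel == "uses" and dst == software_name})


if __name__ == "__main__":
    nodes, relations = parse_bundle(SAMPLE_BUNDLE)
    print("\n".join(debug_lines(nodes, relations)))
    print("\n".join(cypher_statements(nodes, relations)))
    print("Groups using ASPXSpy:", groups_using(relations, "ASPXSpy"))
```

Running the script prints the same "Group: ... -[alias]-> ..." and "Relation: ... -[uses]-> ..." lines as the --debug run above, followed by the MERGE statements. Because the statements use MERGE rather than CREATE, loading the same bundle twice does not duplicate nodes, and the endpoint check keeps a partial import (for example -r without -t) from creating label-less placeholder nodes.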
Then we can query the Neo4j database:
Find aliases for group "APT18":
MATCH (g:Group {name:"APT18"})
WITH g MATCH (g) - [:alias] -> (a:Alias)
RETURN g.name AS Name, a AS Alias
╒═══════╤════════════════════════════╕
│"Name" │"Alias"                     │
╞═══════╪════════════════════════════╡
│"APT18"│{"name":"Threat Group-0416"}│
├───────┼────────────────────────────┤
│"APT18"│{"name":"Dynamite Panda"}   │
├───────┼────────────────────────────┤
│"APT18"│{"name":"TG-0416"}          │
└───────┴────────────────────────────┘
Find groups that use the software "ASPXSpy":
MATCH (s:Software)
WHERE s.name = "ASPXSpy"
WITH s MATCH (s) <- [:uses] - (g:Group)
RETURN s.name AS Software, g.name AS Group
╒══════════╤═══════════════════╕
│"Software"│"Group"            │
╞══════════╪═══════════════════╡
│"ASPXSpy" │"APT41"            │
├──────────┼───────────────────┤
│"ASPXSpy" │"APT39"            │
├──────────┼───────────────────┤
│"ASPXSpy" │"Night Dragon"     │
├──────────┼───────────────────┤
│"ASPXSpy" │"Threat Group-3390"│
└──────────┴───────────────────┘
Find groups - and their aliases - that use the software "BISCUIT":
MATCH (s:Software {name:"BISCUIT"}) <-[*1..2]-> (g:Group)
RETURN s.name AS Software, g.name AS Group
╒══════════╤═══════════════╕
│"Software"│"Group"        │
╞══════════╪═══════════════╡
│"BISCUIT" │"APT1"         │
├──────────┼───────────────┤
│"BISCUIT" │"Comment Crew" │
├──────────┼───────────────┤
│"BISCUIT" │"Comment Group"│
├──────────┼───────────────┤
│"BISCUIT" │"Comment Panda"│
└──────────┴───────────────┘
Find everything about a specific group:
MATCH (n)-[r]-(m)
WHERE n.name='APT1'
RETURN n.name, TYPE(r), LABELS(m), m.name
╒════════╤═════════╤═════════════════╤═══════════════════════╕
│"n.name"│"TYPE(r)"│"LABELS(m)"      │"m.name"               │
╞════════╪═════════╪═════════════════╪═══════════════════════╡
│"APT1"  │"uses"   │["Software"]     │"Seasalt"              │
├────────┼─────────┼─────────────────┼───────────────────────┤
│"APT1"  │"uses"   │["Software"]     │"PoisonIvy"            │
├────────┼─────────┼─────────────────┼───────────────────────┤
│"APT1"  │"uses"   │["Tool"]         │"xCmd"                 │
├────────┼─────────┼─────────────────┼───────────────────────┤
│"APT1"  │"uses"   │["Software"]     │"WEBC2"                │
├────────┼─────────┼─────────────────┼───────────────────────┤
│"APT1"  │"uses"   │["Tool"]         │"Cachedump"            │
├────────┼─────────┼─────────────────┼───────────────────────┤
│"APT1"  │"uses"   │["Tool"]         │"Pass-The-Hash Toolkit"│
├────────┼─────────┼─────────────────┼───────────────────────┤
│"APT1"  │"uses"   │["Tool"]         │"PsExec"               │
├────────┼─────────┼─────────────────┼───────────────────────┤
│"APT1"  │"uses"   │["Tool"]         │"Net"                  │
├────────┼─────────┼─────────────────┼───────────────────────┤
│"APT1"  │"uses"   │["Tool"]         │"gsecdump"             │
├────────┼─────────┼─────────────────┼───────────────────────┤
│"APT1"  │"uses"   │["Software"]     │"BISCUIT"              │
├────────┼─────────┼─────────────────┼───────────────────────┤
│"APT1"  │"uses"   │["Tool"]         │"Lslsass"              │
├────────┼─────────┼─────────────────┼───────────────────────┤
│"APT1"  │"uses"   │["Tool"]         │"Mimikatz"             │
├────────┼─────────┼─────────────────┼───────────────────────┤
│"APT1"  │"uses"   │["Tool"]         │"ipconfig"             │
├────────┼─────────┼─────────────────┼───────────────────────┤
│"APT1"  │"uses"   │["Tool"]         │"Tasklist"             │
├────────┼─────────┼─────────────────┼───────────────────────┤
│"APT1"  │"uses"   │["Software"]     │"GLOOXMAIL"            │
├────────┼─────────┼─────────────────┼───────────────────────┤
│"APT1"  │"uses"   │["Tool"]         │"pwdump"               │
├────────┼─────────┼─────────────────┼───────────────────────┤
│"APT1"  │"uses"   │["Software"]     │"CALENDAR"             │
├────────┼─────────┼─────────────────┼───────────────────────┤
│"APT1"  │"alias"  │["Alias","Group"]│"Comment Panda"        │
├────────┼─────────┼─────────────────┼───────────────────────┤
│"APT1"  │"alias"  │["Alias","Group"]│"Comment Group"        │
├────────┼─────────┼─────────────────┼───────────────────────┤
│"APT1"  │"alias"  │["Alias","Group"]│"Comment Crew"         │
└────────┴─────────┴─────────────────┴───────────────────────┘
See Neo4j's Cypher queries cheatsheet for Neo4j and Cypher fundamentals.