# Cypher.cna
# Generates Cypher query to get ANGRYPUPPY attack path.
#
# Authors: Calvin Hedler (@001SPARTaN) and Vincent Yiu (@vysecurity)
# Beacon console alias: build the Cypher queries for every live beacon and
# write them to the Event Log, then tell the operator where to look.
# $1 is the beacon id the alias was invoked from.
alias cypher {
	generateCypher();
	blog($1, "[*] Sent Cypher queries to Event Log");
}
# Register the "cypher" command with the beacon console (short help + long help).
beacon_command_register(
	"cypher",
	"Obtains a set of cypher queries for visualisations from current active beacons",
	"Synopsis: cypher\n\nObtains a set of cypher queries for visualisations from current active beacons\nOutputs to event log"
);
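# Escape a host-supplied name before it is spliced into a Cypher string
# literal. Beacon user and computer names originate on the compromised host,
# so a quote or backslash in one of them would otherwise break -- or change
# the meaning of -- the query the operator pastes into Neo4j. Backslash is
# doubled first so the quote escapes added afterwards are not themselves
# re-escaped. chr() is used to avoid Sleep's own string-escape rules.
sub cypherEscape {
	local('$s');
	$s = $1;
	$s = strrep($s, chr(92), chr(92) . chr(92));   # \  -> \\
	$s = strrep($s, chr(39), chr(92) . chr(39));   # '  -> \'
	$s = strrep($s, chr(34), chr(92) . chr(34));   # "  -> \"
	return $s;
}

# Build the Cypher list literal ['A','B',...] from an array of names,
# escaping each element. Returns "[]" for an empty array.
sub cypherList {
	local('@quoted $name');
	@quoted = @();
	foreach $name ($1) {
		push(@quoted, "'" . cypherEscape($name) . "'");
	}
	return "[" . join(",", @quoted) . "]";
}

# Collect the principals currently owned by active beacons and emit, to the
# Event Log, the Cypher queries that draw them and their paths to Domain
# Admins in BloodHound. Returns the last query emitted (the ACL-aware
# shortest-path query), or "" when no beacon is checked in.
sub generateCypher {
	local('@items $session $user $computer $list $prefix $query @preds $a');

	# Cobalt Strike suffixes an elevated session's user with " *"; strip it
	# before using the name. The computer is only added when the session is
	# elevated, because only then do we actually own the host node.
	# SYSTEM is skipped: it is not a user node in the graph.
	@items = @();
	foreach $session (beacons()) {
		$user = $session["user"];
		$computer = $session["computer"];
		if ("*" isin $user) {
			$user = substr($user, 0, -2);
		}
		if ($user ne "SYSTEM" && uc($user) !isin @items) {
			push(@items, uc($user));
		}
		if ("*" isin $session["user"] && uc($computer) !isin @items) {
			push(@items, uc($computer));
		}
	}

	# With no beacons the list literal would be empty and the queries
	# syntactically invalid; say so instead of emitting broken Cypher.
	if (size(@items) == 0) {
		elog("\cB[!] No active beacons - no Cypher queries generated");
		return "";
	}

	elog("");
	elog("\cD==============================================");
	elog("\cD====================CYPHER====================");
	elog("\cD==============================================");

	# QUERY for all nodes we have currently.
	# The predicates are joined with OR rather than appended with a trailing
	# " OR (" (which left a dangling "OR ()" at the end of the query), and
	# STARTS WITH replaces the =~ regex so regex metacharacters in a name
	# cannot widen or break the match.
	@preds = @();
	foreach $a (@items) {
		push(@preds, "(n.name STARTS WITH \"" . cypherEscape($a) . "@\")");
	}
	$query = "MATCH (n) WHERE " . join(" OR ", @preds) . " RETURN n";
	elog("\cB[*] Show all beacon nodes");
	elog("\c9" . $query);
	elog("");

	# Shared head of the four path queries:
	#   WITH ['GBARNES','RL-DESKTOP18'] as samAccountNames
	#   UNWIND samAccountNames as userNames
	#   MATCH (n) WHERE n.name STARTS WITH userNames
	#   WITH n
	#   MATCH (g1:Group) WHERE g1.name STARTS WITH "DOMAIN ADMINS@"
	# NOTE(review): the list entries carry no "@", so STARTS WITH 'GBARNES'
	# also matches e.g. GBARNES2@DOMAIN. Kept as the original query -- confirm
	# whether an "@" suffix is wanted before tightening it.
	$list = cypherList(@items);
	$prefix = "WITH " . $list . " as samAccountNames UNWIND samAccountNames as userNames MATCH (n) WHERE n.name STARTS WITH userNames WITH n MATCH (g1:Group) WHERE g1.name STARTS WITH \"DOMAIN ADMINS@\" ";

	# QUERY for ALL paths from current sessions (MemberOf/AdminTo/HasSession only).
	$query = $prefix . "MATCH p = allShortestPaths((n)-[r:MemberOf|AdminTo|HasSession*1..]->(g1)) RETURN p";
	elog("\cB[*] (B->DA - No ACL) Query all beacon nodes to Domain Admins");
	elog("\c9" . $query);
	elog("");

	# QUERY FOR SHORTEST PATH for ANGRYPUPPY (no ACL edges).
	$query = $prefix . "MATCH p = allShortestPaths((n)-[r:MemberOf|AdminTo|HasSession*1..]->(g1)) RETURN p ORDER BY LENGTH(p) ASC LIMIT 1";
	elog("\cB[*] (B->DA - No ACL) Query all beacon nodes to generate ANGRYPUPPY path");
	elog("\c9" . $query);
	elog("");

	############################
	######### A C L ############
	############################

	# QUERY for ALL paths, any relationship type (includes ACL edges).
	$query = $prefix . "MATCH p = allShortestPaths((n)-[r*1..]->(g1)) RETURN p";
	elog("\cB[*] (B->DA - ACL) Query all beacon nodes to Domain Admins");
	elog("\c9" . $query);
	elog("");

	# QUERY FOR SHORTEST PATH for ANGRYPUPPY, any relationship type.
	$query = $prefix . "MATCH p = allShortestPaths((n)-[r*1..]->(g1)) RETURN p ORDER BY LENGTH(p) ASC LIMIT 1";
	elog("\cB[*] (B->DA - ACL) Query all beacon nodes to generate ANGRYPUPPY path");
	elog("\c9" . $query);
	return $query;
}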
# Script initialisation hook. Intentionally empty: there is no state to set
# up beyond the command registration above.
sub init {
	return;
}

init();