BloodCheck
BloodCheck enables Red and Blue Teams to manage multiple Neo4j databases and run Cypher queries against a BloodHound dataset.
Installation
From Source
BloodCheck requires Python 3.7 (and above), and Neo4j 3.5.x to be installed.
The Neo4j binary can be downloaded from the Neo4j website.
Once downloaded, the Neo4j setup can be carried out by running the following command as administrator:
<neo4j_path>\neo4j-community-<neo4j_version>\bin\neo4j.bat install-service
You can check the Neo4j installation path using the following command:
<neo4j_path>\neo4j-community-<neo4j_version>\bin\neo4j.bat status -Verbose
If it's pointing to another installation path, change the NEO4J_HOME environment variable:
set NEO4J_HOME=<neo4j_path>\neo4j-community-<neo4j_version>
echo %NEO4J_HOME%
To update the Neo4j service, run the update-service command:
<neo4j_path>\neo4j-community-<neo4j_version>\bin\neo4j.bat update-service
In order to install the pip requirements, run the following commands:
cd BloodCheck
pip3 install -r requirements.txt
If you have issues installing the Pandas' package, you can use the following command:
pip3 install --trusted-host pypi.python.org pip pandas
Once all dependencies have been installed, the configuration file config.py must be initialized (using the config.py.sample sample file) with the associated program variables.
Finally, uncomment the #dbms.active_database=graph.db line in the neo4j.conf Neo4j configuration file, located in the <neo4j_path>\neo4j-community-<neo4j_version>\conf directory.
Docker
In order to run BloodCheck using Docker, you first need to build the Docker image using the following command:
cd BloodCheck
docker build --tag bloodcheck .
BloodCheck can then be run as follows:
docker run -ti bloodcheck
|________|___________________|_
| |B|L|O|O|D|C|H|E|C|K| |________________
|________|___________________|_| ,
| | | ,
usage: BloodCheck.py [-h] [-c CONFIGFILE] [-dG] [-dL] [-dP] [-dR] [-dS] [-oI OWNEDINJECTFILE] [-oU OWNEDUNDOFILE] [-oW] [-qA] [-qF QUERYFILE] [-qD QUERYDIRECTORY] [-qS QUERYSUBDIRECTORY] [-o OUTPUTDIRECTORY] [-s] [-v]
optional arguments:
-h, --help show this help message and exit
-c CONFIGFILE, --config CONFIGFILE
define Neo4j configuration file
-dG, --generate generate Neo4j database
-dL, --list list Neo4j database
-dP, --purge purge Neo4j database
-dR, --restart restart Neo4j local service
-dS, --switch switch Neo4j database
-oI OWNEDINJECTFILE, --inject OWNEDINJECTFILE
inject owned principales
-oU OWNEDUNDOFILE, --undo OWNEDUNDOFILE
undo the owned principales injection
-oW, --wipe wipe all owned principales
-qA, --analytics run Neo4j database analytics
-qF QUERYFILE, --query QUERYFILE
run cypher query
-qD QUERYDIRECTORY, --dir QUERYDIRECTORY
run all cypher queries from directory
-qS QUERYSUBDIRECTORY, --subdir QUERYSUBDIRECTORY
run all cypher queries from all subdirectories
-o OUTPUTDIRECTORY, --output OUTPUTDIRECTORY
output results in specified directory
-s, --save save results to files
-v, --verbose increase output verbosity
Usage
Help
Running BloodCheck.py -h will print the help message and list all available options:
$ python BloodCheck.py -h
|________|___________________|_
| |B|L|O|O|D|C|H|E|C|K| |________________
|________|___________________|_| ,
| | | ,
usage: BloodCheck.py [-h] [-c CONFIGFILE] [-dG] [-dL] [-dP] [-dR] [-dS] [-oI OWNEDINJECTFILE] [-oU OWNEDUNDOFILE] [-oW] [-qA] [-qF QUERYFILE] [-qD QUERYDIRECTORY] [-qS QUERYSUBDIRECTORY] [-o OUTPUTDIRECTORY] [-s] [-v]
optional arguments:
-h, --help show this help message and exit
-c CONFIGFILE, --config CONFIGFILE
define Neo4j configuration file
-dG, --generate generate Neo4j database
-dL, --list list Neo4j database
-dP, --purge purge Neo4j database
-dR, --restart restart Neo4j local service
-dS, --switch switch Neo4j database
-oI OWNEDINJECTFILE, --inject OWNEDINJECTFILE
inject owned principales
-oU OWNEDUNDOFILE, --undo OWNEDUNDOFILE
undo the owned principales injection
-oW, --wipe wipe all owned principales
-qA, --analytics run Neo4j database analytics
-qF QUERYFILE, --query QUERYFILE
run cypher query
-qD QUERYDIRECTORY, --dir QUERYDIRECTORY
run all cypher queries from directory
-qS QUERYSUBDIRECTORY, --subdir QUERYSUBDIRECTORY
run all cypher queries from all subdirectories
-o OUTPUTDIRECTORY, --output OUTPUTDIRECTORY
output results in specified directory
-s, --save save results to files
-v, --verbose increase output verbosity
Configuration file
BloodCheck requires a configuration file config.py to be initialized (see section Installation From Source).
You can also specify an alternate configuration file using the -c parameter:
$ python BloodCheck.py -c configuration_file.py
Neo4j databases management
To generate a clean Neo4j database (named 'CleanNeo4jDB') that can be used with BloodHound, specify its name using the following command:
$ python BloodCheck.py -dG
|________|___________________|_
| |B|L|O|O|D|C|H|E|C|K| |________________
|________|___________________|_| ,
| | | ,
[!] Access to Neo4j installation path [OK]
Please input the new Database name: CleanNeo4jDB
[!] Creating database 'CleanNeo4jDB'
All Neo4j databases can be listed with the -dL parameter:
$ python BloodCheck.py -dL
To switch to a specific Neo4j database (which requires the Neo4j service to be restarted), use the -dS option:
$ python BloodCheck.py -dS
To restart the Neo4j local service, use the -dR parameter:
$ python BloodCheck.py -dR
Parameters can be stacked. For instance, if you want to switch to another database and restart the Neo4j service, use the following command:
$ python BloodCheck.py -dS -dR
To purge (delete) a specific Neo4j database, use the -dP parameter:
$ python BloodCheck.py -dP
Inject owned
One feature of BloodCheck is the ability to inject owned principales via batch processing, using the following command:
$ python BloodCheck.py -oI owned_file.txt
The content of the specified owned file is as follow:
owned principale;wave
owned principale;wave
To undo the owned principales injection, just run BloodCheck with the -oU option followed with the previously provided owned file:
$ python BloodCheck.py -oU owned_file.txt
To wipe all owned principales attributes, use the -oW parameter:
$ python BloodCheck.py -oW
Cypher query
BloodCheck also enables cypher queries to be run against a BloodHound Neo4j database using yaml templates.
To run a specific cypher query against the BloodHound instance, just run the following command:
$ python BloodCheck.py -qF query_file.yml
The command below can be used to run all cypher queries from a directory:
$ python BloodCheck.py -qD query_directory
Use the -qS parameter to run all cypher queries from all subdirectories:
$ python BloodCheck.py -qS query_directory
Only the first 10 entries of each query results will be returned to the standard output.
Results can be saved to files using the -s parameter. By default, output results will be saved to the _output directory. This can be overridden by specifying the output directory using the -o option.
The cypher query yaml template consists of the following required sections:
Description: <Description of the cypher query>
Hash: <SHA256 hash of the cypher query>
Headers:
- <First header>
- <Second header>
- ...
Query: '
<Cypher query to run>
'
For instance, the following template will returned a table of all users with Name, Description, pwdlastset attribute value and the enabling state:
Description: Users descriptions
Hash: 56DA67064F47AA4C06F68CD3A683462BCF0B93424D3360AEB95C0962549693AC
Headers:
- Name
- Description
- pwdlastset
- Enabled
Query: '
MATCH (u:User)
WHERE u.description is not null
RETURN u.name AS `Name`, u.description AS `Description`, u.pwdlastset AS `pwdlastset`, u.enabled AS `Enabled`
'
Note that the cypher query must not contain any additional quotes. Otherwise the following error would occur:
Error while parsing a block mapping
in "yamlfile.yml", line 1, column 1
expected <block end>, but found '<scalar>
Finally, there are some builtins analytics cypher queries that can be run against the BloodHound instance using the following command:
$ python BloodCheck.py -qA
Those builtins analytics cypher queries retrieve the nodes distributions, the number and name of available domains, as well as all the principals marked as owned.
Contribution
If you want to contribute and make BloodCheck better, your help is very welcome.
You can use it and give me feedbacks.
Pull requests are also welcomed! So, if you have some improvements to provide, or a new cypher query to add to the project, please do ;)
Credits
This project would not have been possible without the amazing work of @_wald0, @CptJesus, and @harmj0y on the BloodHound project.
A big shout out also for @Haus3c and its amazing BloodHound Cypher Cheatsheet.
3 May 31, 2022
7 Aug 24, 2022
2 Apr 15, 2022
6 Oct 20, 2022
2 Aug 06, 2022
275 Jan 02, 2023
2 Jul 23, 2022
1 Nov 12, 2021
353 Jan 04, 2023
46 Dec 10, 2022
1 Jan 23, 2022
2 Feb 18, 2022
4 Dec 01, 2022
23 Dec 02, 2022
1.3k Dec 30, 2022
1k Jan 02, 2023
0 Aug 31, 2022
5 Nov 05, 2022
8 Aug 15, 2022
1 Nov 02, 2021