
Import Mitre Att&ck into Neo4j database



Import Mitre Enterprise Att&ck data into a Neo4j database


The purpose of this very simple tool is to import Mitre Enterprise Att&ck data (groups, software, tools, techniques and the relations between them) into Neo4j.

This small project was first developed to make Mitre Att&ck data easy to query with the Cypher Query Language.


The required Python modules are listed in requirements.txt and can be installed with the following command:

$ pip install -r requirements.txt


Settings have to be defined directly in the Python script:

# open graph connection
graph_bolt = "bolt://"
graph_auth = ("neo4j","test")

Customize these settings according to your Neo4j installation:

  • graph_bolt contains the connection details as a URI such as bolt://<ip_address>:<port>
  • graph_auth contains a 2-tuple (<user>,<password>) used to authenticate to the Neo4j database

Note that the password is stored in clear text in the script: use a dedicated Neo4j user for the import rather than the default account, and do not commit real credentials. A plain bolt:// URI is unencrypted; if your Neo4j server and driver support it, prefer a TLS scheme (bolt+s://) when the database is not on localhost.


usage: attack2neo.py [-h] [-d] -f <filename> [-g] [-s] [-o] [-t] [-r]

optional arguments:
  -h, --help        show this help message and exit
  -d, --debug       enter debug mode
  -f <filename>     input file name
  -g, --groups      import Groups objects (type:intrusion-set)
  -s, --softwares   import Softwares objects (type:malware)
  -o, --tools       import Tools objects (type:tool)
  -t, --techniques  import Techniques objects (type:attack-pattern and
  -r, --relations   import Relations objects (type:relationship)

where <filename> contains JSON data from Mitre Att&ck.

Mitre Att&ck database

The Mitre Enterprise Att&ck database in JSON (STIX 2 bundle) format can be found in the Mitre CTI GitHub repository (github.com/mitre/cti).


Let's first import data from Mitre Enterprise Att&ck:

$ ./attack2neo.py --debug -f mitre-enterprise-attack.json --groups --softwares --tools --relations
Group: "Dragonfly 2.0" -[alias]-> "Berserk Bear"
Group: "Dust Storm"
Group: "Elderwood" -[alias]-> "Elderwood Gang" -[alias]-> "Beijing Group" -[alias]-> "Sneaky Panda"
Software: "BUBBLEWRAP" -[alias]-> "Backdoor.APT.FakeWinHTTPHelper"
Software: "BabyShark"
Software: "Backdoor.Oldrea" -[alias]-> "Havex"
Tool: "Pass-The-Hash Toolkit"
Tool: "Ping" -[alias]-> "ping.exe"
Tool: "PoshC2"
Relation: "FIN5" -[uses]-> "PsExec"
Relation: "DarkHydrus" -[uses]-> "Cobalt Strike"
Relation: "Leviathan" -[uses]-> "BITSAdmin"
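The output above shows the graph model the tool builds: Group -[alias]-> Alias, Software, Tool, and Group -[uses]-> Software/Tool. The following is an added example, not attack2neo's own code, showing how a STIX bundle of that shape is turned into Cypher statements with that model. It assumes a minimal, constructed bundle (the object IDs are fabricated) standing in for mitre-enterprise-attack.json; the push() helper assumes the official neo4j Python driver and is only needed if you actually want to load the statements. Two practical points it handles that a plain loop would miss: revoked or deprecated objects are skipped (the real bundle keeps them in place), and object names are passed as Cypher parameters instead of being spliced into the query string, since they come from an external data feed.

```python
"""Added example (not part of attack2neo): map a MITRE ATT&CK STIX bundle to
parameterised Cypher statements using the Group/Alias/Software/Tool model.
SAMPLE_BUNDLE is a constructed stand-in for mitre-enterprise-attack.json."""
import json

# STIX object type -> Neo4j label, mirroring the -g / -s / -o options.
# Labels are taken from this fixed table, never from the input data, so they
# can be safely formatted into the query text.
LABELS = {"intrusion-set": "Group", "malware": "Software", "tool": "Tool"}

SAMPLE_BUNDLE = json.dumps({          # constructed test data; IDs are fake
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        {"type": "intrusion-set", "id": "intrusion-set--aaaa", "name": "APT1",
         "aliases": ["APT1", "Comment Crew", "Comment Group", "Comment Panda"]},
        {"type": "malware", "id": "malware--bbbb", "name": "BISCUIT"},
        {"type": "tool", "id": "tool--cccc", "name": "Mimikatz"},
        {"type": "tool", "id": "tool--dddd", "name": "Old Tool", "revoked": True},
        {"type": "relationship", "id": "relationship--1", "relationship_type": "uses",
         "source_ref": "intrusion-set--aaaa", "target_ref": "malware--bbbb"},
        {"type": "relationship", "id": "relationship--2", "relationship_type": "uses",
         "source_ref": "intrusion-set--aaaa", "target_ref": "tool--cccc"},
        {"type": "relationship", "id": "relationship--3", "relationship_type": "uses",
         "source_ref": "intrusion-set--aaaa", "target_ref": "tool--dddd"},
        {"type": "relationship", "id": "relationship--4", "relationship_type": "mitigates",
         "source_ref": "course-of-action--eeee", "target_ref": "tool--cccc"},
    ],
})


def load_objects(bundle_text):
    """Return the bundle's objects, dropping revoked/deprecated entries.
    The ATT&CK bundle keeps them (revoked: true / x_mitre_deprecated: true);
    importing them would make old names show up in query results."""
    bundle = json.loads(bundle_text)
    return [o for o in bundle["objects"]
            if not o.get("revoked") and not o.get("x_mitre_deprecated")]


def build_statements(objects):
    """Produce a list of (cypher, params) pairs. Names are parameters, so a
    name containing quotes or Cypher syntax stays data, not query."""
    stmts, name_by_id, label_by_id = [], {}, {}
    for o in objects:
        label = LABELS.get(o["type"])
        if not label:
            continue
        name_by_id[o["id"]], label_by_id[o["id"]] = o["name"], label
        stmts.append((f"MERGE (n:{label} {{name: $name}})", {"name": o["name"]}))
        if label == "Group":
            # ATT&CK lists the group's own name among its aliases; skip it.
            # Alias nodes carry both labels, as in the "Find all" query output.
            for alias in o.get("aliases", []):
                if alias != o["name"]:
                    stmts.append((
                        "MATCH (g:Group {name: $group}) "
                        "MERGE (a:Alias:Group {name: $alias}) "
                        "MERGE (g)-[:alias]->(a)",
                        {"group": o["name"], "alias": alias}))
    for o in objects:
        if o["type"] != "relationship" or o.get("relationship_type") != "uses":
            continue
        src, dst = o["source_ref"], o["target_ref"]
        if src not in name_by_id or dst not in name_by_id:
            continue          # one end is unknown, unsupported or revoked
        stmts.append((
            f"MATCH (s:{label_by_id[src]} {{name: $src}}), "
            f"(t:{label_by_id[dst]} {{name: $dst}}) MERGE (s)-[:uses]->(t)",
            {"src": name_by_id[src], "dst": name_by_id[dst]}))
    return stmts


def push(stmts, uri="bolt://localhost:7687", auth=("neo4j", "test")):
    """Run the statements with the official neo4j driver (assumed installed).
    Only called explicitly; the rest of the file works offline."""
    from neo4j import GraphDatabase
    with GraphDatabase.driver(uri, auth=auth) as driver, driver.session() as s:
        for cypher, params in stmts:
            s.run(cypher, **params)


if __name__ == "__main__":
    for cypher, params in build_statements(load_objects(SAMPLE_BUNDLE)):
        print(cypher, params)
```

With the constructed bundle this yields eight statements: the APT1 node, its three alias edges, BISCUIT, Mimikatz and two uses edges; the revoked "Old Tool" and the non-uses relationship are dropped.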

Then, we can query the Neo4j database using Neo4j Browser:



Under the visualization folder, the files attack2neo.html and attack2neo.js provide a simple HTML tool to visualize your Neo4j Cypher queries using the neovis.js library.

Settings have to be defined directly in the JavaScript file:

server_url: "bolt://localhost:7687",
server_user: "neo4j",
server_password: "test",
initial_cypher: "MATCH (n)-[r]-(m) RETURN n,r,m"

Customize these settings according to your Neo4j installation:

  • server_url contains the connection details as a URI such as bolt://<ip_address>:<port>
  • server_user contains the user name used to connect to the Neo4j database
  • server_password contains the password used to connect to the Neo4j database
  • initial_cypher contains the Cypher query to be run

Since neovis.js connects to Neo4j directly from the browser, these credentials are shipped to every client that loads the page. Keep the page and the database on localhost, or use a read-only Neo4j user, and do not reuse a privileged password here.


Sample queries

Find aliases for group "APT18":

MATCH (g:Group {name:"APT18"}) 
WITH g MATCH (g) - [:alias] -> (a:Alias)
RETURN g.name AS Name, a AS Alias

│"Name" │"Alias"                     │
│"APT18"│{"name":"Threat Group-0416"}│
│"APT18"│{"name":"Dynamite Panda"}   │
│"APT18"│{"name":"TG-0416"}          │

Find groups who are using software "ASPXSpy":

MATCH (s:Software)
WHERE s.name = "ASPXSpy" 
WITH s MATCH (s) <- [:uses] - (g:Group)
RETURN s.name AS Software, g.name AS Group

│"Software"│"Group"            │
│"ASPXSpy" │"APT41"            │
│"ASPXSpy" │"APT39"            │
│"ASPXSpy" │"Night Dragon"     │
│"ASPXSpy" │"Threat Group-3390"│

Find groups - and their aliases - who are using software "BISCUIT" (the undirected variable-length match follows the uses edge and then the alias edges; Alias nodes also carry the Group label, so they match g:Group):

MATCH (s:Software {name:"BISCUIT"}) <-[*1..2]-> (g:Group)
RETURN s.name AS Software, g.name AS Group

│"Software"│"Group"        │
│"BISCUIT" │"APT1"         │
│"BISCUIT" │"Comment Crew" │
│"BISCUIT" │"Comment Group"│
│"BISCUIT" │"Comment Panda"│

Find everything about a specific group:

MATCH (n)-[r]-(m)
WHERE n.name='APT1'
RETURN n.name, TYPE(r), LABELS(m), m.name

│"n.name"│"TYPE(r)"│"LABELS(m)"      │"m.name"               │
│"APT1"  │"uses"   │["Software"]     │"Seasalt"              │
│"APT1"  │"uses"   │["Software"]     │"PoisonIvy"            │
│"APT1"  │"uses"   │["Tool"]         │"xCmd"                 │
│"APT1"  │"uses"   │["Software"]     │"WEBC2"                │
│"APT1"  │"uses"   │["Tool"]         │"Cachedump"            │
│"APT1"  │"uses"   │["Tool"]         │"Pass-The-Hash Toolkit"│
│"APT1"  │"uses"   │["Tool"]         │"PsExec"               │
│"APT1"  │"uses"   │["Tool"]         │"Net"                  │
│"APT1"  │"uses"   │["Tool"]         │"gsecdump"             │
│"APT1"  │"uses"   │["Software"]     │"BISCUIT"              │
│"APT1"  │"uses"   │["Tool"]         │"Lslsass"              │
│"APT1"  │"uses"   │["Tool"]         │"Mimikatz"             │
│"APT1"  │"uses"   │["Tool"]         │"ipconfig"             │
│"APT1"  │"uses"   │["Tool"]         │"Tasklist"             │
│"APT1"  │"uses"   │["Software"]     │"GLOOXMAIL"            │
│"APT1"  │"uses"   │["Tool"]         │"pwdump"               │
│"APT1"  │"uses"   │["Software"]     │"CALENDAR"             │
│"APT1"  │"alias"  │["Alias","Group"]│"Comment Panda"        │
│"APT1"  │"alias"  │["Alias","Group"]│"Comment Group"        │
│"APT1"  │"alias"  │["Alias","Group"]│"Comment Crew"         │

See Neo4j's Cypher query cheat sheet for Neo4j and Cypher fundamentals.