Cypheroth is a automated, extensible toolset that runs cypher queries against Bloodhound’s Neo4j backend and saves output to spreadsheets.
This is a bash script that automates running cypher queries against Bloodhound data stored in a Neo4j database.
I found myself re-running the same queries through the Neo4j web interface on multiple assessments and figured there must be an easier way.
The list of cypher queries to run is fully extensible. The formatting example below shows how to add your own.
Please share any additional useful queries so I can add them to this project!
Demo
Prereqs
cypher-shell
command comes bundled with Neo4j, and is required for this script to functioncypher-shell
is not found, you may have an outdated version of Neo4jssconvert
command is present, the script will combine all .csv output to sheets within a .xls fileOn Windows we recommend using WSL to run this script, while the neo4j database runs on Windows. You will just need to install the cypher-shell
package in WSL (Linux).
Usage
Flags:
-u Neo4J Username (Required)
-p Neo4J Password (Required)
-d Fully Qualified Domain Name (Required) (Case Sensitive)
-a Bolt address (Optional) (Default: localhost:7687)
-t Query Timeout (Optional) (Default: 30s)
-v Verbose mode (Optional) (Default:FALSE)
-h Help text and usage example (Optional)
Example with Defaults:
./cypheroth.sh -u neo4j -p BloodHound -d TESTLAB.LOCAL
Example with All Options:
./cypheroth.sh -u neo4j -p hunter2 -d BigTech.corp -a 10.0.0.1:7687 -t 5m -v true
Files are added to a subdirectory named after the FQDN.
Cypher Queries
There are nearly 60 queries in the script currently. This is a sample of the information you’ll receive:
To add additional queries, edit the queries
array within cypheroth.sh and add a line using the following format:
Description;Cypher Query;Output File
If adding a query that requires the Domain value to be set, save it as $DOMAIN.
All Usernames;MATCH (u:User) RETURN u.name;usernames.csv
All Domain Admins;MATCH (u:User) MATCH (g:Group {name:’DOMAIN ADMINS@$DOMAIN’}) RETURN u.displayname;domainAdmins.csv
Analyze Several Domains
If you need to analyze several domains, you can run multiple instances of Cypheroth in parallel with each one working on its domain. You can use the following script for example (10 in parallel).
#!/usr/bin/env bash
DOMAINS=(domA.example.net domB.example.net […])
parallel -j10 –lb ./cypheroth.sh -d {} ::: “${DOMAINS[@]}”
Troubleshooting
If you are running an outdated version of cypher-shell
you may receive the following error:
DateTime is not supported as a return type in Bolt protocol version
1. Please make sure driver supports at least protocol version
2. Driver upgrade is most likely required.
To fix, update Neo4j to the latest version.
Credit: Chris Farrell (@seajay)
Acknowledgments
#cypher_queries
channel for assistanceKali Linux 2024.4, the final release of 2024, brings a wide range of updates and…
This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…
GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…
Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…
The free and open-source security platform SecHub, provides a central API to test software with…
Don't worry if there are any bugs in the tool, we will try to fix…