linkedin twitter patreon github

Neo4j

This is a living document that captures notes related to anything and all neo4j and cypher queries.

List Databases

show databases

Create New Database

create database spotless

Switch Database

:use spotless

Import Data from CSV and Define Relationships Between Nodes

Sample Data

Below is a sample CSV file with 3 columns, that represents Windows authentication information between different endpoints (think lateral movement detection/investigation/threat hunting):

Column

Meaning

SourceComputer

A computer that successfully authenticated to a DestinationComputer

DestinationComputer

A computer that SourceComputer authenticated to

DestinationUserName

A user name that was used to logon from SourceComputer to DestinationComputer

lateral-movement.csv
"SourceComputer","DestinationComputer","DestinationUserName"
"WS01","WS02","administrator"
"WS01","WS03","administrator"
"WS02","WS03","administrator"
"WS03","WS04","administrator"
"WS04","WS05","administrator"
"WS05","WS06","administrator"
"WS06","WS07","administrator"
"WS07","DB01","administrator"
"DB01","FS05","administrator"
"FS05","DC01","da-james"
"WS01","WS04","billy"
"WS02","WS04","sally"
"WS03","WS02","fred"
"WS03","WS02","james"
"WS01","WS02","james"

The file needs to be saved to the import folder of your database folder. In my case, the path is C:\Users\User\AppData\Local\Neo4j\Relate\Data\dbmss\dbms-8320b8a8-e54d-4742-a432-c8014b5968ec\import\lateral-movement.csv

Importing Nodes from CSV and Creating Relationships

LOAD CSV WITH HEADERS FROM 'file:///lateral-movement.csv' AS line
MERGE (a:Computer {Computer:line.SourceComputer} )
MERGE (b:Computer {Computer:line.DestinationComputer} )
MERGE (a) -[:LOGGED_IN {loggedAs:line.DestinationUserName}]-> (b)

Clean Database

match (a) -[r] -> () delete a, r; match (a) delete a

Match Nodes WHERE DestinationComputer Contains "WS"

MATCH p=()-[r:LOGGED_IN]->(m:Computer) where m.Computer CONTAINS "WS" RETURN p LIMIT 25

Match Nodes WHERE Relationship Contains "james"

MATCH p=()-[r:LOGGED_IN]->() where (r.loggedAs contains "james") RETURN p LIMIT 25

Match Nodes with 3 Hops Between Them

MATCH p=()-[r:LOGGED_IN*3]->() RETURN p LIMIT 25
PreviousAWS Accounts, Users, Groups, Roles, PoliciesNextDump Virtual Box Memory

Last updated