Neo4j is a great way to visualize the JSON data exported by Invoke-RpcFuzzer. Using Cypher queries, it is possible to show the relationships between RPC servers, interfaces, endpoints, methods, and so on.
First, you need a Neo4j instance with a running database. The easiest way to get one is to spin up a Docker container:
password="Password123"
docker run \
--publish=7474:7474 --publish=7687:7687 \
--env NEO4J_AUTH=neo4j/$password \
--volume=$HOME/neo4j/data:/data \
neo4j
Or, you can download Neo4j Desktop for a supported OS: https://neo4j.com/download/.
By default, this tool creates a number of nodes and relationships from the given input data. The nodes are:
RpcServer
RpcInterface
Endpoint
Method
AllowsInput
AccessDenied
Error
Parameter
FunctionCall
highPrivilegedFileOp
ACL
The relationships are:
HAS_INTERFACE
WITH_METHOD
HAS_ENDPOINT
EXPOSES_METHOD
CONSUMES
PRODUCES
OUTPUTS
INPUTS
CALLS_FUNCTION
HIGH_PRIVILEGED_FILE_OP
HAS_ACL
You can import the predefined Cypher queries. These can be found here.
Tip: an LLM is a handy way to draft Cypher queries.
Show relations between the RPC server, endpoints, methods and the allowed input
//Show relations between the RPC server, endpoints, methods and the allowed RPC calls
MATCH (rpcServer:RpcServer)-[:HAS_INTERFACE]->(rpcInterface:RpcInterface)
MATCH (rpcInterface:RpcInterface)-[:HAS_ENDPOINT]->(endpoint:Endpoint)
MATCH (rpcInterface)-[:WITH_METHOD]->(method)
MATCH (method)-[:ALLOWS_INPUT]->(allowsinput:AllowsInput)
RETURN rpcServer, rpcInterface, endpoint, method, allowsinput, allowsinput.Endpoint
Example result:
Show relations between parameters
Some RPC methods within the same interface have an output parameter whose type matches an input parameter of another RPC method, so the output of one call can serve as the input of the next.
//Parameters
MATCH
(method1:Method)-[:HAS_PARAMETER]->(param:Parameter {Direction: "Output"}),
(method2:Method)-[:HAS_PARAMETER]->(param2:Parameter {Direction: "Input"})
WHERE
param.Type = param2.Type
MERGE (method1)-[:PRODUCES]->(param)
MERGE (method2)-[:CONSUMES]->(param)
RETURN method1, param, method2
The following example output shows that the RPC method on the left produces a Parameter of type NtCoreLib.Ndr.Marshal.NdrUInt3264 that three other RPC methods take as an input parameter (consume):
Show high privileged file operations (Coerce)
It is possible to export the Process Monitor events to a CSV file and import that data into Neo4j. To show the relationship between an allowed input and the high-privileged function call it produced, use the following Cypher query:
//Get high privileged file operation function call
MATCH (rpcServer:RpcServer)-[:HAS_INTERFACE]->(rpcInterface:RpcInterface)
MATCH (rpcInterface:RpcInterface)-[:HAS_ENDPOINT]->(endpoint:Endpoint)
MATCH (rpcInterface)-[:WITH_METHOD]->(method)
MATCH (method)-[:ALLOWS_INPUT]->(allowsinput:AllowsInput)
MATCH (allowsinput)-[:HIGH_PRIVILEGED_FILE_OP]->(highPrivilegedFileOp:HighPrivilegedFileOp)
RETURN rpcServer, rpcInterface, endpoint, method, allowsinput, allowsinput.Endpoint, highPrivilegedFileOp
The example output shows how a remote UNC path given as input led to a CreateFile event in Windows, performed by a user under NT AUTHORITY without impersonation.
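Two follow-up queries for triaging the imported results, added here as an example and not part of the project's predefined queries. The first counts, per server, endpoint and method, how many accepted inputs ended in a high-privileged file operation, so the riskiest methods sort to the top; the second is the parameter-chaining query from the previous section restricted to methods of the same interface and excluding a method matching itself, which the query above does not enforce. Both assume only the labels, relationship types and properties (Direction, Type, Endpoint) already used on this page.

```cypher
// Added example: rank methods by the number of accepted inputs that led to a
// high-privileged file operation. Returns nodes rather than properties, since
// the property names of RpcServer/Endpoint are not documented on this page.
MATCH (rpcServer:RpcServer)-[:HAS_INTERFACE]->(rpcInterface:RpcInterface)
MATCH (rpcInterface)-[:HAS_ENDPOINT]->(endpoint:Endpoint)
MATCH (rpcInterface)-[:WITH_METHOD]->(method:Method)
MATCH (method)-[:ALLOWS_INPUT]->(allowsinput:AllowsInput)
MATCH (allowsinput)-[:HIGH_PRIVILEGED_FILE_OP]->(op:HighPrivilegedFileOp)
WITH rpcServer, endpoint, method,
     count(DISTINCT allowsinput)               AS inputsWithFileOp,
     collect(DISTINCT allowsinput.Endpoint)     AS inputEndpoints
RETURN rpcServer, endpoint, method, inputsWithFileOp, inputEndpoints
ORDER BY inputsWithFileOp DESC;

// Added example: parameter chaining limited to one interface. `producer <> consumer`
// drops the trivial self-match; `inp` is used because `in` is a Cypher keyword.
// Read-only: it RETURNs the candidates instead of MERGEing PRODUCES/CONSUMES edges.
MATCH (iface:RpcInterface)-[:WITH_METHOD]->(producer:Method)
      -[:HAS_PARAMETER]->(out:Parameter {Direction: "Output"}),
      (iface)-[:WITH_METHOD]->(consumer:Method)
      -[:HAS_PARAMETER]->(inp:Parameter {Direction: "Input"})
WHERE producer <> consumer
  AND out.Type = inp.Type
RETURN iface, producer, out.Type AS parameterType,
       collect(DISTINCT consumer) AS consumers
ORDER BY size(consumers) DESC;
```

Run the statements one at a time in Neo4j Browser unless multi-statement editing is enabled; the second query can be turned back into the MERGE form from the previous section once the candidate list looks right.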
Show relations between input and Function calls
// Show all allowed input results that have a function call
MATCH (rpcServer:RpcServer)-[:HAS_INTERFACE]->(rpcInterface:RpcInterface)
MATCH (rpcInterface:RpcInterface)-[:HAS_ENDPOINT]->(endpoint:Endpoint)
MATCH (rpcInterface)-[:WITH_METHOD]->(method)
MATCH (method)-[:ALLOWS_INPUT]->(allowsinput:AllowsInput)
MATCH (allowsinput)-[:CALLS_FUNCTION]->(functionCall:FunctionCall)
RETURN rpcServer, endpoint, method, allowsinput, allowsinput.Endpoint,functionCall