Add Admin implication

WithSecureLabs · Aug 24, 2021 · 2a38886 · 2a38886
1 parent df6e6ab
commit 2a38886
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 5 deletions.
diff --git a/lib/aws/attacks.py b/lib/aws/attacks.py
@@ -1231,7 +1231,7 @@ def compute(self, max_iterations=5):
         self.console.task("Removing all existing attacks",
                           db.run, args=["MATCH (p) WHERE p:Pattern "
                                         "   OR p.Arn = 'arn:aws:iam::{Account}:policy/Admin' "
-                                        "OPTIONAL MATCH (p)-[a:ATTACK]->() "
+                                        "OPTIONAL MATCH (p)-[a:ATTACK|ADMIN]->() "
                                         "DETACH DELETE p "
                                         "RETURN COUNT(a) AS deleted"
                                         ],
@@ -1248,6 +1248,11 @@ def compute(self, max_iterations=5):
                               '"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"'
                               '}]}}]\''
                               '}) '
+                              "WITH admin MATCH (r:Resource) "
+                              " MERGE (admin)-[access:ADMIN]->(r) "
+                              " ON CREATE SET "
+                              "     access.Name = 'Admin Access', "
+                              "     access.Description = 'Implies all related actions and attacks' "
                           ],
                           done="Created pseudo Admin")
 

diff --git a/www/src/components/Graph.vue b/www/src/components/Graph.vue
@@ -261,7 +261,8 @@ export default {
           "WITH source, target " +
           "CALL apoc.algo.dijkstraWithDefaultWeight(source, target, 'TRANSITIVE>|ATTACK>', '', 0) " + 
           "YIELD path " +
-          "RETURN path"
+          "OPTIONAL MATCH admin=(:Admin)-->(target)" +
+          "RETURN path, admin"
       );
 
     },
@@ -276,7 +277,8 @@ export default {
           "OPTIONAL MATCH path=shortestPath((source)-[:TRANSITIVE|ATTACK*0..]->(target)) " +
           "WHERE (target:Resource OR target:Admin) " +
           "AND source <> target " +
-          "RETURN source, path"
+          "OPTIONAL MATCH admin=(source:Admin)-->()" +
+          "RETURN source, path, admin"
       );
     },
 
@@ -290,7 +292,8 @@ export default {
         `MATCH (target) WHERE ID(target) = ${id} ` +
           "OPTIONAL MATCH actions=(_)-[:ACTION]->(target) " +
           "WHERE (_:Resource OR _:External) " +
-          "RETURN target, actions"
+          "OPTIONAL MATCH admin=(:Admin)-->(target)" +
+          "RETURN target, admin, actions"
       );
     },
 
@@ -304,7 +307,8 @@ export default {
         `MATCH (source) WHERE ID(source) = ${id} ` +
           "OPTIONAL MATCH actions=(source)-[:ACTION]->(target) " +
           "WHERE target:Resource OR target:CatchAll " +
-          "RETURN source, actions"
+          "OPTIONAL MATCH admin=(source:Admin)-->()" +
+          "RETURN source, actions, admin"
       );
     },
 

diff --git a/www/src/config.js b/www/src/config.js
@@ -216,6 +216,18 @@ export default {
                 'text-rotation': 'autorotate'
             }
         },
+        {
+            selector: 'edge.ADMIN',
+            style: {
+                'opacity': '0.4',
+                'overlay-color': 'white',
+                'overlay-padding': '1px',
+                'overlay-opacity': '1px',
+                'target-arrow-shape': 'chevron',
+                'target-arrow-fill': 'filled',
+                'color': 'black',
+            }
+        },
         {
             selector: 'node.selected',
             style: {