island: Remove unneeded mongo queries in ATT&CK techniques maped to PBAs
This commit is contained in:
parent
81252e2b6a
commit
e4f5f08a66
|
@ -12,24 +12,3 @@ class T1146(PostBreachTechnique):
|
|||
"restored it back)."
|
||||
)
|
||||
pba_names = [POST_BREACH_CLEAR_CMD_HISTORY]
|
||||
|
||||
@staticmethod
|
||||
def get_pba_query(*args):
|
||||
return [
|
||||
{
|
||||
"$match": {
|
||||
"telem_category": "post_breach",
|
||||
"data.name": POST_BREACH_CLEAR_CMD_HISTORY,
|
||||
}
|
||||
},
|
||||
{
|
||||
"$project": {
|
||||
"_id": 0,
|
||||
"machine": {
|
||||
"hostname": {"$arrayElemAt": ["$data.hostname", 0]},
|
||||
"ips": [{"$arrayElemAt": ["$data.ip", 0]}],
|
||||
},
|
||||
"result": "$data.result",
|
||||
}
|
||||
},
|
||||
]
|
||||
|
|
|
@ -9,30 +9,3 @@ class T1156(PostBreachTechnique):
|
|||
scanned_msg = "Monkey tried modifying bash startup files but failed."
|
||||
used_msg = "Monkey successfully modified bash startup files."
|
||||
pba_names = [POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION]
|
||||
|
||||
@staticmethod
|
||||
def get_pba_query(*args):
|
||||
return [
|
||||
{
|
||||
"$match": {
|
||||
"telem_category": "post_breach",
|
||||
"data.name": POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION,
|
||||
}
|
||||
},
|
||||
{
|
||||
"$project": {
|
||||
"_id": 0,
|
||||
"machine": {
|
||||
"hostname": {"$arrayElemAt": ["$data.hostname", 0]},
|
||||
"ips": [{"$arrayElemAt": ["$data.ip", 0]}],
|
||||
},
|
||||
"result": "$data.result",
|
||||
}
|
||||
},
|
||||
{"$unwind": "$result"},
|
||||
{
|
||||
"$match": {
|
||||
"$or": [{"result": {"$regex": r"\.bash"}}, {"result": {"$regex": r"\.profile"}}]
|
||||
}
|
||||
},
|
||||
]
|
||||
|
|
|
@ -9,26 +9,3 @@ class T1504(PostBreachTechnique):
|
|||
scanned_msg = "Monkey tried modifying PowerShell startup files but failed."
|
||||
used_msg = "Monkey successfully modified PowerShell startup files."
|
||||
pba_names = [POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION]
|
||||
|
||||
@staticmethod
|
||||
def get_pba_query(*args):
|
||||
return [
|
||||
{
|
||||
"$match": {
|
||||
"telem_category": "post_breach",
|
||||
"data.name": POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION,
|
||||
}
|
||||
},
|
||||
{
|
||||
"$project": {
|
||||
"_id": 0,
|
||||
"machine": {
|
||||
"hostname": {"$arrayElemAt": ["$data.hostname", 0]},
|
||||
"ips": [{"$arrayElemAt": ["$data.ip", 0]}],
|
||||
},
|
||||
"result": "$data.result",
|
||||
}
|
||||
},
|
||||
{"$unwind": "$result"},
|
||||
{"$match": {"result": {"$regex": r"profile\.ps1"}}},
|
||||
]
|
||||
|
|