From e4f5f08a669550e96e242449cd623dd45adc459a Mon Sep 17 00:00:00 2001
From: Shreya Malviya
Date: Wed, 6 Oct 2021 14:50:10 +0530
Subject: [PATCH] island: Remove unneeded mongo queries in ATT&CK techniques maped to PBAs

---
 .../attack/technique_reports/T1146.py | 21 ---------------
 .../attack/technique_reports/T1156.py | 27 -------------------
 .../attack/technique_reports/T1504.py | 23 ----------------
 3 files changed, 71 deletions(-)

diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1146.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1146.py
index 98a725dcd..b85d4c728 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1146.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1146.py
@@ -12,24 +12,3 @@ class T1146(PostBreachTechnique):
 "restored it back)."
 )
 pba_names = [POST_BREACH_CLEAR_CMD_HISTORY]
-
- @staticmethod
- def get_pba_query(*args):
- return [
- {
- "$match": {
- "telem_category": "post_breach",
- "data.name": POST_BREACH_CLEAR_CMD_HISTORY,
- }
- },
- {
- "$project": {
- "_id": 0,
- "machine": {
- "hostname": {"$arrayElemAt": ["$data.hostname", 0]},
- "ips": [{"$arrayElemAt": ["$data.ip", 0]}],
- },
- "result": "$data.result",
- }
- },
- ]
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1156.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1156.py
index f9c5c5020..3244dbea3 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1156.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1156.py
@@ -9,30 +9,3 @@ class T1156(PostBreachTechnique):
 scanned_msg = "Monkey tried modifying bash startup files but failed."
 used_msg = "Monkey successfully modified bash startup files."
 pba_names = [POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION]
-
- @staticmethod
- def get_pba_query(*args):
- return [
- {
- "$match": {
- "telem_category": "post_breach",
- "data.name": POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION,
- }
- },
- {
- "$project": {
- "_id": 0,
- "machine": {
- "hostname": {"$arrayElemAt": ["$data.hostname", 0]},
- "ips": [{"$arrayElemAt": ["$data.ip", 0]}],
- },
- "result": "$data.result",
- }
- },
- {"$unwind": "$result"},
- {
- "$match": {
- "$or": [{"result": {"$regex": r"\.bash"}}, {"result": {"$regex": r"\.profile"}}]
- }
- },
- ]
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1504.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1504.py
index edeb083b3..ddeaf9788 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1504.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1504.py
@@ -9,26 +9,3 @@ class T1504(PostBreachTechnique):
 scanned_msg = "Monkey tried modifying PowerShell startup files but failed."
 used_msg = "Monkey successfully modified PowerShell startup files."
 pba_names = [POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION]
-
- @staticmethod
- def get_pba_query(*args):
- return [
- {
- "$match": {
- "telem_category": "post_breach",
- "data.name": POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION,
- }
- },
- {
- "$project": {
- "_id": 0,
- "machine": {
- "hostname": {"$arrayElemAt": ["$data.hostname", 0]},
- "ips": [{"$arrayElemAt": ["$data.ip", 0]}],
- },
- "result": "$data.result",
- }
- },
- {"$unwind": "$result"},
- {"$match": {"result": {"$regex": r"profile\.ps1"}}},
- ]