island: Remove unneeded mongo queries in ATT&CK techniques maped to PBAs
parent
81252e2b6a
commit
e4f5f08a66
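--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -12,24 +12,3 @@ class T1146(PostBreachTechnique):
         "restored it back)."
     )
     pba_names = [POST_BREACH_CLEAR_CMD_HISTORY]
-
-    @staticmethod
-    def get_pba_query(*args):
-        return [
-            {
-                "$match": {
-                    "telem_category": "post_breach",
-                    "data.name": POST_BREACH_CLEAR_CMD_HISTORY,
-                }
-            },
-            {
-                "$project": {
-                    "_id": 0,
-                    "machine": {
-                        "hostname": {"$arrayElemAt": ["$data.hostname", 0]},
-                        "ips": [{"$arrayElemAt": ["$data.ip", 0]}],
-                    },
-                    "result": "$data.result",
-                }
-            },
-        ]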
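--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -9,30 +9,3 @@ class T1156(PostBreachTechnique):
     scanned_msg = "Monkey tried modifying bash startup files but failed."
     used_msg = "Monkey successfully modified bash startup files."
     pba_names = [POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION]
-
-    @staticmethod
-    def get_pba_query(*args):
-        return [
-            {
-                "$match": {
-                    "telem_category": "post_breach",
-                    "data.name": POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION,
-                }
-            },
-            {
-                "$project": {
-                    "_id": 0,
-                    "machine": {
-                        "hostname": {"$arrayElemAt": ["$data.hostname", 0]},
-                        "ips": [{"$arrayElemAt": ["$data.ip", 0]}],
-                    },
-                    "result": "$data.result",
-                }
-            },
-            {"$unwind": "$result"},
-            {
-                "$match": {
-                    "$or": [{"result": {"$regex": r"\.bash"}}, {"result": {"$regex": r"\.profile"}}]
-                }
-            },
-        ]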
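--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -9,26 +9,3 @@ class T1504(PostBreachTechnique):
     scanned_msg = "Monkey tried modifying PowerShell startup files but failed."
     used_msg = "Monkey successfully modified PowerShell startup files."
     pba_names = [POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION]
-
-    @staticmethod
-    def get_pba_query(*args):
-        return [
-            {
-                "$match": {
-                    "telem_category": "post_breach",
-                    "data.name": POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION,
-                }
-            },
-            {
-                "$project": {
-                    "_id": 0,
-                    "machine": {
-                        "hostname": {"$arrayElemAt": ["$data.hostname", 0]},
-                        "ips": [{"$arrayElemAt": ["$data.ip", 0]}],
-                    },
-                    "result": "$data.result",
-                }
-            },
-            {"$unwind": "$result"},
-            {"$match": {"result": {"$regex": r"profile\.ps1"}}},
-        ]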