From 3b11637f160d4601271f8edb6039c9d0aa299b67 Mon Sep 17 00:00:00 2001
From: Shreya Malviya
Date: Mon, 11 Oct 2021 17:29:46 +0530
Subject: [PATCH] island: Change mongo query to include 'Modify Shell Startup Files' PBA in T1086's report

---
 .../cc/services/attack/technique_reports/T1086.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1086.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1086.py
index d6085b09a..1d74bac61 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1086.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1086.py
@@ -40,7 +40,10 @@ class T1086(AttackTechnique):
             {
                 "$match": {
                     "telem_category": "post_breach",
-                    "data.command": {"$regex": r"\.ps1"},
+                    "$or": [
+                        {"data.command": {"$regex": r"\.ps1"}},
+                        {"data.result": {"$regex": r"\.ps1"}},
+                    ],
                 },
             },
             {
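Review bot: The `\.ps1` pattern in both new `$or` branches is case-sensitive, so a post-breach record whose command or result names a script as `Foo.PS1` (a normal spelling on a case-insensitive Windows filesystem) will not be attributed to this technique; adding `"$options": "i"` to each clause, e.g. `{"data.command": {"$regex": r"\.ps1", "$options": "i"}}` and likewise for `data.result`, closes that gap. Matching on `data.result` also means any post-breach result text that merely mentions a `.ps1` file — an error message or a directory listing, not necessarily an execution — will now be reported as PowerShell use, which is a false-positive risk worth a comment above the `$or` so a later reader knows the result branch exists, per the commit message, because the 'Modify Shell Startup Files' PBA reports the script it used in its result rather than its command. The pipeline and the method that builds it start and end outside this hunk.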