Mongo query changes for T1156 and T1504

This commit is contained in:
Shreya 2020-07-29 14:51:00 +05:30
parent f378c5e896
commit 56975acf81
2 changed files with 23 additions and 0 deletions


@ -12,3 +12,15 @@ class T1156(PostBreachTechnique):
scanned_msg = "Monkey tried modifying bash startup files but failed."
used_msg = "Monkey successfully modified bash startup files."
pba_names = [POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION]
@staticmethod
def get_pba_query(*args):
return [{'$match': {'telem_category': 'post_breach',
'data.name': POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION}},
{'$project': {'_id': 0,
'machine': {'hostname': {'$arrayElemAt': ['$data.hostname', 0]},
'ips': [{'$arrayElemAt': ['$data.ip', 0]}]},
'result': '$data.result'}},
{'$unwind': '$result'},
{'$match': {'$or': [{'result': {'$regex': r'\.bash'}},
{'result': {'$regex': r'\.profile'}}]}}]
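Review bot: The first four pipeline stages of `get_pba_query` (the `$match` on `telem_category`/`data.name`, the `$project` of `machine` and `result`, and the `$unwind`) are repeated verbatim in T1504's `get_pba_query` in the second file; only the final `$match` regex differs, so the projection will drift between the two the next time one is edited. A helper on the base class that builds the common stages and appends a caller-supplied result filter would keep them in sync, though whether `PostBreachTechnique` already offers such a hook is not visible here. The method also lacks a docstring; I would add `"""Return the Mongo aggregation pipeline selecting shell-startup-file PBA telemetry whose result text references .bash or .profile."""` (and the `profile\.ps1` counterpart in T1504). Note that `r'\.bash'` and `r'\.profile'` are unanchored substring matches on the result message, so any result line that merely mentions those names is counted; if that is intended, a one-line comment saying so would spare the next reader from tightening it. The `*args` parameter is unused in both methods, presumably to satisfy a base-class signature; the class bodies begin before the hunk.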


@ -12,3 +12,14 @@ class T1504(PostBreachTechnique):
scanned_msg = "Monkey tried modifying powershell startup files but failed."
used_msg = "Monkey successfully modified powershell startup files."
pba_names = [POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION]
@staticmethod
def get_pba_query(*args):
return [{'$match': {'telem_category': 'post_breach',
'data.name': POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION}},
{'$project': {'_id': 0,
'machine': {'hostname': {'$arrayElemAt': ['$data.hostname', 0]},
'ips': [{'$arrayElemAt': ['$data.ip', 0]}]},
'result': '$data.result'}},
{'$unwind': '$result'},
{'$match': {'result': {'$regex': r'profile\.ps1'}}}]