From 56975acf81476d45a8f55817e383f16379c94f49 Mon Sep 17 00:00:00 2001
From: Shreya <shreya.malviya@gmail.com>
Date: Wed, 29 Jul 2020 14:51:00 +0530
Subject: [PATCH] Mongo query changes for T1156 and T1504

---
 .../cc/services/attack/technique_reports/T1156.py    | 12 ++++++++++++
 .../cc/services/attack/technique_reports/T1504.py    | 11 +++++++++++
 2 files changed, 23 insertions(+)

diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1156.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1156.py
index f09b70391..2841ed0ad 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1156.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1156.py
@@ -12,3 +12,15 @@ class T1156(PostBreachTechnique):
     scanned_msg = "Monkey tried modifying bash startup files but failed."
     used_msg = "Monkey successfully modified bash startup files."
     pba_names = [POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION]
+
+    @staticmethod
+    def get_pba_query(*args):
+        return [{'$match': {'telem_category': 'post_breach',
+                            'data.name': POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION}},
+                {'$project': {'_id': 0,
+                              'machine': {'hostname': {'$arrayElemAt': ['$data.hostname', 0]},
+                                          'ips': [{'$arrayElemAt': ['$data.ip', 0]}]},
+                              'result': '$data.result'}},
+                {'$unwind': '$result'},
+                {'$match': {'$or': [{'result': {'$regex': r'\.bash'}},
+                                    {'result': {'$regex': r'\.profile'}}]}}]
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1504.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1504.py
index db1ea8aa5..8d8956e6b 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1504.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1504.py
@@ -12,3 +12,14 @@ class T1504(PostBreachTechnique):
     scanned_msg = "Monkey tried modifying powershell startup files but failed."
     used_msg = "Monkey successfully modified powershell startup files."
     pba_names = [POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION]
+
+    @staticmethod
+    def get_pba_query(*args):
+        return [{'$match': {'telem_category': 'post_breach',
+                            'data.name': POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION}},
+                {'$project': {'_id': 0,
+                              'machine': {'hostname': {'$arrayElemAt': ['$data.hostname', 0]},
+                                          'ips': [{'$arrayElemAt': ['$data.ip', 0]}]},
+                              'result': '$data.result'}},
+                {'$unwind': '$result'},
+                {'$match': {'result': {'$regex': r'profile\.ps1'}}}]