island: Add mongo query for PBAs for T1086 reporting

This commit is contained in:
Shreya Malviya 2021-10-11 15:14:40 +05:30
parent 356b3475cd
commit 2b789fca90
1 changed files with 19 additions and 2 deletions


@ -10,7 +10,7 @@ class T1086(AttackTechnique):
scanned_msg = "" scanned_msg = ""
used_msg = "Monkey successfully ran PowerShell commands on exploited machines in the network." used_msg = "Monkey successfully ran PowerShell commands on exploited machines in the network."
query = [ query_for_exploits = [
{ {
"$match": { "$match": {
"telem_category": "exploit", "telem_category": "exploit",
@ -35,11 +35,28 @@ class T1086(AttackTechnique):
{"$group": {"_id": "$machine", "data": {"$push": "$$ROOT"}}}, {"$group": {"_id": "$machine", "data": {"$push": "$$ROOT"}}},
] ]
query_for_pbas = [
{
"$match": {
"telem_category": "post_breach",
"data.command": {"$regex": r"\.ps1"},
},
},
{
"$project": {
"_id": 0,
"machine.hostname": "$data.hostname",
"machine.ips": "$data.ip",
"info": "$data.result",
}
},
]
@staticmethod @staticmethod
def get_report_data(): def get_report_data():
@T1086.is_status_disabled @T1086.is_status_disabled
def get_technique_status_and_data(): def get_technique_status_and_data():
cmd_data = list(mongo.db.telemetry.aggregate(T1086.query)) cmd_data = list(mongo.db.telemetry.aggregate(T1086.query_for_exploits))
if cmd_data: if cmd_data:
status = ScanStatus.USED.value status = ScanStatus.USED.value
else: else:
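Review bot: The `$match` on `"data.command": {"$regex": r"\.ps1"}` in the new `query_for_pbas` only finds post-breach commands that mention a `.ps1` path, so PowerShell run inline (`powershell -Command ...` / `-EncodedCommand`), which is what T1086 covers, is not reported, and the unanchored pattern also matches substrings such as `foo.ps1x`; something like `"data.command": {"$regex": r"\.ps1\b|powershell", "$options": "i"}` would be closer to the technique. `query_for_pbas` is also not referenced in the visible part of `get_technique_status_and_data`, which still derives `status` from `query_for_exploits` alone; the function continues past the hunk, so the new query may be consumed further down, but if not it is dead code. The `$project` stage forwards `$data.result` as `info` without filtering on whether the PBA succeeded, so if that field carries a success flag (not visible here) failed runs would be listed as PowerShell use. A short comment above the query, `# post-breach actions whose command invoked a PowerShell script, projected per machine for the T1086 report`, would document the intent.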