Mongo query changes for T1156 and T1504

monkey/monkey_island/cc/services/attack/technique_reports/T1156.py

@@ -12,3 +12,15 @@ class T1156(PostBreachTechnique):
     scanned_msg = "Monkey tried modifying bash startup files but failed."
     used_msg = "Monkey successfully modified bash startup files."
     pba_names = [POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION]
+
+    @staticmethod
+    def get_pba_query(*args):
+        return [{'$match': {'telem_category': 'post_breach',
+                            'data.name': POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION}},
+                {'$project': {'_id': 0,
+                              'machine': {'hostname': {'$arrayElemAt': ['$data.hostname', 0]},
+                                          'ips': [{'$arrayElemAt': ['$data.ip', 0]}]},
+                              'result': '$data.result'}},
+                {'$unwind': '$result'},
+                {'$match': {'$or': [{'result': {'$regex': r'\.bash'}},
+                                    {'result': {'$regex': r'\.profile'}}]}}]

monkey/monkey_island/cc/services/attack/technique_reports/T1504.py

@@ -12,3 +12,14 @@ class T1504(PostBreachTechnique):
     scanned_msg = "Monkey tried modifying powershell startup files but failed."
     used_msg = "Monkey successfully modified powershell startup files."
     pba_names = [POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION]
+
+    @staticmethod
+    def get_pba_query(*args):
+        return [{'$match': {'telem_category': 'post_breach',
+                            'data.name': POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION}},
+                {'$project': {'_id': 0,
+                              'machine': {'hostname': {'$arrayElemAt': ['$data.hostname', 0]},
+                                          'ips': [{'$arrayElemAt': ['$data.ip', 0]}]},
+                              'result': '$data.result'}},
+                {'$unwind': '$result'},
+                {'$match': {'result': {'$regex': r'profile\.ps1'}}}]