From 9c0c2986316a655b882d857dafa5c685bd9bc6f6 Mon Sep 17 00:00:00 2001
From: Shreya
Date: Fri, 26 Jun 2020 18:22:58 +0530
Subject: [PATCH] Mongo search logic changes + used/scanned/unscanned message changes
---
 .../cc/services/attack/technique_reports/T1053.py | 9 +++++----
 .../cc/services/attack/technique_reports/T1168.py | 9 +++++----
 2 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1053.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1053.py
index f2b5c6884..8484e78ed 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1053.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1053.py
@@ -9,12 +9,13 @@ __author__ = "shreyamalviya"
 class T1053(AttackTechnique):
 tech_id = "T1053"
- unscanned_msg = "Monkey did not try scheduling a job."
- scanned_msg = "Monkey tried scheduling a job on the system but failed."
- used_msg = "Monkey scheduled a job on the system."
+ unscanned_msg = "Monkey did not try scheduling a job on Windows."
+ scanned_msg = "Monkey tried scheduling a job on the Windows system but failed."
+ used_msg = "Monkey scheduled a job on the Windows system."
 query = [{'$match': {'telem_category': 'post_breach',
- 'data.name': POST_BREACH_JOB_SCHEDULING}},
+ 'data.name': POST_BREACH_JOB_SCHEDULING,
+ 'data.command': {'$regex': 'schtasks'}}},
 {'$project': {'_id': 0,
 'machine': {'hostname': '$data.hostname',
 'ips': ['$data.ip']},
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1168.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1168.py
index 5c04d7e90..41afbc302 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1168.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1168.py
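Review bot: The new `'data.command': {'$regex': 'schtasks'}` condition in the `$match` stage is an unanchored, case-sensitive substring match against a string the agent reports, so if the agent's command spelling or casing ever changes the technique silently drops to "unscanned" instead of failing visibly; the same applies to the `crontab` pattern in T1168.py. If the agent-side constant for that command is importable on the island, matching on it would keep both sides in sync; otherwise at least make the match case-insensitive, `'data.command': {'$regex': 'schtasks', '$options': 'i'}`, and state the intent in a comment above `query`, e.g. `# Windows and Linux job scheduling share POST_BREACH_JOB_SCHEDULING; the command substring is what tells T1053 (schtasks) apart from T1168 (crontab).` The `query` list and the class body continue past the end of the hunk.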
@@ -9,12 +9,13 @@ __author__ = "shreyamalviya"
 class T1168(AttackTechnique):
 tech_id = "T1168"
- unscanned_msg = "Monkey did not try scheduling a job."
- scanned_msg = "Monkey tried scheduling a job on the system but failed."
- used_msg = "Monkey scheduled a job on the system."
+ unscanned_msg = "Monkey did not try scheduling a job on Linux."
+ scanned_msg = "Monkey tried scheduling a job on the Linux system but failed."
+ used_msg = "Monkey scheduled a job on the Linux system."
 query = [{'$match': {'telem_category': 'post_breach',
- 'data.name': POST_BREACH_JOB_SCHEDULING}},
+ 'data.name': POST_BREACH_JOB_SCHEDULING,
+ 'data.command': {'$regex': 'crontab'}}},
 {'$project': {'_id': 0,
 'machine': {'hostname': '$data.hostname',
 'ips': ['$data.ip']},