From 2b789fca9030373fbae1fcd49c3c4a9f28f95ed0 Mon Sep 17 00:00:00 2001 From: Shreya Malviya Date: Mon, 11 Oct 2021 15:14:40 +0530 Subject: [PATCH 01/12] island: Add mongo query for PBAs for T1086 reporting --- .../attack/technique_reports/T1086.py | 21 +++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1086.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1086.py index 253dc3d8d..ac46670d8 100644 --- a/monkey/monkey_island/cc/services/attack/technique_reports/T1086.py +++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1086.py @@ -10,7 +10,7 @@ class T1086(AttackTechnique): scanned_msg = "" used_msg = "Monkey successfully ran PowerShell commands on exploited machines in the network." - query = [ + query_for_exploits = [ { "$match": { "telem_category": "exploit", @@ -35,11 +35,28 @@ class T1086(AttackTechnique): {"$group": {"_id": "$machine", "data": {"$push": "$$ROOT"}}}, ] + query_for_pbas = [ + { + "$match": { + "telem_category": "post_breach", + "data.command": {"$regex": r"\.ps1"}, + }, + }, + { + "$project": { + "_id": 0, + "machine.hostname": "$data.hostname", + "machine.ips": "$data.ip", + "info": "$data.result", + } + }, + ] + @staticmethod def get_report_data(): @T1086.is_status_disabled def get_technique_status_and_data(): - cmd_data = list(mongo.db.telemetry.aggregate(T1086.query)) + cmd_data = list(mongo.db.telemetry.aggregate(T1086.query_for_exploits)) if cmd_data: status = ScanStatus.USED.value else: From d82f61d524d68a8821fcbfd115a577801d42d1f0 Mon Sep 17 00:00:00 2001 From: Shreya Malviya Date: Mon, 11 Oct 2021 15:22:33 +0530 Subject: [PATCH 02/12] island: Add telem category to data for T1086 reporting --- .../cc/services/attack/technique_reports/T1086.py | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) 
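Review bot: The new `query_for_pbas` stage matches `data.command` with `{"$regex": r"\.ps1"}`, an unanchored, case-sensitive substring test, so a command naming `script.PS1` is missed while one containing `.ps10` or `.ps1.bak` is counted; `{"$regex": r"\.ps1\b", "$options": "i"}` would be tighter, Windows paths being case-insensitive. The `$project` stage also hard-codes a post-breach telemetry layout (`data.hostname`, `data.ip`, `data.result`) that is not visible here; a one-line comment naming where that shape comes from, e.g. `# presumably the agent's post_breach telem: data.{hostname, ip, command, result} — confirm`, would save the next reader a search. `get_technique_status_and_data` continues past the end of the hunk.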
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1086.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1086.py index ac46670d8..670208e17 100644 --- a/monkey/monkey_island/cc/services/attack/technique_reports/T1086.py +++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1086.py @@ -17,10 +17,11 @@ class T1086(AttackTechnique): "data.info.executed_cmds": {"$elemMatch": {"powershell": True}}, } }, - {"$project": {"machine": "$data.machine", "info": "$data.info"}}, + {"$project": {"telem_category": 1, "machine": "$data.machine", "info": "$data.info"}}, { "$project": { "_id": 0, + "telem_category": 1, "machine": 1, "info.finished": 1, "info.executed_cmds": { @@ -45,6 +46,7 @@ class T1086(AttackTechnique): { "$project": { "_id": 0, + "telem_category": 1, "machine.hostname": "$data.hostname", "machine.ips": "$data.ip", "info": "$data.result", @@ -56,7 +58,10 @@ class T1086(AttackTechnique): def get_report_data(): @T1086.is_status_disabled def get_technique_status_and_data(): - cmd_data = list(mongo.db.telemetry.aggregate(T1086.query_for_exploits)) + exploit_cmd_data = list(mongo.db.telemetry.aggregate(T1086.query_for_exploits)) + pba_cmd_data = list(mongo.db.telemetry.aggregate(T1086.query_for_pbas)) + cmd_data = exploit_cmd_data + pba_cmd_data + if cmd_data: status = ScanStatus.USED.value else: From 7fa917581c842e53f85b418a544180f57e9de01c Mon Sep 17 00:00:00 2001 From: Shreya Malviya Date: Mon, 11 Oct 2021 17:21:40 +0530 Subject: [PATCH 03/12] cc: Add another table for T1086 (PowerShell) used as PBAs --- .../attack/technique_reports/T1086.py | 2 +- .../src/components/attack/techniques/T1086.js | 59 ++++++++++++++++--- 2 files changed, 53 insertions(+), 8 deletions(-) diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1086.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1086.py index 670208e17..d6085b09a 100644 --- a/monkey/monkey_island/cc/services/attack/technique_reports/T1086.py 
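Review bot: Once `pba_cmd_data` feeds `cmd_data`, the class-level `used_msg` ("Monkey successfully ran PowerShell commands on exploited machines in the network.", visible as context in the previous patch) is no longer accurate: a PBA row alone now sets `ScanStatus.USED`, and post-breach actions presumably also run on machines that were never exploited. I would reword it, e.g. `used_msg = "Monkey successfully ran PowerShell commands or scripts in the network (during exploitation and/or as post-breach actions)."`. A comment on `cmd_data = exploit_cmd_data + pba_cmd_data` is also worth adding, since the two lists carry different `info` shapes (`info.finished`/`info.executed_cmds` for exploits, the raw PBA `data.result` for PBAs) and any consumer must branch on `telem_category`. The function's `else:` branch and return continue outside the hunk.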
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1086.py @@ -48,7 +48,7 @@ class T1086(AttackTechnique): "_id": 0, "telem_category": 1, "machine.hostname": "$data.hostname", - "machine.ips": "$data.ip", + "machine.ips": [{"$arrayElemAt": ["$data.ip", 0]}], "info": "$data.result", } }, diff --git a/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1086.js b/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1086.js index 266c99eaf..e08aaf667 100644 --- a/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1086.js +++ b/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1086.js @@ -1,6 +1,6 @@ import React from 'react'; import ReactTable from 'react-table'; -import {renderMachine, ScanStatus} from './Helpers' +import {renderMachine, renderMachineFromSystemData, ScanStatus} from './Helpers' import MitigationsComponent from './MitigationsComponent'; @@ -10,9 +10,9 @@ class T1086 extends React.Component { super(props); } - static getPowershellColumns() { + static getPowershellColumnsForExploits() { return ([{ - Header: 'Example Powershell commands used', + Header: 'PowerShell commands used on exploited machines', columns: [ { Header: 'Machine', 
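Review bot: `[{"$arrayElemAt": ["$data.ip", 0]}]` silently drops every address after the first for multi-homed hosts, and neither the code nor the commit message says why one IP is enough; a comment such as `# PBA telemetry carries a list of IPs; only the first is projected so the row renders like the exploit table's single-IP machines — TODO confirm` would record the intent. If `data.ip` is absent or empty the element resolves to null or missing and `machine.ips` has no usable entry, so `renderMachineFromSystemData` on the UI side needs to tolerate that; I cannot see from here whether it does.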
@@ -32,18 +32,63 @@ class T1086 extends React.Component { }]) } + static getPowershellColumnsForPBAs() { + return ([{ + Header: 'PowerShell commands or scripts used as PBAs', + columns: [ + { + Header: 'Machine', + id: 'machine', + accessor: x => renderMachineFromSystemData(x.machine), + style: {'whiteSpace': 'unset'}, + }, + { + Header: 'Information', + id: 'information', + accessor: x => x.info, + style: {'whiteSpace': 'unset'} + } + ] + }]) + } + + getPowershellDataPerCategory(category) { + let data = []; + for (let rowIdx in this.props.data.cmds) { + let row = this.props.data.cmds[rowIdx]; + if (row.telem_category == category) { + data.push(row); + } + } + + return data + } + render() { + let data_from_exploits = this.getPowershellDataPerCategory("exploit"); + let data_from_pbas = this.getPowershellDataPerCategory("post_breach"); + return (
{this.props.data.message_html}

{this.props.data.status === ScanStatus.USED ? +
: ''} + defaultPageSize={data_from_exploits.length} + /> +
+
+ +
: ''}
); From 3b11637f160d4601271f8edb6039c9d0aa299b67 Mon Sep 17 00:00:00 2001 From: Shreya Malviya Date: Mon, 11 Oct 2021 17:29:46 +0530 Subject: [PATCH 04/12] island: Change mongo query to include 'Modify Shell Startup Files' PBA in T1086's report --- .../cc/services/attack/technique_reports/T1086.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1086.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1086.py index d6085b09a..1d74bac61 100644 --- a/monkey/monkey_island/cc/services/attack/technique_reports/T1086.py +++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1086.py @@ -40,7 +40,10 @@ class T1086(AttackTechnique): { "$match": { "telem_category": "post_breach", - "data.command": {"$regex": r"\.ps1"}, + "$or": [ + {"data.command": {"$regex": r"\.ps1"}}, + {"data.result": {"$regex": r"\.ps1"}}, + ], }, }, { From 363e42ad7b7f398bbbad7df1a0990b0e4416af44 Mon Sep 17 00:00:00 2001 From: Shreya Malviya Date: Mon, 11 Oct 2021 17:30:29 +0530 Subject: [PATCH 05/12] cc: Change wording for header of PBAs' table in T1086's report --- .../cc/ui/src/components/attack/techniques/T1086.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1086.js b/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1086.js index e08aaf667..65f4a1300 100644 --- a/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1086.js +++ b/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1086.js @@ -34,7 +34,7 @@ class T1086 extends React.Component { static getPowershellColumnsForPBAs() { return ([{ - Header: 'PowerShell commands or scripts used as PBAs', + Header: 'PBAs that used PowerShell commands or scripts', columns: [ { Header: 'Machine', From 5a4f66d08084118520ac8f78a0c3af4c868dca65 Mon Sep 17 00:00:00 2001 
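Review bot: With both tables gated by the single `status === ScanStatus.USED` check, a report in which only PBAs used PowerShell still renders the exploit table with zero rows and `defaultPageSize={data_from_exploits.length}` evaluating to 0 (and the reverse for the PBA table); from what survives of the render here, each table should be gated on its own data, e.g. `{data_from_exploits.length > 0 ? <ReactTable ... /> : ''}`. In `getPowershellDataPerCategory`, `for (let rowIdx in this.props.data.cmds)` walks array keys as strings and `row.telem_category == category` is a loose comparison; `for (const row of this.props.data.cmds || [])` with `===` is the idiomatic form, the `|| []` keeping today's no-op when `cmds` is undefined. `info` in the PBA table is agent-reported command output rendered through a plain accessor, which React escapes as text — keep it that way rather than ever switching it to HTML rendering.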
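Review bot: Matching `\.ps1` against `data.result` marks a PBA as having used PowerShell whenever its output text mentions a `.ps1` path, which presumably includes failure output such as a not-found message, so a PBA that never executed a script can flip this technique to USED. If the post-breach telemetry carries a success indicator I would add it to the `$match`; otherwise the `data.result` alternative should at least carry a comment tying it to the PBA it exists for, e.g. `# 'Modify Shell Startup Files' reports the .ps1 path only in its result, not in data.command`. The enclosing `query_for_pbas` list starts and ends outside the hunk.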
From: Shreya Malviya Date: Mon, 11 Oct 2021 17:40:52 +0530 Subject: [PATCH 06/12] CHANGELOG: Add entry for T1086 reporting changes --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 295f25371..0e358f3d5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,7 @@ Changelog](https://keepachangelog.com/en/1.0.0/). as backdoor user". #1410 - Resetting login credentials also cleans the contents of the database. #1495 - ATT&CK report messages (more accurate now). #1483 +- T1086 (PowerShell) now also reports if ps1 scripts were run by PBAs. #1513 ### Removed - Internet access check on agent start. #1402 From 748bca43e9d019ef67534fc05df7b3b14798f24d Mon Sep 17 00:00:00 2001 From: Shreya Malviya Date: Mon, 11 Oct 2021 17:46:33 +0530 Subject: [PATCH 07/12] island: Fix eslint warnings (trailing comma and double quotes) --- .../cc/ui/src/components/attack/techniques/T1086.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1086.js b/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1086.js index 65f4a1300..2cc8b0790 100644 --- a/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1086.js +++ b/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1086.js @@ -40,7 +40,7 @@ class T1086 extends React.Component { Header: 'Machine', id: 'machine', accessor: x => renderMachineFromSystemData(x.machine), - style: {'whiteSpace': 'unset'}, + style: {'whiteSpace': 'unset'} }, { Header: 'Information', @@ -65,8 +65,8 @@ class T1086 extends React.Component { } render() { - let data_from_exploits = this.getPowershellDataPerCategory("exploit"); - let data_from_pbas = this.getPowershellDataPerCategory("post_breach"); + let data_from_exploits = this.getPowershellDataPerCategory('exploit'); + let data_from_pbas = this.getPowershellDataPerCategory('post_breach'); return (
From ee5585af755fbc3eab915ea6dcc5fc0668aeff9a Mon Sep 17 00:00:00 2001 From: Shreya Malviya Date: Mon, 11 Oct 2021 17:59:54 +0530 Subject: [PATCH 08/12] cc: Modify T1086 reporting to segregate per category more efficiently --- .../src/components/attack/techniques/T1086.js | 23 +++++++++++++------ 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1086.js b/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1086.js index 2cc8b0790..960fa25ea 100644 --- a/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1086.js +++ b/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1086.js @@ -52,21 +52,30 @@ class T1086 extends React.Component { }]) } - getPowershellDataPerCategory(category) { - let data = []; + segregatePowershellDataPerCategory() { + let exploit_category_name = 'exploit'; + let pba_category_name = 'post_breach'; + + let data_from_exploits = []; + let data_from_pbas = []; + for (let rowIdx in this.props.data.cmds) { let row = this.props.data.cmds[rowIdx]; - if (row.telem_category == category) { - data.push(row); + if (row.telem_category == exploit_category_name) { + data_from_exploits.push(row); + } + else if (row.telem_category == pba_category_name) { + data_from_pbas.push(row); } } - return data + return [data_from_exploits, data_from_pbas] } render() { - let data_from_exploits = this.getPowershellDataPerCategory('exploit'); - let data_from_pbas = this.getPowershellDataPerCategory('post_breach'); + let segregatedData = this.segregatePowershellDataPerCategory(); + let data_from_exploits = segregatedData[0]; + let data_from_pbas = segregatedData[1]; return (
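Review bot: `segregatePowershellDataPerCategory` keeps the loose `==` comparisons and the `for...in` over `this.props.data.cmds`, which iterates array indices as strings (plus any enumerable properties); `for (const row of this.props.data.cmds || [])` with `row.telem_category === exploit_category_name` / `=== pba_category_name` reads as intended, the `|| []` preserving today's no-op when `cmds` is undefined. Returning a positional pair `[data_from_exploits, data_from_pbas]` that `render` unpacks by index is fragile; an object `{exploits, pbas}` or at least a short JSDoc (`/** Splits props.data.cmds by telem_category into [exploit rows, post-breach rows]. */`) would make the order self-documenting. Rows with any other `telem_category` are dropped silently, which is fine but deserves a one-line comment.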
From e3045c255a4620bc412cf3c0c467a45484da8666 Mon Sep 17 00:00:00 2001 From: Shreya Malviya Date: Mon, 11 Oct 2021 18:02:17 +0530 Subject: [PATCH 09/12] cc: Change variables from snake case to camel case for consistency --- .../src/components/attack/techniques/T1086.js | 30 +++++++++---------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1086.js b/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1086.js index 960fa25ea..760170185 100644 --- a/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1086.js +++ b/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1086.js @@ -53,29 +53,29 @@ class T1086 extends React.Component { } segregatePowershellDataPerCategory() { - let exploit_category_name = 'exploit'; - let pba_category_name = 'post_breach'; + let exploitCategoryName = 'exploit'; + let pbaCategoryName = 'post_breach'; - let data_from_exploits = []; - let data_from_pbas = []; + let dataFromExploits = []; + let dataFromPBAs = []; for (let rowIdx in this.props.data.cmds) { let row = this.props.data.cmds[rowIdx]; - if (row.telem_category == exploit_category_name) { - data_from_exploits.push(row); + if (row.telem_category == exploitCategoryName) { + dataFromExploits.push(row); } - else if (row.telem_category == pba_category_name) { - data_from_pbas.push(row); + else if (row.telem_category == pbaCategoryName) { + dataFromPBAs.push(row); } } - return [data_from_exploits, data_from_pbas] + return [dataFromExploits, dataFromPBAs] } render() { let segregatedData = this.segregatePowershellDataPerCategory(); - let data_from_exploits = segregatedData[0]; - let data_from_pbas = segregatedData[1]; + let dataFromExploits = segregatedData[0]; + let dataFromPBAs = segregatedData[1]; return (
@@ -85,17 +85,17 @@ class T1086 extends React.Component {


: ''} From effd9dd957df24379bb31201412f838c9231608c Mon Sep 17 00:00:00 2001 From: Shreya Malviya Date: Wed, 13 Oct 2021 13:37:39 +0530 Subject: [PATCH 10/12] island: Modify mongo query so 'Account Discovery' PBA also gets reported in T1086 --- .../monkey_island/cc/services/attack/technique_reports/T1086.py | 1 + 1 file changed, 1 insertion(+) diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1086.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1086.py index 1d74bac61..1fd99500e 100644 --- a/monkey/monkey_island/cc/services/attack/technique_reports/T1086.py +++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1086.py @@ -42,6 +42,7 @@ class T1086(AttackTechnique): "telem_category": "post_breach", "$or": [ {"data.command": {"$regex": r"\.ps1"}}, + {"data.command": {"$regex": "powershell"}}, {"data.result": {"$regex": r"\.ps1"}}, ], }, From 82eea6a8450f7683f19384b83d5a76b52ef3aa85 Mon Sep 17 00:00:00 2001 From: Shreya Malviya Date: Wed, 13 Oct 2021 13:40:24 +0530 Subject: [PATCH 11/12] cc: Change wording for T1086 reporting --- .../cc/ui/src/components/attack/techniques/T1086.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1086.js b/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1086.js index 760170185..d0ee71f80 100644 --- a/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1086.js +++ b/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1086.js @@ -12,7 +12,7 @@ class T1086 extends React.Component { static getPowershellColumnsForExploits() { return ([{ - Header: 'PowerShell commands used on exploited machines', + Header: 'PowerShell commands used during exploitation', columns: [ { Header: 'Machine', 
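Review bot: The added `{"data.command": {"$regex": "powershell"}}` is case-sensitive, so a PBA command written as `PowerShell -Command ...` or `PowerShell.exe` is not matched, and the same applies to the neighbouring `\.ps1` alternatives; `{"data.command": {"$regex": "powershell", "$options": "i"}}` fixes this one. It is also an unanchored substring test, so any command that merely mentions the word (an `echo`, a file path) counts; acceptable as a heuristic, but say so, e.g. `# heuristic: PBA command text mentions powershell or a .ps1 script`. `query_for_pbas` starts and ends outside the hunk.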
@@ -34,7 +34,7 @@ class T1086 extends React.Component { static getPowershellColumnsForPBAs() { return ([{ - Header: 'PBAs that used PowerShell commands or scripts', + Header: 'Post-breach actions that used PowerShell commands/scripts', columns: [ { Header: 'Machine', From cff393fa6362e234b83c9e78a8b93e251e715a17 Mon Sep 17 00:00:00 2001 From: Shreya Malviya Date: Thu, 14 Oct 2021 12:54:21 +0530 Subject: [PATCH 12/12] island: Simplify tables' titles in T1086 report --- .../cc/ui/src/components/attack/techniques/T1086.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1086.js b/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1086.js index d0ee71f80..58fe16959 100644 --- a/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1086.js +++ b/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1086.js @@ -12,7 +12,7 @@ class T1086 extends React.Component { static getPowershellColumnsForExploits() { return ([{ - Header: 'PowerShell commands used during exploitation', + Header: 'Exploiters', columns: [ { Header: 'Machine', @@ -34,7 +34,7 @@ class T1086 extends React.Component { static getPowershellColumnsForPBAs() { return ([{ - Header: 'Post-breach actions that used PowerShell commands/scripts', + Header: 'Post-Breach Actions', columns: [ { Header: 'Machine',