Mongo query changes for T1156 and T1504
parent
f378c5e896
commit
56975acf81
@ -12,3 +12,15 @@ class T1156(PostBreachTechnique):
|
|||
scanned_msg = "Monkey tried modifying bash startup files but failed."
|
||||
used_msg = "Monkey successfully modified bash startup files."
|
||||
pba_names = [POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION]
|
||||
|
||||
@staticmethod
|
||||
def get_pba_query(*args):
|
||||
return [{'$match': {'telem_category': 'post_breach',
|
||||
'data.name': POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION}},
|
||||
{'$project': {'_id': 0,
|
||||
'machine': {'hostname': {'$arrayElemAt': ['$data.hostname', 0]},
|
||||
'ips': [{'$arrayElemAt': ['$data.ip', 0]}]},
|
||||
'result': '$data.result'}},
|
||||
{'$unwind': '$result'},
|
||||
{'$match': {'$or': [{'result': {'$regex': r'\.bash'}},
|
||||
{'result': {'$regex': r'\.profile'}}]}}]
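Review bot: The new `get_pba_query(*args)` in T1156 accepts `*args` that its body never reads and has no docstring, so a reader cannot tell whether the base class passes anything meaningful or why the parameter exists; the same applies to the copy added to T1504 in the next hunk. I would add a docstring along the lines of `"""Aggregation pipeline selecting post-breach telemetry for shell startup file modification. *args is accepted for interface compatibility and unused."""`, hedged as "presumably required by PostBreachTechnique" since the base class is outside this commit. The `$match`/`$project`/`$unwind` stages are byte-for-byte identical between the two techniques and only the final `$match` differs, so the shared prefix is a candidate for a helper on the base class, which would also keep the first-IP-only `'ips'` projection in one place. The `$unwind` on `'$result'` also assumes `data.result` is an array; if some telemetry reports a plain string this still yields one document on recent MongoDB versions, but that assumption is worth a one-line comment.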
|
||||
|
|
|
@ -12,3 +12,14 @@ class T1504(PostBreachTechnique):
|
|||
scanned_msg = "Monkey tried modifying powershell startup files but failed."
|
||||
used_msg = "Monkey successfully modified powershell startup files."
|
||||
pba_names = [POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION]
|
||||
|
||||
@staticmethod
|
||||
def get_pba_query(*args):
|
||||
return [{'$match': {'telem_category': 'post_breach',
|
||||
'data.name': POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION}},
|
||||
{'$project': {'_id': 0,
|
||||
'machine': {'hostname': {'$arrayElemAt': ['$data.hostname', 0]},
|
||||
'ips': [{'$arrayElemAt': ['$data.ip', 0]}]},
|
||||
'result': '$data.result'}},
|
||||
{'$unwind': '$result'},
|
||||
{'$match': {'result': {'$regex': r'profile\.ps1'}}}]
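Review bot: The final `$match` regex `profile\.ps1` is case-sensitive, while PowerShell profile paths on Windows are case-insensitive and the reported string may carry whatever casing the agent or environment produced (e.g. `Profile.ps1`), so such results would silently fall out of the technique's report. If the result text is not normalized before it is stored, `{'result': {'$regex': r'profile\.ps1', '$options': 'i'}}` makes the match robust without widening it. The regex is also unanchored, which is presumably intentional so that `Microsoft.PowerShell_profile.ps1` matches; a short comment stating that would save the next reader the guess.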
|
||||
|
|