diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1156.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1156.py
index f09b70391..2841ed0ad 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1156.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1156.py
@@ -12,3 +12,15 @@ class T1156(PostBreachTechnique):
 scanned_msg = "Monkey tried modifying bash startup files but failed."
 used_msg = "Monkey successfully modified bash startup files."
 pba_names = [POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION]
+
+ @staticmethod
+ def get_pba_query(*args):
+ return [{'$match': {'telem_category': 'post_breach',
+ 'data.name': POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION}},
+ {'$project': {'_id': 0,
+ 'machine': {'hostname': {'$arrayElemAt': ['$data.hostname', 0]},
+ 'ips': [{'$arrayElemAt': ['$data.ip', 0]}]},
+ 'result': '$data.result'}},
+ {'$unwind': '$result'},
+ {'$match': {'$or': [{'result': {'$regex': r'\.bash'}},
+ {'result': {'$regex': r'\.profile'}}]}}]
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1504.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1504.py
index db1ea8aa5..8d8956e6b 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1504.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1504.py
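Review bot: The final `$match` stage is the only thing that separates this report from the one in T1504.py, and it keys on unanchored `$regex` substring matches (`\.bash`, `\.profile`) over the free-text `result` entries, so attribution to T1156 silently depends on the exact wording the agent writes into `data.result`, which nothing in the hunk documents. A comment above the `return`, such as `# Bash and PowerShell share one PBA name; the result text is the only discriminator — keep these patterns in sync with the agent's result strings`, would make that coupling visible to whoever next edits the agent side. The first three stages (`$match` on `telem_category`/`data.name`, the `$project` of `machine` and `result`, and the `$unwind`) are byte-identical to those in T1504.py below and could be hoisted into a shared helper on PostBreachTechnique (defined outside this hunk) that takes only the final filter stage. `*args` is accepted but never read here, presumably to match the base-class signature; a one-line docstring stating that and describing the returned pipeline would help.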
@@ -12,3 +12,14 @@ class T1504(PostBreachTechnique):
 scanned_msg = "Monkey tried modifying powershell startup files but failed."
 used_msg = "Monkey successfully modified powershell startup files."
 pba_names = [POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION]
+
+ @staticmethod
+ def get_pba_query(*args):
+ return [{'$match': {'telem_category': 'post_breach',
+ 'data.name': POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION}},
+ {'$project': {'_id': 0,
+ 'machine': {'hostname': {'$arrayElemAt': ['$data.hostname', 0]},
+ 'ips': [{'$arrayElemAt': ['$data.ip', 0]}]},
+ 'result': '$data.result'}},
+ {'$unwind': '$result'},
+ {'$match': {'result': {'$regex': r'profile\.ps1'}}}]
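Review bot: The final `$match` uses a case-sensitive `$regex` of `profile\.ps1`, but this report is specifically about Windows/PowerShell, where paths are case-insensitive, so a `result` entry that carries the file name in a different casing (e.g. `Profile.ps1`) would not be attributed to T1504 even though the PBA ran. If the agent's result string is not guaranteed to use lower-case, `{'result': {'$regex': r'profile\.ps1', '$options': 'i'}}` keeps the same intent without that gap; if the casing is fixed by the agent, a short comment saying so above the stage would save the next reader the same question.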