Added hash parsing to the T1021 remote services attack technique.

VakarisZ 2019-08-22 09:28:53 +03:00
parent 6a1bc4ba96
commit 9b23be44ed
1 changed files with 2 additions and 6 deletions


@ -22,18 +22,14 @@ class T1021(AttackTechnique):
'attempt_cnt': {'$size': '$data.attempts'},
'attempts': {'$filter': {'input': '$data.attempts',
'as': 'attempt',
'cond': {'$and': [{'$eq': ['$$attempt.result', True]},
{'$or': [{'$ne': ['$$attempt.password', '']},
{'$ne': ['$$attempt.ssh_key', '']}]}]
}
'cond': {'$eq': ['$$attempt.result', True]}
}
}
}
}]
scanned_query = {'telem_category': 'exploit',
'data.attempts': {'$elemMatch': {'$or': [{'password': {'$ne': ''}},
{'ssh_key': {'$ne': ''}}]}}}
'data.attempts': {'$elemMatch': {'result': True}}}
@staticmethod
def get_report_data():
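Review bot: `scanned_query` now matches only telemetry that contains a successful attempt (`{'$elemMatch': {'result': True}}`), while the removed version matched any attempt carrying a password or SSH key, whatever its outcome. The body of `get_report_data` is outside the hunk, so this is inferred from the name: if this query separates "attempted" from "never attempted", hosts where every remote-service login failed will no longer be reported as scanned, and the report loses visibility of unsuccessful credential use. Consider matching on the presence of attempts instead, for example `'data.attempts': {'$not': {'$size': 0}}`, and leaving the success test to the `$filter` stage. The relaxed `$filter` also admits a successful attempt whose credential fields are all empty, so the code that parses each attempt should handle that case. A comment above the `$filter` would help, such as `# keep every successful attempt; credential type (password, ssh key, hash) is resolved when parsing`.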