From 455c6628c325b740e9687985073c9d67a05c86af Mon Sep 17 00:00:00 2001
From: Eric Capuano
Date: Fri, 26 Dec 2025 22:06:53 -0600
Subject: [PATCH] Add MongoDB log collection target for CVE-2025-14847 incident response
Adds MongoDBLogs.tkape to collect MongoDB log files from common Windows installation paths, supporting detection and investigation of CVE-2025-14847 (MongoBleed) exploitation attempts.
Log paths covered:
- C:\Program Files\MongoDB\Server\*\log(s)\
- C:\data\log\
- C:\ProgramData\MongoDB\log\
- C:\MongoDB\log\
Updates ServerTriage.tkape to include MongoDB logs in the compound target for generic server artifact collection.
---
 Targets/Compound/ServerTriage.tkape | 7 ++++-
 Targets/Logs/MongoDBLogs.tkape | 44 +++++++++++++++++++++++++++++
 2 files changed, 50 insertions(+), 1 deletion(-)
 create mode 100644 Targets/Logs/MongoDBLogs.tkape
diff --git a/Targets/Compound/ServerTriage.tkape b/Targets/Compound/ServerTriage.tkape
index 9efe84b7b..c47a35c6d 100644
--- a/Targets/Compound/ServerTriage.tkape
+++ b/Targets/Compound/ServerTriage.tkape
@@ -1,6 +1,6 @@
 Description: A compound target for gathering artifacts common to servers.
 Author: Eric Capuano
-Version: 1.0
+Version: 1.1
 Id: 9bea625c-00bd-4389-a0a5-f648e8e267ce
 RecreateDirectories: true
 Targets:
@@ -8,6 +8,10 @@ Targets:
 Name: WebServers
 Category: Compound
 Path: WebServers.tkape
+ - Name: MongoDB Logs
+ Category: Logs
+ Path: MongoDBLogs.tkape
 - Name: Exchange
 Category: Compound
@@ -30,4 +34,5 @@ Targets:
 Path: ManageEngineLogs.tkape
 # Documentation
+# v1.1 - Added MongoDB Logs target
 # A Target to run on generic servers when their role is unknown. Includes common server applications.
diff --git a/Targets/Logs/MongoDBLogs.tkape b/Targets/Logs/MongoDBLogs.tkape
new file mode 100644
index 000000000..f35e7a880
--- /dev/null
+++ b/Targets/Logs/MongoDBLogs.tkape 
@@ -0,0 +1,44 @@
+Description: MongoDB Log Files (Windows)
+Author: Eric Capuano
+Version: 1.0
+Id: 2e5c341b-d10a-466d-a40e-abb478212e00
+RecreateDirectories: true
+Targets:
+ -
+ Name: MongoDB Logs (Program Files)
+ Category: Logs
+ Path: C:\Program Files\MongoDB\Server\*\log\
+ Recursive: true
+ FileMask: "*.log*"
+ Comment: "MongoDB log files in default MSI install log directory"
+ -
+ Name: MongoDB Logs (Program Files - logs folder)
+ Category: Logs
+ Path: C:\Program Files\MongoDB\Server\*\logs\
+ Recursive: true
+ FileMask: "*.log*"
+ Comment: "MongoDB log files when folder is named 'logs'"
+ -
+ Name: MongoDB Logs (C:\data\log)
+ Category: Logs
+ Path: C:\data\log\
+ Recursive: true
+ FileMask: "*.log*"
+ Comment: "Common default MongoDB log directory for manual installations"
+ -
+ Name: MongoDB Logs (ProgramData)
+ Category: Logs
+ Path: C:\ProgramData\MongoDB\log\
+ Recursive: true
+ FileMask: "*.log*"
+ Comment: "Log directory for MongoDB Windows service installations"
+ -
+ Name: MongoDB Logs (Alternate Install)
+ Category: Logs
+ Path: C:\MongoDB\log\
+ Recursive: true
+ FileMask: "*.log*"
+ Comment: "Common non-default install log directory"
+
+# Documentation
+# https://www.mongodb.com/docs/manual/reference/log-messages/
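Review bot: Every entry in this new target hard-codes a log directory, but mongod writes wherever `systemLog.path` in mongod.cfg points, so a server whose logs were redirected to another folder or drive yields an empty collection with nothing telling the analyst that the evidence for the CVE-2025-14847 investigation was missed. Collecting the configuration file alongside the logs lets the responder recover the real log path (and see exposure-relevant settings such as net.bindIp and security.authorization) even when none of the five guessed directories exist; I'd add a sixth entry for mongod.cfg, which the MSI installer places under the version's bin folder as far as I recall — confirm the path. Whether KAPE's `Path` accepts a drive-letter wildcard for non-C: installs I cannot tell from this file, so that is left as a follow-up. Separately, `FileMask: "*.log*"` silently skips a log whose configured filename lacks a `.log` extension, which is worth stating in the Comment, e.g. `Comment: "Only matches *.log*; check mongod.cfg systemLog.path for differently named logs"`.
```yaml
# … unchanged: the five existing MongoDB log entries …
  -
    Name: MongoDB Configuration (Program Files)
    Category: Config
    Path: C:\Program Files\MongoDB\Server\*\bin\
    FileMask: mongod.cfg
    Comment: "mongod.cfg records systemLog.path; use it to locate logs stored outside the directories above"
```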