2_ds_qush_reveal.md
June 14, 2023
| Use-Case | Event Types/Parsers | MITRE ATT&CK® TTP | Content |
|---|---|---|---|
| Data Leak | dlp-alert ↳ qush-reveal-dlp-alert<br>file-write ↳ qush-reveal-file-write-1, qush-reveal-file-write<br>print-activity ↳ qush-reveal-print-activity<br>usb-insert ↳ qush-reveal-usb-insert<br>web-activity-allowed ↳ qush-reveal-web-activity, qush-reveal-web-activity-1 | T1020 - Automated Exfiltration<br>T1041 - Exfiltration Over C2 Channel<br>T1052 - Exfiltration Over Physical Medium<br>T1052.001 - Exfiltration Over Physical Medium: Exfiltration over USB<br>T1071 - Application Layer Protocol<br>T1071.001 - Application Layer Protocol: Web Protocols<br>T1091 - Replication Through Removable Media<br>T1114.001<br>T1567 - Exfiltration Over Web Service<br>T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage<br>TA0010 | |
| Privilege Abuse | file-upload ↳ qush-reveal-file-upload-1, qush-reveal-file-upload<br>file-write ↳ qush-reveal-file-write-1, qush-reveal-file-write<br>remote-logon ↳ qush-reveal-remote-logon<br>web-activity-allowed ↳ qush-reveal-web-activity, qush-reveal-web-activity-1 | T1071.001 - Application Layer Protocol: Web Protocols<br>T1078 - Valid Accounts<br>T1078.002 | |
| Privileged Activity | file-upload ↳ qush-reveal-file-upload-1, qush-reveal-file-upload<br>file-write ↳ qush-reveal-file-write-1, qush-reveal-file-write<br>remote-logon ↳ qush-reveal-remote-logon<br>web-activity-allowed ↳ qush-reveal-web-activity, qush-reveal-web-activity-1 | T1021 - Remote Services<br>T1068 - Exploitation for Privilege Escalation<br>T1071.001 - Application Layer Protocol: Web Protocols<br>T1078 - Valid Accounts<br>T1078.002<br>T1102 - Web Service | |