Vendor: QUSH

June 14, 2023

Product: Reveal

Content summary:
  • 251 Rules
  • 109 Models
  • 40 MITRE ATT&CK® TTPs
  • 8 Event Types
  • 8 Parsers
Use-case coverage (Use-Case / Event Types and Parsers / MITRE ATT&CK® TTPs / Content)

Use-Case: Abnormal Authentication & Access
  Event Types / Parsers:
    nac-logon: qush-reveal-nac-logon
    print-activity: qush-reveal-print-activity
    remote-logon: qush-reveal-remote-logon
    web-activity-allowed: qush-reveal-web-activity, qush-reveal-web-activity-1
  MITRE ATT&CK® TTPs:
    T1021 - Remote Services
    T1071.001 - Application Layer Protocol: Web Protocols
    T1078 - Valid Accounts
    T1078.002 - Valid Accounts: Domain Accounts
    T1078.003 - Valid Accounts: Local Accounts
    T1133 - External Remote Services
  Content:
    • 41 Rules
    • 23 Models

Use-Case: Compromised Credentials
  Event Types / Parsers:
    file-write: qush-reveal-file-write-1, qush-reveal-file-write
    nac-logon: qush-reveal-nac-logon
    remote-logon: qush-reveal-remote-logon
    web-activity-allowed: qush-reveal-web-activity, qush-reveal-web-activity-1
  MITRE ATT&CK® TTPs:
    T1003.002 - OS Credential Dumping: Security Account Manager
    T1003.003 - OS Credential Dumping: NTDS
    T1021 - Remote Services
    T1071.001 - Application Layer Protocol: Web Protocols
    T1078 - Valid Accounts
    T1078.002 - Valid Accounts: Domain Accounts
    T1078.003 - Valid Accounts: Local Accounts
    T1083 - File and Directory Discovery
    T1102 - Web Service
    T1133 - External Remote Services
    T1189 - Drive-by Compromise
    T1190 - Exploit Public-Facing Application
    T1204.001 - User Execution: Malicious Link
    T1550 - Use Alternate Authentication Material
    T1550.003 - Use Alternate Authentication Material: Pass the Ticket
    T1558 - Steal or Forge Kerberos Tickets
    T1566.002 - Phishing: Spearphishing Link
    T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  Content:
    • 109 Rules
    • 55 Models

Use-Case: Cryptomining
  Event Types / Parsers:
    web-activity-allowed: qush-reveal-web-activity, qush-reveal-web-activity-1
  MITRE ATT&CK® TTPs:
    T1071.001 - Application Layer Protocol: Web Protocols
    T1496 - Resource Hijacking
  Content:
    • 2 Rules

Use-Case: Data Access
  Event Types / Parsers:
    file-write: qush-reveal-file-write-1, qush-reveal-file-write
  MITRE ATT&CK® TTPs:
    T1083 - File and Directory Discovery
  Content:
    • 24 Rules
    • 13 Models

Use-Case: Data Exfiltration
  Event Types / Parsers:
    dlp-alert: qush-reveal-dlp-alert
    file-write: qush-reveal-file-write-1, qush-reveal-file-write
    web-activity-allowed: qush-reveal-web-activity, qush-reveal-web-activity-1
  MITRE ATT&CK® TTPs:
    T1020 - Automated Exfiltration
    T1041 - Exfiltration Over C2 Channel
    T1071 - Application Layer Protocol
    T1071.001 - Application Layer Protocol: Web Protocols
    T1567 - Exfiltration Over Web Service
    T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
    T1568 - Dynamic Resolution
    T1568.002 - Dynamic Resolution: Domain Generation Algorithms
    TA0002 - Execution (tactic)
    TA0010 - Exfiltration (tactic)
  Content:
    • 38 Rules
    • 21 Models

Use-Case: Lateral Movement
  Event Types / Parsers:
    nac-logon: qush-reveal-nac-logon
    remote-logon: qush-reveal-remote-logon
    web-activity-allowed: qush-reveal-web-activity, qush-reveal-web-activity-1
  MITRE ATT&CK® TTPs:
    T1018 - Remote System Discovery
    T1021 - Remote Services
    T1071.001 - Application Layer Protocol: Web Protocols
    T1078 - Valid Accounts
    T1090.003 - Proxy: Multi-hop Proxy
    T1190 - Exploit Public-Facing Application
    T1550 - Use Alternate Authentication Material
    T1550.002 - Use Alternate Authentication Material: Pass the Hash
    T1550.003 - Use Alternate Authentication Material: Pass the Ticket
    T1558 - Steal or Forge Kerberos Tickets
    T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
  Content:
    • 43 Rules
    • 16 Models

Use-Case: Malware
  Event Types / Parsers:
    dlp-alert: qush-reveal-dlp-alert
    file-write: qush-reveal-file-write-1, qush-reveal-file-write
    remote-logon: qush-reveal-remote-logon
    web-activity-allowed: qush-reveal-web-activity, qush-reveal-web-activity-1
  MITRE ATT&CK® TTPs:
    T1003.002 - OS Credential Dumping: Security Account Manager
    T1071.001 - Application Layer Protocol: Web Protocols
    T1078 - Valid Accounts
    T1189 - Drive-by Compromise
    T1190 - Exploit Public-Facing Application
    T1204.001 - User Execution: Malicious Link
    T1505.003 - Server Software Component: Web Shell
    T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
    T1550.003 - Use Alternate Authentication Material: Pass the Ticket
    T1558 - Steal or Forge Kerberos Tickets
    T1566.002 - Phishing: Spearphishing Link
    T1568.002 - Dynamic Resolution: Domain Generation Algorithms
    TA0002 - Execution (tactic)
  Content:
    • 39 Rules
    • 12 Models

Use-Case: Phishing
  Event Types / Parsers:
    web-activity-allowed: qush-reveal-web-activity, qush-reveal-web-activity-1
  MITRE ATT&CK® TTPs:
    T1189 - Drive-by Compromise
    T1204.001 - User Execution: Malicious Link
    T1534 - Internal Spearphishing
    T1566.002 - Phishing: Spearphishing Link
    T1598.003 - Phishing for Information: Spearphishing Link
  Content:
    • 4 Rules

Use-Case: Privilege Escalation
  Event Types / Parsers:
    remote-logon: qush-reveal-remote-logon
  MITRE ATT&CK® TTPs:
    T1078 - Valid Accounts
    T1555.005 - Credentials from Password Stores: Password Managers
  Content:
    • 2 Rules
    • 1 Model

Use-Case: Ransomware
  Event Types / Parsers:
    file-write: qush-reveal-file-write-1, qush-reveal-file-write
    remote-logon: qush-reveal-remote-logon
    web-activity-allowed: qush-reveal-web-activity, qush-reveal-web-activity-1
  MITRE ATT&CK® TTPs:
    T1071.001 - Application Layer Protocol: Web Protocols
    T1078 - Valid Accounts
    T1486 - Data Encrypted for Impact
  Content:
    • 3 Rules

Use-Case: Workforce Protection
  Event Types / Parsers:
    web-activity-allowed: qush-reveal-web-activity, qush-reveal-web-activity-1
  MITRE ATT&CK® TTPs:
    T1071.001 - Application Layer Protocol: Web Protocols
  Content:
    • 4 Rules
    • 2 Models

MITRE ATT&CK® Framework for Enterprise

Techniques covered, grouped by tactic:

Initial Access:
  • Phishing: Spearphishing Link
  • External Remote Services
  • Valid Accounts
  • Drive-by Compromise
  • Exploit Public-Facing Application
  • Replication Through Removable Media
  • Phishing

Execution:
  • User Execution

Persistence:
  • External Remote Services
  • Valid Accounts
  • Server Software Component: Web Shell
  • Server Software Component
  • Boot or Logon Autostart Execution

Privilege Escalation:
  • Valid Accounts
  • Exploitation for Privilege Escalation
  • Boot or Logon Autostart Execution

Defense Evasion:
  • Valid Accounts
  • Use Alternate Authentication Material
  • Use Alternate Authentication Material: Pass the Hash
  • Use Alternate Authentication Material: Pass the Ticket
  • Valid Accounts: Local Accounts

Credential Access:
  • OS Credential Dumping
  • Steal or Forge Kerberos Tickets
  • Credentials from Password Stores
  • Steal or Forge Kerberos Tickets: Kerberoasting

Discovery:
  • File and Directory Discovery
  • Remote System Discovery

Lateral Movement:
  • Remote Services
  • Use Alternate Authentication Material
  • Replication Through Removable Media
  • Internal Spearphishing

Collection:
  • Email Collection

Command and Control:
  • Web Service
  • Application Layer Protocol: Web Protocols
  • Dynamic Resolution
  • Dynamic Resolution: Domain Generation Algorithms
  • Proxy: Multi-hop Proxy
  • Application Layer Protocol
  • Proxy

Exfiltration:
  • Exfiltration Over Physical Medium: Exfiltration over USB
  • Exfiltration Over C2 Channel
  • Exfiltration Over Physical Medium
  • Automated Exfiltration
  • Exfiltration Over Web Service: Exfiltration to Cloud Storage
  • Exfiltration Over Web Service

Impact:
  • Resource Hijacking
  • Data Encrypted for Impact