Hello,

During the analysis of the report of the Immediate Threats test “GLOBEIMPOSTER RANSOMWARE WITH MEDUSALOCKER SPREADING VIA RDP” we verified that the access to a malicious URL has been correctly blocked. The related event registered by the SIEM reports: the action is blocked because “Not allowed to use this browser”. The user agent reported in the event is “useragent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36”.

Our doubt is related to the fact that none of the reported browser versions is currently installed on the host where the agent is running. We would like to ask if the agent uses an internal browser that is different from the default one used on the host? Thank you in advance!

Lucio
Hi All, I would like to know if Cymulate has any module which has the feature of dynamic web application assessment and penetration testing?
Our research team just published a new advanced scenario template for Command and Control attack tactical steps. A full description is available here, but you can get an immediate preview of how it looks in the Cymulate Advanced Scenarios interface.

Preview of the Command & Control Template in Action

After creating an assessment from the Top Credential Dumping Command & Control Template from the Advanced Scenario tab:

- Check the results.
- Get more information.
- Get mitigation guidance.
- After mitigation, verify the effectiveness of the implemented mitigation measures at a click by re-running the assessment.

The Command and Control template is the third of an ongoing series of templates covering additional attack categories. The two previous ones were credential dumping executions that lead to gaining an initial foothold through abusing credentials, and data exfiltration executions leading to data theft. Knowing the effectiveness of people, processes, and technology enables or
DotRunpeX – Demystifying new virtualized .NET injector used in the wild

The DotRunpeX injector commonly comes as a second stage of the original infection. The typical first stages are very different variants of .NET loaders/downloaders. The first-stage loaders are primarily being delivered via phishing emails as malicious attachments (usually as a part of “.iso”, “.img”, “.zip”, and “.7z”) or via websites masquerading as regular program utilities. Apart from the most common infection vectors, the customers of dotRunpeX are not ashamed to abuse Google Ads or even target other potential attackers via trojanized malware builders. All of the trojanized programs contain the main .NET application enlarged with an overlay, very likely to avoid scanning with sandboxes. The .NET applications with overlay are the typical first stages, behaving as dotnet loaders with simple obfuscation. These different variants of loaders use reflection to load the dotRunpeX injector in the second stage. Some of them are v
Cymulate’s honeypot network was able to track a massive load of exploitation of CVE-2022-27255 (RCE) with the Suricata signature “ET EXPLOIT Realtek eCos RSDK/MSDK Stack-based Buffer Overflow Attempt Inbound”, ID “2038669”.

CVE-2022-27255 [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27255]: in Realtek eCos RSDK 1.5.7p1 and MSDK 4.9.4p1, the SIP ALG function that rewrites SDP data has a stack-based buffer overflow. This allows an attacker to remotely execute code without authentication via a crafted SIP packet that contains malicious SDP data.

We think that these new attacks are related to the Infobyte demonstration at Defcon of a new vulnerability they found. The POC exploit provided by Infobyte can be found on their GitHub: https://github.com/infobyte/cve-2022-27255/tree/main/exploits_nexxt. Their GitHub includes both analysis (a test to see if you are vulnerable or not) and also the POC of the exploitation. This easily means that attackers follow all kinds of security confer
UPDATE: I just checked the console and now it appears to be connected. It looks like it takes about 10 to 15 minutes post-reboot to come up. Seems a bit long, but I’ll take it for now. :-) I recently installed the service based agent on three machines. Two are running Windows Server 2019 and the other is running Windows 10 Pro. The two machines running Windows Server are working properly. On the Windows 10 Pro machine, the service based agent will only connect to the gateway when the user account is logged on. Has anyone seen this? The PC is joined to an Azure AD domain, so it’s not a traditional AD setup. This agent is configured for the email assessments as well, while the other two are not. Any ideas on how to solve this, or is this expected behavior given how this machine is configured? Thanks.
I have installed the latest Cymulate service based agent on my Windows 10 box. I cannot seem to find the CLI anywhere on the system. Is it installed with the agent installation or do I need to grab it from someplace on the site? When I open CMD as an admin and run any of the “cymulate” commands, it tells me that the command cannot be found.
APT 32 initiates its attack by downloading and executing a VBA script. It then proceeds to execute commands using the Windows Event Log, downloads a file from the internet, and executes a batch script. APT 32 creates persistence in the registry run keys and verifies the success of the created persistence. It then attempts to discover domain admins, steal credentials from the local machine, and use them to attempt lateral movement. It also maps admin shares, logs key inputs, discovers the file and directory structure, retrieves system information, encrypts files, and compresses and exfiltrates data in parallel. Finally, it lists credential files stored in current user AppData folders, performs DLL Search Order Hijacking, enumerates non-default installed applications, installs and runs a service, and creates a new user.
Hi,

When I attempt to add a user profile for testing with a domain user, after I click add, the Cymulate interface comes back with “Could not save profile”. The profile creation does not work. Tried with a couple of existing domain accounts and a new one. Does anyone know how to resolve this issue?

Thanks,
Richard
Hello Cymulate community,

We are designing phishing campaigns and we would like to "clone" landing pages or login pages from our corporate websites because trying to copy them with the design tools is practically impossible. My users are trained to be wary of poorly designed pages. How do you load "realistic" templates for your campaigns? Thanks
What do I need to do to setup the Web Gateway assessment to work with Zscaler proxy?
We have a client with the need to access GSuite but has a policy to deny outgoing IMAP. Is there any plan to support HTTP API access?
I am new to Cymulate and want to integrate with Microsoft Sentinel. I want to understand how to work on the integration. Please share any documentation for referencing purposes.
We have found that on a system where the Cymulate agent is installed, its https service is not getting up and is showing red. It shows that there is no authenticated client on the system.