What HTTP methods are used in Data Exfiltration?
Hello Teams,

I'm an MSSP, and my client sent me an issue: their DLP vendor said their solution can only detect data that is exfiltrated via HTTP GET methods. I can see that the Browsing HTTP/HTTPS channel uses an HTTP GET response to exfiltrate data to Cymulate. But what about the other channels?

In the attack logs, I can see OneDrive and GitHub; these channels are using an API call: PUT https://xxxx.xxxxx. It seems they are using HTTP PUT methods, right?

Could you help me clarify which HTTP methods are used in each channel? That is what my client and their DLP vendor want to know, so that they can try to optimize their solution.
What kind of account is needed to run the Cymulate Agent?
Prior to configuring the Cymulate agent, we are going to create a separate domain account just for the purpose of this testing. What kind of account is preferred: a user account with local admin privileges, or a service account with elevated privileges?
Web Gateway agent
Hello,

During the analysis of the report of the Immediate Threats test "GLOBEIMPOSTER RANSOMWARE WITH MEDUSALOCKER SPREADING VIA RDP", we verified that the access to a malicious URL has been correctly blocked. The related event registered by the SIEM reports that the action is blocked because "Not allowed to use this browser". The user agent reported in the event is "useragent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36".

Our doubt is related to the fact that none of the reported browser versions is currently installed on the host where the agent is running. We would like to ask whether the agent uses an internal browser that is different from the default one used on the host?

Thank you in advance!
Lucio
Immediate Threats - CrowdStrike doesn't show file execution logs
Hi All, I was analyzing a few Immediate Threat reports and saw that some binaries were executed by Cymulate and not prevented by CrowdStrike. But a hash search in CS doesn't show any sign of the file execution. Why does this happen? Is this something to do with the file exclusion?
Service based agent connection
UPDATE: I just checked the console and now it appears to be connected. It looks like it takes about 10 to 15 minutes post-reboot to come up. Seems a bit long, but I'll take it for now. :-)

I recently installed the service based agent on three machines. Two are running Windows Server 2019 and the other is running Windows 10 Pro. The two machines running Windows Server are working properly. On the Windows 10 Pro machine, the service based agent will only connect to the gateway when the user account is logged on. Has anyone seen this? The PC is joined to an Azure AD domain, so it's not a traditional AD setup. This agent is configured for the email assessments as well, while the other two are not. Any ideas on how to solve this, or is this expected behavior given how this machine is configured? Thanks.
Accessing the CLI
I have installed the latest Cymulate service based agent on my Windows 10 box. I cannot seem to find the CLI anywhere on the system. Is it installed with the agent installation, or do I need to grab it from someplace on the site? When I open CMD as an admin and run any of the "cymulate" commands, it tells me that the command cannot be found.
Add profile to service based agent - Could not save profile
Hi,

When I attempt to add a user profile for testing with a domain user, after I click Add, the Cymulate interface comes back with "Could not save profile". The profile creation does not work. I tried with a couple of existing domain accounts and a new one.

Does anyone know how to resolve this issue?

Thanks,
Richard
Agent Not Elevated - Service agent needs to be elevated to run Advanced Scenarios
When I attempt to run advanced scenarios, such as "Domain Password Strength Evaluation", the agent needs to be elevated. As it is not, the scenario fails to run.

Does this require the service account that runs on the Cymulate server to use a domain account, and specifically one with privileged rights? What is the recommended approach, and is there a tech note to cover this?

Thanks,
Richard
Cloning real landing pages
Hello Cymulate community,

We are designing phishing campaigns and we would like to "clone" landing pages or login pages from our corporate websites, because trying to copy them with the design tools is practically impossible. My users are trained to be wary of poorly designed pages. How do you load "realistic" templates for your campaigns? Thanks
Where to find Client ID for Cymulate portal
Hello Team,

I am in the process of setting up SSO for Azure, and it requires the Client ID from the Cymulate portal. As per the instructions, it should be next to Name and it is a combination of numbers and letters, but I could not see it anywhere. Can you please share your thoughts on this one?
[Endpoint Security Module] Access is denied
Hello everyone!

I have launched an Endpoint Security Assessment which has failed. The main error is "Access is denied":

An error occurred trying to start process 'C:\Program Files\Cymulate\Agent\Executor\36.0\CymulateEDRScenarioExecutor.exe' with working directory 'C:\Program Files\Cymulate\Agent\Executor\36.0'. Access is denied.

I have done some debugging of the problem and I can confirm that the user exists on the machine, and that the exceptions made in the EDR are the following:

ProgramData\Cymulate\Agent\**
Program Files\Cymulate\Executor\**
Program Files\Cymulate\CLI\**
Program Files\Cymulate\Service\**
Program Files\Cymulate\Agent\*

Has anyone else experienced this error on the Endpoint Security Module or in another one? How could I debug this error more deeply?

Thank you very much!
Service Based Agent - Reconnect
Morning,

Does anyone know what would happen in the scenario below, should the agent lose connectivity to the network when running an Endpoint Security assessment? Would it reconnect and continue when a network is available? Would it have to be on the same network for the assessment to start running again from where it left off? Is there a time limit to how long before it would give up and not try reconnecting?

Any help/knowledge shared would be greatly appreciated.
Agent log disk space
Hello!

Are there any best practices for managing agent logs on Windows machines? Specifically, we are interested in best practices for managing the disk space, because we verified that after a year the disk is full and we need to decide which logs can be deleted. Moreover, is there a configuration in the Agent or in the platform that can be set to overwrite past logs?

Thank you,
Lucio
Configure the Hopper template
Hi,

Ref to this guide: If I don't define any Scope Range and leave the field empty, will the agent scan and try to reach every single network/IP it can find? Or will the agent never leave the server on which it was installed? So the final question is: is it required to fill in the scope or exclude range?
Abort a running Hopper assessment
Hi,

Is it possible to abort a (lateral movement) Hopper assessment after launch? And what will happen with the Hopper "agent" if the agent was able to jump to, let's say, 3 servers? Will the agent kill the Hopper "process" itself if it doesn't get some kind of "keep-alive" signal back from the "mother" Hopper? Or will the Hopper continue doing its tasks until it doesn't get any feedback?