
Cymulate v2

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

Multi-Vector Cyber Attack, Breach and Attack Simulation. This integration was integrated and tested with API version 1 of Cymulate.

Configure cymulate_v2 on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for cymulate_v2.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Description | Required |
    | --- | --- | --- |
    | API token | | True |
    | Base URL | | False |
    | Fetch incidents | | False |
    | Fetch category | Choose one or more categories to fetch. | False |
    | Incident type | | False |
    | First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days) | | False |
    | Max Fetch | Maximal number of incidents to fetch. Max value can be no greater than 35. | False |
    | Trust any certificate (not secure) | | False |
    | Use system proxy settings | | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

Fetch Incidents command

Retrieves new incidents every interval (default is 1 minute). The fetch incidents command retrieves incidents from all modules the user selected on the configuration page. The next run is calculated from the latest timestamp of all modules, to avoid duplicates. NOTE: only one module is fetched per fetch call.
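The bookkeeping behind that paragraph is easy to get wrong (duplicate incidents when Max Fetch splits a batch, or lost events when the timestamp advances past events that were never returned). The following is an added example, not the integration's own code, that models the described behaviour: one module per fetch call, the Max Fetch cap of 35, and a stored timestamp that advances without producing the same incident twice. The per-module cursor that also remembers the IDs already returned at the boundary timestamp is this example's own design choice; the events, module names and status values are constructed sample data.

```python
"""Fetch-incidents bookkeeping for a multi-module source (added example, constructed data)."""
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

MAX_FETCH_LIMIT = 35  # the cap stated for the "Max Fetch" parameter

# Constructed sample events, keyed by module. Two WAF events share a timestamp
# on purpose, to exercise the dedup logic when Max Fetch splits them.
SAMPLE_EVENTS: Dict[str, List[dict]] = {
    "waf": [
        {"Id": "waf-1", "Timestamp": "2021-02-28T14:33:41Z", "Status": "blocked"},
        {"Id": "waf-2", "Timestamp": "2021-02-28T14:33:41Z", "Status": "penetrated"},
        {"Id": "waf-3", "Timestamp": "2021-02-28T14:35:00Z", "Status": "blocked"},
    ],
    "exfiltration": [
        {"Id": "exf-1", "Timestamp": "2021-02-28T13:00:00Z", "Status": "blocked"},
        {"Id": "exf-2", "Timestamp": "2021-02-28T14:40:00Z", "Status": "penetrated"},
    ],
}


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the sample data."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def fetch_incidents(last_run: dict, modules: List[str], max_fetch: int,
                    events_by_module: Optional[Dict[str, List[dict]]] = None) -> Tuple[dict, List[dict]]:
    """One fetch call: serve the next module in rotation, return (new_last_run, incidents).

    last_run carries "first_fetch" (ISO timestamp), "cursors" (per-module boundary
    time plus the IDs already returned at exactly that time) and "next_module_index".
    """
    if events_by_module is None:
        events_by_module = SAMPLE_EVENTS
    limit = max(1, min(max_fetch, MAX_FETCH_LIMIT))  # enforce the documented cap
    index = last_run.get("next_module_index", 0) % len(modules)
    module = modules[index]  # only one module per fetch call, as the page notes

    cursors = {m: dict(c) for m, c in last_run.get("cursors", {}).items()}
    cursor = cursors.get(module, {"time": last_run["first_fetch"], "ids": []})
    boundary = parse_ts(cursor["time"])
    seen_at_boundary = set(cursor["ids"])

    # Keep events newer than the boundary, or at the boundary but not yet returned.
    fresh = [
        e for e in sorted(events_by_module.get(module, []), key=lambda e: (e["Timestamp"], e["Id"]))
        if parse_ts(e["Timestamp"]) > boundary
        or (parse_ts(e["Timestamp"]) == boundary and e["Id"] not in seen_at_boundary)
    ][:limit]

    incidents = [
        {"name": f"Cymulate {module}: {e['Id']}", "occurred": e["Timestamp"], "rawJSON": json.dumps(e)}
        for e in fresh
    ]

    if fresh:
        newest = fresh[-1]["Timestamp"]
        ids_at_newest = [e["Id"] for e in fresh if e["Timestamp"] == newest]
        if newest == cursor["time"]:  # boundary did not move: extend the seen set instead
            ids_at_newest = cursor["ids"] + ids_at_newest
        cursor = {"time": newest, "ids": ids_at_newest}
    cursors[module] = cursor

    new_last_run = {"first_fetch": last_run["first_fetch"], "cursors": cursors,
                    "next_module_index": index + 1}
    return new_last_run, incidents


def run_fetch_cycles(calls: int, max_fetch: int, modules=("waf", "exfiltration")) -> List[str]:
    """Drive several consecutive fetch calls and return the IDs of all incidents created."""
    last_run = {"first_fetch": "2021-02-28T12:00:00Z"}
    created: List[str] = []
    for _ in range(calls):
        last_run, incidents = fetch_incidents(last_run, list(modules), max_fetch)
        created.extend(json.loads(i["rawJSON"])["Id"] for i in incidents)
    return created


if __name__ == "__main__":
    # With Max Fetch 1, seven calls still yield every sample event exactly once.
    print(run_fetch_cycles(calls=7, max_fetch=1))
```

With `max_fetch=1` the two WAF events that share a timestamp are returned on separate calls and neither is repeated, which is the case a plain "strictly newer than last timestamp" cursor gets wrong.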

cymulate-exfiltration-template-list

Retrieve the exfiltration template list.

Base Command

cymulate-exfiltration-template-list

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cymulate.Exfiltration.Template.id | String | Template ID. |
| Cymulate.Exfiltration.Template.name | String | Template name. |

Command Example

!cymulate-exfiltration-template-list

Context Example

{
"Cymulate": {
"Exfiltration": {
"Templates": [
{
"id": "5df0e79b85a00138dc648e75",
"name": "Cymulate Best Practice"
},
{
"id": "5df0e7d585a00138dc648e8f",
"name": "Cloud Services"
},
{
"id": "5df0e80885a00138dc648ea7",
"name": "Network Protocols"
},
{
"id": "5df0e82e85a00138dc648ebb",
"name": "Email"
},
{
"id": "5df25b3696fa2af420a379b9",
"name": "Physical"
}
]
}
}
}

Human Readable Output

Exfiltration templates list:

| id | name |
| --- | --- |
| 5df0e79b85a00138dc648e75 | Cymulate Best Practice |
| 5df0e7d585a00138dc648e8f | Cloud Services |
| 5df0e80885a00138dc648ea7 | Network Protocols |
| 5df0e82e85a00138dc648ebb | Email |
| 5df25b3696fa2af420a379b9 | Physical |

cymulate-exfiltration-start

Create a new exfiltration assessment.

Base Command

cymulate-exfiltration-start

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| template_id | The ID of the template to run the exfiltration assessment with. Can be retrieved using Cymulate's UI, or using the cymulate-exfiltration-template-list command. | Required |
| agent_name | Agent name to run the simulation attacks with. | Required |
| schedule | Whether to schedule the automated assessment periodically. Possible values are: true, false. | Required |
| schedule_loop | Loop size of the scheduled agent. For example: to run the agent only once, use the value 'one-time'. Possible values are: one-time, daily, weekly, monthly. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cymulate.Exfiltration.id | String | New exfiltration assessment creation ID. |
| Cymulate.Exfiltration.success | Boolean | New exfiltration assessment creation success status. |

Command Example

!cymulate-exfiltration-start template_id="5df0e79b85a00138dc648e75" agent_name="Cymulate_agent" schedule="false" schedule_loop="one-time"

Context Example

{
"Cymulate": {
"Exfiltration": {
"id": "id_1",
"success": true
}
}
}

Human Readable Output

Starting exfiltration assessment:

| id | success |
| --- | --- |
| id_1 | true |

cymulate-exfiltration-stop

Stop a running exfiltration assessment.

Base Command

cymulate-exfiltration-stop

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cymulate.Exfiltration.data | String | Exfiltration assessment stopping data. |
| Cymulate.Exfiltration.success | Boolean | Exfiltration assessment stopping success status. |

Command Example

!cymulate-exfiltration-stop

Context Example

{
"Cymulate": {
"Exfiltration": {
"data": "ok",
"success": true
}
}
}

Human Readable Output

Stopping exfiltration assessment:

| data | success |
| --- | --- |
| ok | true |

cymulate-exfiltration-status

Get the exfiltration assessment status.

Base Command

cymulate-exfiltration-status

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| assessment_id | Assessment ID. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cymulate.Exfiltration.id | String | Exfiltration assessment ID. |
| Cymulate.Exfiltration.inProgress | Boolean | Whether the assessment is in progress. |
| Cymulate.Exfiltration.progress | Number | Percentage of the progress of the assessment. |
| Cymulate.Exfiltration.categories | String | Assessment categories. |

Command Example

!cymulate-exfiltration-status assessment_id="id_2"

Context Example

{
"Cymulate": {
"Exfiltration": {
"categories": [
"http",
"https",
"dns",
"dns-tunneling",
"icmp",
"outlook",
"device",
"telnet",
"sftp",
"slack",
"googledrive",
"onedrive",
"port_scanning",
"msteams",
"gmail",
"gitlab",
"azure_blob",
"aws_s3_bucket",
"github",
"googlestorage",
"browsinghttps",
"browsinghttp"
],
"id": "id_2",
"inProgress": false,
"progress": 0
}
}
}

Human Readable Output

Exfiltration assessment status:

| categories | id | inProgress | progress |
| --- | --- | --- | --- |
| http, https, dns, dns-tunneling, icmp, outlook, device, telnet, sftp, slack, googledrive, onedrive, port_scanning, msteams, gmail, gitlab, azure_blob, aws_s3_bucket, github, googlestorage, browsinghttps, browsinghttp | id_2 | false | 0 |

cymulate-email-gateway-template-list

Retrieve the email gateway template list.

Base Command

cymulate-email-gateway-template-list

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cymulate.EmailGateway.Template.id | String | Template ID. |
| Cymulate.EmailGateway.Template.name | String | Template name. |

Command Example

!cymulate-email-gateway-template-list

Context Example

{
"Cymulate": {
"EmailGateway": {
"Templates": [
{
"id": "5c6920853659191ccf6858fc",
"name": "free assessment"
},
{
"id": "5c6920853659191ccf6858fb",
"name": "cymulate best practice"
},
{
"id": "5db5ab6e79a0bf2feedaf9a7",
"name": "cymulate best practice - high risk"
},
{
"id": "5c6968e43659191ccf685929",
"name": "office payloads"
},
{
"id": "5c6968ec3659191ccf68592a",
"name": "executables payloads"
},
{
"id": "5c73b2ce3febfc300976c6e3",
"name": "exploits"
},
{
"id": "5c7f96963febfc300976c7be",
"name": "malwares"
},
{
"id": "5c7f977bc9545f79ea8b03c0",
"name": "ransomwares"
}
]
}
}
}

Human Readable Output

Email gateway templates list:

| id | name |
| --- | --- |
| 5c6920853659191ccf6858fc | free assessment |
| 5c6920853659191ccf6858fb | cymulate best practice |
| 5db5ab6e79a0bf2feedaf9a7 | cymulate best practice - high risk |
| 5c6968e43659191ccf685929 | office payloads |
| 5c6968ec3659191ccf68592a | executables payloads |
| 5c73b2ce3febfc300976c6e3 | exploits |
| 5c7f96963febfc300976c7be | malwares |
| 5c7f977bc9545f79ea8b03c0 | ransomwares |

cymulate-email-gateway-start

Create a new email gateway assessment.

Base Command

cymulate-email-gateway-start

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| template_id | The ID of the template to run the email gateway assessment with. Can be retrieved using Cymulate's UI, or using the cymulate-email-gateway-template-list command. | Required |
| agent_email | Agent email address. | Required |
| schedule | Whether to schedule the automated assessment periodically. Possible values are: true, false. | Required |
| schedule_loop | Loop size of the scheduled agent. For example: to run the agent only once, use the value 'one-time'. Possible values are: one-time, daily, weekly, monthly. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cymulate.EmailGateway.id | String | New email gateway assessment creation ID. |
| Cymulate.EmailGateway.success | Boolean | New email gateway assessment creation success status. |

Command Example

!cymulate-email-gateway-start template_id="5c6920853659191ccf6858fc" agent_email="test@cymulate.com" schedule="false" schedule_loop="one-time"

Context Example

{
"Cymulate": {
"EmailGateway": {
"id": "id_3",
"success": true
}
}
}

Human Readable Output

Starting email gateway assessment:

| id | success |
| --- | --- |
| id_3 | true |

cymulate-email-gateway-stop

Stop a running email gateway assessment.

Base Command

cymulate-email-gateway-stop

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cymulate.EmailGateway.data | String | Email gateway assessment stopping data. |
| Cymulate.EmailGateway.success | Boolean | Email gateway assessment stopping success status. |

Command Example

!cymulate-email-gateway-stop

Context Example

{
"Cymulate": {
"EmailGateway": {
"data": "ok",
"success": true
}
}
}

Human Readable Output

Stopping email gateway assessment:

| data | success |
| --- | --- |
| ok | true |

cymulate-email-gateway-status

Get the email gateway assessment status.

Base Command

cymulate-email-gateway-status

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| assessment_id | Assessment ID. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cymulate.EmailGateway.id | String | Email gateway assessment ID. |
| Cymulate.EmailGateway.success | Boolean | Whether the assessment was successful. |
| Cymulate.EmailGateway.inProgress | Boolean | Whether the assessment is in progress. |
| Cymulate.EmailGateway.progress | Number | Percentage of the progress of the assessment. |
| Cymulate.EmailGateway.addresses | String | Addresses connected to the assessment. |

Command Example

!cymulate-email-gateway-status assessment_id="id_4"

Context Example

{
"Cymulate": {
"EmailGateway": {
"addresses": [
"test@cymulate.com"
],
"categories": [
"worm"
],
"id": "id_4",
"inProgress": false,
"progress": 0
}
}
}

Human Readable Output

Email gateway assessment status:

| addresses | categories | id | inProgress | progress |
| --- | --- | --- | --- | --- |
| test@cymulate.com | worm | id_4 | false | 0 |

cymulate-endpoint-security-template-list

Retrieve the endpoint security template list.

Base Command

cymulate-endpoint-security-template-list

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cymulate.EndpointSecurity.Template.id | String | Template ID. |
| Cymulate.EndpointSecurity.Template.name | String | Template name. |

Command Example

!cymulate-endpoint-security-template-list

Context Example

{
"Cymulate": {
"EndpointSecurity": {
"Templates": [
{
"id": "5c87a26f548a3c7c4c184a5e",
"name": "Free Assessment"
},
{
"id": "5c97a50c5727c58a295d0459",
"name": "Cymulate Best Practice"
},
{
"id": "5e98461d312a740ee4839700",
"name": "DLL Side loading"
},
{
"id": "5c87a314548a3c7c4c184a5f",
"name": "Cymulate Behavior-based"
},
{
"id": "5c87a314548a3c7c4c184a60",
"name": "Cymulate Signature-based"
}
]
}
}
}

Human Readable Output

Endpoint security templates list:

| id | name |
| --- | --- |
| 5c87a26f548a3c7c4c184a5e | Free Assessment |
| 5c97a50c5727c58a295d0459 | Cymulate Best Practice |
| 5e98461d312a740ee4839700 | DLL Side loading |
| 5c87a314548a3c7c4c184a5f | Cymulate Behavior-based |
| 5c87a314548a3c7c4c184a60 | Cymulate Signature-based |

cymulate-endpoint-security-start

Create a new endpoint security assessment.

Base Command

cymulate-endpoint-security-start

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| template_id | The ID of the template to run the endpoint security assessment with. Can be retrieved using Cymulate's UI, or using the cymulate-endpoint-security-template-list command. | Required |
| agent_name | Agent name. | Required |
| schedule | Whether to schedule the automated assessment periodically. Possible values are: true, false. | Required |
| schedule_loop | Loop size of the scheduled agent. For example: to run the agent only once, use the value 'one-time'. Possible values are: one-time, daily, weekly, monthly. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cymulate.EndpointSecurity.id | String | New endpoint security assessment creation ID. |
| Cymulate.EndpointSecurity.success | Boolean | New endpoint security assessment creation success status. |

Command Example

!cymulate-endpoint-security-start template_id="5e98461d312a740ee4839700" agent_name="Cymulate_agent" schedule="false" schedule_loop="one-time"

Context Example

{
"Cymulate": {
"EndpointSecurity": {
"id": "id_5",
"success": true
}
}
}

Human Readable Output

Starting endpoint security assessment:

| id | success |
| --- | --- |
| id_5 | true |

cymulate-endpoint-security-stop

Stop a running endpoint security assessment.

Base Command

cymulate-endpoint-security-stop

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cymulate.EndpointSecurity.data | String | Endpoint security assessment stopping data. |
| Cymulate.EndpointSecurity.success | Boolean | Endpoint security assessment stopping success status. |

Command Example

!cymulate-endpoint-security-stop

Context Example

{
"Cymulate": {
"EndpointSecurity": {
"data": "ok",
"success": true
}
}
}

Human Readable Output

Stopping endpoint security assessment:

| data | success |
| --- | --- |
| ok | true |

cymulate-endpoint-security-status

Get the endpoint security assessment status.

Base Command

cymulate-endpoint-security-status

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| assessment_id | Assessment ID. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cymulate.EndpointSecurity.id | String | Endpoint security assessment ID. |
| Cymulate.EndpointSecurity.inProgress | Boolean | Whether the assessment is in progress. |
| Cymulate.EndpointSecurity.progress | Number | Percentage of the progress of the assessment. |
| Cymulate.EndpointSecurity.categories | String | Assessment categories. |

Command Example

!cymulate-endpoint-security-status assessment_id="id_6"

Context Example

{
"Cymulate": {
"EndpointSecurity": {
"categories": [
"ransomware"
],
"id": "id_6",
"inProgress": true,
"progress": 90
}
}
}

Human Readable Output

Endpoint security assessment status:

| categories | id | inProgress | progress |
| --- | --- | --- | --- |
| ransomware | id_6 | false | 0 |

cymulate-waf-template-list

Retrieve the WAF template list.

Base Command

cymulate-waf-template-list

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cymulate.WAF.Template.id | String | Template ID. |
| Cymulate.WAF.Template.name | String | Template name. |

Command Example

!cymulate-waf-template-list

Context Example

{
"Cymulate": {
"WAF": {
"Templates": [
{
"id": "5edf7ddfef621bbc252498f3",
"name": "free assessment"
},
{
"id": "5edf7547ef621bbc25248d97",
"name": "Cymulate Best Practice"
},
{
"id": "5ee0726cef621bbc25251d7a",
"name": "SQL Injection"
},
{
"id": "5ee0726cef621bbc25251d7d",
"name": "XSS"
},
{
"id": "5eea1fb754b285889325b818",
"name": "Command Injection"
},
{
"id": "5eea1fb754b285889325b81b",
"name": "File Inclusion"
},
{
"id": "5fb65327f6ce656dbc7f9cf1",
"name": "SSRF"
},
{
"id": "600d258cbd15e73c5882b306",
"name": "david test"
}
]
}
}
}

Human Readable Output

WAF templates list:

| id | name |
| --- | --- |
| 5edf7ddfef621bbc252498f3 | free assessment |
| 5edf7547ef621bbc25248d97 | Cymulate Best Practice |
| 5ee0726cef621bbc25251d7a | SQL Injection |
| 5ee0726cef621bbc25251d7d | XSS |
| 5eea1fb754b285889325b818 | Command Injection |
| 5eea1fb754b285889325b81b | File Inclusion |
| 5fb65327f6ce656dbc7f9cf1 | SSRF |
| 600d258cbd15e73c5882b306 | david test |

cymulate-waf-start

Create a new web application firewall assessment.

Base Command

cymulate-waf-start

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| template_id | The ID of the template to run the WAF assessment with. Can be retrieved using Cymulate's UI, or using the cymulate-waf-template-list command. | Required |
| sites | Websites to run the assessment on. Can be a single website URL or a list of URLs. | Required |
| schedule | Whether to schedule the automated assessment periodically. Possible values are: true, false. | Required |
| schedule_loop | Loop size of the scheduled agent. For example: to run the agent only once, use the value 'one-time'. Possible values are: one-time, daily, weekly, monthly. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cymulate.WAF.id | String | Web application firewall assessment creation ID. |
| Cymulate.WAF.success | Boolean | Web application firewall assessment creation success status. |

Command Example

!cymulate-waf-start template_id="5ee0726cef621bbc25251d7a" sites="http://cymulatelabs.com" schedule="false" schedule_loop="one-time"

Context Example

{
"Cymulate": {
"WAF": {
"id": "604630cbb9eb930a0fa86ab5",
"success": true
}
}
}

Human Readable Output

Starting WAF assessment:

| id | success |
| --- | --- |
| 604630cbb9eb930a0fa86ab5 | true |

cymulate-waf-stop

Stop a running web application firewall assessment.

Base Command

cymulate-waf-stop

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cymulate.WAF.data | String | Web application firewall assessment stopping data. |
| Cymulate.WAF.success | Boolean | Web application firewall assessment stopping success status. |

Command Example

!cymulate-waf-stop

Context Example

{
"Cymulate": {
"WAF": {
"data": "no running attack",
"success": true
}
}
}

Human Readable Output

Stopping WAF assessment:

| data | success |
| --- | --- |
| no running attack | true |

cymulate-waf-status

Get the web application firewall assessment status.

Base Command

cymulate-waf-status

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| assessment_id | Assessment ID. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cymulate.WAF.id | String | Web application firewall assessment ID. |
| Cymulate.WAF.inProgress | Boolean | Whether the assessment is in progress. |
| Cymulate.WAF.progress | Number | Percentage of the progress of the assessment. |
| Cymulate.WAF.categories | String | Assessment categories. |

Command Example

!cymulate-waf-status assessment_id="5ff31ef451647c20338bd235"

Context Example

{
"Cymulate": {
"WAF": {
"categories": [
"XML Injection",
"Command Injection",
"File Inclusion",
"XSS",
"XML Injection",
"SQL Injection"
],
"id": "5ff31ef451647c20338bd235",
"inProgress": false,
"progress": 0
}
}
}

Human Readable Output

WAF assessment status:

| categories | id | inProgress | progress |
| --- | --- | --- | --- |
| XML Injection, Command Injection, File Inclusion, XSS, XML Injection, SQL Injection | 5ff31ef451647c20338bd235 | false | 0 |

cymulate-immediate-threat-start

Create a new immediate threats assessment.

Base Command

cymulate-immediate-threat-start

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| browsing_address | Browsing address. | Optional |
| mail_address | Agent email address. | Optional |
| edr_address | EDR address. | Optional |
| template_id | The ID of the template to run the immediate threats assessment with. Can be retrieved using Cymulate's UI. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cymulate.ImmediateThreats.id | String | Immediate threats assessment creation ID. |
| Cymulate.ImmediateThreats.success | String | Immediate threats assessment creation success status. |

Command Example

!cymulate-immediate-threat-start edr_address="Cymulate_agent" template_id="603270ce63aa15930631b938"

Context Example

{
"Cymulate": {
"ImmediateThreats": {
"id": [
"id_7"
],
"success": true
}
}
}

Human Readable Output

Starting immediate-threats assessment:

| id | success |
| --- | --- |
| id_7 | true |

cymulate-immediate-threat-stop

Stop a running immediate threats assessment.

Base Command

cymulate-immediate-threat-stop

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cymulate.ImmediateThreats.data | String | Immediate threats assessment stopping data. |
| Cymulate.ImmediateThreats.success | String | Immediate threats assessment stopping success status. |

Command Example

!cymulate-immediate-threat-stop

Context Example

{
"Cymulate": {
"ImmediateThreats": {
"data": "ok",
"success": true
}
}
}

Human Readable Output

Stopping immediate-threats assessment:

| data | success |
| --- | --- |
| ok | true |

cymulate-immediate-threat-status

Get the immediate threats assessment status.

Base Command

cymulate-immediate-threat-status

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| assessment_id | Assessment ID. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cymulate.ImmediateThreats.id | String | Immediate threats assessment ID. |
| Cymulate.ImmediateThreats.categories | String | Assessment categories. |
| Cymulate.ImmediateThreats.inProgress | Boolean | Whether the assessment is in progress. |
| Cymulate.ImmediateThreats.progress | Number | Percentage of the progress of the assessment. |

Command Example

!cymulate-immediate-threat-status assessment_id="id_8"

Context Example

{
"Cymulate": {
"ImmediateThreats": {
"categories": [
"antivirus"
],
"id": "id_8",
"inProgress": true,
"progress": 90
}
}
}

Human Readable Output

Immediate-threats assessment status:

| categories | id | inProgress | progress |
| --- | --- | --- | --- |
| antivirus | id_8 | true | 90 |

cymulate-phishing-awareness-contacts-group-list

Get a list of contact groups.

Base Command

cymulate-phishing-awareness-contacts-group-list

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cymulate.Phishing.Groups.id | String | The ID of the phishing contact group. |
| Cymulate.Phishing.Groups.name | String | Name of the phishing contact group. |
| Cymulate.Phishing.Groups.client | String | The client of the phishing contact group. |
| Cymulate.Phishing.Groups.canDelete | Boolean | Whether this group can be deleted. |

Command Example

!cymulate-phishing-awareness-contacts-group-list

Context Example

{
"Cymulate": {
"Phishing": {
"Groups": [
{
"__v": 0,
"canDelete": true,
"client": "Cymulate",
"id": "id_a",
"name": "qmasters_01"
},
{
"__v": 0,
"canDelete": true,
"client": "Cymulate",
"id": "id_b",
"name": "qmasters_02"
},
{
"__v": 0,
"canDelete": true,
"client": "Cymulate",
"id": "id_c",
"name": "qmasters_03"
},
{
"__v": 0,
"canDelete": true,
"client": "Cymulate",
"id": "id_d",
"name": "new_group_01"
},
{
"__v": 0,
"canDelete": true,
"client": "Cymulate",
"id": "id_e",
"name": "test_group_02"
}
]
}
}
}

Human Readable Output

Phishing awareness contact groups:

| __v | canDelete | client | id | name |
| --- | --- | --- | --- | --- |
| 0 | true | Cymulate | id_a | qmasters_01 |
| 0 | true | Cymulate | id_b | qmasters_02 |
| 0 | true | Cymulate | id_c | qmasters_03 |
| 0 | true | Cymulate | id_d | new_group_01 |
| 0 | true | Cymulate | id_e | test_group_02 |

cymulate-phishing-awareness-contacts-group-create

Create a new contacts group.

Base Command

cymulate-phishing-awareness-contacts-group-create

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| group_name | The name of the new group to create. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cymulate.Phishing.Groups.success | Boolean | Whether the creation of the new group was successful. |
| Cymulate.Phishing.Groups.id | String | The ID of the new phishing contact group. |

Command Example

!cymulate-phishing-awareness-contacts-group-create group_name="test_group_01"

Context Example

{
"Cymulate": {
"Phishing": {
"Groups": {
"id": "id_9",
"success": true
}
}
}
}

Human Readable Output

Phishing awareness contact group created:

| id | success |
| --- | --- |
| id_9 | true |

cymulate-phishing-awareness-contacts-get

Get the contacts of a group using the group ID.

Base Command

cymulate-phishing-awareness-contacts-get

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| group_id | Group ID. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cymulate.Phishing.Groups.id | String | The ID of the phishing contact group. |
| Cymulate.Phishing.Groups.name | String | Name of the phishing contact group. |
| Cymulate.Phishing.Groups.client | String | The client of the phishing contact group. |
| Cymulate.Phishing.Groups.canDelete | Boolean | Whether this group can be deleted. |

Command Example

!cymulate-phishing-awareness-contacts-get group_id="id_abcd"

Context Example

{
"Cymulate": {
"Phishing": {
"Groups": [
{
"address": "jamesb@cymulate.com",
"color": "#ffbb00",
"firstName": "James",
"id": "id_1a",
"lastName": "Bond"
},
{
"address": "Billg@cymulate.com",
"color": "#34a853",
"firstName": "Bill",
"id": "id_a2",
"lastName": "Gates"
},
{
"address": "davidb@cymulate.com",
"color": "#00a1f1",
"firstName": "David ",
"id": "id_a3",
"lastName": "Ben-Gurion"
}
]
}
}
}

Human Readable Output

Phishing awareness contact group members:

| address | color | firstName | id | lastName |
| --- | --- | --- | --- | --- |
| jamesb@cymulate.com | #ffbb00 | James | id_1a | Bond |
| Billg@cymulate.com | #34a853 | Bill | id_a2 | Gates |
| davidb@cymulate.com | #00a1f1 | David | id_a3 | Ben-Gurion |

cymulate-lateral-movement-template-list

Retrieve the lateral movement template list.

Base Command

cymulate-lateral-movement-template-list

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cymulate.LateralMovement.Template.id | String | Template ID. |
| Cymulate.LateralMovement.Template.name | String | Template name. |

Command Example

!cymulate-lateral-movement-template-list

Context Example

{
"Cymulate": {
"LateralMovement": {
"Templates": [
{
"id": "5e2f0c1054d53d6b115eefa7",
"name": "SMB Pass The Hash"
},
{
"id": "5e2f0c5f54d53d6b115ef0a1",
"name": "Kerberoasting and Cracking on DCOM and WMI"
},
{
"id": "5e2f0c9754d53d6b115ef190",
"name": "LLMNR Poisoning on SMB"
},
{
"id": "5e2f0d2c54d53d6b115ef345",
"name": "SMB And Credentials Harvesting"
},
{
"id": "5e41746171895006ef394607",
"name": "test1"
},
{
"id": "5e44020d3f46e106e9ec706c",
"name": "Prueba completa"
},
{
"id": "5e4a5792b1bdb606ed1f9407",
"name": "lab1"
}
]
}
}
}

Human Readable Output

Lateral movement templates list:

| id | name |
| --- | --- |
| 5e2f0c1054d53d6b115eefa7 | SMB Pass The Hash |
| 5e2f0c5f54d53d6b115ef0a1 | Kerberoasting and Cracking on DCOM and WMI |
| 5e2f0c9754d53d6b115ef190 | LLMNR Poisoning on SMB |
| 5e2f0d2c54d53d6b115ef345 | SMB And Credentials Harvesting |
| 5e41746171895006ef394607 | test1 |
| 5e44020d3f46e106e9ec706c | Prueba completa |
| 5e4a5792b1bdb606ed1f9407 | lab1 |

cymulate-lateral-movement-start

Create a new lateral movement assessment.

Base Command

cymulate-lateral-movement-start

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_name | Agent name to run the assessment with. | Required |
| template_id | The ID of the template to run the lateral movement assessment with. Can be retrieved using Cymulate's UI, or using the cymulate-lateral-movement-template-list command. | Required |
| upload_to_cymulate | Whether to upload the result to Cymulate. Possible values are: true, false. Default is false. | Required |
| schedule | Whether to schedule the automated assessment periodically. Possible values are: true, false. | Required |
| schedule_loop | Loop size of the scheduled agent. For example: to run the agent only once, use the value 'one-time'. Possible values are: one-time, daily, weekly, monthly. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cymulate.LateralMovement.id | String | Lateral movement assessment creation ID. |
| Cymulate.LateralMovement.success | Boolean | Lateral movement assessment creation success status. |

Command Example

!cymulate-lateral-movement-start agent_name="Cymulate_agent" template_id="5e41746171895006ef394607" upload_to_cymulate="false" schedule="false" schedule_loop="one-time"

Context Example

{
"Cymulate": {
"LateralMovement": {
"id": "id_987",
"success": true
}
}
}

Human Readable Output

Starting lateral movement assessment:

| id | success |
| --- | --- |
| id_987 | true |

cymulate-lateral-movement-stop

Stop a running lateral movement assessment.

Base Command

cymulate-lateral-movement-stop

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cymulate.LateralMovement.data | String | Lateral movement assessment stopping data. |
| Cymulate.LateralMovement.success | Boolean | Lateral movement assessment stopping success status. |

Command Example

!cymulate-lateral-movement-stop

Context Example

{
"Cymulate": {
"LateralMovement": {
"data": "ok",
"success": true
}
}
}

Human Readable Output

Stopping lateral movement assessment:

| data | success |
| --- | --- |
| ok | true |

cymulate-lateral-movement-status

Get the lateral movement assessment status.

Base Command

cymulate-lateral-movement-status

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| assessment_id | Assessment ID. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cymulate.LateralMovement.id | String | Lateral movement assessment ID. |
| Cymulate.LateralMovement.inProgress | Boolean | Whether the assessment is in progress. |

Command Example

!cymulate-lateral-movement-status assessment_id="id_876"

Context Example

{
"Cymulate": {
"LateralMovement": {
"id": "id_876",
"inProgress": false
}
}
}

Human Readable Output

Lateral movement assessment status:

| id | inProgress |
| --- | --- |
| id_876 | false |

cymulate-agent-list

Retrieve all agents.

Base Command

cymulate-agent-list

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cymulate.Agent.agentAddress | String | The agent's address. |
| Cymulate.Agent.agentMethod | String | The agent's method. |
| Cymulate.Agent.agentName | String | Agent name. |
| Cymulate.Agent.comment | String | Comments. |

Command Example

!cymulate-agent-list

Context Example

{
"Cymulate": {
"Agent": [
{
"agentAddress": "test@cymulate.com",
"agentMethod": "smtp",
"comment": ""
},
{
"agentAddress": "Cymulate_agent ",
"agentMethod": "http",
"agentName": "Cymulate_agent",
"comment": ""
}
]
}
}

Human Readable Output

Agents list:

| agentAddress | agentMethod | agentName |
| --- | --- | --- |
| test@cymulate.com | smtp | |
| Cymulate_agent | http | Cymulate_agent |

cymulate-simulations-list

Retrieve a list of all simulations by ID.

Base Command

cymulate-simulations-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| module | The module to retrieve events from. Possible values are: web-gateway, exfiltration, email-gateway, endpoint-security, waf, kill-chain, immediate-threats, phishing-awareness, lateral-movement. | Required |
| attack_id | Attack ID. Can be retrieved using the cymulate-simulations-id-list command. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cymulate.Simulations.Attack_Type | String | Attack payload. |
| Cymulate.Simulations.Classification | String | Attack classification. |
| Cymulate.Simulations.Content_Type | String | Content type. |
| Cymulate.Simulations.Module | String | Event's module. |
| Cymulate.Simulations.Phrase | String | Attack description. |
| Cymulate.Simulations.Phrase_Title | String | Attack name. |
| Cymulate.Simulations.Status | String | Attack status. |
| Cymulate.Simulations.PrevStatus | String | Attack previous status. |
| Cymulate.Simulations.Risk | String | Attack risk level. |
| Cymulate.Simulations.Source | String | Attack source. |
| Cymulate.Simulations.User | String | User who committed the attack or was attacked. |
| Cymulate.Simulations.Attack_Vector | String | Attack vector. |
| Cymulate.Simulations.Source_Email_Address | String | Source email address. |
| Cymulate.Simulations.Md5 | String | MD5 attached to the attack. |
| Cymulate.Simulations.Sha256 | String | SHA256 attached to the attack. |
| Cymulate.Simulations.Sha1 | String | SHA1 attached to the attack. |
| Cymulate.Simulations.Mitigation | String | Mitigation details. |
| Cymulate.Simulations.Mitigation_Details | String | Mitigation details. |
| Cymulate.Simulations.Description | String | Attack description. |
| Cymulate.Simulations.Id | String | Attack ID. |

Command Example

!cymulate-simulations-list module="waf" attack_id="id_001"

Context Example

{
"Cymulate": {
"Simulations": {
"Action": " http://Google.com/",
"Category": "SQL Injection",
"Database": "DB Agnostic",
"Display_Url": " http://Google.com/",
"FullRequest": "N/A",
"Id": "id_001",
"Input": "password",
"Method": "post",
"Mitigation": "Create a WAF Security rule to block incoming requests that contains. Validate that the specific input url is protected with the MSSQL Blind signature pack (SQL Injection)",
"Module": "Web Application Firewall",
"Payload": "This is a payload",
"Platform": "OS Agnostic",
"PrevStatus": "blocked",
"Risk": "high",
"Source": " http://Google.com",
"Status": "blocked",
"SubCategoryType": "MSSQL Blind",
"Timestamp": "2021-02-28 16:33:41",
"Url": " http://Google.com/",
"date": "2021-02-28T14:33:41.559Z"
}
}
}

Human Readable Output#

Displaying 20/193 simulations:#

| Action | Category | Database | Display_Url | FullRequest | Id | Input | Method | Mitigation | Module | Payload | Platform | PrevStatus | Risk | Source | Status | SubCategoryType | Timestamp | Url | date |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| http://Google.com/signup | SQL Injection | DB Agnostic | http://Google.com/signup | N/A | id_001 | password | post | Create a WAF Security rule to block incoming requests that contains. Validate that the specific input/url is protected with the Oracle SQL Injection signature pack (SQL Injection) | Web Application Firewall | AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=3)) AND 'i'='i | OS Agnostic | blocked | high | http://Google.com | blocked | Oracle SQL Injection | 2021-02-28 16:33:41 | http://Google.com/signup | 2021-02-28T14:33:41.475Z |
| http://Google.com/team/dudi | SQL Injection | DB Agnostic | http://Google.com/team/dudi | N/A | id_001 | password | post | Create a WAF Security rule to block incoming requests that contains.. The rule could be a Regular expression that needs to be implemented or an update of your WAF.Validate that the specific input url is protected with the Generic Blind Injection signature pack (SQL Injection) | Web Application Firewall | 1) or benchmark(10000000,MD5(1))# | OS Agnostic | blocked | high | http://Google.com | blocked | Generic Blind Injection | 2021-02-28 16:33:41 | http://Google.com/team/dudi | 2021-02-28T14:33:41.476Z |
| http://Google.com/ | SQL Injection | DB Agnostic | http://Google.com/ | N/A | id_001 | tel | post | Create a WAF Security rule to block incoming requests that contains:1.The rule could be a Regular expression that needs to be implemented or an update of your WAF.Validate that the specific input/url is protected with the General SQL Injection signature pack (SQL Injection) | Web Application Firewall | 1' and non_existant_table = '1 | OS Agnostic | blocked | high | http://Google.com | blocked | General SQL Injection | 2021-02-28 16:33:41 | http://Google.com/ | 2021-02-28T14:33:41.478Z |
| http://Google.com/team/%d7%94%d7%9e%d7%a8%d7%a4%d7%90%d7%95%d7%aa-%d7%a9%d7%9c%d7%a0%d7%95 | SQL Injection | DB Agnostic | http://Google.com/team/%d7%94%d7%9e%d7%a8%d7%a4%d7%90%d7%95%d7%aa-%d7%a9%d7%9c%d7%a0%d7%95 | N/A | id_001 | password | post | Create a WAF Security rule to block incoming requests that contains:..The rule could be a Regular expression that needs to be implemented or an update of your WAF.Validate that the specific input/url is protected with the Passive SQL Injection signature pack (SQL Injection) | Web Application Firewall | ' or 1=1 / | OS Agnostic | blocked | high | http://Google.com | blocked | Passive SQL Injection | 2021-02-28 16:33:41 | http://Google.com/team/%d7%94%d7%9e%d7%a8%d7%a4%d7%90%d7%95%d7%aa-%d7%a9%d7%9c%d7%a0%d7%95 | 2021-02-28T14:33:41.478Z |
| http://Google.com/contact | SQL Injection | DB Agnostic | http://Google.com/contact | N/A | id_001 | password | post | Create a WAF Security rule to block incoming requests that contains..The rule could be a Regular expression that needs to be implemented or an update of your WAF.Validate that the specific input/url is protected with the Passive SQL Injection signature pack (SQL Injection) | Web Application Firewall | ' group by userid having 1=1-- | OS Agnostic | blocked | high | http://Google.com | blocked | Passive SQL Injection | 2021-02-28 16:33:41 | http://Google.com/contact | 2021-02-28T14:33:41.476Z |
| http://Google.com/ | SQL Injection | DB Agnostic | http://Google.com/ | N/A | id_001 | tel | post | Create a WAF Security rule to block incoming requests that contains.The rule could be a Regular expression that needs to be implemented or an update of your WAF.Validate that the specific input/url is protected with the MSSQL Injection signature pack (SQL Injection) | Web Application Firewall | ) waitfor delay '0:0:20' | OS Agnostic | blocked | high | http://Google.com | blocked | MSSQL Injection | 2021-02-28 16:33:41 | http://Google.com/ | 2021-02-28T14:33:41.479Z |
| http://Google.com/team/%d7%94%d7%9e%d7%a8%d7%a4%d7%90%d7%95%d7%aa-%d7%a9%d7%9c%d7%a0%d7%95 | SQL Injection | DB Agnostic | http://Google.com/team/%d7%94%d7%9e%d7%a8%d7%a4%d7%90%d7%95%d7%aa-%d7%a9%d7%9c%d7%a0%d7%95 | N/A | id_001 | password | post | Create a WAF Security rule to block incoming requests that contains.Validate that the specific input/url is protected with the Passive SQL Injection signature pack (SQL Injection) | Web Application Firewall | ' or 1=1-- | OS Agnostic | blocked | high | http://Google.com | blocked | Passive SQL Injection | 2021-02-28 16:33:41 | http://Google.com/team/%d7%94%d7%9e%d7%a8%d7%a4%d7%90%d7%95%d7%aa-%d7%a9%d7%9c%d7%a0%d7%95 | 2021-02-28T14:33:41.481Z |
| http://Google.com/ | SQL Injection | DB Agnostic | http://Google.com/ | N/A | id_001 | hidden | post | Create a WAF Security rule to block incoming requests that contains:.Validate that the specific input/url is protected with the Passive SQL Injection signature pack (SQL Injection) | Web Application Firewall | ' OR 'something' like 'some%' | OS Agnostic | blocked | high | http://Google.com | blocked | Passive SQL Injection | 2021-02-28 16:33:41 | http://Google.com/ | 2021-02-28T14:33:41.480Z |
| http://Google.com/team/ruba | SQL Injection | DB Agnostic | http://Google.com/team/ruba | N/A | id_001 | password | post | Create a WAF Security rule to block incoming requests that contains.The rule could be a Regular expression that needs to be implemented or an update of your WAF.Validate that the specific input/url is protected with the Passive SQL Injection signature pack (SQL Injection) | Web Application Firewall | ' union select from users where login = char(114,111,111,116); | OS Agnostic | blocked | high | http://Google.com | blocked | Passive SQL Injection | 2021-02-28 16:33:41 | http://Google.com/team/ruba | 2021-02-28T14:33:41.481Z |
| http://Google.com/team/ruba | SQL Injection | DB Agnostic | http://Google.com/team/ruba | N/A | id_001 | password | post | Create a WAF Security rule to block incoming requests that contains. The rule could be a Regular expression that needs to be implemented or an update of your WAF.Validate that the specific input/url is protected with the General SQL Injection signature pack (SQL Injection) | Web Application Firewall | ' AND 1=utl_inaddr.get_host_address((SELECT SYS.DATABASE_NAME FROM DUAL)) AND 'i'='i | OS Agnostic | blocked | high | http://Google.com | blocked | General SQL Injection | 2021-02-28 16:33:41 | http://Google.com/team/ruba | 2021-02-28T14:33:41.479Z |
| http://Google.com/contact | SQL Injection | DB Agnostic | http://Google.com/contact | N/A | id_001 | password | post | Create a WAF Security rule to block incoming requests that contains.Validate that the specific input/url is protected with the Generic Blind Injection signature pack (SQL Injection) | Web Application Firewall | ;waitfor delay '0:0:TIME'-- | OS Agnostic | blocked | high | http://Google.com | blocked | Generic Blind Injection | 2021-02-28 16:33:41 | http://Google.com/contact | 2021-02-28T14:33:41.480Z |
| http://Google.com/team/%d7%94%d7%9e%d7%a8%d7%a4%d7%90%d7%95%d7%aa-%d7%a9%d7%9c%d7%a0%d7%95 | SQL Injection | DB Agnostic | http://Google.com/team/%d7%94%d7%9e%d7%a8%d7%a4%d7%90%d7%95%d7%aa-%d7%a9%d7%9c%d7%a0%d7%95 | N/A | id_001 | password | post | Create a WAF Security rule to block incoming requests that contains. The rule could be a Regular expression that needs to be implemented or an update of your WAF.Validate that the specific input/url is protected with the MSSQL Injection signature pack (SQL Injection) | Web Application Firewall | waitfor delay '0:0:20' / | OS Agnostic | blocked | high | http://Google.com | blocked | MSSQL Injection | 2021-02-28 16:33:41 | http://Google.com/team/%d7%94%d7%9e%d7%a8%d7%a4%d7%90%d7%95%d7%aa-%d7%a9%d7%9c%d7%a0%d7%95 | 2021-02-28T14:33:41.481Z |
| http://Google.com/team/dudi | SQL Injection | DB Agnostic | http://Google.com/team/dudi | N/A | id_001 | password | post | Create a WAF Security rule to block incoming requests that contains:.Validate that the specific input/url is protected with the Mysql Injection signature pack (SQL Injection) | Web Application Firewall | 1or1=1 | OS Agnostic | blocked | high | http://Google.com | blocked | Mysql Injection | 2021-02-28 16:33:41 | http://Google.com/team/dudi | 2021-02-28T14:33:41.483Z |
| http://Google.com/team/dudi | SQL Injection | DB Agnostic | http://Google.com/team/dudi | N/A | id_001 | password | post | Create a WAF Security rule to block incoming requests that contains.Validate that the specific input/url is protected with the Generic Blind Injection signature pack (SQL Injection) | Web Application Firewall | ) or sleep(TIME)=' | OS Agnostic | blocked | high | http://Google.com | blocked | Generic Blind Injection | 2021-02-28 16:33:41 | http://Google.com/team/dudi | 2021-02-28T14:33:41.483Z |
| http://Google.com/team/%d7%94%d7%9e%d7%a8%d7%a4%d7%90%d7%95%d7%aa-%d7%a9%d7%9c%d7%a0%d7%95 | SQL Injection | DB Agnostic | http://Google.com/team/%d7%94%d7%9e%d7%a8%d7%a4%d7%90%d7%95%d7%aa-%d7%a9%d7%9c%d7%a0%d7%95 | N/A | id_001 | password | post | Create a WAF Security rule to block incoming requests that contains.Validate that the specific input/url is protected with the Passive SQL Injection signature pack (SQL Injection) | Web Application Firewall | @var select @var as var into temp end -- | OS Agnostic | blocked | high | http://Google.com | blocked | Passive SQL Injection | 2021-02-28 16:33:41 | http://Google.com/team/%d7%94%d7%9e%d7%a8%d7%a4%d7%90%d7%95%d7%aa-%d7%a9%d7%9c%d7%a0%d7%95 | 2021-02-28T14:33:41.485Z |
| http://Google.com/team/ruba | SQL Injection | DB Agnostic | http://Google.com/team/ruba | N/A | id_001 | password | post | Create a WAF Security rule to block incoming requests that contains.Validate that the specific input/url is protected with the Oracle SQL Injection signature pack (SQL Injection) | Web Application Firewall | AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=1)) AND 'i'='i | OS Agnostic | blocked | high | http://Google.com | blocked | Oracle SQL Injection | 2021-02-28 16:33:41 | http://Google.com/team/ruba | 2021-02-28T14:33:41.482Z |
| http://Google.com/signup | SQL Injection | DB Agnostic | http://Google.com/signup | N/A | id_001 | password | post | Create a WAF Security rule to block incoming requests that contains.Validate that the specific input/url is protected with the Mysql Injection signature pack (SQL Injection) | Web Application Firewall | create table myfile (input TEXT); load data infile filepath into table myfile | OS Agnostic | blocked | high | http://Google.com | blocked | Mysql Injection | 2021-02-28 16:33:41 | http://Google.com/signup | 2021-02-28T14:33:41.484Z |
| http://Google.com/contact | SQL Injection | DB Agnostic | http://Google.com/contact | N/A | id_001 | password | post | Create a WAF Security rule to block incoming requests that contains. The rule could be a Regular expression that needs to be implemented or an update of your WAF.Validate that the specific input/url is protected with the MSSQL Injection signature pack (SQL Injection) | Web Application Firewall | and 0=benchmark | OS Agnostic | blocked | high | http://Google.com | blocked | MSSQL Injection | 2021-02-28 16:33:41 | http://Google.com/contact | 2021-02-28T14:33:41.486Z |
| http://Google.com/ | SQL Injection | DB Agnostic | http://Google.com/ | N/A | id_001 | tel | post | Create a WAF Security rule to block incoming requests that contains.Validate that the specific input/url is protected with the MSSQL Injection signature pack (SQL Injection) | Web Application Firewall | ; exec master..xp_cmdshell 'ping 1.2.3.4'-- | OS Agnostic | blocked | high | http://Google.com | blocked | MSSQL Injection | 2021-02-28 16:33:41 | http://Google.com/ | 2021-02-28T14:33:41.485Z |
| http://Google.com/signup | SQL Injection | DB Agnostic | http://Google.com/signup | N/A | id_001 | password | post | Create a WAF Security rule to block incoming requests that contains.Validate that the specific input/url is protected with the MSSQL Injection signature pack (SQL Injection) | Web Application Firewall | insert into mysql.user (user, host, password) values ('name', 'localhost', password('pass123')) -- | OS Agnostic | N/A | high | http://Google.com | blocked | MSSQL Injection | 2021-02-28 16:33:41 | http://Google.com/signup | 2021-02-28T14:33:41.487Z |
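Each simulation record above carries both Status and PrevStatus, so an automation consuming this context can flag WAF coverage regressions (blocked last run, not blocked now) and summarise coverage per signature pack. This is an added example, not code from the Cymulate integration; the records are constructed with the page's field names, and "penetrated" as a non-blocked Status value is an assumption.

```python
from collections import Counter

# Constructed sample records using the field names of the WAF simulation
# context above. "penetrated" as a non-blocked Status value is an assumption;
# the checks below treat anything other than "blocked" as not blocked.
SAMPLE_RECORDS = [
    {"Id": "id_001", "Url": "http://Google.com/signup", "Input": "password",
     "SubCategoryType": "Oracle SQL Injection", "Risk": "high",
     "PrevStatus": "blocked", "Status": "blocked"},
    {"Id": "id_002", "Url": "http://Google.com/contact", "Input": "password",
     "SubCategoryType": "Generic Blind Injection", "Risk": "high",
     "PrevStatus": "blocked", "Status": "penetrated"},   # regression
    {"Id": "id_003", "Url": "http://Google.com/", "Input": "tel",
     "SubCategoryType": "MSSQL Injection", "Risk": "high",
     "PrevStatus": "N/A", "Status": "blocked"},          # no previous run
    {"Id": "id_004", "Url": "http://Google.com/", "Input": "hidden",
     "SubCategoryType": "MSSQL Injection", "Risk": "high",
     "PrevStatus": "N/A", "Status": "penetrated"},       # new, never blocked
]


def is_blocked(status):
    """Only an explicit 'blocked' counts; 'N/A', None or anything else does not."""
    return str(status).strip().lower() == "blocked"


def find_regressions(records):
    """Simulations the WAF blocked on the previous run but not on this one."""
    return [r for r in records
            if is_blocked(r.get("PrevStatus")) and not is_blocked(r.get("Status"))]


def find_unblocked(records):
    """Every simulation not blocked this run, regardless of history."""
    return [r for r in records if not is_blocked(r.get("Status"))]


def coverage_by_subcategory(records):
    """Map SubCategoryType -> (blocked, total) so gaps per signature pack stand out."""
    blocked, total = Counter(), Counter()
    for r in records:
        key = r.get("SubCategoryType", "unknown")
        total[key] += 1
        if is_blocked(r.get("Status")):
            blocked[key] += 1
    return {k: (blocked[k], total[k]) for k in total}


if __name__ == "__main__":
    for r in find_regressions(SAMPLE_RECORDS):
        print("REGRESSION", r["Id"], r["SubCategoryType"], r["Url"], r["Input"])
    for sub, (ok, n) in coverage_by_subcategory(SAMPLE_RECORDS).items():
        print(f"{sub}: {ok}/{n} blocked")
```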

cymulate-simulations-id-list#


Retrieve a list of all simulation IDs.

Base Command#

cymulate-simulations-id-list

Input#

| Argument Name | Description | Required |
|---|---|---|
| module | Module to retrieve simulation IDs for. Possible values are: web-gateway, exfiltration, email-gateway, endpoint-security, waf, kill-chain, immediate-threats, phishing-awareness, lateral-movement. | Required |
| from_date | From which date to fetch data. Format: YYYY-MM-DD, for example: March 1st 2021 should be written: 2021-03-01. | Required |
| to_date | End date to fetch data. Format: YYYY-MM-DD, for example: March 1st 2021 should be written: 2021-03-01. If no argument is given, default is now. | Optional |

Context Output#

| Path | Type | Description |
|---|---|---|
| Cymulate.Simulations.ID | String | Attack ID. |
| Cymulate.Simulations.Timestamp | String | Attack timestamp. |
| Cymulate.Simulations.Agent | String | Agent connected to the attack. |
| Cymulate.Simulations.Template | String | Attack template. |

Command Example#

!cymulate-simulations-id-list module="kill-chain" from_date="2021-01-01"

Context Example#

{
"Cymulate": {
"Simulations": [
{
"Agent": "Cymulate_agent_2",
"ID": "id_b1",
"Template": "Cobalt Group",
"Timestamp": "2021-03-01 10:15:58.230000"
},
{
"Agent": "Cymulate_agent_2",
"ID": "id_b2",
"Template": "Cobalt Group",
"Timestamp": "2021-02-25 16:56:33.871000"
},
{
"Agent": "info@cymulate.com",
"ID": "id_b3",
"Template": "Cobalt Group",
"Timestamp": "2021-02-23 11:00:50.988000"
}
]
}
}

Human Readable Output#

Displaying 3/3 Attack IDs:#

| Agent | ID | Template | Timestamp |
|---|---|---|---|
| Cymulate_agent_2 | id_b1 | Cobalt Group | 2021-03-01 10:15:58.230000 |
| Cymulate_agent_2 | id_b2 | Cobalt Group | 2021-02-25 16:56:33.871000 |
| info@cymulate.com | id_b3 | Cobalt Group | 2021-02-23 11:00:50.988000 |