Emulation Results
Last updated
Last updated
When the emulation is completed, the EVE agent sends the results to the Platform. The user can see the details of what happened during the emulation.
Once EVE identifies that a cyber-attack / emulation cannot be halted at the security controls level, the solution platform discloses this information along with potential remediation alternatives that it can provide for the organization’s security teams such as firewall, IDS/IPS, NDR, SIEM, EDR, AV, XDR, SOC or any other.
After the completion of the emulation, EVE provide a report detailing the obtained results and the success level of the attack simulation or emulation. The report include associated recommendations.
To view the results of an Emulation, follow the steps below:
The Emulation Report section will open, which presents in detail what was seen during the emulation. In this section the user can find different elements and actions on the emulation.
This mode allows the user to see the results of the emulation from an attacker's point of view.
The defense mode can be identified by the blue color in the margin of the other sections.
This mode allows the user to see the results of the emulation from the defense point of view.
EVE allows the download of direct reports in PDF format or xlsx. of the selected Emulation.
Displays the number of hosts that took part in the emulation, the count of Emulations performed and the emulation vector.
Four widgets display information on the percentage of successful and unsuccessful Emulations as well as the number of artifacts that were successfully and unsuccessfully executed.
The results of the emulation are presented in table form in general form as: Hostname, Advanced Results, Created, Updated and Status.
The results of the emulation detailed by artifacts are presented in the form of a table. The information presented corresponds to:
Hostname: Name of the Endpoint that received the artifact.
File: Name of the Artifact sent.
Package: Name of the package to which the artifact belongs.
Start: Information about the date and time when the emulation of the device was started. If the device is stopped by a security solution and prevents emulation, Not Start will be displayed.
Finish: Information about the date and time when the emulation of the artifact was finished. If the artifact is stopped by some security solution and prevents emulation, Not Finish will be displayed.
Emulation Status: in this column will display the message Success if the artifact was executed on the Endpoint. The message Fail will show that the artifact did not run on the Endpoint.
Actions. Click the Actions option to display information about the sample selected. The following information is presented: Name : Name of the sample. Start emulation: Timestamp of the emulation start. Finish emulation: Timestamp of the emulation end. Status : Complete emulation of the sample [true/false]. Callback : Configured in the sample load [true/false]. C2 : callback communication to EVE server. Interpretation of the Sample: A short description of the overall state of cybersecurity based on the emulation result. This is just based on the EVE results and should not be considered as a final state. Show emulation msg. Click on the button to obtain details on the operations EVE perform managing the samples. A successful emulation operation (without considering the results of the vectors) will this play the artifact step messages. Depending on the type of emulation, these messages will show: Phase one: Downloaded artifact. Phase two: Downloaded artifact persists. Phase three: Artifact moved to temporary folder. Phase four: Artifact moved to temporary folder persists. Phase five: Executed Artifact. Phase six: Artifact execution persists. Follow Actions: For each sample, basic resolution mitigations will be presented for each vector. These resolutions are related to the File Level Results Table meaning that only will display information about the vectors that were vulnerated from the attackers perspective or not stopped from the Defense perspective. Usually, Network and Endpoint vector will show the same resolution mitigations that include: Ø MD5, SHA1, SHA256. Ø String based YARA Rule. Ø MITRE ATT&CK Mitigations. EVE is able to display success/failure scenarios within the MITRE ATT&CK framework on a tactical and technical basis in the web interface. This has to do with the success rate of the samples based on each vector. The Techniques and sub-Techniques are mapped to the related Mitigations provided by MITRE. For more information go to: https://attack.mitre.org/mitigations/enterprise/ Ø Callback resolution mitigations will be presented only for zero-day samples. or the information added in this filed included on the sample load.
Package Description. The description of the package sent in the emulation is displayed.
MITRE Attack Applied Describes each of the MITRE ATT&CK Tactics used in the package.
Attack Life Cycle Graphically shows in which phases of the life cycle of an attack the emulation package is active. This graph is merely illustrative and do not necessarily show that all the attack life cycle presented was performed.
On the Emulations "On Demand table", click on the button corresponding to the desired Emulation in the Reports column .
By default, the attack view and perspective are shown. It can be found by the red color in the margin of the other sections and by the top button is in "Attack Mode".
To switch to defense mode click on the "Attack Mode" button to change it to "Defense Mode".
Click on the button to display a window with the count of sent, with errors and successful Emulations.
Network Vector: in this column will show with the indicator if the artifact was not able to breach the network vector. The indicator states that the artifact was able to breach the network vector. To breach the network vector means that the sample was able to download on the endpoint.
Endpoint Vector: in this column will show with the indicator if the artifact was not able to breach the Endpoint vector. The indicator states that the artifact was able to breach the Endpoint vector and survived on the endpoint the default time.
Execution: in this column will show with the indicator if the artifact was not able to run on the Endpoint the default time. The indicator states that the artifact was able to execute on the Endpoint the entire default time.
C2 : will show with the indicator if the EVE Platform did not receive a callback from the artifact upon emulation. The indicator states that the EVE Platform did receive a callback from the artifact upon emulation. For more information on samples with callback functionality.
