Includes a detailed action result with attack start and end time, log and alert time, and attack-module-based details (payloads, terminal log, file name, sha256, md5, sha1).
Protocol-based results are also available.
About
The Action Details endpoint returns the simulation result for a single action, identified by action ID, threat ID, simulation ID and simulation run ID. Action IDs can be obtained from the Action Details List endpoint.
The response contains the action's prevention / detection result and its protocol-based result.
Action name, description, attack start / end time, MITRE ATT&CK tactic / technique, Unified Kill Chain phase and stage, affected platforms / OS, and attack module / category are included.
Module-based information such as payloads and process results is also included. If the simulation is enriched with detection analysis, the response also carries a detection analysis result containing the log analysis and alert analysis results.
Example
Get action details for action ID 2421, threat ID 4168, simulation ID 1 and simulation run ID 3:
curl --request GET \
--url https://api.picussecurity.com/v1/simulations/1/run/3/threats/4168/actions/2421 \
--header 'Accept: application/json' \
--header 'Authorization: Bearer access_token'
{
  "action_id": 2421,
  "action_name": "Execute Mimikatz DPAPI module",
  "description": "The Mimikatz DPAPI module provides capability to extract Windows stored (and protected) credential data using DPAPI. DPAPI is the official Windows method to protect (encrypt) local data (usually passwords).",
  "started_at": 1654793193000,
  "completed_at": 1654793197000,
  "frameworks": {
    "mitre": {
      "tactic_id": "TA0006",
      "tactic": "Credential Access",
      "technique": "OS Credential Dumping",
      "technique_id": "T1003"
    },
    "ukc": {
      "phase": "Credential Access",
      "stage": "Network Propagation"
    }
  },
  "affected_platforms": [
    {
      "platform": "Windows 10",
      "architecture": "64-bit",
      "os": "Windows"
    },
    {
      "platform": "Windows 8.1",
      "architecture": "64-bit",
      "os": "Windows"
    },
    {
      "platform": "Windows 7",
      "architecture": "64-bit",
      "os": "Windows"
    }
  ],
  "affected_os": [
    "Windows"
  ],
  "display_id": 11679,
  "category": "Attack Scenario",
  "attack_module": "Endpoint Scenario",
  "node_id": 2,
  "prevention": "unblocked",
  "has_detection_analysis": true,
  "detection_analysis": {
    "has_log_analysis": true,
    "has_alert_analysis": true,
    "log_result": "Not Logged",
    "alert_result": "Alerted",
    "integration_based_results": [
      {
        "product_name": "Crowdstrike",
        "integration_id": 110,
        "status": "Completed",
        "has_log_analysis": false,
        "has_alert_analysis": true,
        "alert": {
          "alert_result": "Not Alerted"
        }
      },
      {
        "product_name": "Sentinel One",
        "integration_id": 134,
        "status": "Completed",
        "has_log_analysis": true,
        "log": {
          "log_result": "Not Logged"
        },
        "has_alert_analysis": true,
        "alert": {
          "alert_result": "Alerted",
          "alerted_time": 1654793196880
        }
      }
    ]
  },
  "module_based_results": {
    "process_results": [
      {
        "id": 5081,
        "name": "Process 1",
        "command": "mimikatz220x64.exe \"dpapi::chrome /in:\\\"C:\\Users\\**\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data\\\"\" \"exit\"",
        "log_content": ".#####. mimikatz 2.2.0 (x64) #17763 Apr 15 2019 01:18:12\r\n .## ^ ##. \"A La Vie, A L'Amour\" - (oe.eo)\r\n ## / \\ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )\r\n ## \\ / ## > http://blog.gentilkiwi.com/mimikatz\r\n '## v ##' Vincent LE TOUX ( [email protected] )\r\n '#####' > http://pingcastle.com / http://mysmartlogon.com ***/\r\n\r\nmimikatz(commandline) # dpapi::chrome /in:\"C:\\Users\\NG-Det1\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data\"\r\nERROR kuhl_m_dpapi_chrome_isTableExist ; sqlite3_prepare_v2: malformed database schema (logins) - near \"AUTOINCREMENT\": syntax error\r\nERROR kuhl_m_dpapi_chrome_isTableExist ; sqlite3_prepare_v2: malformed database schema (logins) - near \"AUTOINCREMENT\": syntax error\r\nERROR kuhl_m_dpapi_chrome ; Neither the table 'logins' or the table 'cookies' exist!\r\n\r\nmimikatz(commandline) # exit\r\nBye!"
      }
    ]
  }
}
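As an added example (not part of the Picus documentation or API client), the following Python reduces a response of this shape to a per-integration detection summary. The sample dict is a constructed, trimmed copy of the response above; the control-gap rule (action unblocked, integration neither logged nor alerted) and the latency measured from the attack start time are this example's own conventions, not fields the API provides.

```python
from datetime import datetime, timezone

# Constructed sample: a trimmed copy of the response shape documented above.
# Timestamps are Unix epoch milliseconds, as in the page's example.
SAMPLE_ACTION = {
    "action_id": 2421,
    "started_at": 1654793193000,
    "completed_at": 1654793197000,
    "prevention": "unblocked",
    "detection_analysis": {
        "log_result": "Not Logged",
        "alert_result": "Alerted",
        "integration_based_results": [
            {"product_name": "Crowdstrike", "integration_id": 110, "status": "Completed",
             "has_log_analysis": False, "has_alert_analysis": True,
             "alert": {"alert_result": "Not Alerted"}},
            {"product_name": "Sentinel One", "integration_id": 134, "status": "Completed",
             "has_log_analysis": True, "log": {"log_result": "Not Logged"},
             "has_alert_analysis": True,
             "alert": {"alert_result": "Alerted", "alerted_time": 1654793196880}},
        ],
    },
}


def ms_to_iso(ms):
    """Render an epoch-millisecond timestamp as UTC ISO 8601."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()


def summarise_action(action):
    """Reduce one action result to per-integration findings plus control gaps.

    Gap rule (this example's convention): the action ran unblocked and the
    integration neither logged nor alerted. Alert latency is measured from
    the attack start so it can be trended across simulation runs.
    """
    started = action["started_at"]
    unblocked = action["prevention"] == "unblocked"
    findings, gaps = [], []
    for integ in action.get("detection_analysis", {}).get("integration_based_results", []):
        log_result = integ.get("log", {}).get("log_result") if integ.get("has_log_analysis") else "N/A"
        alert = integ.get("alert", {}) if integ.get("has_alert_analysis") else {}
        alert_result = alert.get("alert_result", "N/A")
        latency = alert["alerted_time"] - started if "alerted_time" in alert else None
        findings.append({"product": integ["product_name"], "integration_id": integ["integration_id"],
                         "log": log_result, "alert": alert_result, "alert_latency_ms": latency})
        if unblocked and log_result in ("Not Logged", "N/A") and alert_result in ("Not Alerted", "N/A"):
            gaps.append(integ["product_name"])
    return {"action_id": action["action_id"], "started_at": ms_to_iso(started),
            "duration_ms": action["completed_at"] - started,
            "prevention": action["prevention"], "findings": findings, "gaps": gaps}
```

Run over the sample, the summary flags Crowdstrike as a gap and reports a 3880 ms alert latency for Sentinel One, which is the kind of per-control metric worth trending across simulation run IDs.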
Node Id
Each action has a node ID. The same action can be included more than once in a single threat, and the node ID is what distinguishes those occurrences from each other.
- The node ID is optional. If you do not pass a node ID, the endpoint returns the first occurrence of the action.
- If a threat contains the same action more than once, pass the node ID to get the result of a specific occurrence.