F8SEC

RESEARCH LAB

Dynamic correlation · detonation pipeline

Telemetry bar: WIN-DET · LNX-x86 · LNX-ARM · LNX-MIPS · INETSIM


Research Lab — Workflow
  1. Telemetry bar — all four VM dots and INETSIM must be green. If any are red, that det VM is offline; start it in PVE before proceeding.
  2. Click ✓ Preflight (shell panel header) — five zero-trust checks: network isolation, kernel lockdown, snapshot anchor, detonation VM integrity (821-824 stopped and vmbr8-only), and pivot-block (vmbr8→eth0 forwarding blocked). All five must pass before detonating.
  3. Browse the Loader — filter by EXE / ELF / DLL or by source (Triage / MTA / urlscan). Click any row to open the full correlation view: MalwareBazaar metadata, Triage scores, C2 configs, and MTA cross-references.
  4. Select VM + Detonate — pick the target platform in the detail header (821 Win / 822 LNX-x86 / 823 ARM / 824 MIPS), then click ⚗ Detonate. The pipeline downloads the sample from MalwareBazaar, SCPs it to the research VM, rolls the det VM back to its clean snapshot, and executes the sample under Sysmon / strace with full PCAP capture on the isolated INetSim network.
  5. Watch the shell panel — live JSON progress lines stream from the script. The default observation window is 90 s. The det VM is automatically rolled back to its clean snapshot on exit.
  6. Report populates automatically — the PCAP is sent to SIFT (10.90.90.22) for Zeek analysis (conn.log / dns.log / http.log). If SIFT is offline, the IOCs are marked zeek_pending and the analysis can be retriggered via POST /api/detonation/<run_id>/reanalyze once SIFT is back. An LLM analyst brief (Ollama llama3.1:8b) is then written to the DB.
Det VMs are isolated on vmbr8 (INetSim only — no real internet egress). The Research Shell (right panel) runs Claude CLI on the research VM and has full internet access for OSINT.
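A portable sketch of the preflight checks from step 2, added here as an example and not the Research Lab's own Preflight code. The VMIDs, bridge and uplink names come from the workflow above; the snapshot name "clean", the qm / iptables-save invocations and the sysfs lockdown path are assumptions. Each check takes the text it inspects as an argument, so it can be exercised on captured output away from the PVE host.

```shell
#!/bin/sh
# Added example, not the Research Lab's own Preflight code: a sketch of the
# detonation-VM checks, each taking the text it inspects as an argument so it can
# be run against captured output. Assumed: VMIDs 821-824, bridge vmbr8, uplink
# eth0, a snapshot literally named "clean", and a PVE host with qm/iptables-save.
DET_VMS="821 822 823 824"; DET_BRIDGE="vmbr8"; UPLINK="eth0"; SNAP="clean"

# Kernel lockdown: /sys/kernel/security/lockdown brackets the active mode.
check_lockdown() {
    case "$1" in *"[integrity]"*|*"[confidentiality]"*) return 0 ;; *) return 1 ;; esac
}

# VM integrity (1/2): "qm status VMID" must report the VM stopped.
check_vm_stopped() {
    case "$1" in "status: stopped"*) return 0 ;; *) return 1 ;; esac
}

# VM integrity (2/2): every netN: line of "qm config VMID" must sit on vmbr8,
# and the VM must have at least one NIC (it needs the INetSim network).
check_bridge_only() {
    printf '%s\n' "$1" | awk -v b="bridge=$DET_BRIDGE" '
        /^net[0-9]+:/ { n++; if (index($0, b) == 0) bad++ }
        END { exit (n == 0 || bad > 0) }'
}

# Snapshot anchor: "qm listsnapshot VMID" must list the clean snapshot.
check_snapshot() {
    printf '%s\n' "$1" | grep -qE -- "-> ${SNAP}( |\$)"
}

# Pivot-block: the filter table must hold a FORWARD rule dropping vmbr8->eth0.
# This proves the rule exists, not that no earlier ACCEPT rule shadows it.
check_pivot_block() {
    printf '%s\n' "$1" | grep -qE "^-A FORWARD .*-i $DET_BRIDGE .*-o $UPLINK .*-j (DROP|REJECT)"
}

# Live run on the PVE host (only when invoked with --run).
run_preflight() {
    rc=0
    check_lockdown "$(cat /sys/kernel/security/lockdown)" || { echo "FAIL kernel lockdown"; rc=1; }
    check_pivot_block "$(iptables-save -t filter)" || { echo "FAIL pivot-block"; rc=1; }
    for vm in $DET_VMS; do
        check_vm_stopped "$(qm status "$vm")" || { echo "FAIL $vm not stopped"; rc=1; }
        check_bridge_only "$(qm config "$vm")" || { echo "FAIL $vm not $DET_BRIDGE-only"; rc=1; }
        check_snapshot "$(qm listsnapshot "$vm")" || { echo "FAIL $vm lacks $SNAP snapshot"; rc=1; }
    done
    return $rc
}
if [ "${1:-}" = "--run" ]; then run_preflight; fi
```

A non-zero exit from run_preflight means at least one check printed a FAIL line; the script deliberately does not start, stop or roll back any VM itself.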

Research Shell

Claude CLI · research.vm (10.90.90.23) · full internet access