SBM Labs

Cyber Security Collaboration Project

Google Rapid Response. Introduction.
23 Nov 2017

How do you collect evidence during a security incident investigation? Where do you store it? Who has access to it?

I am going to give a short overview of a useful forensic framework: Google Rapid Response.

1. Installation.

Simple PHP Backdoor
05 Jul 2017

Your website was defaced and its position in search results dropped? Unfortunately, you were hacked.

Let's look at a real case of a successful attack.

1. Check web-server logs.

First of all, search the logs for suspicious POST requests. Read more...

Spam-Infected Website
08 Jun 2017

Suddenly your monitoring system has detected a lot of messages in the mail service queue. Possibly your host is spam-infected. First of all, check who initiates the sending of e-mails. In our case it was an unknown script, error2.php.

Let's check the script content.

As you can see, the script error2.php was obfuscated. It used an associative array and a base64 decoder to obtain the decoded string, which is then passed to the eval function. Read more...

Skype Account Compromise
23 Mar 2017

Let's look at the case when your Skype account has been hacked, for example in order to ask your contact list for financial help.

What about Skype recommendations?

OK. But what should we do if the attacker has changed the password and updated the security info? Read more...

MISP - Threat Sharing Platform. API.
01 Mar 2017

Let's look at the MISP API and its usage.

You can download and use PyMISP (a Python library) to access MISP via its REST API. Using PyMISP you can create, edit and delete events and their attributes. For more information visit the official page on GitHub.

1. Installation.

MISP - Threat Sharing Platform. Events.
13 Jan 2017

In the article "MISP - Threat Sharing Platform. Installation." we discussed the ways to get a MISP instance. Now let's look at the event creation process and integration with third-party sources of IOCs.

There are three steps in the event creation process.

1. Add event.

MISP - Threat Sharing Platform. Installation.
15 Dec 2016

Do you know MISP?

MISP (Malware Information Sharing Platform) is a platform for storing, correlating and sharing indicators of compromise. You can find more information on the MISP Project site.

Now we are going to install MISP. We will use Ubuntu 16.04 Server and the official installation guide.

As a result you will see the following web UI. Read more...

Brute-Force LDAP accounts with Patator
18 Sep 2016

Despite the use of a password policy, LDAP users can still use dictionary passwords. Our aim is to test LDAP accounts for their security. We will use the tool patator for the analysis. It is a Python script.

First of all, we need to download patator.

Then we need to install ldap-utils.

Attack to encrypted Google Chrome cookies
29 Jul 2016

As you may know, Google Chrome cookies are encrypted. The encryption mechanism relies on the Windows Crypto API and uses the authentication data of the current user session. Such an implementation doesn't require any additional prompts to the user, but it has a weakness. Let's try to simulate an attack on Chrome cookies.

1. Download and install software.

Wi-Fi Attack. WPA2 Pre-Shared Key Cracking.
12 Jun 2016

In this article we will study how an attacker can get access to a Wi-Fi access point protected with WPA2 PSK. We will use the Kali Linux distribution and penetration testing tools such as aircrack-ng and crunch.

1. Get wireless network interface.

# iwconfig

2. Switch the wireless card into monitor mode.

Malware. Basic Static Analysis. Part 2.
17 Oct 2015

We started basic static malware analysis in the previous article. Let's continue.

1. Analysis of imported/exported functions.

There are a lot of useful libraries used by developers. These libraries can be linked by applications in different ways.

Static linking.

Malware. Basic Static Analysis. Part 1.
12 Sep 2015

Let's look at basic static malware analysis. The technique described below can be useful when you have detected an unknown executable file and strange host activity while your antivirus software has not detected any threat. Guided by this technique you can perform a quick file analysis and mitigate risks if necessary.

1. Check the file with several antivirus engines.

Memory dump analysis. Volatility.
15 Aug 2015

We reviewed how to obtain a memory dump from a remote host using winpmem in the last article. Let's look at the utility volatility in order to understand how we can analyze it.

Consider the real case when an Intrusion Detection System has detected a connection from an internal host to an external host on the Internet with low reputation (MALWARE_IP).

First of all we need to obtain a memory dump from the potentially infected host. Read more...

Memory dump analysis. WinPmem.
29 Jul 2015

You can get a lot of useful information from operating system memory dump analysis during an incident investigation: the list of running processes, live network connections, registry entries and so on. We are going to review one of the ways to get a memory dump from a remote host.

1. Connection to remote host.

First of all we need to check the status of the "Remote Registry" service on the remote host. Read more...

Centralized logs collection and analysis. Elasticsearch indices management.
16 May 2015

We reviewed "Centralized logs collection and analysis. Elasticsearch integration with correlation engine." earlier. Let's look at how we can manage and monitor Elasticsearch indices.

Assume that we have several locations: loc1, loc2 and loc3. The following nodes are installed in each location:

- Client nodes (Logstash) for receiving, filtering, normalization

Centralized logs collection and analysis. Elasticsearch integration with correlation engine.
28 Apr 2015

We discussed Elasticsearch cluster configuration in the last article. Let's review how to integrate Elasticsearch with a correlation engine.

We will set the tag "corr" on critical events and send them to the correlation engine. We will use the Syslog protocol and the OSSEC correlation engine for this task.

We configured collection of the Linux security log earlier. Read more...

Centralized logs collection and analysis. Elasticsearch cluster configuration.
24 Apr 2015

We discussed "Centralized logs collection and analysis. Elasticsearch, Logstash and Kibana. Introduction." in the last article. Let's review cluster configuration now.

For example, we have information systems located at three geographically distant datacenters. We are going to perform centralized collection of Linux OS logs using the Syslog protocol.

Now we will discuss the design of the Elasticsearch cluster.

Centralized logs collection and analysis. Elasticsearch, Logstash and Kibana. Introduction.
28 Mar 2015

One day an information security specialist begins to implement a solution for centralized log collection and analysis. Let's review how to do it using the open source ELK Stack. This solution is not a SIEM, but it can be integrated with a correlation engine. As a result it's possible to obtain a tool for security incident response.

The ELK Stack consists of 3 components (Elasticsearch, Logstash and Kibana) and allows you to create a distributed, fault-tolerant cluster for data. Read more...

Automated Malware Analysis in Sandbox
14 Mar 2015

Let's consider the case when you have discovered malware spreading (for example, over Skype) and your antivirus does not detect it. So you need fast malware analysis in order to take adequate measures to remove the threat from infected computers and prevent its spread.

We are going to use Sandboxie ( and Buster Sandbox Analyzer ( The essence of this analysis is launching the malware in an isolated environment and tracking its activity. Read more...

Bro Network Security Monitor use cases
07 Feb 2015

We examined how to install the Bro framework for network traffic analysis earlier. Let's now create several Bro scripts in order to test its functionality.

You should send a copy of the network traffic from the hosts to the Internet, captured before NAT, to the Bro network interface.

1. Detect connections to the attacker's server.

Bro framework for network traffic analysis
17 Jan 2015

Let's review the network traffic analysis tool Bro Network Security Monitor (

1. Bro installation.

Create a test virtual machine and install CentOS 6.6.

Download the Bro binary package and install it. The Bro (full) package version 2.3.2 was used in this article. Read more...

Implementation of Enterprise Mobility Management. First steps
29 Nov 2014

1. Determine the risks associated with the use of mobile devices for business purposes (BYOD).

- Loss or theft of the device.
- Insecure configuration.
- Malware.

2. Determine the requirements for Enterprise Mobility Management (EMM).

Pentester tools. Mozilla Firefox + Burp Suite + Tor
10 May 2014

Burp Suite is a set of tools integrated in one platform for web application security auditing. Let's configure Burp Suite to work with the Mozilla Firefox browser and the Tor anonymizer.

We will use Ubuntu Desktop 12.04 LTS.

Configuration of Mozilla Firefox.

Protection of CMS Joomla administration panel
30 Mar 2014

You should take several steps in order to protect the administration panel of CMS Joomla.

1. Brute-force protection.

Install the plugin authentication_captcha and enable it.

2. Change the default URL of the administration panel.

CAPTCHA vs Brute-Force Attack
09 Feb 2014

Brute force is one of the most popular attacks for hacking user accounts. Recently developers have started to think about security more and implement different protection mechanisms in order to increase site security, for example CAPTCHA. This measure complicates the work of the hacker, but only until a weakness in the CAPTCHA implementation is found.

Let's look at a real case when an attacker could brute-force user accounts. It was an online shop which was protected by CAPTCHA. Read more...

Theft of American Express, Visa and MasterCard card data
06 Oct 2013

Let's consider how an attacker can steal cardholder data using social engineering.

The attacker sends an e-mail saying that the cardholder information needs to be verified. A phishing HTML attachment is used in order to gather this information. See below.

The function document.write() writes the obtained value to the document, and the function unescape() decodes the string into ASCII. See the HTML result below. Read more...

Bypass firewall using HTTP tunnel
21 Sep 2013

We are going to look at how a corporate firewall can be bypassed using an HTTP tunnel. This technology encapsulates network traffic in HTTP packets. The packets are then sent to the HTTP tunnel server, unpacked and forwarded to the destination host. So you can access any host on any port if HTTP traffic is not restricted on the firewall.

Let's do it.

Metasploit vs Software Updates
13 Feb 2012

We are going to look at how an attacker can get access to a remote host if updates are not installed. First we scan the host with Nessus Vulnerability Scanner.

There are 2 critical vulnerabilities in the scan results. Then we will use Metasploit in order to attack the system.

As you can see, we have access to the remote host with system rights. Read more...

ARP Spoofing
16 Jan 2012

We are going to find out how an attacker can steal user credentials using ARP spoofing.

This kind of attack consists of poisoning the ARP cache of network equipment and computers. The hacker can do it by sending fake ARP responses within the subnet.

Traffic delivery within a subnet is based on MAC addresses. An ARP response contains the mapping between the IP and MAC addresses of the user's computer. Read more...

OSSEC. Use Cases.
15 Apr 2011

In this article we will review several OSSEC use cases and create custom decoders and rules.

1. Unauthorized attempts to use privileged access.

Let's try to create a custom OSSEC correlation rule in order to monitor failed "sudo" attempts in Linux.

First of all we need to create a custom decoder. Read more...

OSSEC. Introduction.
11 Mar 2011

OSSEC (Open Source SECurity) is an open source correlation and analysis engine. It consists of server software and agents.

The OSSEC server runs on Linux. First of all, the security administrator should determine whether information needs to be stored in a database or not. If so, it's necessary to install a database engine (for example, MySQL or PostgreSQL) and activate database support (make setdb) before installing OSSEC. Read more...