MA-00 — Lab Architecture and build tips


Foreword

  • Revert to a clean snapshot (or rebuild the host) if anything suspicious occurs; never keep working on a machine you suspect the sample reached.
  • Keep the virtualisation software patched. Guest-to-host escape vulnerabilities exist, and an unpatched hypervisor is the only thing between the sample and your host.

Static analysis lab build

FlareVM — Windows-based lab by FireEye's FLARE team — Tutorial on how to install here

REMnux — Linux-based lab maintained by Lenny Zeltser

Dynamic analysis lab

A hardened Linux host (Ubuntu) is recommended as the host OS. The rule is to run a host the sample cannot execute on: use Linux if the sample targets Windows, and Windows if it targets Linux, so a guest escape has nowhere to land and an outbreak is far less likely.

Dynamic analysis toolbelt:

  • FakeNet — Fakes the network services malware expects (DNS, HTTP, SMTP and so on) and answers its requests, so the sample keeps running without ever reaching the internet
  • INetSim — Simulates common internet services on a Linux box; the classic choice for the gateway VM
  • Wireshark — Records your network activity on the wire
  • Process Hacker — Observes running processes, handles, loaded modules and network connections
  • Process Dump — Hashes all running processes before detonation so you can compare against the post-detonation set; anything new or changed stands out as suspicious and can be dumped
  • Process Monitor — Records local system interactions (file, registry, process and network events)
  • ProcDOT — Cleans up and visualises Process Monitor data. Good for the final report!
  • Ninite — Use this when setting up your VM. It installs a ton of apps (Office, browsers, Skype etc.) in one go, which makes the machine look used. Some malware checks for these, and if it believes it's on a freshly installed machine it assumes it's in a VM and exits.
  • Set a unique desktop background and create some fake office documents so the machine looks like a normal user's workstation rather than an analysis box.

Articles on how to harden the labs:

Hardening both host and guest with AntiVMDetection: http://byte-atlas.blogspot.com/2017/02/hardening-vbox-win7x64.html

Paranoid Fish, tests your OS for how detectable it could be by malware: https://github.com/joesecurity/pafishmacro

Architecture diagram

So I do things slightly differently: I send logs to Splunk, e.g. Sysmon, Snort, Windows Firewall etc., essentially setting up an entire lab environment. Gathering things like Windows logs gives me a chance to create SIEM rules for production too.

Default Gateway Note

If you want to use the likes of FakeNet, INetSim and Wireshark, drop another VM in and make it the default gateway (and DNS server) for the analysis VM. Run FakeNet or INetSim and Wireshark on that gateway VM: the sample's DNS lookups and outbound connections are answered there and logged on the wire, and nothing reaches the real internet. Put both VMs on an isolated (host-only or internal) virtual network with no route out, otherwise the gateway is the only thing stopping the sample from phoning home.
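As an added example (not code from the original post, nor from FakeNet or INetSim), here is a minimal DNS sinkhole of the kind those tools run on the gateway VM: every A query is answered with the gateway's own address, so whatever C2 domain the sample resolves points at a listener you control. The sink address 10.0.0.1, the listening port and the hypothetical query built by build_query are assumptions for offline testing.

```python
"""Minimal DNS sinkhole for the gateway VM (added example).

Every A query gets the gateway's own IP (SINK_IP) as the answer; other query
types get an empty NOERROR reply so the sample does not fall back to a
hardcoded address straight away. Run it on the gateway VM with the analysis
VM pointed at it as DNS server and default gateway.
"""
import socket
import struct

SINK_IP = "10.0.0.1"  # assumed address of the gateway VM on the isolated network


def parse_question(packet):
    """Return (txid, qname, qtype, raw_question_bytes) from a raw DNS query."""
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("only single-question queries are handled")
    pos = 12  # questions start right after the 12-byte header
    labels = []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    pos += 4
    return txid, ".".join(labels), qtype, packet[12:pos]


def build_response(packet, sink_ip=SINK_IP, ttl=60):
    """Build the sinkhole reply for a raw query; returns (reply_bytes, qname)."""
    txid, qname, qtype, question = parse_question(packet)
    flags = 0x8180  # QR=1 (response), RD=1, RA=1, RCODE=0 (NOERROR)
    if qtype != 1:  # not an A query: NOERROR with an empty answer section
        header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
        return header + question, qname
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)  # ANCOUNT=1
    # Name is a pointer to offset 12 (0xC00C), type A, class IN, TTL, RDLENGTH=4
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(sink_ip)
    return header + question + answer, qname


def build_query(qname, txid=0x1234, qtype=1):
    """Constructed query (what a stub resolver sends), used for offline testing."""
    name = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return header + name + struct.pack("!HH", qtype, 1)


def serve(bind="0.0.0.0", port=53, sink_ip=SINK_IP):
    """Answer every query on UDP/53 and log who asked for what."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, addr = sock.recvfrom(512)
        try:
            reply, qname = build_response(data, sink_ip)
        except (ValueError, IndexError, UnicodeDecodeError):
            continue  # malformed query: ignore rather than crash the gateway
        print(f"{addr[0]} asked for {qname} -> {sink_ip}")
        sock.sendto(reply, addr)


if __name__ == "__main__":
    serve()
```

The names the sample asks for are the first indicator you get from the gateway, so log them; Wireshark on the same VM then shows what the sample does once the connection lands on the listener.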

IDS and logging

There are several benefits to logging to Splunk and installing an IDS in the malware environment. All of these additional instances reside in virtual servers on the isolated lab network inside the malware analysis machine, reachable from the analysis VM for log forwarding but with no route to the internet.

Sysmon and SwiftOnSecurity config

Enabling System Monitor (Sysmon) on the dynamic analysis VM with SwiftOnSecurity's config lets a Splunk universal forwarder feed every Sysmon event (process creation, network connections, file and registry activity) into the Splunk instance.

Splunk use case whitepaper: https://cyberoregon.com/wp-content/uploads/2017/11/White-Paper-Security-Use-Case-Detecting-Unknown-Malware.pdf

Sysmon (Sysinternals docs): https://docs.microsoft.com/en-gb/sysinternals/downloads/sysmon

Config: https://github.com/SwiftOnSecurity/sysmon-config

Benefits of Splunk and IDS in a malware analysis lab

  • Ideal for seeing what logging and alerting particular attack tactics and techniques actually generate
  • Ideal for modelling which logs and forensic artefacts to look for: analysing the malware informs the threat model for a likely future digital forensics investigation
  • Data logged into Splunk from malware investigations can be exported (CSV, JSON or other formats) and imported into your production SIEM for threat hunting and for improving your current detection methods

The aim of a SIEM for malware analysis is to threat hunt, develop detection methods and signatures, and build a better understanding, retrospectively, of what we saw when the malware executed. When executing malware you are going to be looking at a lot of different panels such as Process Hacker and Wireshark, so by logging into a SIEM like Splunk (ELK, QRadar and the rest) you never miss anything: you can just go back over it later.
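As an added example (not code from the original post, and not part of Sysmon, the SwiftOnSecurity config or Splunk), here is the kind of retrospective hunt described above run in Python over Sysmon records. The two records of each type are constructed to mirror Sysmon event ID 1 (ProcessCreate) and event ID 3 (NetworkConnect) as exported from Microsoft-Windows-Sysmon/Operational; the paths, PIDs, command line and IP addresses are invented, and the gateway address 10.0.0.1 is an assumption. The two rules are ones the lab setup on this page makes useful: an Office application spawning a script or shell host (the fake office documents are there to trigger exactly this), and a network connection that did not go to the sinkhole gateway, which means the sample used a hardcoded address that DNS faking alone will not catch.

```python
"""Hunting over Sysmon events after a detonation (added example).

SAMPLE_LOG is constructed to look like Sysmon event ID 1 and 3 records
exported from Microsoft-Windows-Sysmon/Operational; all values are invented.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
SINK_IP = "10.0.0.1"  # assumed: address of the FakeNet/INetSim gateway VM


def parse_events(xml_text):
    """Flatten each <Event> into a dict of EventID plus its EventData fields."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("e:Event", NS):
        rec = {"EventID": int(ev.find("e:System/e:EventID", NS).text)}
        for data in ev.findall("e:EventData/e:Data", NS):
            rec[data.get("Name")] = (data.text or "").strip()
        events.append(rec)
    return events


def basename(path):
    """Case-insensitive file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events, sink_ip=SINK_IP):
    """Apply two rules and return (rule, pid, detail) tuples.

    office_spawn:       Office parent launched a script/shell host (maldoc behaviour)
    bypassed_sinkhole:  outbound connection not aimed at the gateway, i.e. the
                        sample used a hardcoded IP and needs redirecting at the
                        gateway (iptables/FakeNet rules), not just fake DNS
    """
    findings = []
    for e in events:
        if e["EventID"] == 1:
            if (basename(e.get("ParentImage", "")) in OFFICE_PARENTS
                    and basename(e.get("Image", "")) in SCRIPT_HOSTS):
                findings.append(("office_spawn", e["ProcessId"], e["CommandLine"]))
        elif e["EventID"] == 3:
            if e.get("DestinationIp") != sink_ip:
                findings.append(("bypassed_sinkhole", e["ProcessId"],
                                 f'{e["DestinationIp"]}:{e["DestinationPort"]}'))
    return findings


# Constructed records; 203.0.113.7 is a documentation address, not a real C2.
SAMPLE_LOG = r"""<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>1</EventID></System><EventData>
<Data Name="ProcessId">4120</Data>
<Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name="CommandLine">powershell -nop -w hidden -enc SQBFAFgA</Data>
<Data Name="ParentImage">C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE</Data>
</EventData></Event>
<Event><System><EventID>1</EventID></System><EventData>
<Data Name="ProcessId">5208</Data>
<Data Name="Image">C:\Windows\System32\notepad.exe</Data>
<Data Name="CommandLine">notepad.exe</Data>
<Data Name="ParentImage">C:\Windows\explorer.exe</Data>
</EventData></Event>
<Event><System><EventID>3</EventID></System><EventData>
<Data Name="ProcessId">4120</Data>
<Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name="DestinationIp">10.0.0.1</Data>
<Data Name="DestinationPort">443</Data>
</EventData></Event>
<Event><System><EventID>3</EventID></System><EventData>
<Data Name="ProcessId">4120</Data>
<Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name="DestinationIp">203.0.113.7</Data>
<Data Name="DestinationPort">8080</Data>
</EventData></Event>
</Events>"""


if __name__ == "__main__":
    for rule, pid, detail in hunt(parse_events(SAMPLE_LOG)):
        print(f"[{rule}] pid={pid} {detail}")
```

Both rules translate directly into saved searches once the events are in Splunk: the first is a search on EventCode 1 filtered by ParentImage and Image, the second a search on EventCode 3 excluding the gateway's address. Anything the second rule surfaces is also a to-do for the gateway VM, since that traffic needs redirecting to the listener rather than being answered by fake DNS.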

Sandboxes

Cuckoo Sandbox

Any.run

Hybrid Analysis

FAME (Friendly Malware Evaluation Framework): https://www.virusbulletin.com/virusbulletin/2017/11/fame-friendly-malware-evaluation-framework/

malwr.com

Twitter: @mikecybersec
