MA-00 — Lab Architecture and build tips

https://dribbble.com/shots/2689257-Research-icon

Foreword

  • Restore the host if anything suspicious occurs.

Static analysis lab build

FlareVM — Windows Based lab by FireEye — Tutorial on how to install here

REMnux — Linux Based lab maintained by Lenny Zeltser

Dynamic analysis lab

A hardened version of Ubuntu is required as the host OS. (Use a Linux host if the malware sample targets Windows, to avoid any outbreak; otherwise use Windows if it targets Linux!)

Dynamic analysis toolbelt:

  • Fakenet — Simulates network requests for malware

Articles on how to harden the labs:

Hardening both host and guest with AntiVMDetection: http://byte-atlas.blogspot.com/2017/02/hardening-vbox-win7x64.html

Paranoid Fish, which tests how detectable your OS could be by malware: https://github.com/joesecurity/pafishmacro

Architecture diagram

I do things slightly differently: I send logs (Sysmon, Snort, Windows Firewall etc.) to Splunk, essentially setting up an entire lab environment. Gathering things like Windows logs also gives me a chance to create SIEM rules in production too.

Default Gateway Note

If you want to use FakeNet, INetSim and Wireshark, drop in another VM and set it as your default gateway. Run FakeNet, INetSim and Wireshark on that gateway VM; the malware should now be tricked into making connections, and they will be logged on the wire.

IDS and logging

There are several benefits to logging to Splunk and installing an IDS in the malware environment. All of these additional instances will reside in virtual non-networked servers within the malware analysis machine.

Sysmon and SwiftOnSecurity config

Enabling System Monitor (Sysmon) on the Dynamic analysis VM in conjunction with SwiftOnSecurity’s config allows us to feed all event information into the Splunk instance using a forwarder.

Splunk use case whitepaper: https://cyberoregon.com/wp-content/uploads/2017/11/White-Paper-Security-Use-Case-Detecting-Unknown-Malware.pdf

MSDN Sysmon: https://docs.microsoft.com/en-gb/sysinternals/downloads/sysmon

Config: https://github.com/SwiftOnSecurity/sysmon-config

Benefits of Splunk and IDS in a malware analysis lab

  • Ideal for seeing what type of logging and alerting will be generated by particular attack tactics and techniques

The aim of a SIEM for malware analysis is that you can use it to threat hunt, develop detection methods and signatures, and build a better retrospective understanding of what we saw when the malware executed. When executing malware you're going to be looking at a lot of different panels, such as ProcessHacker and Wireshark, so by logging to a SIEM like Splunk (ELK, QRadar and the rest), you're never going to miss anything, as you can just go back over it later!
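As an added example (not code from the original post), the Python below does that retrospective pass over Sysmon events in Windows event XML form: it follows ProcessGuid and ParentProcessGuid from the detonated sample and keeps only the process, network and file activity of the sample and its descendants. The sample path, GUIDs, timestamps and addresses are constructed, and it assumes events are read in log order.

```python
import xml.etree.ElementTree as ET

NS = "http://schemas.microsoft.com/win/2004/08/events/event"

def parse(xml_text):
    """Turn one Sysmon <Event> element into (event_id, {field name: value})."""
    root = ET.fromstring(xml_text)
    eid = int(root.find(f"{{{NS}}}System/{{{NS}}}EventID").text)
    data = {d.get("Name"): d.text or "" for d in root.iter(f"{{{NS}}}Data")}
    return eid, data

def timeline(events_xml, sample_image):
    """Activity of the sample and every process descended from it, in log order."""
    tracked, out = set(), []
    for eid, d in map(parse, events_xml):
        guid = d.get("ProcessGuid")
        if eid == 1:  # ProcessCreate: track the sample and anything it spawns
            is_sample = d.get("Image", "").lower() == sample_image.lower()
            if is_sample or d.get("ParentProcessGuid") in tracked:
                tracked.add(guid)
                out.append((d["UtcTime"], "process", d["CommandLine"]))
        elif eid == 3 and guid in tracked:  # NetworkConnect
            out.append((d["UtcTime"], "network", f'{d["DestinationIp"]}:{d["DestinationPort"]}'))
        elif eid == 11 and guid in tracked:  # FileCreate
            out.append((d["UtcTime"], "file", d["TargetFilename"]))
    return out

def make_event(eid, utc, guid, **fields):
    """Build a minimal event in the Windows event XML layout (sample data only)."""
    fields.update(UtcTime=f"2024-01-01 {utc}.000", ProcessGuid=guid)
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS}"><System><EventID>{eid}</EventID></System>'
            f"<EventData>{body}</EventData></Event>")

# Constructed events, not from a real detonation: sample.exe spawns cmd.exe, which
# drops a file; the sample connects out; the svchost connection is unrelated noise.
EXE = r"C:\Users\lab\Desktop\sample.exe"
SAMPLE = [
    make_event(1, "10:00:01", "{p1}", ParentProcessGuid="{p0}", Image=EXE, CommandLine="sample.exe"),
    make_event(3, "10:00:02", "{p9}", Image=r"C:\Windows\System32\svchost.exe", DestinationIp="192.0.2.53", DestinationPort="53"),
    make_event(1, "10:00:03", "{p2}", ParentProcessGuid="{p1}", Image=r"C:\Windows\System32\cmd.exe", CommandLine="cmd.exe /c whoami"),
    make_event(11, "10:00:04", "{p2}", TargetFilename=r"C:\Users\lab\AppData\Local\Temp\upd.exe"),
    make_event(3, "10:00:05", "{p1}", Image=EXE, DestinationIp="192.0.2.10", DestinationPort="443"),
]

if __name__ == "__main__":
    for row in timeline(SAMPLE, EXE):
        print(*row, sep="  ")
```

The same parent/child join can be expressed as a SIEM search once the events are indexed; running it offline first makes it easy to confirm which fields a rule needs.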

Sandboxes

Cuckoo Sandbox

Any.run

Hybrid Analysis

https://www.virusbulletin.com/virusbulletin/2017/11/fame-friendly-malware-evaluation-framework/

malwr.com

Twitter: @mikecybersec