MA-00 — Lab Architecture and build tips
Foreword
- Restore the host if anything suspicious occurs.
- Keep up with patches on the virtualisation software, zero days are a thing.
Static analysis lab build
FlareVM — Windows Based lab by FireEye — Tutorial on how to install here
REMnux — Linux Based lab maintained by Lenny Zeltser
Dynamic analysis lab
Hardened version of Ubuntu required as Host OS. (Use Linux if the malware sample targets Windows to avoid any outbreak otherwise us Windows if it targets Linux!)
Dynamic analysis toolbelt:
- Fakenet — Simulates network requests for malware
- INetSim — Simulates services on your machine
- Wireshark — Record your network activity
- Process Hacker — Observes running processes
- Process Dump — Hashes all processes before detonating malware to check against new hashes after malware detonated to identify suspicious processes.
- Process Monitor — records local system interactions
- ProcDOT — Cleans up and visualises Process Monitor data. Good for final report!
- Ninite — Use this when setting up your VM — installs a ton of apps like Office, Browsers, Skype etc… This makes the machine look normal as certain malware will check for these and if it believes its a fresh installed machine, it’ll close and assume its in a VM.
- Set a unique desktop background and create some fake office documents to make the machine appear more of a normal machine.
Articles on how to harden the labs:
Hardening both host and guest with AntiVMDetection: http://byte-atlas.blogspot.com/2017/02/hardening-vbox-win7x64.html
Paranoid Fish, tests your OS for how detectable it could be by malware: https://github.com/joesecurity/pafishmacro
Architecture diagram
So I do things slightly different, I send logs to Splunk i.e. Sysmon, Snort, Windows Firewall etc. essentially setting up an entire lab environment. Gathering things like Windows logs, gives me a chance to create SIEM rules in production too.
Default Gateway Note
If you want to utilise the likes of FakeNET, iNetsim and Wireshark… Drop another VM in and set that as your default gateway, run FakeNET, iNetSim and Wireshark on the default gateway VM, malware should now be tricked into connections and they will be logged on the wire.
IDS and logging
There are several benefits to logging to Splunk and installing an IDS in the malware environment. All of these additional instances will re-side in virtual non-networked servers within the malware analysis machine.
Sysmon and SwiftOnSecurity config
Enabling System Monitor (Sysmon) on the Dynamic analysis VM in conjunction with SwiftOnSecurity’s config allows us to feed all event information into the Splunk instance using a forwarder.
Splunk use case whitepaper: https://cyberoregon.com/wp-content/uploads/2017/11/White-Paper-Security-Use-Case-Detecting-Unknown-Malware.pdf
MSDN Sysmon: https://docs.microsoft.com/en-gb/sysinternals/downloads/sysmon
Config: https://github.com/SwiftOnSecurity/sysmon-config
Benefits of Splunk and IDS in a malware analysis lab
- Ideal for seeing what type of logging and alerting will be generated by particular attack tactics and techniques
- Ideal for modelling what type of logs and forensics artifacts to look for by analysing malware that informs our threat model, as a likely future digital forensics investigation
- Data logged into Splunk from malware investigations can then be exported as CSV (Or other formats, JSON) and imported into your SIEM for threat hunting and informing the improvement of your current detection methods.
The aim with SIEM for malware analysis is that you can use this to threat hunt and develop detection methods, signatures and a better understanding retrospectively of what we seen when malware executed. When executing malware you’re going to be looking at alot of different panels such as ProcessHacker and Wireshark, so by logging into a SIEM like Splunk (ELK, QRadar and the rest), you’re never gonna miss anything as you can just go back over it later!
