BOOK THIS SPACE FOR AD
ARTICLE ADForeword
Restore the host if anything suspicious occurs.Keep up with patches on the virtualisation software, zero days are a thing.FlareVM — Windows Based lab by FireEye — Tutorial on how to install here
REMnux — Linux Based lab maintained by Lenny Zeltser
Hardened version of Ubuntu required as Host OS. (Use Linux if the malware sample targets Windows to avoid any outbreak otherwise us Windows if it targets Linux!)
Fakenet — Simulates network requests for malwareINetSim — Simulates services on your machineWireshark — Record your network activityProcess Hacker — Observes running processesProcess Dump — Hashes all processes before detonating malware to check against new hashes after malware detonated to identify suspicious processes.Process Monitor — records local system interactionsProcDOT — Cleans up and visualises Process Monitor data. Good for final report!Ninite — Use this when setting up your VM — installs a ton of apps like Office, Browsers, Skype etc… This makes the machine look normal as certain malware will check for these and if it believes its a fresh installed machine, it’ll close and assume its in a VM.Set a unique desktop background and create some fake office documents to make the machine appear more of a normal machine.Hardening both host and guest with AntiVMDetection: http://byte-atlas.blogspot.com/2017/02/hardening-vbox-win7x64.html
Paranoid Fish, tests your OS for how detectable it could be by malware: https://github.com/joesecurity/pafishmacro
So I do things slightly different, I send logs to Splunk i.e. Sysmon, Snort, Windows Firewall etc. essentially setting up an entire lab environment. Gathering things like Windows logs, gives me a chance to create SIEM rules in production too.
Default Gateway Note
If you want to utilise the likes of FakeNET, iNetsim and Wireshark… Drop another VM in and set that as your default gateway, run FakeNET, iNetSim and Wireshark on the default gateway VM, malware should now be tricked into connections and they will be logged on the wire.
There are several benefits to logging to Splunk and installing an IDS in the malware environment. All of these additional instances will re-side in virtual non-networked servers within the malware analysis machine.
Enabling System Monitor (Sysmon) on the Dynamic analysis VM in conjunction with SwiftOnSecurity’s config allows us to feed all event information into the Splunk instance using a forwarder.
Splunk use case whitepaper: https://cyberoregon.com/wp-content/uploads/2017/11/White-Paper-Security-Use-Case-Detecting-Unknown-Malware.pdf
MSDN Sysmon: https://docs.microsoft.com/en-gb/sysinternals/downloads/sysmon
Config: https://github.com/SwiftOnSecurity/sysmon-config
Ideal for seeing what type of logging and alerting will be generated by particular attack tactics and techniquesIdeal for modelling what type of logs and forensics artifacts to look for by analysing malware that informs our threat model, as a likely future digital forensics investigationData logged into Splunk from malware investigations can then be exported as CSV (Or other formats, JSON) and imported into your SIEM for threat hunting and informing the improvement of your current detection methods.The aim with SIEM for malware analysis is that you can use this to threat hunt and develop detection methods, signatures and a better understanding retrospectively of what we seen when malware executed. When executing malware you’re going to be looking at alot of different panels such as ProcessHacker and Wireshark, so by logging into a SIEM like Splunk (ELK, QRadar and the rest), you’re never gonna miss anything as you can just go back over it later!