Checking The Malware Lab

I've been a bit busy practising for, and then competing in, a CTF this week, so I haven't had much time to do much building. So I thought I'd check in on the malware lab and ensure everything is configured and ready to go.

The malware lab comprises a FLARE-VM box and a REMnux box. They are isolated from the rest of the lab by a dedicated bridged network adapter, and from the lab itself by Proxmox's built-in firewall (checking this did get me thinking that I should look more into software-defined networking and perhaps put all labs behind an OPNsense firewall; that way I can control them more easily and get Suricata logs directly, something to think about). The firewall is set to drop any outbound packets not from and to the malware lab IP range (10.10.0.x).

Booting up both boxes, I first checked that they could communicate with each other, but not with the outside world or the host.

Next I ran INetSim on REMnux to check DNS was working correctly (FLARE uses REMnux as its DNS server so that REMnux can capture web traffic for examination with Wireshark).
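The isolation checks above are easy to script so they can be re-run after every snapshot revert. The following is an added example, not code from the original post: it carries a constructed per-VM Proxmox firewall file in the shape described above (outbound dropped unless the destination is in the lab /24) beside a weak variant that leaves outbound open, a function that audits such a file, and a live check that repeats the ping and DNS tests from a Linux lab VM. It assumes the lab range is 10.10.0.0/24, that Proxmox stores per-VM rules in /etc/pve/firewall/<vmid>.fw with `policy_out` and `-dest` options, that `dig` is installed on the VM (REMnux ships it), and that INetSim answers every DNS query with a single fake address; the peer and external addresses are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: lab VMs live in
# 10.10.0.0/24, Proxmox per-VM firewall files are /etc/pve/firewall/<vmid>.fw,
# and INetSim on the REMnux box answers every DNS query with one fake address.

# Constructed sample of a per-VM Proxmox firewall file matching the post:
# default DROP both ways, traffic allowed only when the other end is in the lab /24.
GOOD_FW='[OPTIONS]
enable: 1
policy_in: DROP
policy_out: DROP

[RULES]
IN ACCEPT -source 10.10.0.0/24 -log nolog
OUT ACCEPT -dest 10.10.0.0/24 -log nolog
'

# Constructed weak variant: outbound policy left at ACCEPT, so a sample on the
# box could reach the internet even though inbound looks locked down.
WEAK_FW='[OPTIONS]
enable: 1
policy_in: DROP
policy_out: ACCEPT

[RULES]
IN ACCEPT -source 10.10.0.0/24 -log nolog
'

# in_lab_range IP -> 0 if IP is inside the malware lab range, 1 otherwise.
in_lab_range() {
  case "$1" in
    10.10.0.*) return 0 ;;
    *)         return 1 ;;
  esac
}

# fw_isolated CONFIG_TEXT -> 0 if the firewall is enabled, drops outbound by
# default, and every OUT ACCEPT rule is restricted to the lab /24; 1 otherwise.
# Usage on the Proxmox host: fw_isolated "$(cat /etc/pve/firewall/<vmid>.fw)"
fw_isolated() {
  cfg="$1"
  printf '%s\n' "$cfg" | grep -q '^enable: 1' || return 1
  printf '%s\n' "$cfg" | grep -q '^policy_out: DROP' || return 1
  # any OUT ACCEPT rule whose destination is not the lab subnet is a leak
  if printf '%s\n' "$cfg" | grep '^OUT ACCEPT' | grep -v -- '-dest 10.10.0.0/24' | grep -q .; then
    return 1
  fi
  return 0
}

# lab_connectivity_check PEER EXTERNAL NAME -> repeats the manual checks from
# inside a Linux lab VM: the peer VM must answer a ping, an outside address must
# not, and a DNS lookup must land on the INetSim fake address (inside the lab)
# rather than a real one. Needs a network, so the offline test does not call it.
lab_connectivity_check() {
  peer="$1"; external="$2"; name="$3"; status=0
  if ping -c 1 -W 2 "$peer" >/dev/null 2>&1; then
    echo "OK   peer $peer reachable"
  else
    echo "FAIL peer $peer unreachable"; status=1
  fi
  if ping -c 1 -W 2 "$external" >/dev/null 2>&1; then
    echo "FAIL $external reachable: lab is not isolated"; status=1
  else
    echo "OK   $external unreachable"
  fi
  answer=$(dig +short +time=2 +tries=1 "@$peer" "$name" 2>/dev/null | head -n 1)
  if [ -n "$answer" ] && in_lab_range "$answer"; then
    echo "OK   $name -> $answer (INetSim answered)"
  else
    echo "FAIL $name -> '${answer:-no answer}' (expected an INetSim address in the lab range)"; status=1
  fi
  return $status
}

# Example invocation from the FLARE-VM side of the lab (placeholder addresses):
# lab_connectivity_check 10.10.0.2 1.1.1.1 example.com
```

Run `fw_isolated` on the Proxmox host against the real VM file before booting a sample, and `lab_connectivity_check` from inside the VM after reverting to the clean snapshot; a FAIL on the external ping is the one that matters most, since it means the bridge or firewall change made for downloading tools was not reverted.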

Now that the boxes were configured, I took a snapshot (clean), set FLARE to the public network adapter and disabled the firewall… I realised I didn't have any malware samples on the box. I also used this opportunity to check over some tools and download any that I'm missing. I realised the latest version of FLARE-VM didn't come with PEview; yes, it comes with PEstudio, but I like the simpler UI of PEview.

Following that… malware. I downloaded a few samples from vx-underground: Black Basta, AgentTesla, NanoCore, ViperSoftX and Gh0st RAT, some of the more commonly seen RATs, infostealers and ransomware. Hopefully in the next few days I can get time to look at them when my schedule frees up a bit. Finally I reverted the config changes made to FLARE, re-isolated the box and tested again. With everything set up and ready to go, I took another snapshot (infected).

So the next post should finally be getting around to the security bits.
Then it's time to build the Linux and Windows estates; lots of AD and Puppet fun…