# Azure Malware Lab: Flare Template

Now that we have our [[Azure Malware Lab Network Build]] and [[Azure Malware Lab VM Templates]] built, it is time to configure these images with the tools and malware samples we need to start reverse engineering malware in our lab environment.

First, we need to install our tools. We will be deploying [Flare](https://github.com/mandiant/flare-vm), a reverse engineering toolkit created by Mandiant, on our Windows 10 virtual machine, and [REMnux](https://docs.remnux.org/install-distro/install-from-scratch) on our Ubuntu minimal OS deployment.

## Initial Snapshots

Before we dive into anything fun, we need to take an initial snapshot of both templates with just the base operating system installed. It's pretty straightforward: head over to the Snapshots section of the Azure Portal and click **Create**. Use these settings for the first snapshot:

- Resource group: _Template_RG_
- Name: _Flare_Template_BaseOS_
- Region: Closest to you
- Snapshot Type: _Incremental_
- Source Type: _Disk_
- Source Disk: _Flare-Template OS_

You can skip past Encryption. When you get to Networking, set Network Access to **Disable public and private access**, then skip through to Review and create.

Once that's done, do the same for REMnux:

- Resource group: _Template_RG_
- Name: _Remnux_Template_BaseOS_
- Region: Closest to you
- Snapshot Type: _Incremental_
- Source Type: _Disk_
- Source Disk: _REMnux-Template OS_

Now, let's get to the interesting part!

## Flare

>[!check]
>This machine should be connected to the _sky_net_ vNet to enable internet connectivity.

First up, you'll need to connect to the Flare template via the public IP address it has been assigned. (Quick tip: setting up JIT access on these templates is recommended, but if you don't want to pay for the licence to use that, you can just add the rule to the NSG attached to the VM, scoped to your own source address rather than Any.)
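If you take the NSG route, keep the inbound RDP rule pinned to a single admin address. The following is an added example using the Az PowerShell module, not code from the original post; the NSG name `Flare-Template-nsg`, the resource group and a signed-in Az session are assumptions to adjust for your build.

```powershell
# Added example (not from the original post): scopes the inbound RDP rule on the
# template VM's NSG to one admin address instead of the whole internet.
# Assumes Az.Network is installed, you are signed in (Connect-AzAccount), and that
# the NSG name and resource group below match your build; adjust if they differ.
#Requires -Modules Az.Network

function Set-LabRdpRule {
    param(
        [Parameter(Mandatory)][string]$AdminIp,        # your current public IPv4, e.g. 203.0.113.10
        [string]$ResourceGroup = 'Template_RG',
        [string]$NsgName       = 'Flare-Template-nsg', # assumed NSG name
        [string]$RuleName      = 'Allow-RDP-Admin'
    )
    # Refuse anything that is not a single IPv4 host; a CIDR here would silently widen access.
    if ($AdminIp -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { throw "AdminIp must be a single IPv4 address" }

    $nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroup -Name $NsgName

    # Replace an earlier copy of the rule so the address is updated rather than duplicated.
    if ($nsg.SecurityRules | Where-Object Name -eq $RuleName) {
        $nsg = Remove-AzNetworkSecurityRuleConfig -Name $RuleName -NetworkSecurityGroup $nsg
    }

    $nsg = Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name $RuleName `
        -Description 'RDP to lab template from admin workstation only' `
        -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
        -SourceAddressPrefix "$AdminIp/32" -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange 3389

    $nsg | Set-AzNetworkSecurityGroup | Out-Null

    # Warn about any other inbound rule that still allows RDP from everywhere.
    $nsg.SecurityRules | Where-Object {
        $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and $_.Name -ne $RuleName -and
        $_.DestinationPortRange -contains '3389' -and
        ($_.SourceAddressPrefix -contains '*' -or $_.SourceAddressPrefix -contains 'Internet')
    } | ForEach-Object { Write-Warning "Rule '$($_.Name)' still allows RDP from $($_.SourceAddressPrefix)" }
}

# Usage (203.0.113.10 is a documentation address; substitute your own):
Set-LabRdpRule -AdminIp 203.0.113.10
```

Re-run the function whenever your address changes; the old rule is replaced rather than stacked.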
Once you've sorted out your access on the NSG, grab the RDP file for the virtual machine and log in using the credentials from when you built the VM. There are a few things we need to sort out:

- Turn off the proxy
- Disable Defender, AV and real-time scans (this can be done via the local GPO `gpedit.msc` if you prefer; we will do it via the registry)
- Set the PowerShell execution policy to Bypass

To make this faster, the script below handles all of these settings for you and offers a system reboot to make sure everything sticks. On current Windows 10 builds, turn off Tamper Protection in the Windows Security app first; while it is on, Defender blocks the policy changes the script makes.

```PowerShell
# Requires elevation (Run as Administrator)
#Requires -RunAsAdministrator

function Test-Administrator {
    $user = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $user).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
}

if (-not (Test-Administrator)) {
    Write-Host "This script requires Administrator privileges. Please run as Administrator." -ForegroundColor Red
    exit 1
}

Write-Host "Disabling proxy settings and automatic detection..." -ForegroundColor Yellow
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name ProxyEnable -Value 0
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name ProxyServer -Value ""
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name AutoDetect -Value 0

# DefaultConnectionSettings is a binary blob; bit 0x08 of byte 8 is "Automatically detect settings"
$regKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections"
$defaultConnection = ([byte[]](Get-ItemProperty -Path $regKey -Name DefaultConnectionSettings).DefaultConnectionSettings)
$defaultConnection[8] = $defaultConnection[8] -band -bnot 8
Set-ItemProperty -Path $regKey -Name DefaultConnectionSettings -Value $defaultConnection

Write-Host "Setting PowerShell execution policy to Bypass..." -ForegroundColor Yellow
Set-ExecutionPolicy Bypass -Force

Write-Host "Disabling Windows Defender..." -ForegroundColor Yellow
$defenderRegistryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender"
if (!(Test-Path $defenderRegistryPath)) {
    New-Item -Path $defenderRegistryPath -Force | Out-Null
}
Set-ItemProperty -Path $defenderRegistryPath -Name "DisableAntiSpyware" -Value 1
Set-ItemProperty -Path $defenderRegistryPath -Name "DisableAntiVirus" -Value 1

$defenderSecurityCenterPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
if (!(Test-Path $defenderSecurityCenterPath)) {
    New-Item -Path $defenderSecurityCenterPath -Force | Out-Null
}
Set-ItemProperty -Path $defenderSecurityCenterPath -Name "DisableRealtimeMonitoring" -Value 1
Set-ItemProperty -Path $defenderSecurityCenterPath -Name "DisableBehaviorMonitoring" -Value 1
Set-ItemProperty -Path $defenderSecurityCenterPath -Name "DisableOnAccessProtection" -Value 1
Set-ItemProperty -Path $defenderSecurityCenterPath -Name "DisableScanOnRealtimeEnable" -Value 1

Write-Host "Disabling Windows Firewall profiles..." -ForegroundColor Yellow
Set-NetFirewallProfile -Profile Domain,Private -Enabled False

Write-Host "Configuring Local Group Policy settings..." -ForegroundColor Yellow
# Policy keys written with reg.exe: the Defender values again, plus the firewall policy
# values (EnableFirewall and DoNotAllowExceptions) that the verification script checks
$gpoCommands = @(
    'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f',
    'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiVirus /t REG_DWORD /d 1 /f',
    'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f',
    'reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall /t REG_DWORD /d 0 /f',
    'reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v DoNotAllowExceptions /t REG_DWORD /d 0 /f',
    'reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile" /v EnableFirewall /t REG_DWORD /d 0 /f',
    'reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile" /v DoNotAllowExceptions /t REG_DWORD /d 0 /f'
)
foreach ($command in $gpoCommands) {
    Write-Host "Executing: $command"
    Invoke-Expression $command
}

Write-Host "`nConfiguration complete. Please verify the following settings:" -ForegroundColor Green
Write-Host "1. Proxy settings and automatic detection disabled"
Write-Host "2. PowerShell execution policy set to Bypass"
Write-Host "3. Windows Defender disabled"
Write-Host "4. Real-time protection disabled"
Write-Host "5. Windows Firewall disabled for Domain and Private profiles"
Write-Host "6. Local Group Policy settings configured."

$restart = Read-Host "`nA system restart is recommended. Would you like to restart now? (Y/N)"
if ($restart -eq 'Y' -or $restart -eq 'y') {
    Restart-Computer -Force
}
```

After your machine comes back up, let's double-check that everything's configured properly with another PowerShell script.
```PowerShell
# Requires elevation (Run as Administrator)
#Requires -RunAsAdministrator

function Write-Status {
    param(
        [string]$Check,
        [bool]$Status
    )
    $icon  = if ($Status) { "[✓]" } else { "[✗]" }
    $color = if ($Status) { "Green" } else { "Red" }
    Write-Host "$icon $Check" -ForegroundColor $color
}

function Test-RegistryValue {
    param(
        [string]$Path,
        [string]$Name,
        [string]$ExpectedValue
    )
    try {
        # -ErrorAction Stop turns a missing key or value into a catchable error
        $actualValue = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return $actualValue.$Name -eq $ExpectedValue
    } catch {
        return $false
    }
}

Write-Host "`nVerifying Windows Configuration Settings" -ForegroundColor Cyan
Write-Host "====================================`n" -ForegroundColor Cyan

# Check Proxy Settings
Write-Host "Proxy Settings:" -ForegroundColor Yellow
$proxyEnabled = (Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings").ProxyEnable
$autoDetect   = (Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings").AutoDetect
$defaultConn  = (Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections" -Name DefaultConnectionSettings).DefaultConnectionSettings
# Bit 0x08 of byte 8 is the "Automatically detect settings" flag
$autoConfigDisabled = ($defaultConn[8] -band 8) -eq 0
Write-Status -Check "Proxy Disabled" -Status ($proxyEnabled -eq 0)
Write-Status -Check "Auto-Detect Disabled" -Status ($autoDetect -eq 0)
Write-Status -Check "Auto-Configuration Disabled" -Status $autoConfigDisabled

# Check PowerShell Execution Policy
Write-Host "`nPowerShell Settings:" -ForegroundColor Yellow
$executionPolicy = Get-ExecutionPolicy
Write-Status -Check "Execution Policy set to Bypass" -Status ($executionPolicy -eq "Bypass")

# Check Windows Defender Settings
Write-Host "`nWindows Defender Settings:" -ForegroundColor Yellow
$defenderPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender"
$rtPath       = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
Write-Status -Check "Defender AntiSpyware Disabled" -Status (Test-RegistryValue -Path $defenderPath -Name "DisableAntiSpyware" -ExpectedValue "1")
Write-Status -Check "Defender AntiVirus Disabled" -Status (Test-RegistryValue -Path $defenderPath -Name "DisableAntiVirus" -ExpectedValue "1")
Write-Status -Check "Realtime Monitoring Disabled" -Status (Test-RegistryValue -Path $rtPath -Name "DisableRealtimeMonitoring" -ExpectedValue "1")
Write-Status -Check "Behavior Monitoring Disabled" -Status (Test-RegistryValue -Path $rtPath -Name "DisableBehaviorMonitoring" -ExpectedValue "1")
Write-Status -Check "On Access Protection Disabled" -Status (Test-RegistryValue -Path $rtPath -Name "DisableOnAccessProtection" -ExpectedValue "1")

# Check Firewall Profiles
Write-Host "`nFirewall Profile Settings:" -ForegroundColor Yellow
$domainProfile  = Get-NetFirewallProfile -Profile Domain -ErrorAction SilentlyContinue
$privateProfile = Get-NetFirewallProfile -Profile Private -ErrorAction SilentlyContinue
Write-Status -Check "Domain Profile Disabled" -Status (-not $domainProfile.Enabled)
Write-Status -Check "Private Profile Disabled" -Status (-not $privateProfile.Enabled)

# Check Group Policy Settings
Write-Host "`nGroup Policy Settings:" -ForegroundColor Yellow
$domainGPOPath  = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile"
$privateGPOPath = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile"

# Domain Profile GPO
Write-Status -Check "Domain Profile Firewall GPO Disabled" -Status (Test-RegistryValue -Path $domainGPOPath -Name "EnableFirewall" -ExpectedValue "0")
Write-Status -Check "Domain Profile Exceptions GPO Configured" -Status (Test-RegistryValue -Path $domainGPOPath -Name "DoNotAllowExceptions" -ExpectedValue "0")

# Private Profile GPO
Write-Status -Check "Private Profile Firewall GPO Disabled" -Status (Test-RegistryValue -Path $privateGPOPath -Name "EnableFirewall" -ExpectedValue "0")
Write-Status -Check "Private Profile Exceptions GPO Configured" -Status (Test-RegistryValue -Path $privateGPOPath -Name "DoNotAllowExceptions" -ExpectedValue "0")

Write-Host "`nVerification Complete!" -ForegroundColor Cyan
Write-Host "Note: [✓] indicates the setting is correctly configured" -ForegroundColor Gray
Write-Host "      [✗] indicates the setting needs attention`n" -ForegroundColor Gray
```

If everything is configured correctly you should see a `[✓]` next to every configuration item. If you see an `[✗]`, something has gone wrong; run the configuration script again. If you are still seeing issues with the GPO settings for the Domain and Private profiles, open `gpedit.msc` (right-click Start, choose Run and type `gpedit.msc`) and navigate to the following locations:

1. `Computer Configuration -> Policies -> Administrative Templates -> Network -> Network Connections -> Windows Defender Firewall -> Domain Profile`.
2. Within this section, find and open the policy `Windows Defender Firewall: Define inbound port exceptions`.
3. Set this policy to `Disabled` to prevent any inbound port exceptions from being applied to the domain profile.

Repeat this process for the Private Profile. Reboot your machine one more time and you're off!

Now we've got a working system that's configured correctly, it's time to start the Flare download. This is going to take a while, probably around 3 hours or so.

>[!note]
>Your system will reboot several times during installation. You'll need to log back in to continue the process.

Let's get this started: open PowerShell as Administrator and run the commands below.

>[!info]
>If you receive an error saying the execution policy is overridden by a policy defined at a more specific scope, you may need to pass a scope via `Set-ExecutionPolicy Unrestricted -Scope CurrentUser -Force`.
>To view execution policies for all scopes, execute `Get-ExecutionPolicy -List`.

```PowerShell
(New-Object net.webclient).DownloadFile('https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1',"$([Environment]::GetFolderPath("Desktop"))\install.ps1")
# Change directory to Desktop if you're not already in this path.
Set-Location ([Environment]::GetFolderPath("Desktop"))
Unblock-File .\install.ps1
Set-ExecutionPolicy Unrestricted -Force
.\install.ps1
```

For advanced installation options, you can use these alternative commands:

- To pass your password as an argument: `.\install.ps1 -password <password>`
- To use the CLI-only mode with minimal user interaction: `.\install.ps1 -password <password> -noWait -noGui`
- To use the CLI-only mode with minimal user interaction and a custom config file: `.\install.ps1 -customConfig <config.xml> -password <password> -noWait -noGui`

The installer will ask if you've taken an OS disk snapshot. If you've followed these instructions, answer _Y_.

![[Pasted image 20241224104440.png]]

If you didn't choose the noGui installation, you will see the window below. Make your selection by picking tools from the available-to-install list on the left and adding them to the "To install" list on the right.

![[Pasted image 20241223204021.png | 600]]

Once everything's installed, we'll need to grab some malware samples.
Here are some good places to look on the clearweb:

- theZoo ([https://github.com/ytisf/theZoo](https://github.com/ytisf/theZoo))
  - While slightly outdated, these samples remain valuable for analysis
- vx-underground.org ([https://vx-underground.org](https://vx-underground.org))
  - Offers white papers and research on [[Windows API Basics|Windows API Basics]] and fuzzing, with practical examples at [https://vx-underground.org/Samples/Families](https://vx-underground.org/Samples/Families)
  - Source code available at: [https://github.com/vxunderground/malwaresourcecode](https://github.com/vxunderground/malwaresourcecode)
- MalwareBazaar ([https://bazaar.abuse.ch](https://bazaar.abuse.ch))
  - Requires advanced search techniques
- Malshare ([https://malshare.com/](https://malshare.com/))
  - Requires specific syntax to search
- Lenny Zeltser's collection: [https://zeltser.com/malware-sample-sources/](https://zeltser.com/malware-sample-sources/)

Right, now we're ready to take another snapshot of the OS; this one will have all your tools and malware samples ready to go.

Next up, let's get our [[Azure Malware Lab REMnux]] template set up and ready to go!
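The snapshot settings from the Initial Snapshots section, which you repeat here for the tooled-up image, can be scripted instead of clicked through. This is an added example using the Az PowerShell module, not code from the original post; the VM names `Flare-Template` and `REMnux-Template`, the `_Tools` suffix and a signed-in Az session are assumptions.

```powershell
# Added example (not from the original post): creates the incremental, network-isolated
# OS-disk snapshots described in the Initial Snapshots section with the Az PowerShell module.
# Assumes Az.Compute is installed, you are signed in (Connect-AzAccount) and the VM names
# below match the templates built earlier; adjust them if yours differ.
#Requires -Modules Az.Compute

function New-LabTemplateSnapshot {
    param(
        [Parameter(Mandatory)][string]$VmName,        # e.g. Flare-Template (assumed VM name)
        [Parameter(Mandatory)][string]$SnapshotName,  # e.g. Flare_Template_BaseOS
        [string]$ResourceGroup = 'Template_RG'
    )
    # Resolve the VM's OS disk instead of hard-coding the generated disk name.
    $vm   = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName
    $disk = Get-AzDisk -ResourceGroupName $ResourceGroup -DiskName $vm.StorageProfile.OsDisk.Name

    # Incremental snapshot of the managed disk, with public and private network access
    # denied (the portal's "Disable public and private access" setting).
    $config = New-AzSnapshotConfig -Location $disk.Location `
        -SourceResourceId $disk.Id -CreateOption Copy -Incremental `
        -NetworkAccessPolicy DenyAll -PublicNetworkAccess Disabled

    New-AzSnapshot -ResourceGroupName $ResourceGroup -SnapshotName $SnapshotName -Snapshot $config
}

# Confirm the snapshot is incremental and isolated before relying on it.
function Test-LabSnapshotIsolated {
    param([Parameter(Mandatory)][string]$SnapshotName, [string]$ResourceGroup = 'Template_RG')
    $s = Get-AzSnapshot -ResourceGroupName $ResourceGroup -SnapshotName $SnapshotName
    return ($s.Incremental -and $s.NetworkAccessPolicy -eq 'DenyAll' -and $s.PublicNetworkAccess -eq 'Disabled')
}

# Suffix 'BaseOS' for the initial snapshots; 'Tools' (assumed name) once Flare and the
# samples are installed.
$suffix = 'Tools'
foreach ($t in @(
    @{ Vm = 'Flare-Template';  Snap = "Flare_Template_$suffix"  },
    @{ Vm = 'REMnux-Template'; Snap = "Remnux_Template_$suffix" })) {
    New-LabTemplateSnapshot -VmName $t.Vm -SnapshotName $t.Snap | Out-Null
    Write-Host ("{0}: isolated = {1}" -f $t.Snap, (Test-LabSnapshotIsolated -SnapshotName $t.Snap))
}
```

Set `$suffix` to `BaseOS` to reproduce the two initial snapshots from the start of the post.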