# Azure Malware Lab: VM Templates
Now that we've got our network and security all sorted (see [[Azure Malware Lab Network Build]]), let's build our template machines. We're going to create two VMs:
1. A Windows 10 box that'll run FlareVM
2. An Ubuntu machine for REMnux
Here's the plan - we'll set these up in our _Sky_Net_ network first (you know, the one with internet) so we can install and configure all our tools. Once everything's ready, we'll take snapshots and move them into our locked-down _Mal_Net_ environment.
Don't worry if manual setup isn't your thing - I've got infrastructure as code ready to go for both machines. You'll find the links at the bottom of each section.
## Creating the FlareVM Template
Let's start with our Windows machine. We'll build this in our _Template_RG_ resource group - the same one that's holding our internet-friendly _Sky_Net_.
### Basic Configuration
Right, let's get the basic settings sorted:
| Setting | Value | Notes |
| ---------------------- | ---------------------------------------- | -------------------------- |
| Resource Group | Template_RG | Same group as Sky_Net |
| VM Name | Flare-Template | Use your naming convention |
| Region | [Your local region] | Match your other resources |
| Availability Options | None | Most cost-effective choice |
| Security Type | Trusted launch VMs | Enhanced security feature |
| Image | Windows 10 Pro, version 22H2 - x64 Gen 2 | Our starting point |
| Run with Spot Discount | False | We want this stable |
### Authentication & Access
| Setting | Value | Notes |
|---------|--------|--------|
| Username | [Your choice] | Document securely |
| Password | [Your choice] | Use strong password |
| Public Inbound ports | None | Security best practice |
| Licensing | Confirm Windows 10/11 hosting rights | Required |
### Storage Configuration
| Setting | Value | Notes |
|---------|--------|--------|
| OS disk type | Standard HDD | Cost-effective for templates |
| Delete with VM | False | Preserves disk for snapshots |
### Network Settings
| Setting | Value | Notes |
| ---------------------------- | ------- | ---------------------------- |
| Virtual Network | sky_net | Our template network |
| Subnet | Sky_sub | Internet-enabled subnet |
| Public IP | New | Required for initial setup |
| NIC NSG | Basic | We'll enhance security later |
| Public Inbound Ports | None | See security note below |
| Delete public IP/NIC with VM | False | Allows resource management |
| Load Balancing | None | Not needed for templates |
>[!SECURITY]
>We've turned off Public Inbound Ports, but you might want to think about using Just-In-Time (JIT) access for ports 22 and 3389. It's like having a bouncer who only lets people in when you say it's okay!
### Management Options
- Turn on auto-shutdown to keep your wallet happy
- Maybe enable boot diagnostics (trust me, it's helpful when things go wrong)
>[!TIP]
>Auto-shutdown is your friend here! Since we're only using these VMs to make templates, having them shut down automatically can save you a bunch of money.
### IaC
Want to set this up super quick? I've got all the infrastructure as code (IaC) ready for the Flare-Template build right here: [https://github.com/Syb3rs3c/Azure-Malware-Lab/tree/main/Flare-Template](https://github.com/Syb3rs3c/Azure-Malware-Lab/tree/main/1.%20Build/Flare-Template)
Before you dive in though, you'll need a few things:
> [!note]
> The template code uses Azure Key Vault to keep secrets safe, but don't worry if you don't have that - you can tweak the code to use secure strings instead (though maybe stay away from plaintext passwords, yeah?)
**Prerequisites**
Think about this like your virtual shopping list:
- Azure Subscription
- Azure PowerShell Module
- Bicep CLI
- PowerShell 7.0 or later
- Azure Key Vault with appropriate access policies
- Required Azure permissions:
  - Contributor access to the target resource group
  - Access to read secrets from Key Vault
  - Access to create/manage VMs and networking resources
Make sure you check out the [initial setup](https://github.com/Syb3rs3c/Azure-Malware-Lab/tree/main/Flare-Template#configuration-instructions) guide - you'll need the Az module, Azure CLI, and Bicep tools installed (grab them from [https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/install#azure-cli](https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/install#azure-cli)).
These are like your toolkit - you need them all to build and manage everything properly.
## Creating the REMnux Template
Right, now for our Linux machine! This is going to be the foundation for our REMnux setup.
### Basic Configuration
Here's what we're looking at:
| Setting | Value | Notes |
| ---------------------- | ----------------------------------- | -------------------------- |
| Resource Group | Template_RG | Same group as Sky_Net |
| VM Name | Remnux-Template | Use your naming convention |
| Region | [Your local region] | Match your other resources |
| Availability Options | None | Most cost-effective choice |
| Security Type | Trusted launch VMs | Enhanced security feature |
| Image | Ubuntu Minimal 20.04 LTS - x64 Gen2 | Base OS |
| Run with Spot Discount | False | Ensures stability |
### Authentication & Access
| Setting | Value | Notes |
|---------|--------|--------|
| Authentication Type | SSH Public Key | More secure than password auth |
| Username | [Your choice] | Document securely |
| SSH Public Key Source | [Your choice] | Generate new or use existing |
| SSH Key Type | Ed25519 | Modern, more secure than RSA |
| Public Inbound ports | None | Security best practice |
### Storage Configuration
| Setting | Value | Notes |
|---------|--------|--------|
| OS disk size | 30 GB | Sufficient for base installation |
| OS disk type | Standard HDD | Cost-effective for templates |
| Delete with VM | False | Preserves disk for snapshots |
### Network Settings
| Setting | Value | Notes |
|---------|--------|--------|
| Virtual Network | sky_net | Our template network |
| Subnet | Sky_sub | Internet-enabled subnet |
| Public IP | New | Required for initial setup |
| NIC NSG | Basic | We'll enhance security later |
| Public Inbound Ports | None | See security note below |
| Delete public IP/NIC with VM | False | Allows resource management |
| Load Balancing | None | Not needed for templates |
>[!security]
>Just like with Flare, we've turned off Public Inbound Ports, but think about using JIT access for port 22. It's another layer of security - and you can never have too many of those!
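
The Network Settings, Security Type and Delete with VM values set for both templates above can be checked after deployment. This is an added example, not code from the original page or its repository: a Python audit that assumes the JSON shapes printed by `az vm show` and `az network nsg show`; the function names and sample data are constructed for illustration.

```python
MGMT_PORTS = (22, 3389)  # SSH and RDP, the ports named in the security notes
OPEN_SOURCES = {"*", "0.0.0.0/0", "internet"}  # NSG sources that mean "anyone"


def port_ranges(rule):
    """Yield (low, high) for every destination port spec on an NSG rule."""
    specs = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        specs.append(rule["destinationPortRange"])
    for spec in specs:
        low, _, high = ("0-65535" if spec == "*" else spec).partition("-")
        yield int(low), int(high or low)


def exposed_mgmt_rules(nsg):
    """Return (rule name, port) for inbound Allow rules open to the internet."""
    hits = []
    for rule in nsg.get("securityRules", []):
        if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
            continue
        sources = [rule.get("sourceAddressPrefix") or "",
                   *(rule.get("sourceAddressPrefixes") or [])]
        if not any(s.lower() in OPEN_SOURCES for s in sources):
            continue
        for low, high in port_ranges(rule):
            hits += [(rule["name"], p) for p in MGMT_PORTS if low <= p <= high]
    return hits


def audit_template(vm, nsg):
    """List deviations from the tables: Trusted launch, kept OS disk, no open ports."""
    findings = []
    if (vm.get("securityProfile") or {}).get("securityType") != "TrustedLaunch":
        findings.append("security type is not Trusted launch")
    if vm.get("storageProfile", {}).get("osDisk", {}).get("deleteOption") == "Delete":
        findings.append("OS disk is deleted with the VM")
    for name, port in exposed_mgmt_rules(nsg):
        findings.append(f"rule {name} allows port {port} from the internet")
    return findings

# Constructed sample data in the assumed `az ... show` JSON shape, not a real deployment.
SAMPLE_VM = {"securityProfile": {"securityType": "TrustedLaunch"},
             "storageProfile": {"osDisk": {"deleteOption": "Detach"}}}
SAMPLE_NSG = {"securityRules": [
    {"name": "temp-rdp", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "admin-ssh", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "203.0.113.10/32", "destinationPortRange": "22"}]}
print("\n".join(audit_template(SAMPLE_VM, SAMPLE_NSG)))
```

The check ignores the rule's protocol field and rule priority, so treat a finding as a prompt to inspect the rule, not as proof of exposure.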
### Management Options
- Enable auto-shutdown to control costs
- Consider enabling boot diagnostics for troubleshooting
>[!TIP]
>Auto-shutdown is crucial for template VMs. Since these VMs are only used for template creation and maintenance, automatic shutdown can significantly reduce costs.
### IaC
Not a fan of clicking through menus? No worries! I've got the REMnux-Template IaC ready to go here: [https://github.com/Syb3rs3c/Azure-Malware-Lab/tree/main/Remnux-Template](https://github.com/Syb3rs3c/Azure-Malware-Lab/tree/main/1.%20Build/Remnux-Template)
You'll need pretty much the same stuff as before:
> [!note]
> Same deal with Key Vault - it's in there but you can modify the code if you need to use something else.
**Prerequisites**
- Azure Subscription
- Azure PowerShell Module
- Bicep CLI
- PowerShell 7.0 or later
- Azure Key Vault with appropriate access policies
- Required Azure permissions:
  - Contributor access to the target resource group
  - Access to manage VMs and networking resources
  - Access to read secrets from Key Vault
Make sure you check out the [initial setup](https://github.com/Syb3rs3c/Azure-Malware-Lab/tree/main/Remnux-Template#required-configuration-changes) instructions - they're a bit different from the Flare-Template ones. You'll still need the Az module, Azure CLI and Bicep tools though ([https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/install#azure-cli](https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/install#azure-cli)).
### Next Steps
Here's what's coming up:
1. Get `FlareVM` all set up and configured
2. Install and configure `REMnux`
3. Take those base snapshots so we can deploy them later
Ready to make your Flare VM awesome? Head over to [[Azure Malware Lab Flare]] where we'll get it all optimised for our malware analysis playground!