Proxmox Setup
Enable Firewall
Datacenter > Firewall > Options
- Firewall: Enabled
- Input Policy: DROP
- Output Policy: ACCEPT
(Leave Forward Policy at default.)
Datacenter > [Node] > Firewall > Options
- Firewall: Enabled
Create New Network Interface
Datacenter > [Node] > Network > Create > OVS Bridge
- Name: vmbr2
- Autostart: Checked
(Leave the other fields at their blank defaults.)
Note: I chose vmbr2 because I already had vmbr1 in place for another project.
Add Firewall Rules
Datacenter > [Node] > Firewall > Add
Block host access from vmbr2
- Enable: ✓
- Direction: in
- Action: DROP
- Interface: vmbr2
- Comment: Block all host-bound packets from sandbox
REMnux Setup
VM Config
- Name: REMnux
- VM ID: 901
- OS: Do not use any media
- Cores: 2
- RAM: 24GB
- Network: vmbr2
Delete Hard Disk:
Go to Datacenter > [Node] > REMnux > Hardware > Hard Disk and click Detach to detach the default hard disk from the VM. It now shows up as an unused disk; select it and click Remove to delete it.
Import REMnux VM
Download and Install page: https://docs.remnux.org/install-distro/get-virtual-appliance
Current download link: https://app.box.com/shared/static/k60473jsgmtklrlgmlhl90ikbagnek1b.ova
Download the OVA file then run these commands:
Extract the .ova file (a tar archive):
tar -xzvf remnux-v7-focal.ova
Decompress the .vmdk file:
gzip -d remnux-v7-focal-disk1.vmdk.gz
Copy to Proxmox Server
scp remnux-v7-focal-disk1.vmdk root@10.31.0.3:/root/remnux/
Note: This assumes there is already a directory on the Proxmox server at /root/remnux. Create one if you don't already have it.
Import OVA to blank VM
qm importdisk 901 remnux-v7-focal-disk1.vmdk local-lvm -format qcow2
You should now see a disk listed with a name like local-lvm:vm-901-disk-0.
Now go to Datacenter > [Node] > REMnux > Hardware > Unused Disk and click Edit.
Select local-lvm:vm-901-disk-0 from the drop-down, then click the Add button to attach it to the VM.
Also on the Hardware page, change the Display from Default to VMware compatible and the Processor Type to qemu64.
FlareVM Setup
Snapshots
The FlareVM machine will be detonating malware, so it is important to take several snapshots of the setup as we go so we can roll back if needed.
Look out for these SNAPSHOT CHECKPOINTS:
- Base-Install
- Pre-FlareVM
- FlareVM-Base
- Pre-Detonation
VM Config
- Name: FlareVM
- VM ID: 900
- OS: Windows 11 ISO
- Disk: 64GB
- CPU: 2 Cores
- Type: host
- Memory: 8GB
- Network: vmbr0
- Model: E1000
Turn on the VM and run through the installer. Create a local admin user and log in.
SNAPSHOT CHECKPOINT: Base-Install
Windows Settings
Disable Proxy Settings
Network and Internet > Proxy Settings
- Automatically Detect Settings: Off
Disable Windows Defender
Privacy and Security > Windows Security > Virus and Threat Protection
Click Virus and Threat Protection Settings
- Switch every toggle that is On to Off
- Especially make sure Real-Time Protection is turned off
Edit Group Policy
Administrative Templates > Network > Network Connections > Windows Defender Firewall
There are two profiles:
- Domain
- Standard
Go into each profile and change this setting:
- Windows Defender Firewall: Protect all network connections: Disabled
SNAPSHOT CHECKPOINT: Pre-FlareVM
Install FlareVM
Run the following commands in PowerShell on the Windows 11 guest to install FlareVM:
(New-Object net.webclient).DownloadFile('https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1',"$([Environment]::GetFolderPath("Desktop"))\install.ps1")
cd ~\Desktop\
Unblock-File .\install.ps1
Set-ExecutionPolicy Unrestricted
.\install.ps1 -customConfig https://raw.githubusercontent.com/HuskyHacks/PMAT-labs/main/config.xml
Update Network Interface
Go to Datacenter > [Node] > FlareVM > Hardware > Network Device and change from vmbr0 to vmbr2 to move the FlareVM to the Host-Only network.
Host-Only Network with pfSense
https://www.pfsense.org/download/
VM Config
- Name: pfSense
- VM ID: 902
- OS: pfSense ISO
- Disk: 32GB
- CPU: 2 Cores
- Memory: 4GB
- Network: vmbr2
Add a second network device connected to vmbr0.
Set WAN=vmbr0 and LAN=vmbr2.
Browse to the WAN IP address and run through the setup wizard. Set the LAN IP to 10.0.0.1.
Once the setup wizard is done, delete the vmbr0 network device.
Confirm Network
On the FlareVM check IP Address:
ipconfig
On the REMnux VM check IP Address:
ip a | grep "inet "
If you do not get a 10.0.0.x IP address on either of these, double-check that all 3 VMs are connected to vmbr2 with the settings shown above.
Make sure you can ping between the FlareVM and REMnux IP addresses.
Make sure you cannot ping outside the network: ping google.com
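The three checks above, as an added example that is not part of the original guide: a POSIX shell script to run on the REMnux VM. It assumes the 10.0.0.0/24 lab subnet used throughout and takes the FlareVM address as its only argument. It pings a public IP address rather than a hostname for the isolation test, because once INetSim is serving DNS every name resolves to the REMnux IP and "ping google.com" would succeed even on a fully isolated network.

```shell
#!/bin/sh
# Added example, not part of the original guide: run the "Confirm Network"
# checks from the REMnux VM. Assumptions: the lab subnet is 10.0.0.0/24 as in
# the guide, and the FlareVM address is passed as the first argument.

# lab_addrs TEXT: print every 10.0.0.x address found in `ip -4 addr` style output
lab_addrs() {
    printf '%s\n' "$1" | awk '
        $1 == "inet" {
            split($2, a, "/")                     # "10.0.0.11/24" -> "10.0.0.11"
            if (a[1] ~ /^10\.0\.0\.[0-9]+$/) print a[1]
        }'
}

# has_lab_addr TEXT: succeed if at least one lab address is present
has_lab_addr() {
    [ -n "$(lab_addrs "$1")" ]
}

# reachable HOST: succeed if HOST answers one ICMP echo within 2 seconds
reachable() {
    ping -c 1 -W 2 "$1" >/dev/null 2>&1
}

# check_lab FLAREVM_IP: the three checks from the guide; exit status 0 = all pass
check_lab() {
    rc=0
    addrs="$(ip -4 addr)"
    if has_lab_addr "$addrs"; then
        echo "PASS lab address present: $(lab_addrs "$addrs" | head -n 1)"
    else
        echo "FAIL no 10.0.0.x address; re-check that the VM is on vmbr2"; rc=1
    fi
    if reachable "$1"; then
        echo "PASS FlareVM $1 answers ping"
    else
        echo "FAIL FlareVM $1 does not answer ping"; rc=1
    fi
    # Ping a public address, not a name: once INetSim serves DNS every hostname
    # resolves to the REMnux IP, so "ping google.com" would succeed even when isolated.
    if reachable 8.8.8.8; then
        echo "FAIL 8.8.8.8 reachable: the sandbox has a route to the internet"; rc=1
    else
        echo "PASS nothing outside the lab is reachable"
    fi
    return $rc
}

# Constructed sample of `ip -4 addr` output (not captured from a real VM).
SAMPLE_IP_OUTPUT='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN
    inet 127.0.0.1/8 scope host lo
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet 10.0.0.11/24 brd 10.0.0.255 scope global ens18'

echo "sample parse: $(lab_addrs "$SAMPLE_IP_OUTPUT")"   # sample parse: 10.0.0.11
if [ $# -ge 1 ]; then
    check_lab "$1"
fi
```

Run it as `sh check_lab.sh 10.0.0.x` with the FlareVM's address; a non-zero exit status means at least one of the three checks failed, and the FAIL line says which.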
Update FlareVM DNS
Go to Settings > Network & Internet > Ethernet > DNS Server > Edit
Set the Manual IPv4 Address to the REMnux IP Address: 10.0.0.11
SNAPSHOT CHECKPOINT: FlareVM-Base
Update REMnux INetSim DNS
sudo nano /etc/inetsim/inetsim.conf
Uncomment and set the following lines
start_service dns
service_bind_address 0.0.0.0
dns_default_ip [REMnux IP address], for example: dns_default_ip 10.0.0.11
Now start INetSim:
inetsim
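The same three edits done without an editor, as an added example that is not part of the original guide or of INetSim: a POSIX shell script that rewrites each directive in place if it exists (commented out or not) and appends it otherwise. It assumes the stock layout, where each directive is present but commented out; the sample config embedded in it is constructed to resemble that layout and is not the real file. The path /etc/inetsim/inetsim.conf and the address 10.0.0.11 are the ones from this guide.

```shell
#!/bin/sh
# Added example, not part of the original guide or of INetSim: set the three
# DNS directives in an inetsim.conf without an editor. Assumes the stock layout
# in which each directive exists but is commented out (it is appended otherwise).

# set_directive CONF KEY VALUE
# Rewrites the first line that is KEY (commented out or not) as "KEY VALUE";
# appends the directive if no such line exists. Bare comment text such as
# "# service_bind_address" (no value) is not touched. Pass VALUE="" when KEY
# already holds the whole directive, e.g. "start_service dns".
set_directive() {
    conf="$1"; key="$2"; value="$3"
    tmp="$conf.tmp.$$"
    awk -v key="$key" -v value="$value" '
        BEGIN { done = 0; want = (value == "") ? key : key " " value }
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)   # strip leading blanks and one comment marker
            sub(/[ \t]+$/, "", line)           # strip trailing blanks
            gsub(/[ \t]+/, " ", line)          # normalise inner whitespace
            hit = 0
            if (!done) {
                if (value == "") hit = (line == key)                  # whole directive given
                else             hit = (index(line, key " ") == 1)    # KEY followed by a value
            }
            if (hit) { print want; done = 1; next }
            print
        }
        END { if (!done) print want }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# configure_inetsim_dns CONF REMNUX_IP: the three settings from the guide
configure_inetsim_dns() {
    set_directive "$1" "start_service dns" ""
    set_directive "$1" "service_bind_address" "0.0.0.0"
    set_directive "$1" "dns_default_ip" "$2"
}

# write_sample_conf PATH: constructed stand-in for the stock file (not the real one)
write_sample_conf() {
    cat > "$1" <<'EOF'
# start_service
#
# Services to start
#start_service dns
start_service http
# service_bind_address
#
# IP address to bind services to
#service_bind_address   10.10.10.1
# dns_default_ip
#
# Default IP address to return with DNS replies
#dns_default_ip         10.10.10.1
dns_default_hostname    www
EOF
}

# Demo on a temporary copy; run configure_inetsim_dns against the real file as root.
demo="$(mktemp)"
write_sample_conf "$demo"
configure_inetsim_dns "$demo" 10.0.0.11
grep -E '^(start_service dns$|service_bind_address |dns_default_ip )' "$demo"
rm -f "$demo"
```

On the REMnux VM, `sudo sh -c '. ./inetsim_dns.sh; configure_inetsim_dns /etc/inetsim/inetsim.conf 10.0.0.11'` applies the change to the real file; running it twice is harmless, since an already-set directive is rewritten to the same value rather than duplicated.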
Download Lab Files
Since the Proxmox console gives the lab VMs no clipboard sharing or shared folders, getting files onto the FlareVM takes an extra step: packaging them into an ISO and attaching it as a CD/DVD, sometimes called ISO dropping.
First download the zip file for the lab contents here: https://github.com/HuskyHacks/PMAT-labs/archive/refs/heads/main.zip
wget https://github.com/HuskyHacks/PMAT-labs/archive/refs/heads/main.zip -O PMAT-labs-main.zip
unzip PMAT-labs-main.zip
Build the ISO (hdiutil is a macOS-only tool):
hdiutil makehybrid -iso -joliet -o ~/Downloads/PMAT-labs-main.iso ~/Downloads/PMAT-labs-main
This will output a file called PMAT-labs-main.iso that you can upload to Proxmox the same as you would any other ISO installer file. Once uploaded you can plug it into the VM as a CD/DVD.
First go to Datacenter > local ([Node]) > ISO Images > Upload and select the PMAT-labs-main.iso file. Once uploaded, go to Datacenter > [Node] > FlareVM > Hardware > CD/DVD Drive and select the ISO from the drop-down. Now if you open the drives in File Explorer on the FlareVM you should see the lab files. You can copy them over to the desktop, then disconnect the CD/DVD and delete the ISO.
Before taking the Pre-Detonation snapshot, it's worth checking the Microsoft Defender Antivirus settings one more time to make sure Real-Time Protection hasn't turned itself back on.
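The ISO-dropping step on a Linux workstation or on the Proxmox node itself, as an added example that is not part of the original guide: the guide's hdiutil command only exists on macOS, so this script uses genisoimage (or its xorrisofs/mkisofs equivalents) to build the same Joliet image and, optionally, copies it straight into the directory where Proxmox's "local" storage keeps ISO images, which saves the browser upload. That directory (/var/lib/vz/template/iso) is the Proxmox default and an assumption about your storage layout; the volume label PMATLABS is an arbitrary choice.

```shell
#!/bin/sh
# Added example, not part of the original guide: build the lab ISO on Linux
# (the guide's hdiutil command only exists on macOS) and drop it straight into
# the Proxmox ISO store. Assumptions: genisoimage, xorrisofs or mkisofs is
# installed, and ISOs for the "local" storage live in the default directory below.
PVE_ISO_DIR="${PVE_ISO_DIR:-/var/lib/vz/template/iso}"

# iso_tool: print the first available ISO 9660 authoring tool, fail if none
iso_tool() {
    for t in genisoimage xorrisofs mkisofs; do
        if command -v "$t" >/dev/null 2>&1; then
            echo "$t"
            return 0
        fi
    done
    return 1
}

# build_lab_iso SRC_DIR OUT_ISO
# Joliet (-J) gives Windows long file names; Rock Ridge (-R) keeps them on Linux.
# Returns 1 for a missing source directory, 2 when no authoring tool is installed.
build_lab_iso() {
    src="$1"; out="$2"
    [ -d "$src" ] || { echo "source directory not found: $src" >&2; return 1; }
    tool="$(iso_tool)" || { echo "install genisoimage or xorriso first" >&2; return 2; }
    "$tool" -quiet -o "$out" -J -R -V PMATLABS "$src"
}

# stage_for_proxmox ISO: copy into the local ISO store so the CD/DVD drop-down lists it
stage_for_proxmox() {
    [ -d "$PVE_ISO_DIR" ] || { echo "$PVE_ISO_DIR missing: not a Proxmox node?" >&2; return 1; }
    cp "$1" "$PVE_ISO_DIR/"
}

# Usage on the Proxmox node, using the file names from the guide:
#   wget https://github.com/HuskyHacks/PMAT-labs/archive/refs/heads/main.zip -O PMAT-labs-main.zip
#   unzip PMAT-labs-main.zip
#   sh make_lab_iso.sh ./PMAT-labs-main ./PMAT-labs-main.iso
if [ $# -eq 2 ]; then
    build_lab_iso "$1" "$2" && stage_for_proxmox "$2"
fi
```

After it runs, PMAT-labs-main.iso appears under Datacenter > local ([Node]) > ISO Images without an upload, and the rest of the procedure (attach it to the FlareVM's CD/DVD drive, copy the files, detach) is unchanged.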
SNAPSHOT CHECKPOINT: Pre-Detonation