Creating a malware analysis lab in the cloud βοΈ π¬
Introduction
This is the continuation of part 1: creating a malware analysis lab locally. To recap in part 1 we setup a flare vm by mandiant and create an image as a vagrant box to be uploaded to vagrant cloud for distribution. A vagrantfile is also created to configure and spin up the VM locally with recommended specifications.
The approach now will incur some cost as you will need to have an active Azure subscription as pre-requisite.
If you are looking a free alternative option, use this repository https://github.com/brootware/flarevm-up instead to spin up the VM locally as per part 1 of the setup.
In this part, we will explore:
- Setting up a flare vm on Azure.
- Create an image using Azure image builder, a cloud native feature of Azure.
- Publish the image into Azure compute gallery for distribution within your organization.
Setting up a flare vm on Azure
First a windows 10 Virtual Machine need to be provisioned. I will not be going into much details here as it should be fairly straight forward using Microsoftβs official documentation.
Imaging the FlareVM for distribution within your organization
Once the VM is provisioned follow these steps to install all the flareVM tools.
- Disable real-time protection
- Disable cloud-delivered protection
- Disable automatic sample submission
- Add the directory C:\ to the exclusion list
- Run the powershell script below to setup flareVM tools
1
2
3
4
wget https://raw.githubusercontent.com/mandiant/flare-vm/master/install.ps1 -outfile install.ps1
Unblock-File .\install.ps1
Set-ExecutionPolicy Unrestricted
.\install.ps1
After about 4-5 hours, the VM is ready to be imaged using cloud native Azure Image Builder service.
Click on the capture button on the provisioned VM.
- Create an Image by setting the parameters as below
- Share the image to gallery
- Automatically delete VM after creating the image
- Generalized VM
- Create a new Azure Compute Gallery
- Create a VM image definition
- Set version as 0.0.1
- Replica count as 1
Review and create the image kickstart the image build process which could take some time.
After creation, you will be able to see the version number in the list of azure resources and create VMs from the image.
With gallery setup, you will be able to share the image easily within your organization using Azureβs Role Based Access Controls.
Conclusion
We have come to the 2nd part of building a malware analysis lab in the cloud. If you havenβt read, the first part be sure to check it out at https://brootware.github.io/posts/creating-a-malware-analysis-lab-locally/.