I have no idea what any of this is, but I think it's really cool.
lol
I have an interest in cybersecurity and a Network+ certification, but I am by no means an expert. This video helped me fill in some gaps in my knowledge without being so advanced that it's impossible to understand.
Seen your newest upload just 18 min ago. How's this for a notification that this video came up on me feed. Thanks mate. Love this vid. It gave me a few ideas for malware work. Pretty hecas to be fair.
This is a great setup. I ran a couple of malware analysis labs (on-prem and remote) for almost two decades and there was a lot of overlap with what you've done here. My setup of choice was using ESXi, virtualising a firewall, and then building the clients behind that. I love the flexibility of your cloud based setup though.
Interesting choice! Did you have a dedicated server running ESXi? The cloud-based lab was fun to build.
@@collinsinfosec We were using dedicated servers. My team was spread all over the globe, so we built one in each continent where we had people. 20 years ago latency on international routing was a bit more of an issue than it is now.
Great Work 👍
I'm so gonna use this RDP application for my work. You're the best.
How are we going to test the self-hosted labs? I mean, how do we do the analysis?
Should the EBS volume and snapshots be destroyed when you run the terraform destroy command? I've still got the EBS volume and the snapshot running.
Great video brother ❤❤
Anyone know what to do after setting up the lab??? Like using actual malware in the FLARE VM to check that detection/analysis is working.
I followed all the steps, and after .\install.ps1 was executed in PowerShell the FLARE VM is not showing up on my screen; it is my regular Windows background. How would I know if it was downloaded correctly? Any help is appreciated.
👍👍Thanks man!
Great demo! I was able to follow along and set up the lab in the cloud. Although I am curious whether AWS allows malware analysis in their environment. Do we need explicit approval from AWS to do so?
This looks a lot easier than configuring Cuckoo3; I know Cuckoo3 is kind of different because it's automatic analysis, but this looks better for me.
I tried setting it up on VMware Workstation and everything went smoothly until setting up a host-only network. How do we do that in VMware Workstation Pro?
Same question..
How would one safely download/import malware samples into those lab setups? Whether it's host-based or cloud-based. Thanks
The samples normally come as zipped files with a password like "malware" or "infected".
This way they can't be accidentally executed until you've put them on your malware analysis machine.
You can just download them directly if you have internet access on your malware box too.
Cool Grant... thanks man
The remote server returned an error: (404) Not found when trying to install FLARE VM.
Got the same issue. Did you find a solution? If yes, please share with me. Thanks
You will also have to replace the install.ps1 script that gets pulled with the new one at the URL I provided.
I keep getting the same message; it's an error.
Guys, I didn't get network in the Windows FLARE VM, it says No Internet.
I get a 404 error when installing FLARE VM, someone help.
Same here, did you get any solution?
Couldn't insert the Guest Additions CD image.
I tried setting up the FLARE VM, following each step, but it keeps saying please disable Windows Defender through Group Policy after I have disabled all of it.
I have the same problem, IDK what to do.
I'm enjoying doing this project, but I'm running into an issue with connecting REMnux and FLARE VM. When I run ipconfig in PowerShell I get the IPv4 address 10.0.0.3, and when I run a ping test in PowerShell with IP 10.0.0.3 it comes back successful, but when I run 10.0.0.4 in PowerShell it comes back with a request timed out and Lost=4. When I run "ping 10.0.0.4" or "ping 10.0.0.3" in REMnux it says "Network is unreachable". When I run ipconfig in REMnux the inet address is 127.0.0.1. I tried rewatching the video and starting from the beginning, but I'm stumped on what to do. This is my first malware analysis, so I want to make sure everything is correct before moving forward. Any suggestions?
Same issue mate, no fix yet I guess.
@@otakusenpai8134 The fix is learning the basics of networking and Linux. The "problem" isn't something someone else can fix for you. Although one possible solution is seeking out a mentor for help.
I had the same issue, and in my case, the network interface on REMnux was off by default. The network interface is named something like "enp0s#", which might be different for you. Here’s how I fixed it for my interface "enp0s17":
1. Brought up the interface using:
sudo ip link set enp0s17 up
2. Checked the status with the command:
ip addr show enp0s17
This showed that the state changed to "UP".
3. Edited the netplan configuration file:
sudo nano /etc/netplan/01-netcfg.yaml
Ensure it looks like this to use DHCP:
network:
  version: 2
  ethernets:
    enp0s17:
      dhcp4: yes
4. Applied the netplan configuration with:
sudo netplan apply
5. Verified if it obtained an IP address:
ip addr show enp0s17
It should show an IP address.
6. For FlareVM, set the gateway/DNS similar to your REMnux IP (from the previous command). FlareVM IP will need to be different (e.g., FlareVM 10.0.0.3 | REMnux 10.0.0.4 ).
Note: Before doing all this, make sure both machines are using "host only adapter" and that you created the network adapter shown at 25:20 in the video.
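The REMnux side of the steps above, packaged as one script. This is an added example, not the video's or the commenter's own code. It assumes a netplan-managed REMnux (Ubuntu) guest, that the interface name, the address for REMnux and the FLARE VM address are passed on the command line (enp0s17, 10.0.0.4/24 and 10.0.0.3 are only the values from the comment), and a hypothetical NETPLAN_DIR override so the file can be exercised without writing to /etc/netplan. It writes a static address by default, which is what a later reply in this thread ended up doing, because on an isolated host-only network nothing hands out leases unless the hypervisor's own DHCP server is enabled; pass no address to get the DHCP form from the comment. Step 6 (the Windows side) is not covered here.

```shell
#!/bin/sh
# Added example, not from the video or any commenter. Brings up the REMnux
# host-only interface, writes a netplan file for it and checks that the
# FLARE VM answers. Interface, CIDR and peer address are assumptions passed
# on the command line; NETPLAN_DIR is a hypothetical override for testing.

# Render the netplan YAML for IFACE. With a CIDR it is static (nothing hands
# out leases on an isolated host-only network unless the hypervisor's DHCP
# server is enabled); with none it is the DHCP form from the comment above.
render_netplan() {
  iface="$1"; addr="${2:-}"
  printf 'network:\n  version: 2\n  ethernets:\n    %s:\n' "$iface"
  if [ -n "$addr" ]; then
    printf '      dhcp4: false\n      addresses: [%s]\n' "$addr"
  else
    printf '      dhcp4: true\n'
  fi
}

# Accept only a dotted quad with a /0-32 prefix, so a typo or a stray shell
# metacharacter never reaches the config file. Returns 0 when valid.
valid_cidr() {
  case "$1" in
    ""|*[!0-9./]*) return 1 ;;
  esac
  ip_part="${1%/*}"; prefix="${1#*/}"
  [ "$ip_part" != "$1" ] || return 1                # no slash at all
  case "$ip_part" in .*|*.|*..*) return 1 ;; esac   # empty octet
  [ "$prefix" -ge 0 ] 2>/dev/null && [ "$prefix" -le 32 ] || return 1
  n=0; old_ifs="$IFS"; IFS=.
  for octet in $ip_part; do
    n=$((n + 1))
    [ "$octet" -le 255 ] 2>/dev/null || { IFS="$old_ifs"; return 1; }
  done
  IFS="$old_ifs"
  [ "$n" -eq 4 ]
}

# Write and apply the config. Needs root. Not called at top level, so the
# file can be sourced or tested without touching the running system.
configure_remnux() {
  iface="$1"; addr="${2:-}"
  dir="${NETPLAN_DIR:-/etc/netplan}"
  if [ -n "$addr" ] && ! valid_cidr "$addr"; then
    echo "refusing bad CIDR: $addr" >&2
    return 1
  fi
  ip link set "$iface" up
  render_netplan "$iface" "$addr" > "$dir/01-netcfg.yaml"
  chmod 600 "$dir/01-netcfg.yaml"   # netplan warns about world-readable files
  netplan apply
  ip -4 addr show "$iface"          # should now list the address
}

# Ping the FLARE VM from this side: two echoes, two-second timeout. Failure
# means the host-only wiring (same adapter on both VMs) is still wrong.
check_peer() {
  if ping -c 2 -W 2 "$1" >/dev/null 2>&1; then
    echo "peer $1 reachable"
    return 0
  fi
  echo "peer $1 unreachable: check both VMs use the same host-only adapter" >&2
  return 1
}

# Usage, as root on REMnux:  sh remnux-net.sh enp0s17 10.0.0.4/24 10.0.0.3
if [ "$#" -ge 3 ]; then
  configure_remnux "$1" "$2" && check_peer "$3"
fi
```

Run it as root on REMnux with the interface name from ip link, then ping REMnux from the FLARE VM as well. If REMnux gets its address but only the Windows-to-REMnux direction fails, the interface is fine and the Windows host firewall, which blocks inbound ICMP echo by default, is the next thing to look at.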
@@na0 Thank you so much! I had this issue before, this worked for me :)
I did all the network setup correctly, can't reach host.
Hi, are there enough jobs in the malware analysis domain? What's the future of this domain as SOAR and automation come in?
It depends on where you are applying. Security vendors with threat intelligence and research teams will be needed. I wouldn't say there is a huge need for malware analysts compared to SOC analysts or security engineers. It's a great skill to learn regardless of your day job.
Hello, does anyone know why the "install" file is not generated on the desktop? ...and thanks Grant for this great work.
I had the same issue. If you copied the link in the description, it is incomplete when pasted into the FLARE VM PowerShell console. I just clicked on it in the description, copied the URL from the window that popped up and pasted it into the PowerShell window.
Hello, quick question: why did you run jq, Terraform, and the AWS CLI from Ubuntu?
I am using Windows Subsystem for Linux.
I have a question: are you running your Ubuntu in Windows or in VirtualBox? I got confused at this part.
@@martiantv4360 I'm still lost at this part.
Why did you skip over disabling updates or fully turning off Defender in Group Policy?
I went over it 2 more times; I cannot ping the REMnux machine and vice versa. Any troubleshooting advice?
If you are on VirtualBox, make sure you are using Host-Only Adapter and using the same Ethernet Adapter under the Name section.
Something similar to "VirtualBox Host-Only Ethernet Adapter #2".
@@collinsinfosec Hey, thanks for the quick reply, definitely followed your instructions to use Host-only and use the same adapter for both boxes.... Happy new year!
I got it, I had to set the REMnux interface to the desired IP address and bring it up, and now I can ping the machines.
Hey, what did you end up setting the REMnux IP address to? @@philradon5794
@collinsinfosec
Just a quick question, I will soon be starting this tutorial, can I give around 40 gigs of space instead of 75? My laptop sucks. :(
40 Gigabytes should be enough for this project!
@@collinsinfosec thank you.
good job 👏, +1sub
Is this possible in QEMU/KVM?
I think so
👍