Flare VM templates and collaboration #90

Open
Wenzel opened this issue May 2, 2018 · 10 comments

Comments

@Wenzel
Contributor

Wenzel commented May 2, 2018

Hi!

I found your work thanks to Reddit, and it turns out that I was working on the same thing as you, but for the FLARE VM: packer-flare, a set of Packer templates to provision a VM from scratch and set up the FLARE VM configuration.

So what is the status of malboxes as of today?
How would you compare it against what FLARE VM proposes?

Can we join our efforts?
I know Packer and Ansible provisioning through WinRM.

Thanks!

@obilodeau
Member

Hi,

Last year at BlackHat USA Arsenal I ran the Flare VM install on top of Malboxes live to demonstrate that both projects are compatible. I don't know how far you are, but I think we have dealt with a lot of the boring stuff (learning the various pieces that fail when setting up trial vs. non-trial versions of Windows, Windows 7/8, WinRM bugs w/ .NET, etc. Just check closed issues to get a sense).

As far as the status, I plan to work on Malboxes in the coming months. Ideally, we could have a profile that would run the Flare VM stuff after installation. Pretty much like your goal. If you are interested in doing that here it would be awesome!

What do you think?

@Wenzel
Contributor Author

Wenzel commented May 3, 2018

Last year at BlackHat USA Arsenal I ran the Flare VM install on top of Malboxes live to demonstrate that both projects are compatible.

Awesome.
Compatible how?

Because the FLARE scripts install everything.
I think we could instead build an Ansible playbook where the user can select what tools (roles) he wants.

I don't know how far you are, but I think we have dealt with a lot of the boring stuff (learning the various pieces that fail when setting up trial vs. non-trial versions of Windows, Windows 7/8, WinRM bugs w/ .NET, etc. Just check closed issues to get a sense).

I already dealt with setting up WinRM on Windows VMs to allow provisioning via Ansible.
For example, on Windows 7 you need to upgrade to SP1, install .NET 4.6, and only then can you upgrade to PowerShell 3.0.
(Ansible Windows modules rely on PowerShell 3.0.)
https://github.com/Wenzel/packer-flare/blob/master/windows_7.json#L36

Ideally, we could have a profile that would run the Flare VM stuff after installation. Pretty much like your goal. If you are interested in doing that here it would be awesome!

I think we could customize and break the monolithic FLARE VM script into a set of Ansible roles, like I said earlier.
It's way more flexible.

Furthermore, the user could customize his VM provisioning by adding useful features:

I also have to ping @htnhan, maintainer of the https://github.com/fireeye/flare-vm repo, to see how we could collaborate ;)

Thanks!
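The prerequisite chain described above (SP1, then .NET 4.6, then PowerShell 3.0, with WinRM answering before Ansible can connect) can be verified on the guest before provisioning starts. The following check is an added example, not code from this thread, from packer-flare or from malboxes; it is written in PowerShell 2.0-compatible syntax so it runs on a stock Windows 7 guest, and the .NET Release values it compares against are Microsoft's documented ones for 4.6.

```powershell
# Added example: is this Windows 7 guest ready for Ansible over WinRM?
# Deliberately PowerShell 2.0 syntax (no [ordered], no Get-CimInstance),
# because the check has to run before PowerShell 3.0 is installed.

$ok = $true

# 1. Service Pack 1 (.NET 4.6 requires Windows 7 SP1; other OS versions skip this)
$os = Get-WmiObject Win32_OperatingSystem
$spOk = ($os.Version -notlike "6.1.*") -or ($os.ServicePackMajorVersion -ge 1)
Write-Host ("{0} SP{1}: SP1 requirement met = {2}" -f $os.Caption, $os.ServicePackMajorVersion, $spOk)
$ok = $ok -and $spOk

# 2. .NET Framework 4.6 or later, read from the documented Release value
#    (393295 = 4.6 on Windows 10, 393297 = 4.6 on other Windows versions)
$ndpKey = "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full"
$release = 0
$ndp = Get-ItemProperty -Path $ndpKey -ErrorAction SilentlyContinue
if ($ndp -ne $null) { $release = [int]$ndp.Release }
$netOk = $release -ge 393295
Write-Host (".NET 4.x Release value {0}: 4.6+ present = {1}" -f $release, $netOk)
$ok = $ok -and $netOk

# 3. PowerShell 3.0 or later, required by Ansible's Windows modules
$psOk = $PSVersionTable.PSVersion.Major -ge 3
Write-Host ("PowerShell {0}: 3.0+ present = {1}" -f $PSVersionTable.PSVersion, $psOk)
$ok = $ok -and $psOk

# 4. WinRM service running and a listener answering locally
#    (Test-WSMan with no ComputerName probes this host and throws if nothing listens)
$winrm = Get-Service -Name WinRM -ErrorAction SilentlyContinue
$svcOk = ($winrm -ne $null) -and ($winrm.Status -eq "Running")
$listenerOk = $false
if ($svcOk) {
    try { Test-WSMan -ErrorAction Stop | Out-Null; $listenerOk = $true } catch { }
}
Write-Host ("WinRM service running = {0}, listener answering = {1}" -f $svcOk, $listenerOk)
$ok = $ok -and $svcOk -and $listenerOk

if ($ok) { Write-Host "Guest is ready for Ansible over WinRM."; exit 0 }
else     { Write-Host "Guest is NOT ready; apply the missing steps in the order above."; exit 1 }
```

Run it from an elevated PowerShell prompt on the guest; the non-zero exit code lets a Packer provisioner step fail early instead of Ansible timing out later on WinRM.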

@htnhan

htnhan commented May 3, 2018

@Wenzel Thank you for your work on integrating Flare VM into Malboxes. I am happy to collaborate, so please let me know what I can do to help.

One thing about Flare VM is that we still have to keep it an independent project so anyone can download and install Flare VM without Packer, Ansible, or other orchestration tools.

@Wenzel
Contributor Author

Wenzel commented May 3, 2018

@Wenzel Thank you for your work on integrating Flare VM into Malboxes. I am happy to collaborate, so please let me know what I can do to help.

For now, I have done absolutely nothing, except opening this issue.
Maybe you were referring to my work to build FLARE VMs with packer :)

One thing about Flare VM is that we still have to keep it an independent project so anyone can download and install Flare VM without Packer, Ansible, or other orchestration tools.

I agree!

@obilodeau
Member

@Wenzel: I'm interested in any kind of help from people wanting to provide easy-to-use malware analysis tools to the masses. I think where flare-vm falls short is that you need to already have a Windows VM. I want to avoid that (and you seem to want to avoid it too).

We don't rely on ansible right now but I use it for Linux servers and I like it so I'm interested in exploring that area.

The way I see malboxes heading is that it should do almost everything out of band so we can avoid being detected like Cuckoo or other intrusive sandboxes. If we do all our stuff with WinRM (or Ansible) and then plug that hole by wiping logs, etc., we could provide a reliable sandbox and a malware reversing tool at the same time.

I think we could instead build an Ansible playbook where the user can select what tools (roles) he wants.

I really like that and I would definitely merge that. It fits our vision of becoming the Dockerfile of Windows VMs: reversing malware, building Windows honeypots and pentest target test environments. What I just said might not have been public yet, but it is clearly a path for where I want malboxes to go: orchestrating Windows in ways that the security community can benefit from.

If you are interested in that direction, I can send you some whiteboard screenshots I took a few months ago of where I think we should be heading.

@Wenzel
Contributor Author

Wenzel commented May 4, 2018

The way I see malboxes heading is that it should do almost everything out of band so we can avoid being detected like cuckoo or other intrusive sandboxes. If we do all our stuff with WinRM (or ansible) and then we plug that hole by wiping logs, etc. We could provide a reliable sandbox and a malware reversing tool at the same time.

The reasons I chose Ansible to provision my Windows VMs:

  • It relies on WinRM, which is a native service integrated in Windows, not a custom protocol.
  • No agent to upload and configure.
  • More powerful than PowerShell scripts.
  • Really easy to edit and contribute to a playbook, even for beginners: the syntax is YAML and the modules are well documented.

I really like that and I would definitely merge that. It fits our vision of becoming the Dockerfile of Windows VMs: reversing malware, building Windows honeypots and pentest target test environments. What I just said might not have been public yet, but it is clearly a path for where I want malboxes to go: orchestrating Windows in ways that the security community can benefit from.

We have the same vision 👍

If you are interested in that direction, I can send you some whiteboard screenshots I took a few months ago of where I think we should be heading.

Absolutely!
Thanks

@obilodeau
Member

The reasons I chose Ansible to provision my Windows VMs:
[...]

I have been using Ansible for Linux server stuff here and there and I like it a lot. If it stays "out of band" (no agent, like you said) and doesn't require SSH to be installed on the Windows guest (it uses WinRM), then I have absolutely no objection to its use 👍

Looking forward to what you do with malboxes! Btw, do you think we should set up a gitter.im chatroom for malboxes if that could help your integration in the team?

@Wenzel
Contributor Author

Wenzel commented May 7, 2018

Btw, do you think we should set up a gitter.im chatroom for malboxes if that could help your integration in the team?

I was about to suggest Gitter a few days ago!
I'm using it for almost all my projects on GitHub.
You can also ask them for a PR to integrate a badge in your README:
Wenzel/r2vmi#1

@Wenzel
Contributor Author

Wenzel commented Aug 1, 2018

Ping @obilodeau
Could you set up the Gitter and add a badge at the top of your README? (The PR will do that automatically.)

I have some topics to discuss with you :)

@obilodeau
Member

It's done: https://gitter.im/malboxes_/Lobby. The underscore is unfortunate, but for some reason I could never get "malboxes" to be accepted by Gitter... The badge is on the README too.


3 participants