Malware Analyst Use Case #11

Merged
merged 14 commits into from
Aug 23, 2016
2 changes: 0 additions & 2 deletions TODO.adoc
Expand Up @@ -2,9 +2,7 @@

== Minimal malware analyst use case

* user/pass from config.js
* vagrant: punch hole through NAT for IDA in firewall
* disable Windows Defender
* vagrant no net, NAT
* doc: vagrant update box + send on network (archiving)
* doc: vagrant team workflow
20 changes: 16 additions & 4 deletions config-example.js
Expand Up @@ -19,16 +19,28 @@
//"trial": "false",
//"product_key": "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX",

// VM username and password
// TODO. It doesn't work now.
//"username": "vagrant",
//"password": "vagrant",
// VM settings
"username": "malboxes",
"password": "malboxes",
"computername": "dirty",
// disk size is in megabytes
"disk_size": "15360",

// Windows Defender: true means enabled, false means disabled. Default is false.
//"windows_defender": "false",
// Windows Updates: true means enabled, false means disabled. Default is false.
//"windows_updates": "false",

// Chocolatey packages to install on the VM
"choco_packages": "sysinternals dependencywalker windbg wireshark 7zip putty fiddler4 processhacker regshot apm",

// Setting the IDA Path will copy the IDA remote debugging tools into the guest
//"ida_path": "/path/to/your/ida",

// Setting Tools Path will copy all the files under the given path into the guest.
// Useful to copy proprietary or unpackaged tools.
// Note: packer's file provisonning is really slow, avoid having more than
// 100 megabytes in there.
//"tools_path": "/path/to/your/tools",

"_comment": "last line must finish without a comma for file to be valid json"
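Review bot: `provisonning` in the `tools_path` comment is a typo for `provisioning`. Two smaller points on the same hunk: `disk_size` is given as the string `"15360"` rather than a number, so any consumer has to convert it (fine if intentional, but worth saying in the comment), and the example sets `username` and `password` to the same value; since the templates in this PR feed `{{ password }}` into both `<AdministratorPassword>` and the analyst's `<LocalAccount>`, the comment above `password` should state that it is also the built-in Administrator password.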
11 changes: 11 additions & 0 deletions docs/Autounattend-fixing.adoc
Expand Up @@ -23,6 +23,10 @@ installation of the OS:

https://technet.microsoft.com/en-us/library/dd744547%28WS.10%29.aspx

== List of all settings

https://msdn.microsoft.com/en-us/library/windows/hardware/dn958623(v=vs.85).aspx

== Installation is not automated and stalls at Windows variant selection

The image specified in the Autounattended.xml doesn't match what's on the DVD
Expand Down Expand Up @@ -50,9 +54,16 @@ Then put the Windows CD in.
</IMAGE>
[...]

== Windows 10 Enterprise Evaluation Quirks

* AIK is called ADK (Assesment and Deployment Kit)
* Catalog needs to be created which requires the install CD and some space
* From x64 you can't edit a x86 profile

== References

* https://github.com/m-dwyer/packer-malware/issues/2
* ImageX doc: https://technet.microsoft.com/en-au/library/cc749447%28v=ws.10%29.aspx
* Windows 7 AIK: http://www.microsoft.com/en-ca/download/details.aspx?id=5753
* Windows 10 ADK: https://msdn.microsoft.com/en-us/windows/hardware/dn913721.aspx
* Windows Timezones: https://technet.microsoft.com/en-us/library/ff715394%28WS.10%29.aspx
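Review bot: `Assesment` in the first Windows 10 quirk should read `Assessment` (Assessment and Deployment Kit).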
26 changes: 13 additions & 13 deletions malboxes/installconfig/windows10/Autounattend.xml
Expand Up @@ -27,7 +27,7 @@
</DiskConfiguration>
<UserData>
<AcceptEula>true</AcceptEula>
<FullName>vagrant</FullName>
<FullName>{{ username }}</FullName>
</UserData>
<ImageInstall>
<OSImage>
Expand Down Expand Up @@ -65,13 +65,13 @@
<component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<AutoLogon>
<Password>
<Value>vagrant</Value>
<Value>{{ password }}</Value>
<PlainText>true</PlainText>
</Password>
<Enabled>true</Enabled>
<Username>vagrant</Username>
<Username>{{ username }}</Username>
</AutoLogon>
<RegisteredOwner>vagrant</RegisteredOwner>
<RegisteredOwner>{{ username }}</RegisteredOwner>
<OOBE>
<HideEULAPage>true</HideEULAPage>
<HideOnlineAccountScreens>true</HideOnlineAccountScreens>
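Review bot: `{{ password }}` (and `{{ username }}`) are substituted into XML text nodes without escaping, so a password containing `&`, `<` or `>` renders an Autounattend.xml that Windows Setup cannot parse; if the engine is Jinja2 (the `{{ }}`/`{% %}` syntax suggests it), use `{{ password | e }}` here and in the `<UserAccounts>` hunk. Also, with `<PlainText>true</PlainText>` the rendered answer file carries the password in clear text, which deserves a line in the docs given the archiving and box-sharing workflow the TODO mentions.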
Expand All @@ -87,8 +87,8 @@
</SynchronousCommand>
<SynchronousCommand wcm:action="add">
<Order>2</Order>
<CommandLine>cmd.exe /c wmic useraccount where &quot;name=&apos;vagrant&apos;&quot; set PasswordExpires=FALSE</CommandLine>
<Description>Disable password expiration for user vagrant</Description>
<CommandLine>cmd.exe /c wmic useraccount where &quot;name=&apos;{{ username }}&apos;&quot; set PasswordExpires=FALSE</CommandLine>
<Description>Disable password expiration for user {{ username }}</Description>
<RequiresUserInput>true</RequiresUserInput>
</SynchronousCommand>
<SynchronousCommand wcm:action="add">
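Review bot: the WQL filter `name='{{ username }}'` in the `wmic` command line breaks, or matches nothing, if the username contains a single quote, and the same value is embedded inside `&quot;...&quot;` as well; validate `username` against the characters Windows allows in account names where config.js is read, or escape it for both XML and the command line before rendering.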
Expand All @@ -100,28 +100,28 @@
</FirstLogonCommands>
<UserAccounts>
<AdministratorPassword>
<Value>vagrant</Value>
<Value>{{ password }}</Value>
<PlainText>true</PlainText>
</AdministratorPassword>
<LocalAccounts>
<LocalAccount wcm:action="add">
<Password>
<Value>vagrant</Value>
<Value>{{ password }}</Value>
<PlainText>true</PlainText>
</Password>
<DisplayName>vagrant</DisplayName>
<DisplayName>{{ username }}</DisplayName>
<Group>Administrators</Group>
<Name>vagrant</Name>
<Name>{{ username }}</Name>
</LocalAccount>
</LocalAccounts>
</UserAccounts>
</component>
</settings>
<settings pass="specialize">
<component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<ComputerName>win10victim</ComputerName>
<RegisteredOwner>vagrant</RegisteredOwner>
<ComputerName>{{ computername }}</ComputerName>
<RegisteredOwner>{{ username }}</RegisteredOwner>
</component>
</settings>
<cpi:offlineImage cpi:source="wim:c:/users/zara/desktop/install.wim#Windows 10 Enterprise Evaluation" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
<cpi:offlineImage cpi:source="wim:c:/users/vagrant/documents/malboxes/autounattend/win10_x86/install.wim#Windows 10 Enterprise Evaluation" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
</unattend>
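Review bot: `<ComputerName>{{ computername }}</ComputerName>` is rendered without checking the 15-character NetBIOS limit or the characters Windows allows in a computer name, so a longer or odd value in config.js is not guaranteed to be accepted by Setup; validate it where config.js is loaded. Also `cpi:offlineImage` is Windows SIM metadata only and now hard-codes a workstation path; harmless at install time, but a comment in the docs would stop people "fixing" it.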
26 changes: 13 additions & 13 deletions malboxes/installconfig/windows10_64/Autounattend.xml
Expand Up @@ -27,7 +27,7 @@
</DiskConfiguration>
<UserData>
<AcceptEula>true</AcceptEula>
<FullName>vagrant</FullName>
<FullName>{{ username }}</FullName>
</UserData>
<ImageInstall>
<OSImage>
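Review bot: this file and malboxes/installconfig/windows10/Autounattend.xml receive identical edits and, from the visible lines, differ only in `processorArchitecture` (`amd64` vs `x86`) and the `cpi:offlineImage` path; the escaping, quoting and ComputerName points raised on the x86 file apply here too, and a single template with an architecture variable (an `{{ arch }}` placeholder, as a suggestion) would keep the two from drifting apart.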
Expand Down Expand Up @@ -65,13 +65,13 @@
<component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<AutoLogon>
<Password>
<Value>vagrant</Value>
<Value>{{ password }}</Value>
<PlainText>true</PlainText>
</Password>
<Enabled>true</Enabled>
<Username>vagrant</Username>
<Username>{{ username }}</Username>
</AutoLogon>
<RegisteredOwner>vagrant</RegisteredOwner>
<RegisteredOwner>{{ username }}</RegisteredOwner>
<OOBE>
<HideEULAPage>true</HideEULAPage>
<HideOnlineAccountScreens>true</HideOnlineAccountScreens>
Expand All @@ -87,8 +87,8 @@
</SynchronousCommand>
<SynchronousCommand wcm:action="add">
<Order>2</Order>
<CommandLine>cmd.exe /c wmic useraccount where &quot;name=&apos;vagrant&apos;&quot; set PasswordExpires=FALSE</CommandLine>
<Description>Disable password expiration for user vagrant</Description>
<CommandLine>cmd.exe /c wmic useraccount where &quot;name=&apos;{{ username }}&apos;&quot; set PasswordExpires=FALSE</CommandLine>
<Description>Disable password expiration for user {{ username }}</Description>
<RequiresUserInput>true</RequiresUserInput>
</SynchronousCommand>
<SynchronousCommand wcm:action="add">
Expand All @@ -100,28 +100,28 @@
</FirstLogonCommands>
<UserAccounts>
<AdministratorPassword>
<Value>vagrant</Value>
<Value>{{ password }}</Value>
<PlainText>true</PlainText>
</AdministratorPassword>
<LocalAccounts>
<LocalAccount wcm:action="add">
<Password>
<Value>vagrant</Value>
<Value>{{ password }}</Value>
<PlainText>true</PlainText>
</Password>
<DisplayName>vagrant</DisplayName>
<DisplayName>{{ username }}</DisplayName>
<Group>Administrators</Group>
<Name>vagrant</Name>
<Name>{{ username }}</Name>
</LocalAccount>
</LocalAccounts>
</UserAccounts>
</component>
</settings>
<settings pass="specialize">
<component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<ComputerName>win10victim</ComputerName>
<RegisteredOwner>vagrant</RegisteredOwner>
<ComputerName>{{ computername }}</ComputerName>
<RegisteredOwner>{{ username }}</RegisteredOwner>
</component>
</settings>
<cpi:offlineImage cpi:source="wim:c:/users/zara/desktop/install.wim#Windows 10 Enterprise Evaluation" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
<cpi:offlineImage cpi:source="wim:c:/users/vagrant/documents/malboxes/autounattend/win10_x64/install.wim#Windows 10 Enterprise Evaluation" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
</unattend>
30 changes: 14 additions & 16 deletions malboxes/installconfig/windows7/Autounattend.xml
Expand Up @@ -51,8 +51,6 @@
<WillShowUI>OnError</WillShowUI>
</ProductKey>
<AcceptEula>true</AcceptEula>
<FullName>Vagrant Administrator</FullName>
<Organization>Vagrant Inc.</Organization>
</UserData>
</component>
<component name="Microsoft-Windows-International-Core-WinPE" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
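Review bot: here `<FullName>` and `<Organization>` are deleted from `<UserData>`, whereas the Windows 10 templates in this PR change `<FullName>` to `{{ username }}`; pick one behaviour for all templates (templating it is the smaller change and keeps the field populated).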
Expand All @@ -76,11 +74,11 @@
<component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<AutoLogon>
<Password>
<Value>dgBhAGcAcgBhAG4AdABQAGEAcwBzAHcAbwByAGQA</Value>
<PlainText>false</PlainText>
<Value>{{ password }}</Value>
<PlainText>true</PlainText>
</Password>
<Enabled>true</Enabled>
<Username>vagrant</Username>
<Username>{{ username }}</Username>
</AutoLogon>
<FirstLogonCommands>
<SynchronousCommand wcm:action="add">
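Review bot: the removed `<Value>` was not encrypted, only the base64 of the UTF-16LE password with the `Password` suffix that unattend uses when `<PlainText>` is `false` (it decodes to `vagrantPassword`), so moving to `{{ password }}` with `<PlainText>true</PlainText>` loses no real protection and matches the Windows 10 templates. If the encoded form is wanted later, it can be produced by a template filter rather than by hand.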
Expand All @@ -91,8 +89,8 @@
</SynchronousCommand>
<SynchronousCommand wcm:action="add">
<Order>2</Order>
<CommandLine>cmd.exe /c wmic useraccount where &quot;name=&apos;vagrant&apos;&quot; set PasswordExpires=FALSE</CommandLine>
<Description>Disable password expiration for user vagrant</Description>
<CommandLine>cmd.exe /c wmic useraccount where &quot;name=&apos;{{ username }}&apos;&quot; set PasswordExpires=FALSE</CommandLine>
<Description>Disable password expiration for user {{ username }}</Description>
<RequiresUserInput>true</RequiresUserInput>
</SynchronousCommand>
<SynchronousCommand wcm:action="add">
Expand All @@ -110,29 +108,29 @@
</OOBE>
<UserAccounts>
<AdministratorPassword>
<Value>dgBhAGcAcgBhAG4AdABBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAFAAYQBzAHMAdwBvAHIAZAA=</Value>
<PlainText>false</PlainText>
<Value>{{ password }}</Value>
<PlainText>true</PlainText>
</AdministratorPassword>
<LocalAccounts>
<LocalAccount wcm:action="add">
<Password>
<Value>dgBhAGcAcgBhAG4AdABQAGEAcwBzAHcAbwByAGQA</Value>
<PlainText>false</PlainText>
<Value>{{ password }}</Value>
<PlainText>true</PlainText>
</Password>
<DisplayName>vagrant</DisplayName>
<DisplayName>{{ username }}</DisplayName>
<Group>Administrators</Group>
<Name>vagrant</Name>
<Name>{{ username }}</Name>
</LocalAccount>
</LocalAccounts>
</UserAccounts>
<RegisteredOwner>vagrant</RegisteredOwner>
<RegisteredOwner>{{ username }}</RegisteredOwner>
<TimeZone>Eastern Standard Time</TimeZone>
</component>
</settings>
<settings pass="specialize">
<component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<RegisteredOwner>vagrant</RegisteredOwner>
<ComputerName>win7dirty</ComputerName>
<RegisteredOwner>{{ username }}</RegisteredOwner>
<ComputerName>{{ computername }}</ComputerName>
</component>
</settings>
<cpi:offlineImage cpi:source="wim:e:/sources/install.wim#Windows 7 PROFESSIONAL" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
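Review bot: `<TimeZone>Eastern Standard Time</TimeZone>` stays hard-coded just above the templated `<RegisteredOwner>`, while everything else user-facing in this hunk now comes from config.js; since the docs in this PR add the Windows time zone list as a reference, a `timezone` setting with this value as the default would be the natural follow-up.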
32 changes: 14 additions & 18 deletions malboxes/installconfig/windows_7x64/Autounattend.xml
Expand Up @@ -21,25 +21,25 @@
<AutoLogon>
<Enabled>true</Enabled>
<LogonCount>5</LogonCount>
<Username>Administrator</Username>
<Username>{{ username }}</Username>
<Password>
<Value>cuckoo</Value>
<Value>{{ password }}</Value>
<PlainText>true</PlainText>
</Password>
</AutoLogon>
<UserAccounts>
<AdministratorPassword>
<Value>cuckoo</Value>
<Value>{{ password }}</Value>
<PlainText>true</PlainText>
</AdministratorPassword>
<LocalAccounts>
<LocalAccount wcm:action="add">
<Password>
<Value>malboxes</Value>
<Value>{{ password }}</Value>
<PlainText>true</PlainText>
</Password>
<Name>malboxes</Name>
<DisplayName>malboxes</DisplayName>
<Name>{{ username }}</Name>
<DisplayName>{{ username }}</DisplayName>
</LocalAccount>
</LocalAccounts>
</UserAccounts>
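Review bot: AutoLogon switches from the built-in `Administrator` to `{{ username }}`, but the `<LocalAccount>` that creates that user has no `<Group>` element in the visible lines (the other templates add `<Group>Administrators</Group>`), so confirm the account ends up with the rights the first-logon commands need, or add the `<Group>` element as in the other templates. The hunk also makes `{{ password }}` the value for both `<AdministratorPassword>` and the local account, replacing two distinct passwords (`cuckoo`, `malboxes`); worth a note in config-example.js.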
Expand Down Expand Up @@ -67,9 +67,6 @@
<ComputerName>Malboxes</ComputerName>
<ShowWindowsLive>false</ShowWindowsLive>
</component>
<component name="Security-Malware-Windows-Defender" processorArchitecture="x64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<DisableAntiSpyware>true</DisableAntiSpyware>
</component>
<component name="Networking-MPSSVC-Svc" processorArchitecture="x64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<DisableStatefulFTP>true</DisableStatefulFTP>
<DisableStatefulPPTP>true</DisableStatefulPPTP>
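Review bot: removing the `Security-Malware-Windows-Defender` component with `<DisableAntiSpyware>true</DisableAntiSpyware>` means nothing in this template disables Defender any more, yet config-example.js in this PR documents `windows_defender` as defaulting to false (disabled) and the TODO item `disable Windows Defender` is dropped; nothing in the visible diff wires the option to a template, so either keep this component under a `{% if windows_defender != 'true' %}` guard or keep the TODO item until the option is implemented.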
Expand All @@ -90,13 +87,6 @@
</SetupUILanguage>
</component>
<component name="Microsoft-Windows-Setup" processorArchitecture="x64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Diagnostics>
<OptIn>false</OptIn>
</Diagnostics>
<DynamicUpdate>
<Enable>false</Enable>
<WillShowUI>OnError</WillShowUI>
</DynamicUpdate>
<DiskConfiguration>
<WillShowUI>OnError</WillShowUI>
<Disk>
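Review bot: dropping `<DynamicUpdate><Enable>false</Enable>` and `<Diagnostics><OptIn>false</OptIn>` leaves Setup with its default behaviour for dynamic updates (fetching them when a network is available) and diagnostics opt-in; for a box that config-example.js describes as having Windows updates disabled by default and that the TODO wants isolated from the network, keeping both elements (or guarding `DynamicUpdate` with `windows_updates`) is safer. If they were removed because they broke the install, say so in the commit message.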
Expand Down Expand Up @@ -140,7 +130,11 @@
<InstallFrom>
<MetaData wcm:action="add">
<Key>/IMAGE/NAME</Key>
{% if trial != 'true' %}
<Value>Windows 7 PROFESSIONAL</Value>
{% else %}
<Value>Windows 7 ENTERPRISE</Value>
{% endif %}
</MetaData>
</InstallFrom>
<InstallTo>
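Review bot: `{% if trial != 'true' %}` compares against the string `'true'`, consistent with config-example.js giving `"trial": "false"` as a string, but a JSON boolean `true` or the value `"True"` silently selects the PROFESSIONAL image and then, in the `<ProductKey>` hunk below, renders whatever `product_key` holds (empty if unset); normalise `trial` to a boolean where config.js is loaded and document the accepted values in config-example.js.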
Expand All @@ -150,11 +144,13 @@
</OSImage>
</ImageInstall>
<UserData>
<AcceptEula>true</AcceptEula>
<ProductKey>
<Key>33PXH-7Y6KF-2VJC9-XBBR8-HVTHH</Key>
{% if trial != 'true' %}
<Key>{{ product_key }}</Key>
{% endif %}
<WillShowUI>OnError</WillShowUI>
</ProductKey>
<AcceptEula>true</AcceptEula>
</UserData>
</component>
<component name="Microsoft-Windows-TCPIP" processorArchitecture="x64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
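Review bot: in the trial case the template renders `<ProductKey>` with only `<WillShowUI>OnError</WillShowUI>` and no `<Key>`; confirm Windows 7 Setup accepts that for the evaluation image, otherwise move the `{% if %}` around the whole `<ProductKey>` element. `{{ product_key }}` is also unescaped, which is fine for a `XXXXX-XXXXX` style key but not for arbitrary input, so validate the key format where config.js is read.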