PMA 40: FLARE-VM (20 pts extra)

What you need

DEFCON ATTENDEES

Instead of the FLARE-VM, please get the virtual machine at this link, either the Windows 11 or Windows 10 version.

PMA 41: Windows 10 with Analysis Tools

Purpose

To set up a FLARE-VM, a powerful Windows-based forensic and malware analysis machine from FireEye.

The Fast Way

The steps below this box explain how to build your own FLARE-VM, which will take many hours.

However, if you are working before Sept, 2021, you can just copy my pre-made machine.

Download this file: FLARE060721.7z
     Size: 26.8 GB (26,819,888,182 bytes)
     SHA256(FLARE060721.7z)= 0db7b7c03c28e9f32b4df10c338573f6119fa0907fbcfff389a16866dc9c2dee

If you are on Windows, you can unzip that file with 7-Zip.

If you are on a Mac, use The Unarchiver.

After unzipping that file, import the OVF it contains into VMware or VirtualBox.

Log in to the FLARE-VM with these credentials:

  • Username: IEUser
  • Password: Passw0rd!

The hard disk on this virtual machine has already been expanded to 80 GB,
and Windows Defender has been disabled in Local Group Policy.

PMA 40.1: Debuggers Folder (20 pts)

On your desktop, double-click the FLARE folder icon.

Double-click the Debuggers folder.

The flag is covered by a green box in the image below.

Warning: This is a Slow Process

This project takes a lot of time and a lot of storage space (60 GB or so). It took more than a day to complete on my system.

Also, the final machine is only useful for 90 days, as far as I can tell (although there may be a way to extend that with snapshots).

Downloading Windows 10

In a browser, go to

https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/

In the "Virtual Machines" list, select "MSEdge on Win10...", as shown below.

In the "Choose a VM platform" list, choose your virtualization software, as shown below.

Download the file. Unzip it and launch it in your virtualization software. For VMware, use File, Import, and customize the virtual machine so it has an 80 GB hard disk.

Log in with these credentials:

Allow Windows to install any updates it wants to.

You may need to install VMware Tools (or the comparable software) manually.

Installing Firefox

In your Windows 10 virtual machine, open Edge. Go to

https://getfirefox.com

Download and install Firefox.

Installing FLARE-VM

In your Windows 10 virtual machine, in Firefox, go to

https://github.com/fireeye/flare-vm

You will see a link to a blog on installing FLARE-VM, as shown below. Click it.

Follow the instructions on that page to download and install FLARE-VM. Once you start it, it will download and install many packages, and automatically restart many times. This process took about a day when I did it.

PMA 40.1: Debuggers Folder (20 pts)

On your desktop, double-click the FLARE folder icon.

Double-click the Debuggers folder.

The flag is covered by a green box in the image below.

Disabling Windows Defender

On June 6, 2021, I noticed that it is now very difficult to disable Windows Defender.

Do this now and you can skip the instructions in later projects that describe the old way to disable Windows Defender.

Open an Administrator Command Prompt and execute this command:

gpedit.msc

In Local Group Policy Editor, in the left pane, navigate to "Windows Components", as shown below, and click it.

In the right pane, scroll down and double-click "Windows Defender Antivirus", as shown below.

In the right pane, double-click "Turn off Windows Defender Antivirus", as shown below.

In the "Turn off Windows Defender Antivirus" box, click Enabled, as shown below. Then click OK.

Disabling Windows SmartScreen

In Local Group Policy Editor, in "Windows Components", click "File Explorer", as shown below.

In the right pane, scroll down and double-click "Configure Windows Defender SmartScreen", as shown below.

In the "Configure Windows Defender SmartScreen" box, click Disabled, as shown below. Then click OK.

Restart your Windows 10 machine.
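Two parts of this setup are easy to get wrong: a corrupted 26.8 GB download, and Group Policy changes that never actually took effect. The PowerShell below is an added example, not part of the project page; it assumes the archive sits in the default Downloads folder and relies on the registry values those two policy settings write. Run Test-FlareDownload on the host after the download and Test-AnalysisVmPolicy inside the VM after the restart.

```powershell
# Added example (not from the original project page). Assumes the published
# SHA256 from the page above and the registry values that the two Local Group
# Policy settings write; run Test-FlareDownload on the host, the rest in the VM.

$ExpectedSha256 = '0db7b7c03c28e9f32b4df10c338573f6119fa0907fbcfff389a16866dc9c2dee'

function Test-FlareDownload {
    param([string]$Path = "$env:USERPROFILE\Downloads\FLARE060721.7z")
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "File not found: $Path"
        return $false
    }
    # Hashing the 26.8 GB archive takes a few minutes; -ne is case-insensitive
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        Write-Warning "SHA256 mismatch: got $actual"
        return $false
    }
    Write-Host "SHA256 matches the published value"
    return $true
}

function Get-PolicyDword {
    param([string]$Key, [string]$Name)
    # Returns $null when the policy key or value does not exist yet
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-AnalysisVmPolicy {
    # "Turn off Windows Defender Antivirus" = Enabled writes DisableAntiSpyware = 1;
    # "Configure Windows Defender SmartScreen" = Disabled writes EnableSmartScreen = 0
    $defender = Get-PolicyDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' 'DisableAntiSpyware'
    $smart    = Get-PolicyDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' 'EnableSmartScreen'
    $status   = Get-MpComputerStatus -ErrorAction SilentlyContinue

    $ok = $true
    if ($defender -ne 1) { Write-Warning 'Defender policy not applied (DisableAntiSpyware is not 1)'; $ok = $false }
    if ($smart -ne 0)    { Write-Warning 'SmartScreen policy not applied (EnableSmartScreen is not 0)'; $ok = $false }
    # Policy present but the engine still running usually means the VM has not
    # been restarted yet, or Tamper Protection in Windows Security blocked the change
    if ($status -and $status.AntivirusEnabled) {
        Write-Warning 'Defender still reports AntivirusEnabled; restart, then check Tamper Protection'
        $ok = $false
    }
    return $ok
}
```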

Increasing the Hard Disk Size

If you didn't already increase the hard disk size, you can do it at any time.

Instructions for VMware are here:

https://docs.vmware.com/en/VMware-Fusion/11/com.vmware.fusion.using.doc/GUID-2CE88716-DB0B-4612-AEFE-726E737E347B.html


Posted 9-14-2020
Hard disk resize link added 9-15-2020
Instructions expanded 10-7-20
Flag updated 3-2-21
Instructions about Windows Update and VMware Tools added 3-9-21
Flag description updated 3-17-21
Disabling Defender section added 6-6-2021
New pre-made VM added 6-7-2021
Flag updated 6-13-2021
Disabling SmartScreen added 6-17-2021
Link to PMA 41 added 7-6-2021