Prepare Your Target System

This tutorial describes considerations for preparing a target system that can be attacked and investigated.

In order to perform a DFIR investigation, you need something that can be investigated, for example a Windows workstation or server that shows suspicious activity in the form of malware or attacker behavior. The following sections provide guidance and considerations for preparing such systems.

**It is very important that you take proper precautions when working with malicious software! Be careful not to infect systems by accident and be sure to isolate target systems from the network as appropriate!**

Operating System

First, we need to consider the learning objectives of the DFIR exercise. An investigation on an older Windows operating system might be slightly different than on a newer version or a Windows server system. In digital forensics, details matter. Some artifacts might exist on one version, but not on another.

These days we most commonly come across Windows 7 and 10 end user workstations and Windows Server 2016 or 2019 during real-world investigations. However, many other and older versions are still out there and often the root cause of a compromise. Furthermore, attacks on Linux systems are picking up as well.

Resources

There are several options to create Windows VMs that are free for testing purposes: 

Configuration

Before performing any malicious activity, especially when running malware, take precautions to reduce the risk of infecting other systems. Carefully consider your options for enabling or disabling the internet connection in the Networking section below. Additionally, make sure there are no shared folders (or clipboard sharing and drag-and-drop between guest and host) that give the target system access to the host.

Windows Defender

By default, Windows Defender has real-time protection, cloud-delivered protection and automatic sample submission enabled. To make our lives easier, we want to disable those features. You can disable them in:

Windows Security settings -> Virus & threat protection settings -> Manage settings

The catch: switching real-time protection off there is only temporary, and it re-enables itself after a while or on the next reboot. To turn it off permanently, set the corresponding policy in the Local Group Policy Editor (the same setting can be deployed as a domain GPO and applied to every machine in the lab). On Windows 10 1903 and later, Tamper Protection must be turned off first in the Windows Security app, otherwise the policy change is ignored and the setting silently reverts. To do so, follow the instructions below:

“Local Group Policy Editor” -> Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus (called Microsoft Defender Antivirus on newer builds) -> Real-time Protection -> “Turn off real-time protection” -> set to Enabled


Additionally, you may want to disable the other settings in that category, such as behavior monitoring and the scanning of downloaded files and attachments, so they do not interfere with your tests.
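The same configuration can be scripted instead of clicked through, which is handy when a lab VM is rebuilt often. The following PowerShell is an added example and not part of the original tutorial: it refuses to run while Tamper Protection is on, disables the features listed above for the current session, and then writes the policy values that the “Turn off real-time protection” GPO writes, so the change survives reboots. Run it inside the target VM from an elevated prompt.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original tutorial). Turns off Defender's
# real-time features on a lab VM and persists the choice through the same
# policy registry key that the Group Policy setting writes.

# 1. Tamper Protection (Windows 10 1903+) reverts both Set-MpPreference and
#    policy changes. On a standalone lab VM it can only be switched off in
#    the Windows Security app, so refuse to continue while it is on.
if ((Get-MpComputerStatus).IsTamperProtected) {
    throw 'Tamper Protection is on; turn it off in Windows Security first.'
}

# 2. Immediate effect for the running session.
Set-MpPreference -DisableRealtimeMonitoring $true `
                 -DisableBehaviorMonitoring $true `
                 -DisableIOAVProtection     $true `
                 -DisableScriptScanning     $true `
                 -DisableBlockAtFirstSeen   $true `
                 -MAPSReporting             Disabled `
                 -SubmitSamplesConsent      NeverSend

# 3. Persistence. The GPO "Turn off real-time protection" (Enabled) sets
#    DisableRealtimeMonitoring=1 under this key; the sibling values cover
#    the other toggles in the same policy folder.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
New-Item -Path $policy -Force | Out-Null
foreach ($name in 'DisableRealtimeMonitoring', 'DisableBehaviorMonitoring',
                  'DisableOnAccessProtection', 'DisableIOAVProtection') {
    New-ItemProperty -Path $policy -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
}

# 4. Verify: all three should now be False. Re-run this line after a reboot
#    to confirm the policy kept it that way.
Get-MpComputerStatus |
    Select-Object RealTimeProtectionEnabled, BehaviorMonitorEnabled, IOAVProtectionEnabled
```

If step 4 still shows `True` after a reboot, check `(Get-MpComputerStatus).IsTamperProtected` again; the Windows Security app sometimes re-enables Tamper Protection when the machine is domain-joined or enrolled in management.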

Networking 

The first thing malware often does is check for an active internet connection and try to reach its command and control server. In doing so it may transmit host information, and the public IP address of your lab's network gets logged by the attacker infrastructure, which we want to avoid.

  • No Internet: If an internet connection is not needed, consider using an “Internal” networking mode with no other systems on it or disabling the network adapter for the VM as a whole. 
  • Isolated Network: It is also possible to simulate internet access on an isolated internal network where a second VM provides a number of fake services, such as DNS. We highly recommend the REMnux Malware Analysis Toolkit for this, which comes with tools such as fakedns and FakeNet-NG.
  • With Internet: If the sample really needs internet access, use a VPN at the very least so that your own public IP address is not exposed to the attacker's infrastructure. There are various ways to do so. One option is to keep the host system permanently connected to a VPN in full-tunnel mode, i.e. all traffic is routed through the VPN, so that the attacker only ever sees the VPN endpoint's IP. With a little more work you can also run your own VPN server in the cloud, for example with open-source tools such as Streisand, and tunnel traffic through your own AWS, Azure, etc. account. Keep in mind that a VPN only hides your address; it does nothing to stop the sample from exfiltrating data or spreading, so the isolation measures above still apply.
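How the “No Internet” and “Isolated Network” options look in practice depends on the hypervisor. The following PowerShell is an added example, not part of the original tutorial, written for Hyper-V (an assumption, as are the VM names and the 10.0.0.0/24 addressing). Part 1 runs on the host and puts the target and the REMnux VM on a switch that reaches neither the host nor the physical network, failing loudly if any adapter is still bridged. Part 2 runs inside the target after REMnux is serving fake DNS and checks that the only way out is through REMnux.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original tutorial). Part 1: host side.
# Part 2: guest side. Hyper-V, the VM names and the addresses are assumptions.

# ---------- Part 1: on the Hyper-V host ----------
$switchName = 'DFIR-Isolated'
$vms        = 'Win10-Target', 'REMnux'

# A "Private" switch connects VMs to each other only. Unlike "Internal" it
# creates no host-side adapter, so a sample scanning the local subnet finds
# the REMnux VM and nothing else.
if (-not (Get-VMSwitch -Name $switchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $switchName -SwitchType Private | Out-Null
}

foreach ($vm in $vms) {
    Get-VMNetworkAdapter -VMName $vm | Connect-VMNetworkAdapter -SwitchName $switchName
}

# Refuse to proceed if any adapter still sits on an External (bridged) switch.
foreach ($vm in $vms) {
    Get-VMNetworkAdapter -VMName $vm | ForEach-Object {
        if ($_.SwitchName -and (Get-VMSwitch -Name $_.SwitchName).SwitchType -eq 'External') {
            throw "$vm adapter '$($_.Name)' is still bridged to the physical network"
        }
    }
}

# ---------- Part 2: inside the target VM ----------
function Test-LabIsolation {
    param(
        [string]$Interface = 'Ethernet',   # guest adapter name (assumed)
        [string]$RemnuxIp  = '10.0.0.2'    # REMnux running fakedns / FakeNet-NG (assumed)
    )
    # Static addressing with REMnux as both default gateway and DNS server,
    # so every lookup and connection the sample attempts lands on REMnux.
    New-NetIPAddress -InterfaceAlias $Interface -IPAddress 10.0.0.10 -PrefixLength 24 `
                     -DefaultGateway $RemnuxIp -ErrorAction SilentlyContinue | Out-Null
    Set-DnsClientServerAddress -InterfaceAlias $Interface -ServerAddresses $RemnuxIp

    # Check 1: the default route's next hop must be REMnux, nothing else.
    $nextHop = (Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
                Select-Object -First 1).NextHop
    # Check 2: an arbitrary name must resolve, and resolve to REMnux, which
    # is what fakedns does when configured to answer with its own address.
    $answer  = (Resolve-DnsName -Name c2.lab.invalid -Type A -ErrorAction SilentlyContinue).IPAddress

    [pscustomobject]@{
        DefaultGateway = $nextHop   # expect 10.0.0.2
        FakeDnsAnswer  = $answer    # expect 10.0.0.2
        Isolated       = ($nextHop -eq $RemnuxIp) -and ($answer -eq $RemnuxIp)
    }
}
```

For the plain “No Internet” variant with no REMnux VM, skip Part 2's addressing and instead confirm that `Test-NetConnection -ComputerName 1.1.1.1 -Port 443 -InformationLevel Quiet` returns `False` inside the guest. In the REMnux variant that test is not meaningful, because FakeNet-NG deliberately accepts connections to any address.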

Host Configuration

It is also important to consider the events that should be recorded on the target system for further analysis and to ensure that logging and monitoring are set up accordingly. For learning purposes, it can be very helpful to record the attack using process monitoring tools and even video. That way it will be easier to understand and validate what happened when performing forensic analysis.

  1. Consider installing Microsoft’s Sysinternals Suite, which provides a number of useful tools:
    • Sysmon: A service that logs a wealth of additional information to the Windows event log. This includes process creations, network connections, etc. It can be used out of the box, but it is recommended to use the well-known SwiftOnSecurity configuration file template to ensure that it is set up properly. 
    • Process Explorer: This is an advanced process viewer and can be used during the attack to provide visibility into currently running processes, handles, and DLLs. 
    • Process Monitor: This monitoring tool records every event about a process and its registry and file activities. It can be used to record details of the attack activity, which can then be used during the analysis. 
  2. Depending on the lab setup, network traffic may also be captured by systems such as proxies and firewalls, which is outside the scope of this tutorial. Since an end-user system does not normally record packet captures (PCAP) on its own, a good way to start is to install Wireshark on the target. It can record traffic on the system and provides a convenient GUI for analyzing PCAP files.

It is highly recommended to take a snapshot once a system is set up and before taking any next steps. This snapshot can then be used as a baseline for any future exercises. 
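Tying the recording steps together, the following PowerShell is an added example and not part of the original tutorial. Run inside the target VM, it installs (or reconfigures) Sysmon with the SwiftOnSecurity configuration, starts a Process Monitor backing file and a Wireshark `dumpcap` capture for one attack run, stops both cleanly, and exports the Sysmon log next to them. The tool paths, the interface index and the output folder are assumptions; the configuration file is assumed to have been copied into the VM before it was isolated.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original tutorial). Records one attack run
# with Sysmon, Process Monitor and dumpcap. All paths below are assumptions.

$tools   = 'C:\Tools\Sysinternals'                 # unpacked Sysinternals Suite
$config  = 'C:\Tools\sysmonconfig-export.xml'      # SwiftOnSecurity config, copied in offline
$dumpcap = 'C:\Program Files\Wireshark\dumpcap.exe'
$ifIndex = 1                                       # from "dumpcap -D"
$outDir  = 'C:\Lab\run-' + (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Sysmon: -i installs driver and service with the config, -c replaces
#    the config on an instance that is already installed.
if (Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue) {
    & "$tools\Sysmon64.exe" -accepteula -c $config
} else {
    & "$tools\Sysmon64.exe" -accepteula -i $config
}

# Sanity check: the operational log exists and already holds the
# config-change event (ID 16) from the step above.
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 3 |
    Select-Object TimeCreated, Id, ProviderName

# 2. Start recording. Procmon writes its native PML backing file; dumpcap
#    writes pcapng incrementally, so the file stays readable if it is killed.
$started = Get-Date
Start-Process -FilePath "$tools\Procmon64.exe" `
    -ArgumentList '/AcceptEula', '/Quiet', '/Minimized', "/BackingFile `"$outDir\attack.pml`""
$cap = Start-Process -FilePath $dumpcap -PassThru `
    -ArgumentList '-i', $ifIndex, '-w', "`"$outDir\attack.pcapng`""

Write-Host "Recording to $outDir. Run the attack, then press Enter to stop."
Read-Host | Out-Null

# 3. Stop cleanly. /Terminate asks the running Procmon instance to flush and
#    exit; dumpcap is stopped through its process object.
& "$tools\Procmon64.exe" /Terminate
Stop-Process -Id $cap.Id

# 4. Export the Sysmon log (evtx keeps the native format analysts expect)
#    and report how many events the run produced.
wevtutil epl 'Microsoft-Windows-Sysmon/Operational' "$outDir\sysmon.evtx"
$events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    StartTime = $started
}
"{0} Sysmon events recorded since {1}" -f @($events).Count, $started
```

Take the baseline snapshot on the host before running this (for Hyper-V: `Checkpoint-VM -Name 'Win10-Target' -SnapshotName 'baseline'`, VM name assumed), so that every exercise starts from a system that already has Sysmon installed but no attack artifacts.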

Next steps

Once the target system(s) are prepared, it is time to think about executing malicious software or user behavior in order to create systems for analysis. This will be discussed in the next sections. 
