VMware Communities
wuming79
Contributor

Setting up Malware Analysis Lab

Hi,

I'm trying to set up a lab for malware analysis. I have 2 plans below:

Plan A

Guest1 Host-Only (Forward sysmon data to Guest 2 using Splunk)

Guest2 Host-Only + Nat (Receive data from Guest 2 and forward again to Guest 3)

Guest3 Nat (View sysmon with splunk)

Or

Plan B

Guest1 Nat (Forward sysmon data to Guest 2 using Splunk)

Guest2 Nat (Receive data from Guest 2 and forward again to Guest 3)

Guest3 Nat (View sysmon with splunk)

Results:

Plan A: I realized I can't forward anything if Guest1 and Guest2 are on Host-Only. Or is it actually possible to send data from 1 Host-Only Guest to another Host-Only Guest?

Plan B: How do I block internet connections in Guest1? Is it possible to use Windows Firewall?

wila
Immortal

Hi,

If two guests are in the same host only network then they can communicate with each other.

They cannot communicate with your NAT guest.

They can also not access the internet.

Having a malware analysis lab in a NAT environment is a bad idea as you are giving your guests internet access.

So plan B is out of the window.

Plan A can work, but realize that once guest 2 is compromised your local network is accessible (the NAT network does provide access to your normal network AND the internet).

I would say go for plan C, where you add a firewall VM whose WAN side is your malware analysis lab sitting in a host-only network; then you can set up proper firewall rules and monitoring on the firewall.

--

Wil

| Author of Vimalin. The virtual machine Backup app for VMware Fusion, VMware Workstation and Player |
| More info at vimalin.com | Twitter @wilva
wuming79
Contributor

Plan C?

Guest1 Host-Only (Forward sysmon data to Guest 2 using Splunk)

Guest2 Host-Only + Nat FW? Forward to Guest3?

Guest3 Nat (View sysmon with splunk)

Actually I am creating Guest1 and Guest2 on my local laptop and Guest3 was created by another person. I have the known IP and port for Guest3 but....I'm not too sure about the FW setup. How should I go about doing this?

By the way, when I created my 2 Host-Only VMs with the same Host-Only Adapter, I can't seem to forward my sysmon data out from Guest1 to Guest2 using the Splunk universal forwarder. Many told me Host-Only can only communicate with the Host (my laptop). Is that true????

Actually, for malware that needs to connect to its C2 servers, wouldn't it be more realistic to let it do what it wants and monitor from another system? I'm still thinking of how to control the NAT Guest to Host connection. Is making Host to Guest respond General Failure during ping considered safe?

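The first post asks whether Windows Firewall can block internet access from Guest1. The script below is an added example, not something posted in this thread or shipped by VMware or Splunk. It sets the Windows guest to default-deny outbound and then allows only the Splunk universal forwarder path to Guest2, so the only traffic the analysis VM can originate is its Sysmon feed, and it logs every blocked connection attempt so callouts the sample makes can be seen. The addresses are assumptions: a host-only subnet of 192.168.56.0/24, Guest2 (the forwarder target) at 192.168.56.20, and Splunk's default receiving port tcp/9997. Run it in an elevated PowerShell session inside Guest1.

```powershell
# Added example (not from the thread). Outbound lockdown for the Windows analysis guest (Guest1).
# Assumed values: host-only subnet 192.168.56.0/24, Guest2 indexer/forwarder target at 192.168.56.20,
# Splunk receiving port tcp/9997. Adjust to your lab before running (elevated session required).

$LabSubnet  = '192.168.56.0/24'   # assumed host-only network
$SplunkHost = '192.168.56.20'     # assumed Guest2 address
$SplunkPort = 9997                # Splunk default receiving port

# 1. Default-deny in both directions on every profile, so nothing leaves unless a rule allows it.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 2. Remove rules from a previous run so the script can be re-applied cleanly.
Get-NetFirewallRule -DisplayName 'MalwareLab *' -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# 3. The single allowed egress: the universal forwarder talking to Guest2 on tcp/9997.
New-NetFirewallRule -DisplayName 'MalwareLab Allow Splunk forwarding' -Direction Outbound `
    -Action Allow -Protocol TCP -RemoteAddress $SplunkHost -RemotePort $SplunkPort -Profile Any

# Optional: keep ICMP to the lab subnet so you can still ping Guest2 while troubleshooting.
New-NetFirewallRule -DisplayName 'MalwareLab Allow ICMPv4 to lab' -Direction Outbound `
    -Action Allow -Protocol ICMPv4 -RemoteAddress $LabSubnet -Profile Any

# 4. Log dropped packets; attempted C2 callouts then show up in pfirewall.log (and can be shipped to Splunk).
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 5. Verify: the Splunk port should succeed, an arbitrary public address (8.8.8.8 used only as an example) should fail.
Test-NetConnection -ComputerName $SplunkHost -Port $SplunkPort -WarningAction SilentlyContinue |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
Test-NetConnection -ComputerName 8.8.8.8 -Port 443 -WarningAction SilentlyContinue |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

This is a defence-in-depth layer only. The firewall lives inside the guest, so a sample running with administrator rights can disable it or add rules, which is why the enforced boundary should still be the host-only network (and, as wila suggests, a separate firewall VM) rather than the guest's own policy. The default-deny also blocks DNS and Windows Update, which is usually what you want on an analysis VM; the dropped-connection log then becomes useful evidence of what the sample tried to reach.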