Rootless-Ghost/Malware-Detonation-Lab

Malware Detonation Lab


An isolated, on-prem malware detonation and detection environment — a Windows analysis host (FLARE-VM) paired with a Linux network sink (REMnux) on a sealed virtual switch with no path to the production lab network or the internet. Samples detonate on the Windows box; REMnux fakes the internet so callbacks have somewhere to land and get logged. Telemetry is captured locally and exported into a detection pipeline offline — live malware never touches the real SIEM.

On-prem companion to my cloud detection labs (Azure-SOC-mini-lab, AWS-SOC-lab).

⚠️ No samples or exploit code in this repo. This documents lab infrastructure and methodology only. Malware artifacts are intentionally excluded (see .gitignore).


Architecture

            VMware LAN Segment: "detonation-net"  (192.168.99.0/24)
            ─ no host adapter ─ no NAT ─ no bridge ─ no internet ─

   ┌──────────────────────────────┐        ┌──────────────────────────────┐
   │  FLARE-VM (Win10)            │        │  REMnux (sink)               │
   │  192.168.99.10/24            │◄──────►│  192.168.99.2/24             │
   │  GW + DNS → 192.168.99.2     │        │  dnsmasq  → DNS sinkhole     │
   │  Sysmon (SwiftOnSecurity)    │        │  inetsim  → HTTP/S, mail, FTP│
   │  Defender OFF                │        │                              │
   └──────────────────────────────┘        └──────────────────────────────┘
Role                  Host                                Address
Detonation host       FLARE-VM (Win10)                    192.168.99.10
Sink / fake internet  REMnux                              192.168.99.2 (also GW + DNS)
Isolation             VMware LAN Segment detonation-net   private switch, no host link

Design rule: the segment is never bridged to the main lab network. Telemetry leaves by manual export of the collected artifacts, never by live forwarding; the VMs are reverted once the artifacts are off the box.


Build

FLARE-VM (detonation host)

  • Full FLARE-VM toolset (x64dbg, IDA Free, Ghidra, dnSpyEx, PE-bear, FLOSS, capa, YARA, Procmon, Wireshark, FakeNet-NG).
  • Defender disabled — Tamper Protection off via GUI first (it overrides Group Policy), then gpedit disable + gpupdate /force + reboot. Verify (both should report False):
    Get-MpComputerStatus | Select RealTimeProtectionEnabled, IsTamperProtected
  • Sysmon with the SwiftOnSecurity config:
    sysmon.exe -accepteula -i "C:\Tools\sysmonconfig-export.xml"
    Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" -MaxEvents 5
  • Password-protected (infected) quarantine folder for samples, isolated from any synced location.
  • Static network (persists in snapshot):
    New-NetIPAddress -InterfaceAlias "Ethernet0" -IPAddress 192.168.99.10 -PrefixLength 24 -DefaultGateway 192.168.99.2
    Set-DnsClientServerAddress -InterfaceAlias "Ethernet0" -ServerAddresses 192.168.99.2

REMnux (sink)

  • Imported from OVA (an OVA is imported, not mounted as an ISO).
  • Static IP via netplan (networkd, not NetworkManager, manages the interface here). /etc/netplan/99-detonation.yaml:
    network:
      version: 2
      renderer: networkd
      ethernets:
        ens33:
          dhcp4: false
          optional: true
          addresses:
            - 192.168.99.2/24
          nameservers:
            addresses: [127.0.0.1]
    sudo chmod 600 /etc/netplan/99-detonation.yaml && sudo netplan apply
    (netplan warns about world-readable config files, hence the chmod). Cloud-init network regeneration is disabled so the file survives reverts:
    echo 'network: {config: disabled}' | sudo tee /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg
  • Boot-hang fix (isolated segment stalls wait-online):
    sudo systemctl disable --now systemd-networkd-wait-online.service
    sudo systemctl disable --now NetworkManager-wait-online.service

DNS sinkhole — dnsmasq

INetSim 1.3.2's DNS service is broken on Ubuntu Noble (deprecated Net::DNS::Nameserver subprocess method — starts but doesn't answer), so DNS is handled by dnsmasq with a catch-all:

sudo dnsmasq -d --no-resolv --log-queries --address=/#/192.168.99.2 --interface=ens33 --bind-interfaces

Every domain resolves to the sink. --interface plus --bind-interfaces binds only the segment interface, so dnsmasq does not collide with systemd-resolved on 127.0.0.53. --log-queries records each lookup (that is the query log collected in the workflow below); with -d it is written to the terminal as well as syslog.

inetsim (everything except DNS)

  • start_service dns commented out (dnsmasq owns 53).
  • service_bind_address 0.0.0.0 so it listens on the segment, not just loopback.
  • Serves HTTP/HTTPS, SMTP(S), POP3(S), FTP(S); logs + report in /var/log/inetsim/.

Snapshots

  • CLEAN-BASELINE-FLARE-ISOLATED, CLEAN-BASELINE-REMNUX — revert points after every detonation.

Session start (after reboot / revert)

Sink services run in the foreground, so bring them up each session:

# REMnux, terminal 1 — DNS sinkhole
sudo dnsmasq -d --no-resolv --log-queries --address=/#/192.168.99.2 --interface=ens33 --bind-interfaces

# REMnux, terminal 2 — HTTP/mail/FTP
sudo inetsim

Verify isolation (from FLARE)

ping 192.168.99.2     # replies  → reaches sink
nslookup google.com   # → 192.168.99.2
ping 8.8.8.8          # TIMES OUT → no egress (good)

http://example.com should return the INetSim default page. If ping 8.8.8.8 ever succeeds, isolation is broken — stop and check the adapter is on detonation-net.
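The three checks above, automated and fail-closed, as an added example that is not part of the repo: Python, because FLARE-VM ships it, so the script can run from the detonation host at the start of every session. The outside probe targets, the canary domains and the sink's HTTP port are assumptions; the network calls are passed in as parameters so the decision logic can also be exercised offline with fakes.

```python
"""Fail-closed isolation check for the detonation host (added example, not repo code).

Run from FLARE-VM after the sink services are up. The logic is the inverse of a
normal health check: reaching the outside world is the failure, and DNS "works"
only when every name resolves to the sink. Network calls are parameters so the
decision logic can be exercised offline with fakes.
"""
import ipaddress
import socket

SEGMENT = ipaddress.ip_network("192.168.99.0/24")
SINK = "192.168.99.2"
# Assumed probe targets: any reachable address outside the segment means egress exists.
OUTSIDE = [("8.8.8.8", 53), ("1.1.1.1", 443)]
# Assumed canary names: dnsmasq's catch-all must answer every one of them with the sink.
CANARY_DOMAINS = ["google.com", "example.com", "update.microsoft.com"]


def local_ip_toward(target):
    """Local address the OS would source from to reach `target` (UDP connect sends nothing)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect((target, 53))
        return s.getsockname()[0]
    finally:
        s.close()


def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within `timeout` seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_isolation(resolve=socket.gethostbyname, reachable=tcp_reachable, source_ip=local_ip_toward):
    """Return (ok, broken, not_ready).

    `broken` lists findings that mean there is a path off detonation-net; `not_ready`
    lists sink-side problems (dnsmasq or inetsim down). Either one blocks detonation.
    """
    broken, not_ready = [], []

    try:
        ip = source_ip(SINK)
    except OSError as exc:
        ip = None
        not_ready.append(f"no route to sink {SINK}: {exc}")
    if ip is not None and ipaddress.ip_address(ip) not in SEGMENT:
        broken.append(f"host address {ip} is outside {SEGMENT}: adapter is not on detonation-net")

    if not reachable(SINK, 80):
        not_ready.append(f"inetsim HTTP on {SINK}:80 not reachable: start the sink services")

    for name in CANARY_DOMAINS:
        try:
            answer = resolve(name)
        except OSError:
            not_ready.append(f"{name} did not resolve: dnsmasq not running")
            continue
        if answer != SINK:
            broken.append(f"{name} resolved to {answer}, not the sink: DNS is leaving the segment")

    for host, port in OUTSIDE:
        if reachable(host, port):
            broken.append(f"{host}:{port} answered: ISOLATION BROKEN, do not detonate")

    return (not broken and not not_ready, broken, not_ready)


if __name__ == "__main__":
    ok, broken, not_ready = check_isolation()
    for line in broken:
        print("BROKEN  ", line)
    for line in not_ready:
        print("NOTREADY", line)
    print("OK: isolated and sink reachable" if ok else "STOP")
    raise SystemExit(0 if ok else 1)
```

A non-zero exit on any finding is deliberate: a "not ready" sink is only an inconvenience, but a reachable outside address or a real DNS answer means the adapter is on the wrong segment, and the right response to both is the same as the text's: stop and check the adapter before anything is unzipped.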


Detection workflow

Local capture + offline export — live malware never touches the production SIEM.

  1. Revert both VMs to clean baseline; start sink services; verify isolation.
  2. Stage the sample via a one-way share, then disconnect it. Unzip inside the isolated VM only.
  3. Start capture: Sysmon (running), Procmon, optional Wireshark.
  4. Detonate.
  5. Observe — FLARE: Sysmon EID 1 (process create), 3 (network connect), 11 (file create), 13 (registry set) and the rest, Procmon, process tree. REMnux: dnsmasq query log + inetsim report (callback picture).
  6. Collect artifacts: Sysmon EVTX, Procmon export, pcap, inetsim report.
  7. Revert to clean baseline.
  8. Offline → detection pipeline: normalize → cluster/triage → write Sigma detections (target the technique, not the hash) → drift-check → hunt playbook → IR report.

Rules built off one sample's hash/strings overfit. Validate detections against the ATT&CK technique (e.g. a safe Atomic Red Team test) so they generalize.
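Step 8 and the overfitting caveat are where the pipeline earns its keep, so here is an added example (not the repo's pipeline) that runs the two kinds of rule side by side over a normalized Sysmon export: a hash rule and a technique rule written in Sigma-like form, plus the EID 3-to-process join that produces the callback picture from step 5. The XML is a constructed seven-event sample shaped like a Sysmon export (two variants of the same behaviour); every path, GUID, hash and hostname is invented, and the `_ev` helper exists only to build that sample.

```python
"""Normalize a Sysmon XML export and run a hash rule beside a technique rule.

Added example for the offline pipeline step; not the repo's own tooling. Assumes
the Sysmon EVTX was exported to XML (Event Viewer "Save as XML", or
Get-WinEvent ... | ForEach-Object { $_.ToXml() }). The sample is constructed to
look like a two-variant detonation; every path, GUID, hash and hostname is made up.
"""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SINK = "192.168.99.2"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
DROPPER_A = r"C:\Users\flare\AppData\Local\Temp\invoice.exe"
DROPPER_B = r"C:\Users\flare\Downloads\quote.exe"


def _ev(eid, when, **data):
    """Emit one Sysmon-shaped <Event>; only used to build the constructed sample."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f'<TimeCreated SystemTime="{when}"/></System><EventData>{body}</EventData></Event>')


SAMPLE_XML = "<Events>" + "".join([
    # Variant A: dropper in %TEMP% launches encoded PowerShell, which calls back and drops a file.
    _ev(1, "2025-01-01T10:00:01Z", ProcessGuid="{A1}", Image=DROPPER_A, CommandLine=f'"{DROPPER_A}"',
        Hashes="SHA256=AAAA", ParentProcessGuid="{E0}", ParentImage=EXPLORER),
    _ev(1, "2025-01-01T10:00:02Z", ProcessGuid="{A2}", Image=PS,
        CommandLine="powershell.exe -nop -w hidden -enc SQBFAFgA", Hashes="SHA256=PS64",
        ParentProcessGuid="{A1}", ParentImage=DROPPER_A),
    _ev(3, "2025-01-01T10:00:03Z", ProcessGuid="{A2}", Image=PS, Protocol="tcp",
        DestinationIp=SINK, DestinationPort="443", DestinationHostname="cdn.update-check.invalid"),
    _ev(11, "2025-01-01T10:00:04Z", ProcessGuid="{A2}", Image=PS,
        TargetFilename=r"C:\Users\flare\AppData\Roaming\svc.exe"),
    # Variant B: different dropper, different hash, same technique.
    _ev(1, "2025-01-01T11:00:01Z", ProcessGuid="{B1}", Image=DROPPER_B, CommandLine=f'"{DROPPER_B}"',
        Hashes="SHA256=BBBB", ParentProcessGuid="{E0}", ParentImage=EXPLORER),
    _ev(1, "2025-01-01T11:00:02Z", ProcessGuid="{B2}", Image=PS,
        CommandLine="powershell -NoProfile -WindowStyle Hidden -EncodedCommand SQBFAFgA",
        Hashes="SHA256=PS64", ParentProcessGuid="{B1}", ParentImage=DROPPER_B),
    _ev(3, "2025-01-01T11:00:03Z", ProcessGuid="{B2}", Image=PS, Protocol="tcp",
        DestinationIp=SINK, DestinationPort="80", DestinationHostname="beacon.example.invalid"),
]) + "</Events>"


def parse_events(xml_text):
    """Flatten each <Event> into one dict: EventID, UtcTime, plus every EventData field."""
    records = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        rec = {"EventID": int(ev.find("e:System/e:EventID", NS).text),
               "UtcTime": ev.find("e:System/e:TimeCreated", NS).get("SystemTime")}
        for d in ev.findall("e:EventData/e:Data", NS):
            rec[d.get("Name")] = d.text or ""
        records.append(rec)
    return records


def _field_matches(rec, spec, wanted):
    """Sigma-style field test: 'Field', 'Field|endswith', 'Field|contains', 'Field|re'.
    A list of values is an OR; string modifiers compare case-insensitively, as Sigma does."""
    name, _, modifier = spec.partition("|")
    value = str(rec.get(name, ""))
    for w in (wanted if isinstance(wanted, list) else [wanted]):
        w = str(w)
        if modifier == "" and value.lower() == w.lower():
            return True
        if modifier == "endswith" and value.lower().endswith(w.lower()):
            return True
        if modifier == "contains" and w.lower() in value.lower():
            return True
        if modifier == "re" and re.search(w, value):
            return True
    return False


def run_rule(rule, events):
    """Return the events that satisfy every field of the rule's single selection."""
    selection = rule["detection"]["selection"]
    return [r for r in events if all(_field_matches(r, k, v) for k, v in selection.items())]


# Overfit: pins the one sample. Blind to variant B.
RULE_HASH = {"title": "Known dropper hash",
             "detection": {"selection": {"EventID": 1, "Hashes|contains": "SHA256=AAAA"},
                           "condition": "selection"}}

# Technique-focused (T1059.001): encoded PowerShell spawned from a user-writable parent path.
RULE_TECHNIQUE = {"title": "Encoded PowerShell from user-writable parent",
                  "tags": ["attack.execution", "attack.t1059.001"],
                  "detection": {"selection": {
                      "EventID": 1,
                      "Image|endswith": "\\powershell.exe",
                      "CommandLine|re": r"(?i)\s-(e|ec|enc|encodedcommand)\s",
                      "ParentImage|contains": ["\\Temp\\", "\\Downloads\\", "\\AppData\\"],
                  }, "condition": "selection"}}


def callbacks(events, sink=SINK):
    """Join EID 3 connections to the sink back to the connecting process and its parent."""
    procs = {r["ProcessGuid"]: r for r in events if r["EventID"] == 1}
    out = []
    for r in events:
        if r["EventID"] == 3 and r.get("DestinationIp") == sink:
            parent = procs.get(r["ProcessGuid"], {}).get("ParentImage", "?")
            out.append((r["Image"], parent, r["DestinationHostname"], int(r["DestinationPort"])))
    return out


if __name__ == "__main__":
    events = parse_events(SAMPLE_XML)
    for rule in (RULE_HASH, RULE_TECHNIQUE):
        hits = run_rule(rule, events)
        print(f"{rule['title']}: {len(hits)} hit(s) -> {[h['Hashes'] for h in hits]}")
    for image, parent, host, port in callbacks(events):
        print(f"callback {host}:{port} from {image} (parent {parent})")
```

Run against the sample, the hash rule fires once and the technique rule fires on both variants; that gap is the overfitting the text warns about, and the same two-rule comparison is what an Atomic Red Team run should be fed before a rule is promoted. On a real export the dnsmasq query log gives the DestinationHostname side independently, so a callback that appears in one and not the other is itself worth a look.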


Lessons learned

  • OVA ≠ ISO — appliances are imported, not booted from a CD drive.
  • Tamper Protection beats Group Policy — turn it off in the GUI before gpedit will disable Defender.
  • networkd vs NetworkManager: nmcli fails when netplan/cloud-init hands the NIC to networkd; configure it in netplan.
  • INetSim DNS is dead on Noble — use dnsmasq for DNS, inetsim for the rest.
  • service_bind_address defaults to 127.0.0.1 — must be 0.0.0.0 for segment clients to reach inetsim.
  • Isolated segments stall Linux boot on wait-online — disable those services.

Skills Demonstrated

  • Malware Analysis Lab Engineering — isolated FLARE-VM + REMnux sandbox on a private VMware LAN segment
  • Network Containment — isolated detonation segment (no host link, no NAT, no bridge), DNS sinkhole, fake-service simulation, zero egress
  • Endpoint Telemetry — Sysmon (SwiftOnSecurity) process / network / registry instrumentation
  • Dynamic Analysis Workflow — controlled detonation with local artifact capture (Sysmon EVTX, Procmon, pcap, inetsim reports)
  • Detection Engineering — technique-focused detection development and validation from observed behavior
  • Infrastructure Troubleshooting — netplan/networkd, DNS service substitution, Windows Defender / Tamper Protection handling

Portfolio Context

On-prem member of the Rootless-Ghost detection portfolio. Cloud companions — Azure-SOC-mini-lab and AWS-SOC-lab — cover cloud-plane detection engineering; this lab adds host-level dynamic malware analysis feeding the same Wazuh/Sysmon → Nebula Forge pipeline. End-to-end coverage from detonation telemetry through SIEM detection and IR.

Disclaimer

For educational and lab use only. Malware must only be handled in fully isolated environments that you own and control. This repository documents lab infrastructure and methodology — no samples or exploit code are included. Never execute malware on production systems or networks you do not own.

License

This project is licensed under the MIT License — see the LICENSE file for details.

Built by Rootless-Ghost