Malware Test VM

Setup

  1. Install Windows VM
  2. Fully update VM
  3. Install WFC
  4. Configure WFC to block all inbound and outbound connections (high filtering)
  5. (optional) add additional tooling
  6. Create snapshot

How to use

  1. Create clone of VM
  2. Disable WFC and fully update VM
  3. Install any additional AV if you are not testing against defender
  4. Activate WFC
  5. Create rule in WFC that allows outbound traffic to C2 infra
  6. Test malware
  7. Remove VM clone
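The lockdown, temporary update window, single egress exception and tear-down from the steps above, as an added example that is not from the original page. It drives the built-in Windows Firewall through the NetSecurity cmdlets rather than WFC itself, assumes an elevated PowerShell session inside the VM, and uses a constructed placeholder address for the lab listener.

```powershell
# Added example: Windows Firewall stand-in for the WFC block-all workflow.
# ASSUMPTION: 192.0.2.10 is a constructed, documentation-range placeholder for a
# lab-controlled listener; replace it with your own isolated lab host.
$LabListener = '192.0.2.10'
$RuleName    = 'Lab egress: test listener'

function Enable-LabLockdown {
    # Step 4 equivalent: firewall on, inbound and outbound denied by default on
    # every profile. Caveat: Windows ships many built-in allow rules (e.g. the
    # "Core Networking" group) that a default-deny policy still honours, so the
    # VM is not fully silent until those are reviewed as well.
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Block
}

function Disable-LabLockdown {
    # Step 2 of "How to use": drop the lockdown only long enough to fetch
    # Windows updates / AV signatures, then call Enable-LabLockdown again.
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled False
}

function Add-LabEgressAllow {
    param([string]$Address = $LabListener, [int]$Port = 443)
    # Step 5 of "How to use": one narrowly scoped outbound exception, pinned to
    # a single address and port so nothing else on the network is reachable.
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Action Allow `
        -Profile Any -Protocol TCP -RemoteAddress $Address -RemotePort $Port | Out-Null
}

function Remove-LabEgressAllow {
    # Tear-down before the clone is discarded, so the exception never outlives
    # the test or leaks into a snapshot.
    Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
}

function Test-LabLockdown {
    # Pre-detonation check: every profile enabled with both defaults set to
    # Block, and exactly one egress exception present.
    $bad = @(Get-NetFirewallProfile | Where-Object {
        $_.Enabled -ne 'True' -or
        $_.DefaultInboundAction -ne 'Block' -or
        $_.DefaultOutboundAction -ne 'Block' })
    $rules = @(Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)
    [pscustomobject]@{ LockedDown = ($bad.Count -eq 0); EgressExceptions = $rules.Count }
}

# Typical run inside the clone, in order:
# Disable-LabLockdown; <update>; Enable-LabLockdown; Add-LabEgressAllow
# Test-LabLockdown; <run the sample>; Remove-LabEgressAllow
```

Test-LabLockdown should report LockedDown = True and EgressExceptions = 1 immediately before the sample is run; anything else means the clone is not contained the way the steps intend.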
Additional tooling

  Name          Description
  ThreatCheck   Modified version of Matterpreter's DefenderCheck. Takes a binary as input (either a file on disk or a URL) and splits it until it pinpoints the exact bytes the target engine flags on, then prints them to the screen.
  AMSITrigger   A tool to identify malicious strings in PowerShell files.