• Stars
    star
    6,334
  • Rank 6,298 (Top 0.2 %)
  • Language
    PowerShell
  • License
    Apache License 2.0
  • Created over 7 years ago
  • Updated 3 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A collection of software installations scripts for Windows systems that allows you to easily setup and maintain a reverse engineering environment on a VM.
                                                              .;,                  
                                                            .;oo'                  
                                                          .,ldo,                   
                                                         ,lddo;                    
                                                       'cdddo;                     
                                                     .codddd:.                     
                                                   .:odddodc.                      
                                                 .;oddddddl.                       
                                               .,ldddddddl'                        
                                             .,lddddddddo,                         
                     .;cccccccc;.          .'cdoddddddddolccccccc:.                
                      ,odddddodd:.       .coododddddddddddddddddo;                 
                       ,odddddddd:.    .:odddddddddddddddddddddd:.                 
                        ;odddddddo;  .;oddddddddddddddddddddddd:.                  
                         ;odddddddo; .,::::::::::::codddddddddc.                   
                         .:ddddddddo,              'lddddddddc.                    
                         .cdddddddddo'            .lddddddddl.                     
                        .ckxdddddddddl.          .cdddddddddl.                     
                       .:xkkxdddddddodl.        .:dddddddddxkl.                    
                       :xkkkkxdddddddddc.      .:dddddddddxxkkl.                   
                      ;xkkkkkxxdddddddddc.     ;dddddddddxkkkkkc.                  
                     ;xkkkkkkkxllddddddddc.   ;oddddddddxxkkkkxxc.                 
                    ,dkkkkkkkxc..ldddddddd:..,odddddddoldkkkkkkkx:.                
                   ,dkxkkkkkkl.  'ldddddddoolodddddddo,.;xkkkkkkkx:                
                  'dkkkkxkkkl.    'ododdddddddddddddo;   :xkkkkkxkx;               
                 'dkkkkkkkko.      ,odddddddddddoddo;     :xkkkkkkkx;              
                .okkkkkkxkd'        ,oddddddddddodd:.     .ckkkkkkkkx,             
               .okkkkkkkkd,          ;oddddddddddd:.       .lkkkxkkxkd,            
              .lkkkxkkkkx;            ;oddddddddd:.         .lkkxkkkkkd'           
             .lkkkkkkkkx;              ;odddddddc.           .okkkkkkkkd'          
            .lkkkkkkkkx:               .:odddodc.             .okkkkkkxko.         
           .ckkkkkkkkkc.                .:ddddc.               'dkxxxxxxko.        
           .;c::cc:c:,.                  .:llc.                 'loooooooo;        
           ________________________________________________________________        
                                       Developed by                                
                                   [email protected]                            
                                  FLARE Team at Mandiant                           
           ________________________________________________________________        

FLARE VM

Welcome to FLARE VM - a collection of software installations scripts for Windows systems that allows you to easily setup and maintain a reverse engineering environment on a virtual machine (VM). FLARE VM was designed to solve the problem of reverse engineering tool curation and relies on two main technologies: Chocolatey and Boxstarter. Chocolatey is a Windows-based Nuget package management system, where a "package" is essentially a ZIP file containing PowerShell installation scripts that download and configure a specific tool. Boxstarter leverages Chocolatey packages to automate the installation of software and create repeatable, scripted Windows environments.

Updates

Our latest updates make FLARE VM more open and maintainable to allow the community to easily add and update tools and make them quickly available to everyone. We've worked hard to open source the packages (see the VM-packages repo) which detail how to install and configure analysis tools. The FLARE VM project now uses automatic testing, updating, and releasing to make updated packages immediately installable. See this blog for more information regarding recent changes!

Good to Know Now

  • Windows 7 is no longer supported
  • Please do a fresh install instead of trying to update an older FLARE VM
  • The installer has a GUI and can also run in CLI-only mode
  • Contributing is encouraged!!

Installation

Note: FLARE VM should ONLY be installed on a virtual machine!

Installer GUI

The installer now features a GUI to enable easy customizations! You may customize:

  • Package selection
  • Environment variable paths

Installer GUI

Installer CLI

To run the installer in CLI-only mode with minimal user interaction, use the following combination of parameters:

.\install.ps1 -password <password> -noWait -noGui -noChecks

Get full usage information by running Get-Help .\install.ps1 -Detailed. Below are the CLI parameter descriptions.

PARAMETERS
    -password <String>
        Current user password to allow reboot resiliency via Boxstarter. The script prompts for the password if not provided.

    -noPassword [<SwitchParameter>]
        Switch parameter indicating a password is not needed for reboots.

    -customConfig <String>
        Path to a configuration XML file. May be a file path or URL.

    -noWait [<SwitchParameter>]
        Switch parameter to skip installation message before installation begins.

    -noGui [<SwitchParameter>]
        Switch parameter to skip customization GUI.

    -noReboots [<SwitchParameter>]
        Switch parameter to prevent reboots.

    -noChecks [<SwitchParameter>]
        Switch parameter to skip validation checks (not recommended).

Default FLARE VM Tools

The installer will download config.xml from the FLARE VM repository. This file contains the default list of packages FLARE VM will install. You may use your own list of default packages by specifying the CLI-argument -customConfig and providing either a local file path or URL to your config.xml file. For example:

.\install.ps1 -customConfig "https://raw.githubusercontent.com/mandiant/flare-vm/main/config.xml"

Post Installation

Previous versions of FLARE VM attempted to configure Windows settings post-installation with the goal of streamlining the system for malware analysis (e.g., disabling noisy services). This version of FLARE VM does not currently attempt to further configure Windows (e.g., removing bloatware). It is up to the user to manually configure their environment further.

Below are links for post-installation tweaks for Windows 10+.

We do encourage you to download and set your background to the FLARE VM logo!

FLARE VM

Contributing

Want to get started contributing? See the links below to learn how.

Installer

Tool Packages

Troubleshooting

If your installation fails, please attempt to identify the reason for the installation error by reading through the log files listed below on your system:

  • %VM_COMMON_DIR%\log.txt
  • %PROGRAMDATA%\chocolatey\logs\chocolatey.log
  • %LOCALAPPDATA%\Boxstarter\boxstarter.log

Installer Error

If the installation failed due to an issue in the installation script (e.g., install.ps1), file an issue here: https://github.com/mandiant/flare-vm/issues

Note: Rarely should install.ps1 be the reason for an installation failure. Most likely it is a specific package or set of packages that are failing (see below).

Package Error

Packages fail to install from time to time -- this is normal. The most common reasons are outlined below:

  1. Failure or timeout from Chocolatey or MyGet to download a .nupkg file
  2. Failure or timeout due to remote host when downloading a tool
  3. Intrusion Detection System (IDS) or AV product (e.g., Windows Defender) prevents a tool download or removes the tool from the system
  4. Host specific requirement issue
    1. Untested host
    2. Not enough disk space to install tools
  5. Tool fails to build due to dependencies
  6. Old tool URL (e.g., HTTP STATUS 404)
  7. Tool's SHA256 hash has changed from what is hardcoded in the package installation script

Reasons 1-4 are difficult for us to fix since we do not control them. If an issue related to reasons 1-4 is filed, it is unlikely we will be able to assist.

We can help with reasons 5-7 and welcome the community to contribute fixes as well! Please file GitHub issues related to package failures at: https://github.com/mandiant/VM-Packages/issues

Legal Notice

This download configuration script is provided to assist cyber security analysts in creating handy and versatile toolboxes for malware analysis environments. It provides a convenient interface for them to obtain a useful set of analysis tools directly from their original sources. Installation and use of this script is subject to the Apache 2.0 License. You as a user of this script must review, accept and comply with the license terms of each downloaded/installed package. By proceeding with the installation, you are accepting the license terms of each package, and acknowledging that your use of each package will be subject to its respective license terms.

More Repositories

1

commando-vm

Complete Mandiant Offensive VM (Commando VM), a fully customizable Windows-based pentesting virtual machine distribution. [email protected]
PowerShell
6,897
star
2

capa

The FLARE team's open-source tool to identify capabilities in executable files.
Python
4,775
star
3

flare-floss

FLARE Obfuscated String Solver - Automatically extract obfuscated strings from malware.
Python
3,155
star
4

red_team_tool_countermeasures

YARA
2,639
star
5

flare-ida

IDA Pro utilities from FLARE team
Python
2,031
star
6

flare-fakenet-ng

FakeNet-NG - Next Generation Dynamic Network Analysis Tool
Python
1,677
star
7

speakeasy

Windows kernel and user mode emulation.
Python
1,290
star
8

SharPersist

C#
1,213
star
9

ThreatPursuit-VM

Threat Pursuit Virtual Machine (VM): A fully customizable, open-sourced Windows-based distribution focused on threat intelligence analysis and hunting designed for intel and malware analysts as well as threat hunters to get up and running quickly.
PowerShell
1,204
star
10

gocrack

GoCrack is a management frontend for password cracking tools written in Go
Go
1,101
star
11

flare-emu

Python
735
star
12

stringsifter

A machine learning tool that ranks strings based on their relevance for malware analysis.
Python
672
star
13

SilkETW

C#
641
star
14

Mandiant-Azure-AD-Investigator

PowerShell
614
star
15

Azure_Workshop

HCL
572
star
16

sunburst_countermeasures

YARA
561
star
17

Ghidrathon

The FLARE team's open-source extension to add Python 3 scripting to Ghidra.
Java
556
star
18

capa-rules

Standard collection of rules for capa: the tool for enumerating the capabilities of programs
528
star
19

ReelPhish

Python
493
star
20

iocs

FireEye Publicly Shared Indicators of Compromise (IOCs)
458
star
21

DueDLLigence

C#
450
star
22

FIDL

A sane API for IDA Pro's decompiler. Useful for malware RE and vulnerability research
Python
431
star
23

flare-wmi

C++
412
star
24

GoReSym

Go symbol recovery tool
Go
379
star
25

rvmi

rVMI - A New Paradigm For Full System Analysis
C
352
star
26

PwnAuth

Python
347
star
27

idawasm

IDA Pro loader and processor modules for WebAssembly
Python
332
star
28

ADFSpoof

Python
318
star
29

SimplifyGraph

IDA Pro plugin to assist with complex graphs
C++
303
star
30

STrace

A DTrace on Windows Reimplementation
C++
299
star
31

ShimCacheParser

Python
258
star
32

OfficePurge

C#
256
star
33

msi-search

C
215
star
34

macos-UnifiedLogs

Rust
200
star
35

ioc_writer

Python
195
star
36

GeoLogonalyzer

GeoLogonalyzer is a utility to analyze remote access logs for anomalies such as travel feasibility and data center sources.
Python
194
star
37

Vulnerability-Disclosures

C++
183
star
38

flare-kscldr

FLARE Kernel Shellcode Loader
C
175
star
39

flare-qdb

Command-line and Python debugger for instrumenting and modifying native software behavior on Windows and Linux.
Python
161
star
40

flare-dbg

flare-dbg is a project meant to aid malware reverse engineers in rapidly developing debugger scripts.
Python
149
star
41

thiri-notebook

The Threat Hunting In Rapid Iterations (THIRI) Jupyter notebook is designed as a research aide to let you rapidly prototype threat hunting rules.
Python
146
star
42

route-sixty-sink

Link sources to sinks in C# applications.
C#
137
star
43

VM-Packages

Chocolatey packages supporting the analysis environment projects FLARE-VM & Commando VM.
PowerShell
135
star
44

heyserial

Programmatically create hunting rules for deserialization exploitation with multiple keywords, gadget chains, object types, encodings, and rule types
YARA
130
star
45

dncil

The FLARE team's open-source library to disassemble Common Intermediate Language (CIL) instructions.
Python
124
star
46

flashmingo

Automatic analysis of SWF files based on some heuristics. Extensible via plugins.
Python
118
star
47

Reversing

111
star
48

ioc-scanner-CVE-2019-19781

Indicator of Compromise Scanner for CVE-2019-19781
Shell
91
star
49

flare-bytecode_graph

Python
82
star
50

gocrack-ui

The User Interface for GoCrack
Vue
81
star
51

Volatility-Plugins

Python
80
star
52

unicorn-libemu-shim

libemu shim layer and win32 environment for Unicorn Engine
C++
70
star
53

citrix-ioc-scanner-cve-2023-3519

Shell
61
star
54

AuditParser

AuditParser
Python
56
star
55

remote_lookup

Resolves DLL API entrypoints for a process w/ remote query capabilities.
Visual Basic
54
star
56

synfulknock

Lua
48
star
57

SSSDKCMExtractor

Python
46
star
58

jitm

JITM is an automated tool to bypass the JIT Hooking protection on a .NET sample.
C++
43
star
59

goauditparser

Go
39
star
60

capa-testfiles

Data to test capa's code and rules.
Max
39
star
61

tf_rl_tutorial

Tutorial: Statistical Relational Learning with Google TensorFlow
Jupyter Notebook
39
star
62

macOS-tools

Python
38
star
63

apooxml

Generate YARA rules for OOXML documents.
Python
38
star
64

gootloader

Collection of scripts used to deobfuscate GOOTLOADER malware samples.
Python
36
star
65

pycommands

PyCommand Scripts for Immunity Debugger
Python
35
star
66

vocab_scraper

Vocabulary Scraper script used in FLARE's analysis of Russian-language Carbanak source code
Python
35
star
67

ARDvark

ARDvark parses the Apple Remote Desktop (ARD) files to pull out application usage, user activity, and filesystem listings.
Python
34
star
68

rvmi-rekall

Rekall Forensics and Incident Response Framework with rVMI extensions
Python
32
star
69

gocat

Provides access to libhashcat
Go
29
star
70

ics_mem_collect

Python
26
star
71

rvmi-qemu

QEMU with rVMI extensions
C
26
star
72

IDA_Pro_VoiceAttack_profile

Python
25
star
73

win10_auto

Python
23
star
74

pulsesecure_exploitation_countermeasures

YARA
23
star
75

rvmi-kvm

Linux-KVM with rVMI extensions
C
23
star
76

pivy-report

Poison Ivy Appendix/Extras
17
star
77

siglib

Python
15
star
78

DFUR-Splunk-App

The "DFUR" Splunk application and data that was presented at the 2020 SANS DFIR Summit.
13
star
79

vbScript_deobfuscator

Help deobfuscate VBScript
VBA
13
star
80

flare-gsoc-2023

Supporting resources and documentation for FLARE @ Google Summer of Code 2023
13
star
81

rpdebug_qnx

Python
11
star
82

mandiant_managed_hunting

Azure Deployment Templates for Mandiant Managed Huning
9
star
83

flare-floss-testfiles

Resources for testing FLOSS by the FLARE team.
C
6
star
84

shelidate

Go
2
star