Setup Mandiant FLARE VM

FLARE VM GitHub and Installation:

https://github.com/mandiant/flare-vm

Installing packages with Chocolatey:

https://community.chocolatey.org/packages/timelineexplorer#files

Welcome to FLARE-VM - a collection of software installations scripts for Windows systems that allows you to easily setup and maintain a reverse engineering environment on a virtual machine (VM). FLARE-VM was designed to solve the problem of reverse engineering tool curation and relies on two main technologies: Chocolatey and Boxstarter. Chocolatey is a Windows-based Nuget package management system, where a "package" is essentially a ZIP file containing PowerShell installation scripts that download and configure a specific tool. Boxstarter leverages Chocolatey packages to automate the installation of software and create repeatable, scripted Windows environments.

Requirements

FLARE-VM should ONLY be installed on a virtual machine. The VM should satisfy the following requirements:

• Windows >= 10

• PowerShell >= 5

• Disk capacity of at least 60 GB and memory of at least 2GB

• Usernames without spaces or other special characters

• Internet connection

• Tamper Protection and any Anti-Malware solution (e.g., Windows Defender) Windows Defender disabled, preferably via Group Policy

• Windows Updates Disabled

Installation instruction

This section documents the steps to install FLARE-VM. You may also find this video useful:

Pre-installation

• Prepare a Windows 10+ virtual machine

  • Install Windows in the virtual machine, for example using the raw Windows 10 ISO from https://www.microsoft.com/en-us/software-download/windows10ISO
  • Ensure the requirements above are satisfied, including:

    • Disable Windows Updates (at least until installation is finished)

      • https://www.windowscentral.com/how-stop-updates-installing-automatically-windows-10
    • Disable Tamper Protection and any Anti-Malware solution (e.g., Windows Defender), preferably via Group Policy.

      • https://stackoverflow.com/questions/62174426/how-to-permanently-disable-windows-defender-real-time-protection-with-gpo
• Take a VM snapshot so you can always revert to a state before the FLARE-VM installation

FLARE-VM installation

• Open a PowerShell prompt as administrator

• Download the installation script installer.ps1 to your Desktop:

  (New-Object net.webclient).DownloadFile('https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1',"$([Environment]::GetFolderPath("Desktop"))\install.ps1")

• Unblock the installation script:

  • Unblock-File .\install.ps1

• Enable script execution:

  • Set-ExecutionPolicy Unrestricted -Force

    • If you receive an error saying the execution policy is overridden by a policy defined at a more specific scope, you may need to pass a scope in via Set-ExecutionPolicy Unrestricted -Scope CurrentUser -Force. To view execution policies for all scopes, execute Get-ExecutionPolicy -List

• Finally, execute the installer script as follow:

  • .\install.ps1

    • To pass your password as an argument: .\install.ps1 -password <password>

    • To use the CLI-only mode with minimal user interaction: .\install.ps1 -password <password> -noWait -noGui

    • To use the CLI-only mode with minimal user interaction and a custom config file: .\install.ps1 -customConfig <config.xml> -password <password> -noWait -noGui

• After installation it is recommended to switch to host-only networking mode and take a VM snapshot

Installer Parameters

Below are the CLI parameter descriptions.

PARAMETERS
    -password <String>
        Current user password to allow reboot resiliency via Boxstarter. The script prompts for the password if not provided.

    -noPassword [<SwitchParameter>]
        Switch parameter indicating a password is not needed for reboots.

    -customConfig <String>
        Path to a configuration XML file. May be a file path or URL.

    -customLayout <String>
        Path to a taskbar layout XML file. May be a file path or URL.

    -noWait [<SwitchParameter>]
        Switch parameter to skip installation message before installation begins.

    -noGui [<SwitchParameter>]
        Switch parameter to skip customization GUI.

    -noReboots [<SwitchParameter>]
        Switch parameter to prevent reboots (not recommended).

    -noChecks [<SwitchParameter>]
        Switch parameter to skip validation checks (not recommended).

Get full usage information by running Get-Help .\install.ps1 -Detailed.

Installer GUI

The Installer GUI is display after executing the validation checks and installing Boxstarter and Chocolatey (if they are not installed already). Using the installer GUI you may customize:

• Package selection

• Environment variable paths

Configuration

The installer will download config.xml from the FLARE-VM repository. This file contains the default configuration, including the list of packages to install and the environment variable paths. You may use your own configuration by specifying the CLI-argument -customConfig and providing either a local file path or URL to your config.xml file. For example:

.\install.ps1 -customConfig "https://raw.githubusercontent.com/mandiant/flare-vm/main/config.xml"

Taskbar Layout

The installer will use CustomStartLayout.xml from the FLARE-VM repository. This file contains the default taskbar layout. You may use your own configuration by specifying the CLI-argument -customLayout and providing a local file path or URL to your CustomStartLayout.xml file. For example:

.\install.ps1 -customLayout "https://raw.githubusercontent.com/mandiant/flare-vm/main/CustomStartLayout.xml"

Things to Consider:

• Items in the .xml that are not installed will not display in the taskbar (no broken links will be pinned)

• Only applications (.exe files) or shortcuts to applications can be pinned.

• If you would like to pin something that isn't an application, consider creating a shortcut that points to cmd.exe or powershell with arguments supplied that will perform that actions you would like.

• If you would like to make something run with admin rights, consider making a shortcut using VM-Install-Shortcut with the flag -runAsAdmin and pinning the shortcut.

Post installation steps

You can include any post installation step you like in the configuration inside the tags apps, services, path-items, registry-items, and custom-items.

For example:

• To show known file extensions:

    <registry-items>
        <registry-item name="Show known file extensions" path="HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" value="HideFileExt" type="DWord" data="0"/>
    </registry-items>

For more examples, check the default configuration file: config.xml.

Updating Flare

1. Open the command prompt as admin

2. run cup all Package updates are best effort and that updates are not being tested. If you encounter errors, perform a fresh FLARE-VM install.