Setup Mandiant FLARE VM

FLARE VM GitHub and Installation:

Installing packages with Chocolatey:

https://community.chocolatey.org/packages/timelineexplorer#files

Welcome to FLARE-VM - a collection of software installations scripts for Windows systems that allows you to easily setup and maintain a reverse engineering environment on a virtual machine (VM). FLARE-VM was designed to solve the problem of reverse engineering tool curation and relies on two main technologies: Chocolatey and Boxstarter. Chocolatey is a Windows-based Nuget package management system, where a "package" is essentially a ZIP file containing PowerShell installation scripts that download and configure a specific tool. Boxstarter leverages Chocolatey packages to automate the installation of software and create repeatable, scripted Windows environments.

Requirements

FLARE-VM should ONLY be installed on a virtual machine. The VM should satisfy the following requirements:

Windows >= 10
PowerShell >= 5
Disk capacity of at least 60 GB and memory of at least 2GB
Usernames without spaces or other special characters
Internet connection
Tamper Protection and any Anti-Malware solution (e.g., Windows Defender) Windows Defender disabled, preferably via Group Policy
Windows Updates Disabled

Installation instruction

This section documents the steps to install FLARE-VM. You may also find this video useful:

Pre-installation

Prepare a Windows 10+ virtual machine
- Install Windows in the virtual machine, for example using the raw Windows 10 ISO from https://www.microsoft.com/en-us/software-download/windows10ISO
- Ensure the requirements above are satisfied, including:
  - Disable Windows Updates (at least until installation is finished)
    https://www.windowscentral.com/how-stop-updates-installing-automatically-windows-10
  - Disable Tamper Protection and any Anti-Malware solution (e.g., Windows Defender), preferably via Group Policy.
    https://stackoverflow.com/questions/62174426/how-to-permanently-disable-windows-defender-real-time-protection-with-gpo
Take a VM snapshot so you can always revert to a state before the FLARE-VM installation

FLARE-VM installation

Open a PowerShell prompt as administrator

Download the installation script installer.ps1 to your Desktop:

(New-Object net.webclient).DownloadFile('https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1',"$([Environment]::GetFolderPath("Desktop"))\install.ps1")

Unblock the installation script:
- Unblock-File .\install.ps1
Enable script execution:
- Set-ExecutionPolicy Unrestricted -Force
  - If you receive an error saying the execution policy is overridden by a policy defined at a more specific scope, you may need to pass a scope in via Set-ExecutionPolicy Unrestricted -Scope CurrentUser -Force. To view execution policies for all scopes, execute Get-ExecutionPolicy -List
Finally, execute the installer script as follow:
- .\install.ps1
  - To pass your password as an argument: .\install.ps1 -password <password>
  - To use the CLI-only mode with minimal user interaction: .\install.ps1 -password <password> -noWait -noGui
  - To use the CLI-only mode with minimal user interaction and a custom config file: .\install.ps1 -customConfig <config.xml> -password <password> -noWait -noGui
After installation it is recommended to switch to host-only networking mode and take a VM snapshot

IF you get the Error:

$errorColor = [System.Drawing.ColorTranslator]::FromHtml("#c80505 ...

On line 470, of the install.ps1 script, add the following line: Add-Type -AssemblyName System.Drawing

Run install.ps1 again.

Installer Parameters

Below are the CLI parameter descriptions.

PARAMETERS
    -password <String>
        Current user password to allow reboot resiliency via Boxstarter. The script prompts for the password if not provided.

    -noPassword [<SwitchParameter>]
        Switch parameter indicating a password is not needed for reboots.

    -customConfig <String>
        Path to a configuration XML file. May be a file path or URL.

    -customLayout <String>
        Path to a taskbar layout XML file. May be a file path or URL.

    -noWait [<SwitchParameter>]
        Switch parameter to skip installation message before installation begins.

    -noGui [<SwitchParameter>]
        Switch parameter to skip customization GUI.

    -noReboots [<SwitchParameter>]
        Switch parameter to prevent reboots (not recommended).

    -noChecks [<SwitchParameter>]
        Switch parameter to skip validation checks (not recommended).

Get full usage information by running Get-Help .\install.ps1 -Detailed.

Installer GUI

The Installer GUI is display after executing the validation checks and installing Boxstarter and Chocolatey (if they are not installed already). Using the installer GUI you may customize:

Package selection
Environment variable paths

Configuration

The installer will download config.xml from the FLARE-VM repository. This file contains the default configuration, including the list of packages to install and the environment variable paths. You may use your own configuration by specifying the CLI-argument -customConfig and providing either a local file path or URL to your config.xml file. For example:

.\install.ps1 -customConfig "https://raw.githubusercontent.com/mandiant/flare-vm/main/config.xml"

Taskbar Layout

The installer will use CustomStartLayout.xml from the FLARE-VM repository. This file contains the default taskbar layout. You may use your own configuration by specifying the CLI-argument -customLayout and providing a local file path or URL to your CustomStartLayout.xml file. For example:

.\install.ps1 -customLayout "https://raw.githubusercontent.com/mandiant/flare-vm/main/CustomStartLayout.xml"

Things to Consider:

Items in the .xml that are not installed will not display in the taskbar (no broken links will be pinned)
Only applications (.exe files) or shortcuts to applications can be pinned.
If you would like to pin something that isn't an application, consider creating a shortcut that points to cmd.exe or powershell with arguments supplied that will perform that actions you would like.
If you would like to make something run with admin rights, consider making a shortcut using VM-Install-Shortcut with the flag -runAsAdmin and pinning the shortcut.

Post installation steps

You can include any post installation step you like in the configuration inside the tags apps, services, path-items, registry-items, and custom-items.

For example:

To show known file extensions:

    <registry-items>
        <registry-item name="Show known file extensions" path="HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" value="HideFileExt" type="DWord" data="0"/>
    </registry-items>

For more examples, check the default configuration file: config.xml.

Updating Flare

Open the command prompt as admin
run cup all Package updates are best effort and that updates are not being tested. If you encounter errors, perform a fresh FLARE-VM install.

PreviousObisidian How-To NextSecurity Fundamentals

Last updated 7 months ago

hashtagRequirements

hashtagInstallation instruction

hashtagPre-installation

hashtagFLARE-VM installation

hashtagInstaller Parameters

hashtagInstaller GUI

hashtagConfiguration

hashtagTaskbar Layout

hashtagThings to Consider:

hashtagPost installation steps

hashtagUpdating Flare