Optional features
This sections contains various information about optional features that may be enabled when setting up DRAKVUF Sandbox.
ZFS storage backend
If you want to install DRAKVUF Sandbox with a ZFS storage backend, you should perform the following extra steps before executing draksetup install command:
Install ZFS on your machine (guide for: Debian Buster, Ubuntu 18.04)
Create a ZFS pool on a free partition:
# zpool create tank <partition_name>
where
<partiton_name>is e.g./dev/sda3. Be aware that all data stored on the selected partition may be erased.Create a dataset for DRAKVUF Sandbox:
# zfs create tank/vms
Execute
draksetup installas in “Basic installation” section, but remembering to provide additional command line switches:--storage-backend zfs --zfs-tank-name tank/vms
Networking
Note
Even though that the guest Internet connectivity is an optional feature, drakrun would always make some changes to your host system’s network configuration:
Always:
Each instance of
drakrun@<vm_id>will create a bridgedrak<vm_id>, assign10.13.<vm_id>.1/24IP address/subnet to it and bring the interface up.drakrunwill drop any INPUT traffic originating fromdrak<vm_id>bridge, except DHCP traffic (UDP ports: 67, 68).
Only with net_enable=1:
drakrunwill enable IPv4 forwarding.drakrunwill configure MASQUERADE throughout_interfacefor packets originating from10.13.<vm_id>.0/24.drakrunwill DROP traffic betweendrak<X>anddrak<Y>bridges forX != Y.
In order to find out the exact details of the network configuration, search for _add_iptable_rule function usages in drakrun/drakrun/main.py file.
Basic networking
If you want your guest VMs to access Internet, you can enable networking by editing [drakrun]
section in /etc/drakrun/config.ini:
Set
net_enable=1in order to enable guest Internet access.Check if
out_interfacewas detected properly (e.g.ens33) and if not, correct this setting.
After making changes to /etc/drakrun, you need to restart all drakrun services that are running
in your system:
# systemctl restart 'drakrun@*'
Be aware that if your sandbox instance is already running some analyses, the above command will gracefully wait up to a few minutes until these are completed.
Using dnschef
You may optionally configure your guests to use dnschef.
Setup dnschef tool.
Start
dnschefin such way to make it listen on alldrak*interfaces that belong to DRAKVUF Sandbox.Set
dns_server=use-gateway-addressin/etc/drakrun/config.ini.Restart your drakrun instances:
systemctl restart 'drakrun@*.
MS Office file support
There is an experimental support for analyzing word and excel samples. However this requires that you have Microsoft Office installed.
The steps below should be completed on guest vm before creating the snapshot (e.g. before you run draksetup postinstall).
If you want to modify the existing snapshot, please refer to snapshot modification.
Install Microsoft Office. You can use
draksetup mount /path/to/office.isocommand to insert Office installation media during VM setup. After installation, you should be able to start word/excel by runningstart winword.exe,start excel.exefrom command line.Adjust the registry keys by executing this .reg file:
Windows Registry Editor Version 5.00 [HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security] "VBAWarnings"=dword:00000001 "AccessVBOM"=dword:00000001 "ExtensionHardening"=dword:00000000 [HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security] "VBAWarnings"=dword:00000001 "AccessVBOM"=dword:00000001 "ExtensionHardening"=dword:00000000
(change 14.0 to your Office version, see registry key by product name)
ProcDOT integration
DRAKVUF Sandbox may optionally draw a behavioral graph using ProcDOT, if drakcore will find it’s binary installed at /opt/procdot/procmon2dot.
Download ProcDOT (Linux version).
With your downloaded
procdot*_linux.ziparchive, execute the following commands:
# unzip -o procdot*_linux.zip lin64/* -d /tmp/procdot # mv /tmp/procdot/lin64 /opt/procdot # chmod +x /opt/procdot/procmon2dot
Your new analysis reports will also contain behavioral graphs.