Week 25 – Malware Analysis Lab Environment
Week 25: Building a fully isolated malware analysis environment using Proxmox, REMnux, and Windows 11.

Overview

What you will accomplish

This week focuses on building a safe, isolated, and fully instrumented malware analysis environment. You will create a dedicated malware VLAN, deploy REMnux and Windows 11 analysis workstations, configure simulated internet services, enable telemetry pipelines, and validate the entire environment before detonating malware in Week 26.

  • Create an isolated Proxmox VLAN for malware analysis.
  • Deploy REMnux as the Linux analysis workstation.
  • Deploy Windows 11 as the primary analysis workstation.
  • Configure INetSim for simulated internet services.
  • Enable Sysmon, Suricata, and Wazuh telemetry pipelines.
  • Validate isolation, logging, and baseline behavior.
1. Create the Malware VLAN (vmbr30)

This activity creates a fully isolated Proxmox VLAN dedicated to malware analysis. All malware traffic remains contained within this network and cannot reach the internet or your home LAN. Note that the Proxmox host itself holds 10.30.0.1 on vmbr30: with no gateway and no NAT or masquerade rule for this bridge the VMs have no path out, but if IP forwarding is enabled on the host for other bridges, add a firewall rule that drops forwarded traffic from 10.30.0.0/24 so the VMs cannot route through the host.

  1. Create a new Linux bridge
    In Proxmox:
    Datacenter → Node → System → Network → Create → Linux Bridge
                
    Configure:
    • Name: vmbr30
    • IPv4/CIDR: 10.30.0.1/24
    • IPv4 Gateway: leave blank
    • Autostart: Yes
  2. Apply and reboot
    Apply Configuration → Reboot Node
                
  3. Verify bridge creation
    On Proxmox shell:
    ip a | grep vmbr30
                
    Expected:
    inet 10.30.0.1/24
  4. Document VLAN configuration
    Add to your homelab documentation:
    • Bridge name: vmbr30
    • Subnet: 10.30.0.0/24
    • Gateway: none
    • Purpose: malware analysis
2. Deploy REMnux Linux Analysis Workstation

This activity deploys REMnux, a Linux distribution designed for malware analysis. REMnux provides tools for static analysis, dynamic analysis, memory forensics, and network simulation.

  1. Download REMnux OVA
    https://remnux.org
  2. Import into Proxmox
    qm importovf reads the .ovf manifest, so unpack the OVA first (use the .ovf filename that tar lists):
    tar -xvf remnux.ova
    qm importovf 9000 remnux.ovf local-lvm
                
  3. Attach to vmbr30
    Hardware → Network → vmbr30
                
  4. Set static IP
    10.30.0.10/24
    Gateway: none
    DNS: none
                
  5. Verify connectivity
    ping 10.30.0.1
                
  6. Document REMnux configuration
    Add:
    • IP: 10.30.0.10
    • Hostname: remnux-analysis
    • Interface: ens18
3. Deploy Windows 11 Analysis Workstation

This activity deploys a Windows 11 VM configured for malware analysis. This workstation will be used for static and dynamic analysis in Weeks 26–28.

  1. Create VM
    VM ID: 110
    Name: win11-analysis
                
  2. Attach to vmbr30
    Hardware → Network → vmbr30
                
  3. Set static IP
    10.30.0.20/24
    Gateway: none
    DNS: 10.30.0.10
                
  4. Install Sysmon
    sysmon64.exe -accepteula -i sysmonconfig.xml
                
  5. Install Wazuh agent
    Configure:
    Manager: 10.30.0.5
    Agent name: windows11-analysis
                
  6. Document Windows configuration
    Add:
    • IP: 10.30.0.20
    • Hostname: win11-analysis
    • DNS: 10.30.0.10
4. Configure Simulated Internet Services (INetSim + DNS + HTTP/HTTPS/SMTP)

This activity configures INetSim on REMnux to simulate internet services for malware. INetSim provides fake DNS, HTTP, HTTPS, SMTP, and other services so malware behaves as if it is online while remaining fully contained.

  1. Install INetSim
    On REMnux:
    sudo apt update
    sudo apt install -y inetsim
                
  2. Configure INetSim to bind to the malware VLAN interface
    Edit:
    sudo nano /etc/inetsim/inetsim.conf
                
    Set:
    service_bind_address    10.30.0.10
    dns_default_ip          10.30.0.10
                
  3. Enable DNS simulation
    Ensure:
    start_service dns
                
  4. Enable HTTP/HTTPS simulation
    Ensure:
    start_service http
    start_service https
                
  5. Enable SMTP simulation
    Ensure:
    start_service smtp
                
  6. Start INetSim
    sudo systemctl enable inetsim
    sudo systemctl start inetsim
                
  7. Validate DNS simulation
    From Windows:
    nslookup google.com
                
    Expected:
    Address: 10.30.0.10
                
  8. Validate HTTP simulation
    From Windows:
    curl http://example.com
                
    Expected:
    INetSim HTTP service banner
                
  9. Validate SMTP simulation
    From Windows:
    telnet 10.30.0.10 25
                
    Expected:
    220 inetsim ESMTP service ready
                
  10. Document INetSim configuration
    Add:
    • DNS: 10.30.0.10
    • HTTP/HTTPS: 10.30.0.10
    • SMTP: 10.30.0.10
    • Interface: ens18
5. Enable Telemetry Pipelines (Sysmon + Suricata + Wazuh Integration)

This activity configures full telemetry collection for the malware analysis environment. You will enable Sysmon on Windows 11, Suricata on REMnux, and integrate both with your Wazuh SIEM. This ensures that all process, file, registry, DNS, HTTP, and network events are captured and forwarded for analysis.

  1. Verify Sysmon is installed on Windows 11
    Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" -MaxEvents 10
                
  2. Verify Sysmon configuration
    sysmon64.exe -c
    (-c with no file prints the active configuration; -c sysmonconfig.xml would replace it)
                
  3. Verify Wazuh agent is installed
    Get-Service -Name WazuhSvc
    (service name WazuhSvc, display name Wazuh)
                
  4. Configure Wazuh to collect Sysmon logs
    Edit:
    C:\Program Files (x86)\ossec-agent\ossec.conf
                
    Add inside <ossec_config>:
    <localfile>
      <location>Microsoft-Windows-Sysmon/Operational</location>
      <log_format>eventchannel</log_format>
    </localfile>
                
  5. Validate Sysmon → Wazuh forwarding
    Trigger:
    notepad.exe
                
    Expected:
    A Sysmon Event ID 1 (process creation) for notepad.exe from agent windows11-analysis appears in the Wazuh dashboard.
  6. Verify Suricata installation
    suricata --build-info
                
  7. Bind Suricata to ens18
    Edit:
    sudo nano /etc/suricata/suricata.yaml
                
    Set:
    af-packet:
      - interface: ens18
                
  8. Update Suricata rules
    sudo suricata-update
    sudo systemctl restart suricata
                
  9. Validate Suricata alerts
    From Windows:
    curl http://example.com
    nslookup testdomain.local
                
  10. Install Filebeat on REMnux
    curl -s https://packages.wazuh.com/4.x/filebeat/install.sh | sudo bash
                
  11. Configure Filebeat to forward Suricata logs
    Edit:
    sudo nano /etc/filebeat/filebeat.yml
                
    Add:
    filebeat.inputs:
      - type: log
        paths:
          - /var/log/suricata/eve.json
        fields:
          log_type: suricata
        fields_under_root: true
                
  12. Validate Suricata → Wazuh forwarding
    Check Wazuh dashboard for Suricata events.
  13. Enable packet capture
    mkdir -p ~/pcaps
    sudo tcpdump -i ens18 -w ~/pcaps/malware-traffic.pcap
                
  14. Document telemetry architecture
    Add:
    • Sysmon → Wazuh
    • Suricata → Filebeat → Wazuh
    • Log paths
    • Agent names
6. Validate Isolation & Baseline Behavior

This activity validates that your malware analysis environment is safe, isolated, and functioning correctly before you begin detonating malware in Week 26.

  1. Verify Windows cannot reach the internet
    ping 8.8.8.8
    ping 1.1.1.1
                
    Expected:
    No replies (General failure or Request timed out). Any reply means the VLAN is not isolated.
                
  2. Verify DNS resolution goes to INetSim
    nslookup google.com
                
  3. Validate HTTP/HTTPS simulation
    curl http://example.com
    curl https://secure.test -k
                
  4. Validate Suricata baseline alerts
    sudo tail -f /var/log/suricata/eve.json
                
  5. Validate Sysmon baseline events
    notepad.exe
    calc.exe
                
  6. Capture baseline packet traffic
    sudo tcpdump -i ens18 -w ~/pcaps/baseline-week25.pcap
                
  7. Create final snapshots
    remnux-baseline-week25
    windows11-baseline-week25
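Steps 1–4 above check isolation by hand; the script below, an added example that is not part of the Week 25 material, automates the same check over Suricata's eve.json: every destination must stay inside 10.30.0.0/24 and every DNS A answer must be INetSim's 10.30.0.10. The embedded EVE lines are constructed; pass a path such as /var/log/suricata/eve.json to audit the real baseline capture.

```python
"""Added example: audit Suricata eve.json from the malware VLAN for isolation leaks."""
import io
import ipaddress
import json
import sys

MALWARE_NET = ipaddress.ip_network("10.30.0.0/24")   # vmbr30 subnet
INETSIM = "10.30.0.10"                               # REMnux / INetSim dns_default_ip

# Constructed EVE records (not a real capture): two expected INetSim
# interactions, one ICMP flow that escaped the VLAN, one non-INetSim answer.
SAMPLE_EVE = """\
{"event_type":"dns","src_ip":"10.30.0.20","dest_ip":"10.30.0.10","dns":{"type":"answer","rrname":"google.com","answers":[{"rrname":"google.com","rrtype":"A","rdata":"10.30.0.10"}]}}
{"event_type":"http","src_ip":"10.30.0.20","dest_ip":"10.30.0.10","http":{"hostname":"example.com","url":"/"}}
{"event_type":"flow","src_ip":"10.30.0.20","dest_ip":"8.8.8.8","proto":"ICMP"}
{"event_type":"dns","src_ip":"10.30.0.20","dest_ip":"10.30.0.10","dns":{"type":"answer","rrname":"update.test","rrtype":"A","rdata":"198.51.100.7"}}
"""


def check_eve(lines):
    """Return (leaks, bad_dns): (src, dst, proto) for flows leaving the /24, (rrname, rdata) for A answers not at INetSim."""
    leaks, bad_dns = [], []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        dst = ev.get("dest_ip")
        # Any destination outside the malware /24 means traffic left the VLAN.
        if dst and ipaddress.ip_address(dst) not in MALWARE_NET:
            leaks.append((ev.get("src_ip"), dst, ev.get("proto", ev["event_type"])))
        dns = ev.get("dns") or {}
        # EVE v2 carries an "answers" list; v1 logs one answer per record.
        answers = dns.get("answers") or ([dns] if dns.get("type") == "answer" else [])
        for ans in answers:
            if ans.get("rrtype") == "A" and ans.get("rdata") != INETSIM:
                bad_dns.append((ans.get("rrname"), ans["rdata"]))
    return leaks, bad_dns


def main(path=None):
    """Audit a real eve.json when given a path, otherwise the constructed sample."""
    with (open(path) if path else io.StringIO(SAMPLE_EVE)) as fh:
        leaks, bad_dns = check_eve(fh)
    for src, dst, proto in leaks:
        print(f"LEAK {src} -> {dst} ({proto}): traffic left the malware VLAN")
    for name, rdata in bad_dns:
        print(f"DNS  {name} -> {rdata}: answer did not come from INetSim")
    return 1 if (leaks or bad_dns) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

A non-zero exit means the baseline is not clean and the environment should not be used for detonation until the cause is found.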