VM Pool

Setting up Windows VMs for sample execution

The VM pool provides isolated Windows environments for executing generated binaries.

Overview

Each VM in the pool:

  • Runs Windows 11 with Elastic Agent
  • Executes compiled samples
  • Reports telemetry to Elastic Controller
  • Can be reset via snapshots

Proxmox Setup

Create Template VM

  1. Create new VM in Proxmox (4GB RAM, 60GB disk)
  2. Install Windows 11
  3. Disable Windows Defender
  4. Run preparation script:

     .\scripts\Prepare-RLVRLabVM.ps1 `
         -FleetUrl "https://10.0.20.145:8220" `
         -EnrollmentToken "YOUR_TOKEN" `
         -SshPublicKey "ssh-rsa AAAA..."

  5. Create snapshot: clean-base

Clone VMs

qm clone 100 101 --name malagent-vm-01 --full
qm clone 100 102 --name malagent-vm-02 --full

malagent Configuration

vm_pool:
  type: "proxmox"
  
  proxmox:
    host: "proxmox.local"
    port: 8006
    user: "root@pam"
    token_name: "malagent"
    token_value: "your-api-token"
    node: "pve"
  
  vms:
    - vmid: 101
      name: "malagent-vm-01"
      ip: "10.0.20.101"
      snapshot: "clean-base"
    - vmid: 102
      name: "malagent-vm-02"
      ip: "10.0.20.102"
      snapshot: "clean-base"
  
  ssh:
    user: "labuser"
    key_path: "~/.ssh/win"
    staging_dir: "C:\\MalwareStaging\\samples"

Execution Flow

1. SELECT VM     → Pool manager picks available VM
2. TRANSFER      → SCP binary to staging directory
3. EXECUTE       → Run binary via SSH with timeout
4. WAIT          → Poll Elastic for alerts (30-60s)
5. QUERY         → Get alerts for this sample
6. REWARD        → Map severity to reward
7. CLEANUP       → Delete binary, optionally reset VM
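
The flow above as an added example, not the malagent project's own code: it builds the Proxmox snapshot-rollback request from the vm_pool settings, leases VMs so that a VM which has run a sample is always rolled back before reuse, and narrows Elastic alerts to the host and time window of one run so an earlier sample's alerts are never attributed to the current one. The `host.name` and `kibana.alert.severity` fields are those of Kibana security alerts; the alert documents are constructed and flattened, and the transport (HTTP, SCP, SSH) is left to the caller.

```python
# Added example, not malagent project code. Builds the Proxmox API call that rolls
# a VM back to its clean snapshot, leases VMs so a dirty one is rolled back before
# reuse, and scopes Elastic alerts to one host and run window. Config keys mirror vm_pool.
from datetime import datetime, timezone

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
PROXMOX = {"host": "proxmox.local", "port": 8006, "user": "root@pam",
           "token_name": "malagent", "token_value": "your-api-token", "node": "pve"}

def rollback_request(cfg, vm):
    """URL and auth header for Proxmox's snapshot rollback endpoint (POST, no body)."""
    url = (f"https://{cfg['host']}:{cfg['port']}/api2/json/nodes/{cfg['node']}"
           f"/qemu/{vm['vmid']}/snapshot/{vm['snapshot']}/rollback")
    return url, {"Authorization": f"PVEAPIToken={cfg['user']}!{cfg['token_name']}={cfg['token_value']}"}

class VmPool:
    """Hands out one VM per sample; a VM that has run a sample is marked dirty
    and is rolled back to its snapshot before it can be leased again."""
    def __init__(self, vms):
        self.free = [dict(v, dirty=False) for v in vms]
        self.rollbacks = []              # (url, headers) calls the caller must issue
    def acquire(self):
        if not self.free:
            return None
        vm = self.free.pop(0)
        if vm["dirty"]:                  # leftover state would taint the next run's telemetry
            self.rollbacks.append(rollback_request(PROXMOX, vm))
            vm["dirty"] = False
        return vm
    def release(self, vm):
        vm["dirty"] = True
        self.free.append(vm)

def alerts_for_run(docs, host_name, start, end):
    """Only alerts raised on this VM inside [start, end] belong to this sample."""
    def ts(d): return datetime.fromisoformat(d["@timestamp"].replace("Z", "+00:00"))
    return [d for d in docs if d["host.name"] == host_name and start <= ts(d) <= end]

def max_severity(alerts):
    """Highest severity rank among the scoped alerts; 0 when nothing fired."""
    return max((SEVERITY_RANK.get(a["kibana.alert.severity"], 0) for a in alerts), default=0)

# Constructed alerts: one from an earlier run, one from the other VM, one genuine hit.
SAMPLE_ALERTS = [
    {"@timestamp": "2024-05-01T10:00:05Z", "host.name": "malagent-vm-01", "kibana.alert.severity": "critical"},
    {"@timestamp": "2024-05-01T10:05:10Z", "host.name": "malagent-vm-02", "kibana.alert.severity": "high"},
    {"@timestamp": "2024-05-01T10:05:20Z", "host.name": "malagent-vm-01", "kibana.alert.severity": "medium"},
]
RUN_START = datetime(2024, 5, 1, 10, 5, 0, tzinfo=timezone.utc)
RUN_END = datetime(2024, 5, 1, 10, 6, 0, tzinfo=timezone.utc)
```

Against the constructed documents only the medium alert survives the host and window filter; the earlier critical alert on the same VM is exactly the kind of carry-over the snapshot rollback is there to prevent.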