Additional Configuration
In this chapter we enumerate several recommendations to make your guest virtual machine as stealthy and functional as possible. We also address some of the most common problems that may arise.
Windows Guest
Windows Debloating
There are tools that automatically try to debloat your Windows instance, that is, uninstall much of the pre-installed software and disable intrusive Windows features. The purpose of these tools is optimization, performance, security, or all of these. In the context of CAPE, they are useful to reduce noise and the probability of malware not detonating. Examples of these tools are Debloat-Windows-10 or BlackBird. You can find a larger list here.
Note
It is recommended to use any of these tools to disable as much noise as possible. Remember to create a snapshot before executing them.
Disable Microsoft Store
Sometimes the Microsoft Store opens up as soon as an analysis starts. In order to disable it, you can remove the environment variable %USERPROFILE%\AppData\Local\Microsoft\WindowsApps from the user PATH, as specified in this issue (#1237).
Reduce Overall Noise
Sometimes disabling all Windows services (like UAC, Defender, Update, Aero, the firewall, etc.) is necessary in order to make the analysis as smooth as possible. Make sure you check this script out and use it to get rid of all unnecessary noise. This is just an example; your VM may require a different configuration in order to reduce or eliminate Windows noise.
Windows automatically enables the Virus Real-time Protection
One annoying behavior of Windows occurs when it automatically re-enables real-time protection whenever an analysis is started, thereby deleting the sample (if it identifies the sample as malware).
To turn it off permanently, you can follow one or more of the options listed on this site.
Enable AutoLogon
For features like "Reboot Analysis" (not implemented) to work properly, the VM must automatically log in the user upon boot so that the agent can restart.
To enable AutoLogon via the Registry, open an Administrator command prompt and run the following commands (replace <USERNAME> and <PASSWORD> with your specific user credentials):
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d <USERNAME> /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d <PASSWORD> /f
Alternatively, you can use the Microsoft Sysinternals tool Autologon.
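The following PowerShell script is an added example, not part of the CAPE documentation or the project's own tooling. It applies and verifies two of the guest settings described above from an elevated prompt inside the Windows guest: the WindowsApps user PATH workaround from the Microsoft Store section, and the Winlogon AutoLogon values, plus a check that Defender real-time protection is really off. The function names are the example's own; the registry path, value names and the Get-MpComputerStatus cmdlet are standard Windows.

```powershell
# Added example: check the guest settings this page describes.
# Run in an elevated PowerShell prompt inside the Windows guest VM.
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Test-AutoLogon {
    # Returns $true when AutoAdminLogon=1 and a DefaultUserName is set.
    $w = Get-ItemProperty -Path $Winlogon -ErrorAction SilentlyContinue
    $ok = ($w.AutoAdminLogon -eq '1') -and -not [string]::IsNullOrEmpty($w.DefaultUserName)
    if ($ok) { Write-Host "AutoLogon: enabled for user '$($w.DefaultUserName)'" }
    else     { Write-Host "AutoLogon: NOT enabled (AutoAdminLogon='$($w.AutoAdminLogon)')" }
    # 'reg add ... DefaultPassword' stores the password in cleartext; the
    # Sysinternals Autologon tool stores it as an LSA secret instead.
    if ($w.PSObject.Properties.Name -contains 'DefaultPassword') {
        Write-Host 'AutoLogon: DefaultPassword is stored in cleartext in the registry'
    }
    return $ok
}

function Remove-WindowsAppsFromUserPath {
    # Drops the %USERPROFILE%\AppData\Local\Microsoft\WindowsApps entry from
    # the *user* PATH (workaround for the Microsoft Store popping up, issue #1237).
    # Returns $true if an entry was removed, $false if none was present.
    $userPath = [Environment]::GetEnvironmentVariable('Path', 'User')
    $entries  = @($userPath -split ';' | Where-Object { $_ -ne '' })
    $kept     = @($entries | Where-Object { $_ -notlike '*\Microsoft\WindowsApps*' })
    if ($kept.Count -eq $entries.Count) {
        Write-Host 'PATH: no WindowsApps entry in the user PATH'
        return $false
    }
    [Environment]::SetEnvironmentVariable('Path', ($kept -join ';'), 'User')
    Write-Host "PATH: removed WindowsApps entry; user PATH is now: $($kept -join ';')"
    return $true
}

function Test-DefenderRealtimeOff {
    # Returns $true when Defender real-time protection is disabled.
    $st = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($null -eq $st) { Write-Host 'Defender: status cmdlet unavailable'; return $false }
    if ($st.RealTimeProtectionEnabled) {
        Write-Host 'Defender: real-time protection is ON; samples may be deleted on detonation'
    } else { Write-Host 'Defender: real-time protection is OFF' }
    return -not $st.RealTimeProtectionEnabled
}

$null = Remove-WindowsAppsFromUserPath
$ready = (Test-AutoLogon) -and (Test-DefenderRealtimeOff)
Write-Host "Guest ready for analysis: $ready"
```

Take a snapshot before running it, as the note above advises, since the PATH change is persistent for the user.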