Architecture Details
- The SOC LAN serves as a central hub within the environment: every device in the infectable networks connects to it. This network plays a crucial role in monitoring and analysis, and hosts the monitoring components such as Elasticsearch, Kibana, and the network traffic analysis tools.
- A fake DNS server operates within this network. It responds to DNS requests from infectable devices with a pre-defined, fixed IP address.
- A dummy HTTP page is provided for the requests that follow those DNS answers, adding another layer of simulation to the environment.
- The DMZ LAN (Demilitarized Zone) is where the malware samples are securely housed. The samples are encapsulated within a Docker container to ensure isolation and prevent any potential spread.
- Importantly, this network establishes a bidirectional connection with exactly one host, referred to as "targetVM", located within the infected network. This restricted connection controls the flow of traffic and interactions between the DMZ LAN and the infected network.
- Traffic originating from the DMZ LAN is intentionally blocked from reaching any other device within the entire sandbox infrastructure, so that potential threats stay contained within the controlled boundaries of the DMZ.
- Full packets are captured on the network interface to which targetVM is connected.
- Full packets or flow data can also be captured at LAN level (not active at the moment).
- Endpoint data collected:
  - Process creation (with full command line and hashes) and termination
  - Network connections
  - DNS requests
  - File creation timestamps and changes
  - Driver/image loading
  - Remote thread creation
  - Raw disk access
  - Process memory access
- Starting and stopping time of the infrastructure
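To make the fake DNS server role concrete, here is an added example (not code from this project) of a minimal UDP responder that answers every A/IN query with one fixed address and every other query type with an empty NOERROR reply. The address 10.0.0.10 and the bind settings are constructed assumptions; replace them with the sandbox's own values.

```python
import socket
import struct

FIXED_IP = "10.0.0.10"   # constructed value: the address every infectable host is steered to
QTYPE_A, QCLASS_IN = 1, 1

def build_query(name: str, qtype: int = QTYPE_A, txid: bytes = b"\x00\x01") -> bytes:
    """Encode a standard recursive query (used here to exercise the responder)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return txid + struct.pack("!HHHHH", 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, QCLASS_IN)

def parse_question(msg: bytes):
    """Return (name, qtype, qclass, end_offset) for the first question after the 12-byte header."""
    labels, pos = [], 12
    while msg[pos] != 0:
        length = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype, qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return ".".join(labels), qtype, qclass, pos + 5

def build_response(query: bytes, ip: str = FIXED_IP, ttl: int = 60) -> bytes:
    """Answer A/IN queries with one record for `ip`; any other type gets an empty NOERROR reply."""
    name, qtype, qclass, qend = parse_question(query)
    rd = query[2] & 0x01                          # echo the client's recursion-desired bit
    flags = 0x8080 | (rd << 8)                    # QR=1, RA=1, RCODE=0
    answer, ancount = b"", 0
    if qtype == QTYPE_A and qclass == QCLASS_IN:
        # 0xC00C is a compression pointer to the name at offset 12 (start of the question)
        answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, ttl, 4) + socket.inet_aton(ip)
        ancount = 1
    header = query[:2] + struct.pack("!HHHHH", flags, 1, ancount, 0, 0)
    return header + query[12:qend] + answer       # question section is copied verbatim

def serve(bind=("0.0.0.0", 53)):
    """Answer UDP queries forever; bind it to the SOC LAN interface (port 53 needs root)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(build_response(data), peer)
        except (IndexError, UnicodeDecodeError, struct.error):
            pass                                  # malformed query: drop it rather than crash

if __name__ == "__main__":
    serve()
```

Every resolved name lands on the same host, so the dummy HTTP page on that address receives whatever the sample tries to contact, and the packet capture on targetVM's interface records the full exchange.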