{"id":22312,"date":"2025-03-14T00:05:00","date_gmt":"2025-03-14T03:05:00","guid":{"rendered":"https:\/\/www.ethicalhacker.com.br\/site\/?p=22312"},"modified":"2025-03-13T11:56:21","modified_gmt":"2025-03-13T14:56:21","slug":"forense-digital-com-linux-tecnicas-praticas-parte-20","status":"publish","type":"post","link":"https:\/\/www.ethicalhacker.com.br\/site\/2025\/03\/exploits\/forense-digital-com-linux-tecnicas-praticas-parte-20\/","title":{"rendered":"Digital Forensics with Linux \u2013 Practical Techniques \u2013 Part 20"},"content":{"rendered":"\n<div class=\"dad65929\">\n<div class=\"f9bf7997 d7dc56a8 c05b5566\">\n<div class=\"ds-markdown ds-markdown--block\">\n<p><strong>Configuring Cuckoo Sandbox to use a virtual machine (VM)<\/strong><\/p>\n<p style=\"text-align: justify;\">Configuring Cuckoo Sandbox to use a virtual machine (VM) as its analysis environment is a crucial step in ensuring that malware runs in an isolated, controlled environment. Below I describe the detailed steps to configure Cuckoo Sandbox with a virtual machine on Rocky Linux 9, using KVM (Kernel-based Virtual Machine) as the hypervisor.<\/p>\n<p>1. <strong>Installing and configuring KVM<\/strong><\/p>\n<p style=\"text-align: justify;\">KVM is an open-source hypervisor widely used on Linux. To use it with Cuckoo Sandbox, follow the steps below:<\/p>\n<p><strong>Install KVM and related tools:<\/strong><\/p>\n<div class=\"md-code-block\">\n<pre>sudo dnf install @virtualization\nsudo systemctl start libvirtd\nsudo systemctl enable libvirtd<\/pre>\n<\/div>\n<p><strong>Check that KVM is working:<\/strong><\/p>\n<div class=\"md-code-block\">\n<pre>sudo virsh list --all<\/pre>\n<\/div>\n<p>If KVM is configured correctly, you will see a list of virtual machines (if any exist).<\/p>\n<p>2. <strong>Creating the virtual machine (VM)<\/strong><\/p>\n<p style=\"text-align: justify;\">Create the virtual machine that will serve as the analysis environment. You can use a Rocky Linux 9 image or another operating system.<\/p>\n<p><strong>Steps to create the VM:<\/strong><\/p>\n<ul>\n<li>\n<p>Download an ISO image of Rocky Linux 9 or another operating system.<\/p>\n<\/li>\n<li>\n<p><strong>Use <code>virt-install<\/code> to create the VM:<\/strong><\/p>\n<div class=\"md-code-block\">\n<pre>sudo virt-install \\\n--name rocky9-analysis \\\n--ram 2048 \\\n--vcpus 2 \\\n--disk path=\/var\/lib\/libvirt\/images\/rocky9-analysis.qcow2,size=20 \\\n--os-type linux \\\n--os-variant rocky9 \\\n--network network=default \\\n--graphics spice \\\n--cdrom \/caminho\/para\/Rocky-9.0-x86_64-dvd.iso<\/pre>\n<\/div>\n<\/li>\n<li>\n<p>Follow the operating system installation process inside the VM.<\/p>\n<\/li>\n<\/ul>\n<p>3. <strong>Configuring Cuckoo Sandbox to use the VM<\/strong><\/p>\n<p>After creating the VM, configure Cuckoo Sandbox to use it as the analysis environment.<\/p>\n<p><strong>Edit the <code>cuckoo.conf<\/code> configuration file:<\/strong><\/p>\n<ul>\n<li>\n<p><strong>Open the Cuckoo configuration file:<\/strong><\/p>\n<div class=\"md-code-block\">\n<pre>nano ~\/.cuckoo\/conf\/cuckoo.conf<\/pre>\n<\/div>\n<\/li>\n<li>\n<p><strong>Set the machinery module (the hypervisor) to <code>kvm<\/code>:<\/strong><\/p>\n<div class=\"md-code-block\">\n<pre>[cuckoo]\nmachinery = kvm<\/pre>\n<\/div>\n<\/li>\n<\/ul>\n<p><strong>Edit the <code>kvm.conf<\/code> configuration file:<\/strong><\/p>\n<ul>\n<li>\n<p><strong>Open the KVM configuration file:<\/strong><\/p>\n<div class=\"md-code-block\">\n<pre>nano ~\/.cuckoo\/conf\/kvm.conf<\/pre>\n<\/div>\n<\/li>\n<li>\n<p><strong>Register the VM created earlier. Example (comments are kept on their own lines so they are not read as part of a value):<\/strong><\/p>\n<div class=\"md-code-block\">\n<pre>[kvm]\n# Comma-separated list of machine sections declared below\nmachines = rocky9-analysis\n# KVM network interface used for the analysis network\ninterface = virbr0\n\n[rocky9-analysis]\n# Name of the VM as shown by \"virsh list --all\"\nlabel = rocky9-analysis\nplatform = linux\n# IP address of the VM on the KVM NAT network\nip = 192.168.122.2\n# Snapshot restored to reset the VM for each analysis\nsnapshot = cuckoo_snapshot<\/pre>\n<\/div>\n<ul>\n<li>\n<p><strong>machines<\/strong>: the machine section (or comma-separated list of sections) that Cuckoo will use.<\/p>\n<\/li>\n<li>\n<p><strong>label<\/strong>: the VM's name in KVM.<\/p>\n<\/li>\n<li>\n<p><strong>platform<\/strong>: the guest operating system family, used to pick the analysis packages.<\/p>\n<\/li>\n<li>\n<p><strong>ip<\/strong>: the VM's IP address on the KVM NAT network.<\/p>\n<\/li>\n<li>\n<p><strong>snapshot<\/strong>: name of the snapshot used to restore the VM after each analysis.<\/p>\n<\/li>\n<li>\n<p><strong>interface<\/strong>: network interface used by KVM (usually <code>virbr0<\/code>).<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>4. <strong>Creating a snapshot of the VM<\/strong><\/p>\n<p style=\"text-align: justify;\">Cuckoo Sandbox relies on snapshots to restore the VM to its original state after each analysis. Follow the steps below to create one:<\/p>\n<ul>\n<li>\n<p><strong>Start the VM and prepare it for analysis:<\/strong><\/p>\n<ul>\n<li>\n<p>Install analysis tooling, such as Python, and set up the Cuckoo Sandbox agent.<\/p>\n<\/li>\n<li>\n<p>Make sure the VM is configured to start the Cuckoo agent automatically.<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>Shut down the VM:<\/strong><\/p>\n<div class=\"md-code-block\">\n<pre>sudo virsh shutdown rocky9-analysis<\/pre>\n<\/div>\n<\/li>\n<li>\n<p><strong>Create a snapshot:<\/strong><\/p>\n<div class=\"md-code-block\">\n<pre>sudo virsh snapshot-create-as rocky9-analysis cuckoo_snapshot<\/pre>\n<\/div>\n<\/li>\n<li>\n<p><strong>Verify the snapshot:<\/strong><\/p>\n<div class=\"md-code-block\">\n<pre>sudo virsh snapshot-list rocky9-analysis<\/pre>\n<\/div>\n<\/li>\n<\/ul>\n<p>5. <strong>Configuring the Cuckoo agent inside the VM<\/strong><\/p>\n<p style=\"text-align: justify;\">The Cuckoo Sandbox agent is a small program that runs inside the VM and collects data while the malware executes.<\/p>\n<p><strong>Steps to configure the agent:<\/strong><\/p>\n<ul>\n<li>\n<p>Copy the Cuckoo agent into the VM:<\/p>\n<ul>\n<li>\n<p>The agent is located at <code>~\/cuckoo\/agent\/agent.py<\/code>.<\/p>\n<\/li>\n<li>\n<p>Use <code>scp<\/code> or a network share to copy the file to the VM.<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<li>\n<p>Configure the agent to start automatically:<\/p>\n<ul>\n<li>\n<p>Add the agent to the VM's startup system (for example, with <code>systemd<\/code> or <code>cron<\/code>).<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<li>\n<p>Test the agent:<\/p>\n<ul>\n<li>\n<p>Run the agent manually inside the VM and verify that it communicates with Cuckoo Sandbox.<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>6. <strong>Testing the setup<\/strong><\/p>\n<p style=\"text-align: justify;\">After configuring the environment, test Cuckoo Sandbox to make sure it is working correctly.<\/p>\n<p><strong>Submit a file for analysis:<\/strong><\/p>\n<div class=\"md-code-block\">\n<pre>cuckoo submit \/caminho\/para\/arquivo_suspeito.exe<\/pre>\n<\/div>\n<p><strong>Check the analysis status:<\/strong><\/p>\n<div class=\"md-code-block\">\n<pre>cuckoo status<\/pre>\n<\/div>\n<p><strong>Open the generated report:<\/strong><\/p>\n<ul>\n<li>\n<p>Reports are written to <code>~\/.cuckoo\/storage\/analyses\/&lt;ID&gt;\/<\/code>.<\/p>\n<\/li>\n<\/ul>\n<p>7. <strong>Tips and best practices<\/strong><\/p>\n<ul>\n<li>\n<p><strong>Network isolation<\/strong>: make sure the VM is isolated from the main network to prevent malware from spreading.<\/p>\n<\/li>\n<li>\n<p><strong>Updates<\/strong>: keep the VM's operating system and Cuckoo Sandbox up to date.<\/p>\n<\/li>\n<li>\n<p><strong>Backups<\/strong>: back up the snapshots and the Cuckoo configuration regularly.<\/p>\n<\/li>\n<\/ul>\n<p style=\"text-align: justify;\">With these settings in place, Cuckoo Sandbox is ready to analyze malware in a secure, controlled environment using a virtual machine on Rocky Linux 9.<\/p>\n<\/div>\n<\/div>\n<\/div>\n\n\n","protected":false},"excerpt":{"rendered":"<p>Configuring Cuckoo Sandbox to use a virtual machine (VM) Configuring Cuckoo Sandbox to use a virtual machine (VM) as its analysis environment is a crucial step in ensuring that malware runs in an isolated, controlled environment. Below I describe the detailed steps to configure Cuckoo Sandbox with a virtual machine on Rocky [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":22308,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[89,100,21],"tags":[],"class_list":["post-22312","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-basico","category-diversos","category-exploits"],"_links":{"self":[{"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/posts\/22312","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/comments?post=22312"}],"version-history":[{"count":6,"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/posts\/22312\/revisions"}],"predecessor-version":[{"id":22322,"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/posts\/22312\/revisions\/22322"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/media\/22308"}],"wp:attachment":[{"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/media?parent=22312"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/categories?post=22312"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/tags?post=22312"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}