Hyper-V Malware Analysis Part #1

Okay, this series will go over how to set up Hyper-V for malware analysis. I won't be covering Hyper-V Server in depth, so I recommend reading up on Windows Server, how to set it up, and Hyper-V. You will need background knowledge in basic networking, Hyper-V, and Windows Server.

The first thing I did was install Server 2016 Standard. Afterwards I enabled RDP access to it and set up one of the physical NICs with a static IP on a subnet separate from my home network. If I had put it on the same subnet as my home network, there could have been routing issues from my home desktop, internet connectivity problems, and so on.

I then added a static IP on my home PC's network card so that I could just RDP into my host and manage it that way. There are many different ways to do this. After setting up your interface, be it a physical or WiFi card, you can manage your host through that interface. I do recommend setting a static IP on your host.

This guide goes over configuring access so that you can remotely manage your host: https://docs.microsoft.com/en-us/windows-server/administration/server-manager/configure-remote-management-in-server-manager Keep in mind there are many different ways to manage the host remotely. The basic one for me is to set a static IP and, under System settings, allow RDP access to the server.

Your network will probably be Public by default, so use the link below to set a group policy that makes sure all NICs, including the WiFi card, use the Private network profile. This makes connecting to the host much easier.

Their guide uses the Local Group Policy Editor to set Network List Manager Policies. They show how to set the Unidentified Networks policy to Private. Apply the same Private setting to Identifying Networks and All Networks.

https://www.isunshare.com/windows-10/change-network-from-public-to-private-in-windows-10.html#way3

Alright, with that out of the way, use the Add Roles and Features Wizard to install the Hyper-V role. Once Hyper-V is installed, you can start creating VMs under Hyper-V Manager. First things first: use Virtual Switch Manager to set up your networks.

It is recommended to have a subnet that is separate from your home network subnet; basically, do your malware analysis on a separate subnet and network. Again, there are many different ways to do this network setup. You will just need to research and choose the one that works best for you.

Below I have a couple of networks in Hyper-V.

Again, I am giving a high-level overview of this setup, the reason being to help you get an idea of what is possible. Another way is to set up a static IP on the host and have your VMs use an external Hyper-V virtual switch bound to the host's physical NIC. Next, connect that physical NIC to a router. That router will then NAT and forward traffic through your internal network to the public internet.

Another setup is to have your malware traffic router route traffic through a mobile hotspot. That way it doesn’t even go through your home network.

Make a network map of what the traffic will look like. It helps greatly to visualize where the traffic will go to from the guest VM.
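The steps above (static management IP, RDP, Private network profile, Hyper-V role, and a lab switch that stays off the management NIC) collected into the equivalent PowerShell for the host. This is an added example, not the post's own procedure; the interface aliases, the 192.168.50.0/24 management subnet and the switch names are assumptions, so adjust them to your hardware.

```powershell
# Added example: run from an elevated PowerShell session on the Server 2016 host.
# Interface aliases, addresses and switch names below are assumptions.
$MgmtNic = 'Ethernet'       # physical NIC used only for RDP/management (assumed alias)
$LabNic  = 'Ethernet 2'     # physical NIC that carries guest traffic to the lab router (assumed)
$MgmtIP  = '192.168.50.10'  # host address on a subnet separate from the home LAN (assumed)
$MgmtGw  = '192.168.50.1'   # gateway on that management subnet (assumed)

# 1. Static IP on the management NIC: disable DHCP and clear any leased address/route first,
#    otherwise New-NetIPAddress fails because a default gateway already exists.
Set-NetIPInterface -InterfaceAlias $MgmtNic -AddressFamily IPv4 -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $MgmtNic -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceAlias $MgmtNic -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false
New-NetIPAddress -InterfaceAlias $MgmtNic -IPAddress $MgmtIP -PrefixLength 24 -DefaultGateway $MgmtGw
Set-DnsClientServerAddress -InterfaceAlias $MgmtNic -ServerAddresses $MgmtGw

# 2. Allow RDP (the System settings toggle) and open its firewall rule group.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                 -Name fDenyTSConnections -Value 0
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# 3. Mark the management connection Private so the Private-profile firewall rules apply.
#    This is per-connection only; the group-policy route in the post also covers future networks.
Set-NetConnectionProfile -InterfaceAlias $MgmtNic -NetworkCategory Private

# 4. Install the Hyper-V role. The host reboots here; run steps 5 and 6 after it comes back.
Install-WindowsFeature -Name Hyper-V -IncludeManagementTools -Restart

# 5. External switch bound to the lab NIC only. AllowManagementOS $false means no host-side
#    vNIC is created on it, so guest traffic never shares the management NIC or its subnet.
New-VMSwitch -Name 'Lab-External' -NetAdapterName $LabNic -AllowManagementOS $false
#    Private switch for guests that must only see each other (no host, no physical NIC).
New-VMSwitch -Name 'Lab-Isolated' -SwitchType Private

# 6. Sanity check: warn if a host vNIC ended up on the lab switch, which would bridge the
#    management OS onto the malware network.
Get-VMNetworkAdapter -ManagementOS | Where-Object SwitchName -eq 'Lab-External' |
    ForEach-Object { Write-Warning "Host vNIC found on Lab-External: $($_.Name)" }
```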
