Introduction
In this video walkthrough, we explain how to use Redline from FireEye to perform incident response, memory analysis, and computer forensics. This was the part 1 video of the RedLine room from TryHackMe.
Many tools can aid a security analyst or incident responder in performing memory analysis on a potentially compromised endpoint. One of the most popular tools is Volatility, which will allow an analyst to dig deep into the weeds when examining memory artifacts from an endpoint. But this process can take time. Often, when an analyst is triaging, time is of the essence, and the analyst needs to perform a quick assessment to determine the nature of a security event.
That is where the FireEye tool Redline comes in. Redline essentially gives an analyst a 30,000-foot (roughly 10 km) view of a Windows, Linux, or macOS endpoint. Using Redline, you can analyze a potentially compromised endpoint through its memory dump and various file-system structures. With a clean GUI (Graphical User Interface), you can quickly find signs of malicious activity.
Here is what you can do using Redline:
- Collect registry data (Windows hosts only)
- Collect running processes
- Collect memory images (before Windows 10)
- Collect Browser History
- Look for suspicious strings
- And much more!
Note: Task 6 has a glitch and TryHackMe is working on a fix for it. I will release the answers once the fix is validated.
Setting Up Redline
- The first step involves logging into the virtual machine provided by TryHackMe using Remmina (a remote desktop client). After connecting, the user sees two key programs: Redline and the IOC (Indicators of Compromise) Editor.
- The focus of this video is on Redline, and the next video covers the IOC Editor.
Redline Interface Overview
Upon launching Redline, the software provides three data collection options:
- Standard Collector: The quickest method, gathering basic system information.
- Comprehensive Collector: More detailed and takes longer, useful for analyzing malware incidents in-depth.
- IOC Search Collector: Useful when specific indicators of compromise (e.g., file hashes, domains, IP addresses) are known, and the tool searches for them on the system.
Configuring Data Collection
The video walks through how to configure data collection for forensic analysis. Users can choose to collect data about processes, file systems, network activity, system information, and more. Various customizable options include gathering process details, browser history, DNS tables, event logs, user accounts, and network connections.
The process concludes with saving the configuration, selecting a folder to store the analysis results, and running the data collection.
Analysis of Collected Data
Once data collection finishes, the video demonstrates how to navigate the analysis results. The analysis session is saved as a .mans (Mandiant Analysis Session) file, and the user can begin reviewing the collected information. The video covers the following areas of analysis:
- System Information: Displays details like the OS version, BIOS version, and logged-in users.
- Processes: Lists running processes, their arguments, and connections to system resources.
- Ports and Network Activity: Shows open ports, local and remote connections, and the processes associated with them.
- Timeline: Provides a chronological view of events, such as process creation or file access, which helps analysts track when the compromise occurred.
Using the Timeline and Filters
The timeline feature is particularly useful for understanding when the incident occurred. Users can apply time filters to narrow down events that happened during specific time frames, such as the minutes surrounding the compromise.
Custom TimeWrinkles allow analysts to pick a pivot event (for example, the creation of the suspicious executable) and focus only on events that occurred shortly before or after it.
Task 7: Investigating a Ransomware Infection
- Setup:
  - Open the provided analysis session file in Redline.
  - Analyze system information, file system, services, and internet activity.
- Investigation steps:
  - Product name: navigate to System Information to find the product name (e.g., Windows 7 Home Basic).
  - Identifying the note on the Desktop: check the file system under the Desktop directory and locate text files with names indicative of ransomware notes (e.g., read_this.txt).
  - Windows Defender service DLL: search for the service WinDefend under Services and read the ServiceDLL column to identify the associated DLL (e.g., mpsvc.dll).
  - Downloaded ZIP file: check File Download History for downloaded ZIP files, note the file name, and confirm its source.
  - Dropped malicious executable: navigate to the Desktop directory in the file system and identify executable files indicative of ransomware (e.g., Server53.exe).
  - MD5 hash of the malicious file: locate the MD5 column in the file properties for the ransomware executable.
  - Name of the ransomware: deduce the ransomware name from the file names (e.g., Server Ransomware).
Task 6: Building and Testing IOC Files
- Creating an IOC file:
  - Open the IOC Editor that ships with Redline.
  - Define indicators such as file strings and file size.
  - Add conditions, using the logical operators AND and OR to combine indicators.
- Steps to build the IOC:
  - File strings: add file string indicators using the provided malicious strings.
  - File size: add a size condition to match the specific file size.
  - Logical conditions: combine the file strings with OR (either string matches), then combine the strings and the size with AND (both conditions must match).
- Testing the IOC file:
  - Load the IOC file into Redline.
  - Configure the data collection script to include file attributes (e.g., strings, MD5 hashes).
  - Run the analysis on the system.
  - View the IOC hits in the results.
- Known issue:
  - Redline only detects the IOC file itself as a hit, preventing further analysis for this task.
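The IOC Editor writes OpenIOC 1.0 XML, and the AND/OR tree described above is what Redline evaluates against each collected file. As an added example (not the page's or FireEye's code), here is a small evaluator for that logic: it parses a constructed OpenIOC document with the Task 6 shape, (string A OR string B) AND size, and runs it over a few constructed file records. The indicator strings, the size, the IOC id and the file records are all hypothetical. The third record shows why a string-only IOC tends to hit the .ioc file itself: that file literally contains the indicator strings, and only the AND on size keeps it out of the hits.

```python
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed OpenIOC 1.0 document (hypothetical ids, strings and size).
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-ioc-0001" last-modified="2024-01-01T00:00:00">
  <short_description>Example dropper (hypothetical)</short_description>
  <definition>
    <Indicator operator="AND" id="ind-and">
      <Indicator operator="OR" id="ind-or">
        <IndicatorItem id="item-str-1" condition="contains">
          <Context document="FileItem" search="FileItem/StringList/string" type="mir"/>
          <Content type="string">SuspiciousMarkerA</Content>
        </IndicatorItem>
        <IndicatorItem id="item-str-2" condition="contains">
          <Context document="FileItem" search="FileItem/StringList/string" type="mir"/>
          <Content type="string">SuspiciousMarkerB</Content>
        </IndicatorItem>
      </Indicator>
      <IndicatorItem id="item-size" condition="is">
        <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/>
        <Content type="int">15000</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>
"""

# Constructed file records keyed by the OpenIOC search terms a collector would fill.
FILES = {
    "C:\\Users\\Charles\\Desktop\\dropper.exe": {
        "FileItem/SizeInBytes": 15000,
        "FileItem/StringList/string": ["MZ", "kernel32.dll", "SuspiciousMarkerA"],
    },
    "C:\\Users\\Charles\\Desktop\\notes.txt": {
        "FileItem/SizeInBytes": 320,
        "FileItem/StringList/string": ["shopping list", "call Bob"],
    },
    # The IOC file itself: contains both strings but has a different size.
    "C:\\Tools\\example.ioc": {
        "FileItem/SizeInBytes": 1184,
        "FileItem/StringList/string": ["SuspiciousMarkerA", "SuspiciousMarkerB", "FileItem/SizeInBytes"],
    },
}


def _item_matches(item, record):
    """Evaluate one IndicatorItem (is / contains) against a file record."""
    search = item.find("ioc:Context", NS).get("search")
    content = item.find("ioc:Content", NS)
    wanted = (content.text or "").strip()
    values = record.get(search, [])
    if not isinstance(values, list):
        values = [values]
    if content.get("type") == "int":
        wanted, values = int(wanted), [int(v) for v in values]
    else:
        values = [str(v) for v in values]
    cond = item.get("condition")
    if cond == "is":
        hit = any(v == wanted for v in values)
    elif cond == "contains":
        hit = any(isinstance(v, str) and wanted in v for v in values)
    else:
        raise ValueError(f"unsupported condition {cond!r}")
    # OpenIOC allows negate="true" on an item; honour it so the tree stays faithful.
    return not hit if item.get("negate") == "true" else hit


def _indicator_matches(indicator, record):
    """Recursively combine child results with the Indicator's AND/OR operator."""
    results = []
    for child in indicator:
        tag = child.tag.split("}")[-1]
        if tag == "Indicator":
            results.append(_indicator_matches(child, record))
        elif tag == "IndicatorItem":
            results.append(_item_matches(child, record))
    if not results:
        return False
    return all(results) if indicator.get("operator", "OR").upper() == "AND" else any(results)


def evaluate_ioc(ioc_xml, record):
    """True if the file record satisfies the IOC's top-level Indicator."""
    root = ET.fromstring(ioc_xml)
    top = root.find("ioc:definition/ioc:Indicator", NS)
    return _indicator_matches(top, record)


def scan(ioc_xml, files):
    """Return the paths of every record the IOC hits, in input order."""
    return [path for path, record in files.items() if evaluate_ioc(ioc_xml, record)]


if __name__ == "__main__":
    for path in scan(SAMPLE_IOC, FILES):
        print("IOC hit:", path)
```

Dropping the size item (or changing the outer operator to OR) makes example.ioc a hit as well, which is the false-positive pattern the known issue above describes; tightening the IOC with a second independent attribute such as size or an MD5 is the usual way to avoid it.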
Key Takeaways
- Forensic Analysis:
- Redline is effective for analyzing system artifacts such as services, file systems, and internet activity.
- Building IOCs:
- Combining multiple indicators like file strings and sizes can help detect malicious files.
- Limitations:
- The current bug in Redline (for this specific TryHackMe task) limits the functionality of IOC testing.
Room Answers | TryHackMe RedLine
You are reading a research paper on a new strain of ransomware. You want to run the data collection on your computer based on the patterns provided, such as domains, hashes, IP addresses, filenames, etc. What method would you choose to run a granular data collection against the known indicators?
What script would you run to initiate the data collection process? Please include the file extension.
If you want to collect the data on Disks and Volumes, under which option can you find it?
What cache does Windows use to maintain a preference for recently executed code?
Provide the Operating System detected for the workstation.
Find the message that the intruder left for you in the task.
There is a new System Event ID created by an intruder with the source name “THM-Redline-User” and the Type “ERROR”. Find the Event ID #.
Provide the message for the Event ID.
It looks like the intruder downloaded a file containing the flag for Question 8. Provide the full URL of the website.
Provide the full path to where the file was downloaded to including the filename.
Provide the message the intruder left for you in the file.
What filename is the file masquerading as?
Who is the owner of the file?
What is the file size in bytes?
Provide the full path of where the .ioc file was placed after the Redline analysis, include the .ioc filename as well
Can you find the name of the note left on the Desktop for the “Charles”?
Find the Windows Defender service; what is the name of its service DLL?
The user manually downloaded a zip file from the web. Can you find the filename?
Provide the filename of the malicious executable that got dropped on the user’s Desktop.
Provide the MD5 hash for the dropped malicious executable.
What is the name of the ransomware?
Video Walkthrough
Part 1
Part 2
Hey, did you complete task 6?
I am planning to go over it soon.