Introduction

In this video walkthrough, we explained how to use Redline from FireEye to perform incident response, memory analysis and computer forensics. This was the part 1 video of the Redline room from TryHackMe.

Many tools can aid a security analyst or incident responder in performing memory analysis on a potentially compromised endpoint. One of the most popular tools is Volatility, which will allow an analyst to dig deep into the weeds when examining memory artifacts from an endpoint. But this process can take time. Often, when an analyst is triaging, time is of the essence, and the analyst needs to perform a quick assessment to determine the nature of a security event.

That is where the FireEye tool Redline comes in. Redline essentially gives an analyst a 30,000-foot (roughly 10 kilometer) view of a Windows, Linux, or macOS endpoint. Using Redline, you can analyze a potentially compromised endpoint through its memory dump, including various file structures. With its GUI (Graphical User Interface), you can quickly spot the signs of malicious activity.

Here is what you can do using Redline:

  • Collect registry data (Windows hosts only)
  • Collect running processes
  • Collect memory images (before Windows 10)
  • Collect Browser History
  • Look for suspicious strings
  • And much more!

Note: Task 6 has a glitch and TryHackMe is working on a fix for it. I will release the answers once the fix is validated.

Setting Up Redline

  • The first step involves logging into the virtual machine provided by TryHackMe using Remmina (a remote desktop client). After connecting, the user sees two key programs: Redline and the IOC (Indicators of Compromise) Editor.
  • The focus of this video is on Redline, and the next video covers the IOC Editor.

Redline Interface Overview

Upon launching Redline, the software provides three data collection options:

  • Standard Collector: The quickest method, gathering basic system information.
  • Comprehensive Collector: More detailed and takes longer, useful for analyzing malware incidents in-depth.
  • IOC Search Collector: Useful when specific indicators of compromise (e.g., file hashes, domains, IP addresses) are known, and the tool searches for them on the system.
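To make the IOC Search Collector concrete, here is an added example (not Redline's own code and not part of the TryHackMe room) of what an IOC search does in principle: a set of known indicators is matched against the artifacts a collector gathered from a host. Every indicator, process, connection and DNS record below is a constructed placeholder value; the matching rules (subdomain matching for domains, CIDR containment for IPs) are this example's own assumptions.

```python
"""Added example, not part of Redline or the TryHackMe room: how an IOC search
works in principle. Known indicators (MD5 hashes, domains, IP ranges, file
names) are matched against artifacts a collector gathered from a host. All
indicators and host data below are constructed sample values."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class IOCSet:
    """Indicators taken from a report; every field holds lower-case strings."""
    md5: Set[str] = field(default_factory=set)
    domains: Set[str] = field(default_factory=set)
    ips: Set[str] = field(default_factory=set)        # addresses or CIDR ranges
    filenames: Set[str] = field(default_factory=set)


# Constructed indicators (placeholders, not from any real threat report).
IOCS = IOCSet(
    md5={"d41d8cd98f00b204e9800998ecf8427e"},
    domains={"evil.example", "cdn.evil.example"},
    ips={"203.0.113.0/24"},
    filenames={"svch0st.exe"},
)

# Constructed host artifacts, shaped like a process list, open connections
# and a DNS cache. The "bad" entries all belong to pid 4120.
PROCESSES: List[Dict] = [
    {"pid": 4, "name": "System", "md5": "0" * 32},
    {"pid": 4120, "name": "svch0st.exe", "md5": "d41d8cd98f00b204e9800998ecf8427e"},
]
NETWORK: List[Dict] = [
    {"pid": 4120, "remote_ip": "203.0.113.5", "remote_port": 443},
    {"pid": 880, "remote_ip": "192.0.2.10", "remote_port": 53},
]
DNS_CACHE: List[Dict] = [
    {"name": "updates.corp.example", "data": "192.0.2.10"},
    {"name": "cdn.evil.example", "data": "203.0.113.5"},
]


def domain_match(name: str, domains: Set[str]) -> Optional[str]:
    """Return the indicator that matches `name` exactly or as a parent domain.
    Longer (more specific) indicators are tried first."""
    name = name.lower().rstrip(".")
    for d in sorted(domains, key=len, reverse=True):
        if name == d or name.endswith("." + d):
            return d
    return None


def ip_match(ip: str, networks: Set[str]) -> Optional[str]:
    """Return the address or CIDR indicator that contains `ip`, if any."""
    addr = ipaddress.ip_address(ip)
    for n in networks:
        if addr in ipaddress.ip_network(n, strict=False):
            return n
    return None


def search_iocs(iocs: IOCSet, processes, network, dns_cache) -> List[Dict]:
    """Walk each artifact type and record every indicator hit with its evidence."""
    hits = []
    for p in processes:
        if p["name"].lower() in iocs.filenames:
            hits.append({"type": "process_name", "indicator": p["name"], "pid": p["pid"]})
        if p["md5"].lower() in iocs.md5:
            hits.append({"type": "process_hash", "indicator": p["md5"], "pid": p["pid"]})
    for c in network:
        m = ip_match(c["remote_ip"], iocs.ips)
        if m:
            hits.append({"type": "network", "indicator": m, "pid": c["pid"],
                         "remote": f'{c["remote_ip"]}:{c["remote_port"]}'})
    for r in dns_cache:
        m = domain_match(r["name"], iocs.domains)
        if m:
            hits.append({"type": "dns", "indicator": m, "name": r["name"]})
    return hits


if __name__ == "__main__":
    for h in search_iocs(IOCS, PROCESSES, NETWORK, DNS_CACHE):
        print(h)
```

Running the script prints four hits that all point back to pid 4120, which is the pivot an analyst would then follow into the process, port and timeline views. Note that the DNS record only matches because the cached name is a subdomain of an indicator; an exact-string comparison would have missed it, which is why domain indicators are matched on suffix here.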

Configuring Data Collection

The video walks through how to configure data collection for forensic analysis. Users can choose to collect data about processes, file systems, network activity, system information, and more. Various customizable options include gathering process details, browser history, DNS tables, event logs, user accounts, and network connections.

The process concludes with saving the configuration, selecting a folder to store the analysis results, and running the data collection.

Analysis of Collected Data

Once data collection finishes, the video demonstrates how to navigate the analysis results. The analysis session is saved in the .MAF (Mandiant Analysis File) format, and the user can begin reviewing the collected information. The video covers the following areas of analysis:

  • System Information: Displays details like the OS version, BIOS version, and logged-in users.
  • Processes: Lists running processes, their arguments, and connections to system resources.
  • Ports and Network Activity: Shows open ports, local and remote connections, and the processes associated with them.
  • Timeline: Provides a chronological view of events, such as process creation or file access, which helps analysts track when the compromise occurred.

Using the Timeline and Filters

The timeline feature is particularly useful for understanding when the incident occurred. Users can apply time filters to narrow down events that happened during specific time frames, such as the time surrounding the compromise.

Custom Time Wrinkles allow analysts to focus on events that occurred just before or after the suspected compromise.
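The timeline view and the time wrinkle are easier to reason about once you see the underlying operation: events from several artifact sources are merged into one chronological list, and a window around a pivot time is cut out of it. The following is an added example written for this post, not Redline's code; the events, the sources and the 30-minute window are constructed sample values.

```python
"""Added example, not Redline's own code: build one chronological timeline from
several artifact sources and then apply a "time wrinkle", a window around the
suspected compromise time. All events below are constructed sample data."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List


def ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp and treat it as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed artifacts from three collector categories (not a real host).
PROCESS_EVENTS = [
    {"time": "2021-03-15T08:01:10", "summary": "Process start: explorer.exe (pid 1204)"},
    {"time": "2021-03-15T14:22:05", "summary": "Process start: powershell.exe (pid 4120)"},
]
FILE_EVENTS = [
    {"time": "2021-03-15T14:22:40", "summary": r"File created: C:\Users\Charles\Downloads\update.zip"},
    {"time": "2021-03-16T09:00:00", "summary": r"File modified: C:\Windows\Temp\log.txt"},
]
EVENTLOG_EVENTS = [
    {"time": "2021-03-15T14:25:00", "summary": "Scheduled task registered (Task Scheduler log)"},
    {"time": "2021-03-15T13:55:00", "summary": "User logon: Charles"},
]


def build_timeline(sources: Dict[str, List[Dict]]) -> List[Dict]:
    """Merge per-source event lists into one list sorted by time."""
    merged = [
        {"time": ts(e["time"]), "source": name, "summary": e["summary"]}
        for name, events in sources.items()
        for e in events
    ]
    return sorted(merged, key=lambda e: e["time"])


def time_wrinkle(timeline: List[Dict], pivot: datetime,
                 before_min: int = 30, after_min: int = 30) -> List[Dict]:
    """Keep only events inside [pivot - before_min, pivot + after_min] minutes;
    the result stays in chronological order."""
    start = pivot - timedelta(minutes=before_min)
    end = pivot + timedelta(minutes=after_min)
    return [e for e in timeline if start <= e["time"] <= end]


if __name__ == "__main__":
    timeline = build_timeline({"process": PROCESS_EVENTS,
                               "file": FILE_EVENTS,
                               "eventlog": EVENTLOG_EVENTS})
    # Pivot on the suspicious download and look 30 minutes either side of it.
    window = time_wrinkle(timeline, ts("2021-03-15T14:22:40"), 30, 30)
    for e in window:
        print(e["time"].isoformat(), e["source"], e["summary"])
```

With the download as the pivot, the window drops the morning logon noise and the next day's unrelated file write, and what is left reads as a story: a user logon, a PowerShell start, the download, and a scheduled task registered a few minutes later. Choosing the pivot well (a known-bad file write, a hit from an IOC search, an alert timestamp) matters more than the window size.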

Room Answers | TryHackMe RedLine

What data collection method takes the least amount of time?

You are reading a research paper on a new strain of ransomware. You want to run the data collection on your computer based on the patterns provided, such as domains, hashes, IP addresses, filenames, etc. What method would you choose to run a granular data collection against the known indicators?

What script would you run to initiate the data collection process? Please include the file extension.

If you want to collect the data on Disks and Volumes, under which option can you find it?

What cache does Windows use to maintain a preference for recently executed code?

Where in the Redline UI can you view information about the Logged in User?

Provide the Operating System detected for the workstation.

Provide the BIOS Version for the workstation.

What is the suspicious scheduled task that got created on the victim’s computer?

Find the message that the intruder left for you in the task.

There is a new System Event ID created by an intruder with the source name “THM-Redline-User” and the Type “ERROR”. Find the Event ID #.

Provide the message for the Event ID.

It looks like the intruder downloaded a file containing the flag for Question 8. Provide the full URL of the website.

Provide the full path to where the file was downloaded to including the filename.

Provide the message the intruder left for you in the file.

What is the actual filename of the Keylogger?

What filename is the file masquerading as?

Who is the owner of the file?

What is the file size in bytes?

Provide the full path of where the .ioc file was placed after the Redline analysis, including the .ioc filename as well.

Provide the message the intruder left for you in the file.

THM{600D-C@7cH-My-FR1EnD}

Can you identify the product name of the machine?

Can you find the name of the note left on the Desktop for the “Charles”?

Find the Windows Defender service; what is the name of its service DLL?

The user manually downloaded a zip file from the web. Can you find the filename?

Provide the filename of the malicious executable that got dropped on the user’s Desktop.

Provide the MD5 hash for the dropped malicious executable.

What is the name of the ransomware?

Video Walkthrough

P1

P2

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
