Introduction

In This video walk-through, we explained RedLine from Fireeye to perform incident response, memory analysis and computer forensic. This was part 1 video of the redline room from tryhackme.

Get Blue Team Cyber Security Study Notes

The Complete Practical Metasploit Framework Course

Many tools can aid a security analyst or incident responder in performing memory analysis on a potentially compromised endpoint. One of the most popular tools is Volatility, which will allow an analyst to dig deep into the weeds when examining memory artifacts from an endpoint. But this process can take time. Often, when an analyst is triaging, time is of the essence, and the analyst needs to perform a quick assessment to determine the nature of a security event.

That is where the FireEye tool Redline comes in. Redline will essentially give an analyst a 30,000-foot view (10 kilometers high view) of a Windows, Linux, or macOS endpoint. Using Redline, you can analyze a potentially compromised endpoint through the memory dump, including various file structures. With a nice-looking GUI (Graphical User Interface) – you can easily find the signs of malicious activities.

Here is what you can do using Redline:

  • Collect registry data (Windows hosts only)
  • Collect running processes
  • Collect memory images (before Windows 10)
  • Collect Browser History
  • Look for suspicious strings
  • And much more!

Note: Task 6 has a glitch and tryhackme is working on a fix for it. I will release the answers once the fix is validated.

Get Blue Team Notes

 

Answers

What data collection method takes the least amount of time?

You are reading a research paper on a new strain of ransomware. You want to run the data collection on your computer based on the patterns provided, such as domains, hashes, IP addresses, filenames, etc. What method would you choose to run a granular data collection against the known indicators?

What script would you run to initiate the data collection process? Please include the file extension.

If you want to collect the data on Disks and Volumes, under which option can you find it?

What cache does Windows use to maintain a preference for recently executed code?

Where in the Redline UI can you view information about the Logged in User?

Provide the Operating System detected for the workstation.

Provide the BIOS Version for the workstation.
What is the suspicious scheduled task that got created on the victim’s computer?

Find the message that the intruder left for you in the task.

There is a new System Event ID created by an intruder with the source name “THM-Redline-User” and the Type “ERROR”. Find the Event ID #.

Provide the message for the Event ID.

It looks like the intruder downloaded a file containing the flag for Question 8. Provide the full URL of the website.

Provide the full path to where the file was downloaded to including the filename.

Provide the message the intruder left for you in the file.

What is the actual filename of the Keylogger?

What filename is the file masquerading as?

Who is the owner of the file?

What is the file size in bytes?

Provide the full path of where the .ioc file was placed after the Redline analysis, include the .ioc filename as well

Can you identify the product name of the machine?

Can you find the name of the note left on the Desktop for the “Charles”?

Find the Windows Defender service; what is the name of its service DLL?

The user manually downloaded a zip file from the web. Can you find the filename?

Provide the filename of the malicious executable that got dropped on the user’s Desktop.

Provide the MD5 hash for the dropped malicious executable.

What is the name of the ransomware?

Video Walkthrough

P1

P2