How To Use FireEye RedLine For Incident Response P1 | TryHackMe RedLine

00:01

welcome back what's going on today we

00:03

will be doing

00:05

red line

00:06

red line is one of the newest rooms

00:09

released by troy hackme the room is part

00:12

of the cyber defense pathway

00:15

the room talks about the

00:17

software redline produced by file eye so

00:20

if you go to google and type just

00:22

redline

00:23

file i

00:28

so the software is produced by the first

00:30

security firm or the known security firm

00:32

fire eye it's used for instant response

00:35

and forensic analysis

00:37

today we will be talking about redline

00:40

all right

00:41

and we will be going over the tasks

00:44

basically i have splitted the video or i

00:48

have made two videos

00:50

first one we will go over

00:52

task one through task five and in the

00:54

last video or the second video we will

00:56

be going over tasks six and seven we

00:58

will be solving a challenge

01:00

okay so in this video we will be

01:02

introducing the software how to use it

01:03

the interface the features the

01:05

properties and we will take an analysis

01:08

example

01:09

uh

01:11

the second video we will be going over

01:13

the challenges so it's kind of long but

01:15

i have tried to i've tried my best to

01:17

make it short

01:18

so let's get started

01:20

the first thing you do you log into the

01:22

machine using rdb so basically remember

01:26

that

01:28

once you deploy the machine you will

01:30

have the credentials here

01:33

use a software called remina to log in

01:36

which i have used so basically if you

01:39

look at my

01:41

let me see here

01:44

so this is

01:48

wait

01:56

so this is my desktop i used

02:02

i use the mina

02:04

filled in

02:05

the information by clicking on plus

02:07

adding the connection details

02:09

and you will be connecting to the

02:11

machine

02:13

okay

02:16

so

02:17

once you connect

02:19

go to you will have you you will see the

02:21

two uh programs here one is red line and

02:25

the other one is

02:27

ioc editor indicators of compromise

02:30

editor we will be talking about this in

02:32

the next video

02:34

now but in this video we were talking

02:35

about the redline interface so if you

02:38

click on that

02:41

and wait a bit for the program to start

02:44

so as you know

02:46

okay so it opened so here you see

02:49

we have

02:50

um

02:51

three types of data collection so

02:53

basically redline collects data about

02:55

your system in order to analyze it

02:58

so first you have the standard collector

03:00

second you have the comprehensive

03:01

collector the third you have ioc search

03:03

collector

03:04

the standard collector is the standard

03:06

one where it gathers the minimum amount

03:09

of data about your system

03:11

all right and it's the most popular one

03:14

the compressive correct collector it's

03:16

the same as standard as far as the data

03:18

collection process but it takes more

03:20

time to complete

03:22

so if you are analyzing a machine that

03:25

has been hit

03:26

with a malware or an incident and you

03:29

want to gather all the information and

03:31

you have all the time in the world you

03:33

can just go with the comprehensive

03:34

collector

03:36

the last one is the create an ioc search

03:38

collector

03:40

and it only applies on windows systems

03:43

so you cannot do that on linux systems

03:46

so basically the last method takes an

03:48

indicator of compromise indicators of

03:50

compromised file

03:52

such as a file that contains hashes ip

03:55

domain names strings

03:58

indicators of compromise right and

04:00

it searches

04:02

your system for

04:04

uh and uh for

04:06

something

04:07

that has or that matches the indicators

04:10

you just you just created so you load

04:13

the red line with a file

04:14

and then you ask it to to find

04:18

what is in your system that matches the

04:20

properties of the file you created you

04:23

create indicators of compromise file

04:25

with

04:26

this software ioc editor

04:29

this one here we will talk about that

04:32

so

04:33

we will use the standard collector for

04:35

this video if you click on standard

04:36

collector

04:39

here you have you can select the

04:40

operating system windows os or linux for

04:43

this video we will use windows

04:46

next we edit our script here we choose

04:48

what we want to collect about the

04:50

current system

04:52

edit your script so here you have some

04:54

pre-selected options about the memory

04:57

you can select whatever you want to

04:58

collect about the system such as for

05:00

example for me i selected the process

05:02

listing

05:03

right the handles sections imports

05:08

um

05:10

also

05:11

if you go to

05:12

disk

05:14

here we we can also gather information

05:16

about the file system

05:19

so most probably when you have an

05:20

indicator of indicators of compromised

05:22

file and you want to get matches with

05:24

this file you want to enumerate the disk

05:27

so you enable a file enumeration and you

05:29

select strings

05:31

include files include directories md5

05:35

and that's all you can also select to

05:37

enumerate the disks and volumes if you

05:39

want to navigate the file system

05:43

now if you go to system

05:46

here we select to gather information

05:48

about the system such as os information

05:51

registry hive

05:52

analyze the event logs

05:54

uh any version of the registry user

05:56

accounts

05:57

prefetch

05:59

to analyze the executables that are most

06:00

recently used

06:05

and of course we can

06:07

click on network and select what we want

06:09

to gather about the network activity

06:11

such as the browser history cookies

06:14

file downloads url history

06:17

uh dns tables port enumeration we can

06:19

also select

06:21

routing tables and arc tables to see

06:23

connection information

06:25

or connections the machine has initiated

06:27

to other systems

06:29

here others include services tasks

06:32

most importantly you want to select the

06:34

tasks in order to

06:36

understand more about the schedule tasks

06:38

you have to select this

06:40

md5

06:42

sha j1

06:44

services md5 ssh1

06:47

and we don't need these so basically you

06:50

can

06:52

now run your

06:55

analysis

06:58

make sure also to select the entropy

07:00

here and you can click on okay

07:03

so once you click on ok

07:06

let's click on ok now the next step is

07:08

to select a folder

07:10

now the folder here will be used to save

07:12

the analysis files so you browse so make

07:15

sure to click let's create a new folder

07:17

in your desktop

07:18

and name it

07:20

analysis

07:21

two

07:23

make sure it's empty browse

07:32

and once you click on ok it will start

07:35

to recycle locking data

07:37

it will take some time to finish

07:40

that's why the author of the machine has

07:42

prepared a ready analysis file for you

07:45

to start with so once this finishes you

07:47

go to the folder

07:49

and you start a script called run

07:52

redline audit once you start this you're

07:54

gonna wait some time

07:56

to for the job to finish

07:59

and then you will be able to access your

08:00

analysis file now

08:02

i'm not going to do that

08:04

right because it has already been done

08:06

so to save time and to make it shorter i

08:09

will just jump to the analysis results

08:12

so suppose that you clicked on that you

08:14

run the script and then the script

08:16

finished

08:17

now you will be ready to to

08:19

navigate to the analysis results so

08:20

click x on that

08:22

x here

08:24

x here

08:25

delete this

08:27

this was for demonstration purposes

08:29

now we go to the analysis files it is on

08:32

documents

08:34

analysis

08:35

now see when the analysis finishes there

08:37

is a new folder

08:39

created which is sessions

08:41

you click on that

08:43

analysis sessions session one

08:45

click on that

08:48

and here you see a file

08:50

with

08:51

this extension

08:54

m a f or mandiant analysis file this is

08:58

your analysis file

09:00

now this is what you want to click in

09:02

order to start analyzing the machine

09:09

all right so let's click on that double

09:11

click

09:12

it will open the analysis file with red

09:15

line

09:27

all right so once the analysis file

09:30

has been imported you will see here

09:33

the results so on the left we got all

09:35

the information we asked the program to

09:37

collect

09:38

so we got first

09:40

the system information

09:42

if you click on that you will see the

09:44

information about the system such as the

09:46

windows version the bios version

09:49

operating system

09:51

and other information about the user

09:53

now if you go to processes

09:56

you can expand the arrow here

10:01

here you will see

10:02

information about the processes such as

10:04

the process name

10:06

pid path arguments parent process most

10:09

importantly to

10:11

most importantly is the arguments here

10:13

see how the

10:14

process got executed

10:17

now if you go to handles

10:19

handle is the connection from the

10:21

program or the from the process

10:24

to a resource on the system such as

10:26

files dlls whatsoever you see we have

10:29

new handles here if you click on show

10:31

hand all handles

10:34

uh we've got nothing okay so memory

10:36

sections

10:37

here we can investigate

10:40

uh unsigned dlls so

10:43

review named sections only injected all

10:46

memory sections

10:48

and we got nothing because maybe we

10:50

didn't collect them we didn't select to

10:52

collect these or

10:54

there is none

10:56

so there is no unsigned dealers if you

10:58

click on strings

11:03

now here we see information about the

11:04

capture strings but we've got also

11:06

nothing which is weird

11:10

okay ports

11:12

here we see the connections made

11:14

to the outside world what where what

11:16

what what where the ports

11:18

on this tab the local port the local

11:22

address the remote port and the remote

11:25

address and the remote ports and what is

11:27

the process

11:28

or the path of the process

11:31

all right what do we have else

11:36

also we have the registry information

11:40

now most importantly if you go to

11:41

timeline here i'm going to skip this so

11:44

timeline

11:45

here we can understand more about the

11:48

incident and when it happened

11:50

by using the filters on here

11:53

so now it's taking some time to load

11:55

i'm going to give it some time

11:57

but we can use the filters here to

11:58

understand when the compromise happened

12:00

on the system

12:03

and if we know when the host or what the

12:06

compromise happened on the system we can

12:08

use something called the type wrinkles

12:11

in this tab

12:14

to filter out the timeline the only

12:16

events

12:17

which took place around the time we know

12:19

the compromise happened

12:21

so if you click on time wrinkles no

12:24

wrinkles filters created we can create a

12:26

new custom time wrinkle and we can

12:28

select here the time

12:30

for example i want to show the events

12:31

that happened

12:33

around

12:35

say

12:36

13 to 14.

12:41

yep

12:46

okay

12:51

so here 013 there is nothing we can edit

12:54

that and get because i mean

12:56

there was nothing on the machine so we

12:59

get it back to 15

13:02

and

13:02

select

13:06

nothing

13:08

back to

13:09

the correct date which is sixteen

13:14

five minutes before five minutes after

13:16

nothing

13:19

let's see here why we get nothing so 16

13:21

10

13:24

today

13:31

so zero items on that dates okay let's

13:34

go back to fields

13:39

so now

13:40

after we have determined

13:42

or after we have

13:44

[Music]

13:45

explored the interface and

13:48

the information i've gathered about the

13:50

system now it's time to

13:52

just go back to the questions and see

13:54

what is required

13:56

uh to find so

13:58

now the intro the intro the data

14:01

collection to the questions

14:04

so the first question what data

14:06

collection method takes the least amount

14:08

of time

14:09

we

14:10

we said it was standard collector

14:13

you are

14:14

reading a research paper on a new strain

14:16

of ransomware you want to run the data

14:18

collection on your computer based on the

14:20

patterns provided

14:22

such as domains hashes ip addresses file

14:24

names what method would you choose to

14:27

run a granular data collection against

14:29

indicators

14:32

we spoke and we said that it is ioc

14:34

search collector

14:35

what script would you run to initiate

14:37

the data collection process

14:41

please include the file extension

14:43

and we said it was the run redline

14:45

audit.bat which is the

14:48

a script that is created once you have

14:51

configured all of the options or data

14:54

collection options on the program

14:56

the next one if you want article if you

14:59

want to collect the data on disks and

15:01

volumes under which option you can find

15:03

it

15:04

and we know that when we edit when we

15:07

configure the options we have an option

15:09

to edit the script there's a tab called

15:10

disks we can from there

15:12

select disk enumeration

15:15

what cache does windows use to maintain

15:18

a preference for a recently for recently

15:20

executed code is the prefetch

15:23

um

15:24

okay next task

15:27

redline interface

15:30

where in redirect line ui can you view

15:32

information about the logged in user

15:34

okay let's see so if you click on system

15:37

information you will see here

15:38

information about the user and

15:41

under that tab we see logged in user

15:44

it is administrator

15:46

so basically here it's here where we can

15:49

see information about the login system

15:51

information

15:52

now the questions

15:54

so

15:56

now you should be familiar with some of

15:57

the data collection terms and techniques

15:59

are shown in the previous task armed

16:01

with this knowledge can you find

16:04

what the intruder planted for you on the

16:06

computer so we are analyzing

16:09

analysis file of a victim machine that

16:12

got infected with malware we want to

16:14

find out some information about that

16:16

so the first thing provide operating

16:18

system detected for the workstation

16:22

if you go to system information

16:24

and go to operating system information

16:25

you will see the operating system was

16:28

windows server 2019 standard

16:31

17763

16:34

and this is the answer next one provide

16:36

the bios version for the workstation the

16:39

bias version of course is written

16:41

also under the system information

16:43

and it is zen 4 2 amazon

16:49

what is the suspicious schedule task

16:52

that got created on the victim's

16:54

computer so now we have to find

16:56

information about the scheduled tasks

16:58

to do that we go to tasks

17:01

and we click on tasks

17:05

now we will see kinda

17:08

long list right

17:09

so

17:10

to find the task

17:13

i got to actions

17:16

and in the actions i could also hear

17:19

another long

17:21

list

17:22

if i scroll to the right let me make

17:25

this

17:25

okay so we have the type of the action

17:29

the actions are the commands or the

17:31

applications that get executed

17:34

when that when the uh task or the

17:37

schedule task

17:38

gets triggered or when that when it's

17:41

time

17:42

just uh is here so when the time is here

17:44

or when it's time comes the action is

17:47

triggered or

17:49

applied so here we see the actions or

17:51

the applications

17:53

but if you scroll to the very right

17:55

you see all the task name right task

17:57

names

17:59

so now here what's the question

18:02

what is the suspicious schedule task

18:05

let's look for something suspicious

18:08

so you see google update google updates

18:12

amazon easy to launch

18:14

but we see one here there is no

18:16

certificate subject there is no

18:17

certificate issuer no signature no sha

18:21

the attributes of this task are

18:25

near to empty right we have only with

18:29

only the

18:30

executable path

18:32

uh

18:33

the path to the application or the

18:35

program or whatever it is that will be

18:37

launched and we see it is see users

18:40

administrator pictures thm bluetooth.png

18:44

it's a picture right but if you go to

18:46

the task

18:48

you see it's saying ms office update

18:52

fa.k.a

18:56

so the name

18:57

doesn't match

18:58

with

18:59

the kind

19:01

of application that is

19:03

uh launched right so

19:07

we put this aside and we scroll down to

19:09

see if we have something else

19:11

scroll down you see here dot net

19:13

framework

19:14

scroll down i'm not saying that if you

19:17

see a familiar name it means that the

19:20

task is not suspicious but the

19:22

methodology is to look for the clearly

19:24

suspicious ones

19:26

and if you don't find anything you will

19:28

start investigating

19:30

the ones that look familiar

19:34

now if you see we have here something

19:36

called device and it is signed all the

19:38

signed ones you can ignore them

19:41

this one is called scheduled let's see

19:43

what it is

19:46

scheduled is there is no executable path

19:48

it means it does nothing it's just a

19:50

schedule task

19:53

scroll down scroll down

20:06

so anything else seems okay

20:09

of course okay for the initial analysis

20:11

not for the

20:13

uh

20:13

in-depth analysis now for now we got

20:15

this one

20:16

and

20:18

it is the answer for our question find

20:20

the message that the intruder left for

20:22

you in the task

20:24

now the intruder has left a message for

20:26

us in this task

20:28

so basically

20:29

until far we know the task name and we

20:32

know the executable path

20:34

if we don't click on the task

20:42

it doesn't open okay let's go to tasks

20:44

and find it

20:47

so we can just copy the name and use the

20:50

search feature to jump directly to task

20:52

not restricting your time with the long

20:54

list

20:55

so here it is

20:58

now we can get more details about this

21:00

we see here the name we see the comment

21:04

the comment is the answer for the

21:06

question we see also the creator which

21:08

is administrator

21:10

now this is the answer for the question

21:13

next one

21:15

there is a new system event id

21:18

created by an intruder with the source

21:20

name dhm redline user and the type error

21:24

find the emit id so now investigate the

21:27

event

21:28

logs or even

21:29

yeah the events

21:31

so go to event logs

21:39

and again we see a long list

21:43

so here we come to the search feature so

21:46

we go back

21:47

now the sort the name of the or the

21:49

source name of that is this one we copy

21:51

that

21:52

and we search for the events

22:00

uh-huh

22:01

so here it is the source name

22:04

now the message is someone cracked my

22:07

password

22:09

i need to rename my puppy so this is the

22:13

event

22:14

uh required from us to investigate and

22:17

it is

22:18

uh it has the id

22:20

546

22:21

and it is error right so maybe the the

22:24

guy here was trying to log in but he

22:26

realized he forgot his password

22:29

so this is the event id

22:32

provide the message for the event id you

22:35

saw it

22:36

it looks like the intruder downloaded a

22:39

file

22:40

it looks like the intruder downloaded a

22:42

file containing the flag for question a

22:45

provide the full url of the website now

22:47

we go to the network activity and then

22:49

our activity we have something

22:51

we have defined download history if you

22:53

click on that it will give us a list of

22:56

all of the files the

22:58

all the files yeah that have been

22:59

downloaded

23:01

in the victim machine

23:02

now the question is to find

23:06

a file containing the flag for question

23:08

8. now this is the question 8 the

23:10

questionnaire is saying provide the full

23:12

path to where the file was downloaded

23:14

so

23:15

again we read the question it looks like

23:17

the intruder downloaded a file

23:20

containing the flag

23:23

provide the url of the website now

23:26

the

23:27

file contains the flag right

23:30

so we look among the file names

23:33

we see a file called flag.txt

23:36

all right and we see the url so this is

23:39

our answer why because the answer the

23:41

question is saying look for the file

23:44

that contains the flag

23:46

so obviously this is the file contains

23:47

the flag and this is the url where it

23:49

came from

23:51

which is your answer

23:52

provide the full path to where the file

23:55

once downloaded now to find out the

23:57

place or the path

23:59

where the victim machine has saved the

24:01

file

24:02

we see under the target directory is the

24:05

path

24:06

to which the file has been downloaded

24:08

now if we navigate to that path

24:12

we go to

24:15

this pc

24:16

navigate to c program files

24:19

windows mail

24:22

some folder and we see a file called

24:23

flag we open it

24:25

and it is your flag

24:29

okay then

24:31

so that's the first challenge of the

24:33

room

24:34

now ioc search collector

24:36

you can just follow the screenshots you

24:39

don't need to

24:40

do anything because the challenge of the

24:43

is the ioc challenge starts at task 6

24:47

and task 7. but i will provide you you

24:49

can see the answers from here

24:51

you can find these answers by just

24:52

looking at the screenshots the author

24:54

provided no worries about the iec search

24:56

collector i'm going to explain them

24:59

in the challenge here where we will be

25:01

using the indicators of compromise

25:03

search collector

25:04

in the program and we will provide the

25:06

answers from here

25:10

so

25:10

for now we are done

25:13

in the next video we will be doing tasks

25:14

six and seven so

25:17

see you in the next video