How To Use FireEye RedLine For Incident Response P1 | TryHackMe RedLine
Summary
TLDR: This text summarizes a video explaining how to use Redline, software produced by FireEye for incident response and investigations. The video includes instructions for using the interface, its features and properties, and presents an example of data analysis. It also discusses the challenges involved in data collection and analysis, gives instructions on how to start collecting and analyzing data, and shows how to find suspicious items on infected systems.
Takeaways
- 🔐 The video explains the Redline program, one of the newest cybersecurity tools used in digital forensic incident analysis.
- 💼 Redline was developed by FireEye and is used to collect and analyze system data when a breach or malware infection occurs.
- 💻 The program offers three types of data collection: the Standard Collector, the Comprehensive Collector, and the collector driven by indicators of compromise (IOC).
- 🕵️♂️ The video explains how to use Redline to collect data from Windows and Linux systems, and why the right collector must be chosen for the kind of analysis at hand.
- 📁 Among Redline's features is the ability to gather information about running processes, files on the system, user accounts, and system and network logs.
- 🛠 The video explains how to use the IOC Editor to create indicator-of-compromise files and load them into Redline to search the system for matches.
- ⏳ Analyzing the event timeline helps determine when the incident occurred and examine the suspicious activity that took place in the chosen time window.
- 📊 The video also covers filtering and analyzing the timeline with the Time Wrinkles feature to identify the important events related to the incident.
- 📜 The video goes through the questions of the TryHackMe challenge, such as identifying the operating system, the BIOS version, and the suspicious scheduled task created by the attacker.
- 🎯 In the second part of the video, the focus is on solving the challenges using the extracted analysis data, such as discovering the attacker's messages and the files downloaded onto the victim machine.
Q & A
What is the Redline program used in the video?
- Redline is a tool developed by FireEye and used for incident response and digital forensic analysis.
What data collection methods does Redline provide?
- Redline provides three data collection methods: the Standard Collector, the Comprehensive Collector, and the IOC Search Collector.
When is the Comprehensive Collector preferred?
- The Comprehensive Collector is preferred when analyzing a machine that was attacked and all available information needs to be collected, with speed not being a concern.
What does the IOC Search Collector do?
- The IOC Search Collector scans the system for matches with specific indicators of compromise, such as IP addresses, file names, and file hashes.
How is the data collection process started in Redline?
- The data collection process is started by running the script 'RunRedlineAudit.bat' after configuring the required options in the program.
What information can be collected about the system using Redline?
- Information such as the process list, memory information, files, network activity, and system records including users and scheduled tasks.
How can Redline be used to analyze the event timeline?
- The 'Timeline' feature in Redline can be used to understand when the attack happened, using filters to isolate the activity that occurred in specific time windows.
Where can information about the logged-in user be found in Redline?
- Information about the logged-in user is found under the 'System Information' section of the Redline interface.
What threat was discovered in the scheduled tasks on the infected machine?
- A suspicious scheduled task named 'MS Office Update FA.K.A' was discovered; it executes a file under a suspicious path that does not match the task name.
What is the source of the new event created by the intruder?
- The intruder created a new event with the source 'THM Redline User'; the event type is 'Error' and the event ID is 546.
Outlines
👋 Introduction to Redline
The speaker welcomes viewers and explains that the video covers the new 'Redline' room on the TryHackMe platform, part of the Cyber Defense pathway. The program is used for incident response and forensic analysis, and the video is split into two parts to cover the different tasks and the hands-on analysis.
🖥️ Logging in and using Redline
The speaker explains how to log into the machine using RDP and identifies the available programs, Redline and IOC Editor. He then shows how to start using Redline to collect data from the machine, including the different collection options: Standard Collector, Comprehensive Collector and IOC Search Collector.
📊 Configuring data collection
Here the speaker explains how to choose what data is collected, such as processes, files, partitions, and network information. He shows how to set the preferences in the collection configuration, such as scanning files, the system, disks, and the network, to obtain a comprehensive picture of the activity on the machine.
📝 Reviewing the analysis results
The speaker explains how to reach the analysis results collected by Redline. System details, running processes, handles, ports, and the activity timeline are reviewed, including the use of 'Time Wrinkles' to analyze the time windows associated with the attack.
📂 Identifying suspicious scheduled tasks
The list of scheduled tasks on the machine is reviewed and analyzed to identify suspicious ones. A suspicious task named 'MS Office Update' is found, pointing to an odd file at an unusual path. The speaker identifies the message the intruder left in the task and shows additional details.
🔍 Investigating suspicious events and downloads
The speaker discusses analyzing the system logs and events, including an event left by the intruder that contains a text message. The download history is then reviewed to see which files were downloaded from the internet, and the file carrying the required flag is identified together with the full path it was downloaded to.
🎯 Preparing for the next challenge
The speaker concludes the video by noting that the next video will cover the challenges in tasks 6 and 7, where the 'IOC Search Collector' feature will be used to work with indicators of compromise and provide the solutions.
Keywords
💡Redline
💡FireEye
💡Standard Collector
💡Comprehensive Collector
💡IOC Editor
💡Indicator of Compromise (IOC)
💡Tasks
💡Event Logs
💡Prefetch
💡Timeline
Highlights
Introduction to the Redline software, a tool used for incident response and forensic analysis, produced by FireEye.
Redline offers three types of data collection methods: Standard Collector, Comprehensive Collector, and IOC Search Collector.
Standard Collector gathers the minimum amount of data about the system and is the fastest method.
Comprehensive Collector gathers more in-depth information but takes longer, useful in scenarios where time is not a concern.
IOC Search Collector is used to match system data against an Indicator of Compromise (IOC) file, such as IP addresses or file hashes.
How to configure the data collection by selecting specific options like processes, file system information, and network activity.
The Redline interface provides system information, including Windows and BIOS versions, user accounts, and more.
Processes in Redline can be analyzed to see details like process names, PIDs, and arguments, which are useful for forensic analysis.
How to analyze network connections and identify suspicious remote connections through the Ports section in Redline.
Timeline analysis helps to pinpoint when an incident occurred, allowing the user to filter events by time.
Detailed walkthrough of identifying suspicious scheduled tasks and the tools to investigate those tasks in Redline.
Example of finding a suspicious task named 'MS Office Update' which actually points to an executable in the user's pictures folder.
How to investigate event logs in Redline and find specific errors that might indicate intruder activity, such as an event named 'someone cracked my password.'
Identifying a downloaded file containing a flag by analyzing the system's download history through Redline.
Navigation through system directories to find the actual file path of the downloaded file, verifying its presence and content.
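The scheduled-task triage described in the highlights above (no certificate or signature, an action path under a user profile, a file type a task should not be launching, and a task name that does not match what it launches), written up as an added Python example. This is not code from the video, from TryHackMe or from Redline; the task records, their field names and the heuristics are constructed assumptions, loosely modelled on the task names the video mentions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# File types one expects a scheduled task to launch (assumption for this example).
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".msi", ".scr"}


@dataclass
class TaskAction:
    """One row of a Tasks > Actions style listing (constructed field names)."""
    task_name: str
    exec_path: str                 # empty when the task launches nothing
    cert_subject: str = ""
    cert_issuer: str = ""
    signature_verified: bool = False


def is_signed(task: TaskAction) -> bool:
    return bool(task.cert_subject or task.cert_issuer or task.signature_verified)


def _tokens(text: str) -> set[str]:
    """Lower-case alphanumeric tokens of three or more characters."""
    return {t for t in re.split(r"[^a-z0-9]+", text.lower()) if len(t) > 2}


def triage_reasons(task: TaskAction) -> list[str]:
    """Return why a task looks odd; an empty list means nothing stood out."""
    if not task.exec_path:
        return []  # no action at all: the task does nothing when triggered
    path = PureWindowsPath(task.exec_path)
    lowered = task.exec_path.lower()
    reasons = []
    if not is_signed(task):
        reasons.append("no certificate subject/issuer and no verified signature")
    if "\\users\\" in lowered:
        reasons.append("action lives under a user profile directory")
    if path.suffix.lower() not in EXECUTABLE_EXTENSIONS:
        reasons.append(f"action targets a non-executable file type ({path.suffix or 'none'})")
    name_in_path = any(t in lowered for t in _tokens(task.task_name))
    exe_in_name = any(t in task.task_name.lower() for t in _tokens(path.stem))
    if not (name_in_path or exe_in_name):
        reasons.append("task name and executable name share no word")
    return reasons


def triage(tasks: list[TaskAction]) -> dict[str, list[str]]:
    """Flag unsigned tasks that show at least one further anomaly.

    Signed tasks are skipped on this first pass, as the walkthrough does;
    an unsigned task with nothing else odd about it is left for a deeper look.
    """
    flagged = {}
    for task in tasks:
        reasons = triage_reasons(task)
        if not is_signed(task) and len(reasons) >= 2:
            flagged[task.task_name] = reasons
    return flagged


# Constructed sample rows, loosely modelled on the task names mentioned in the video.
SAMPLE_TASKS = [
    TaskAction("GoogleUpdateTaskMachineCore",
               r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
               cert_subject="Google LLC", signature_verified=True),
    TaskAction("Amazon Ec2Launch - Instance Initialization",
               r"C:\Program Files\Amazon\Ec2Launch\Ec2Launch.exe",
               cert_subject="Amazon.com Services LLC", signature_verified=True),
    TaskAction("MS Office Update FA.K.A",
               r"C:\Users\Administrator\Pictures\THM Bluetooth.png"),
    TaskAction("Scheduled", ""),                      # no action: inert
    TaskAction(".NET Framework NGEN v4.0.30319",
               r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_TASKS).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Only the picture-named task is flagged; the unsigned NGEN task collects a single reason and is left for the in-depth pass the video mentions.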
Transcripts
Welcome back. What's going on? Today we will be doing Redline. Redline is one of the newest rooms released by TryHackMe; the room is part of the Cyber Defense pathway. The room talks about the software Redline, produced by FireEye. So if you go to Google and type just "redline fireeye": the software is produced by the first security firm, or the known security firm, FireEye. It's used for incident response and forensic analysis.

Today we will be talking about Redline, and we will be going over the tasks. Basically I have split the video, or I have made two videos. In the first one we will go over task one through task five, and in the last video, or the second video, we will be going over tasks six and seven; we will be solving a challenge. Okay, so in this video we will be introducing the software: how to use it, the interface, the features, the properties, and we will take an analysis example. In the second video we will be going over the challenges. So it's kind of long, but I have tried my best to make it short. So let's get started.
The first thing you do, you log into the machine using RDP. So basically, remember that once you deploy the machine you will have the credentials here. Use a software called Remmina to log in, which I have used. So basically, if you look at my... let me see here. So this is my desktop. I used Remmina, filled in the information by clicking on plus, adding the connection details, and you will be connecting to the machine.

Okay, so once you connect, you will see the two programs here: one is Redline and the other one is IOC Editor, the Indicators of Compromise editor. We will be talking about this in the next video, but in this video we are talking about the Redline interface. So if you click on that, and wait a bit for the program to start... okay, so it opened. So here you see we have three types of data collection. So basically, Redline collects data about your system in order to analyze it. First you have the Standard Collector, second you have the Comprehensive Collector, and third you have the IOC Search Collector.

The Standard Collector is the standard one, where it gathers the minimum amount of data about your system, and it's the most popular one. The Comprehensive Collector is the same as Standard as far as the data collection process, but it takes more time to complete. So if you are analyzing a machine that has been hit with a malware or an incident and you want to gather all the information, and you have all the time in the world, you can just go with the Comprehensive Collector.

The last one is "create an IOC search collector", and it only applies on Windows systems, so you cannot do that on Linux systems. So basically the last method takes an indicators-of-compromise file, such as a file that contains hashes, IPs, domain names, strings, indicators of compromise, right, and it searches your system for something that matches the indicators you just created. So you load Redline with a file and then you ask it to find what is in your system that matches the properties of the file you created. You create the indicators-of-compromise file with this software, IOC Editor, this one here; we will talk about that.
So we will use the Standard Collector for this video. If you click on Standard Collector, here you can select the operating system, Windows OS or Linux. For this video we will use Windows. Next we edit our script; here we choose what we want to collect about the current system. Edit your script: so here you have some pre-selected options about the memory. You can select whatever you want to collect about the system, such as, for example, for me I selected the process listing, right, the handles, sections, imports.

Also, if you go to Disk, here we can also gather information about the file system. So most probably, when you have an indicators-of-compromise file and you want to get matches with this file, you want to enumerate the disk. So you enable file enumeration and you select strings, include files, include directories, MD5, and that's all. You can also select to enumerate the disks and volumes if you want to navigate the file system.

Now if you go to System, here we select to gather information about the system, such as OS information, registry hive, analyze the event logs, any version of the registry, user accounts, prefetch, to analyze the executables that are most recently used. And of course we can click on Network and select what we want to gather about the network activity, such as the browser history, cookies, file downloads, URL history, DNS tables, port enumeration. We can also select routing tables and ARP tables to see connection information, or connections the machine has initiated to other systems.

Here, Other includes services and tasks. Most importantly, you want to select the tasks in order to understand more about the scheduled tasks; you have to select this: MD5, SHA1; services: MD5, SHA1. And we don't need these. So basically you can now run your analysis. Make sure also to select the entropy here, and you can click on OK.
So once you click on OK (let's click on OK now), the next step is to select a folder. Now, the folder here will be used to save the analysis files, so you browse. So make sure to... let's create a new folder on your desktop and name it "analysis two". Make sure it's empty, browse, and once you click on OK it will start collecting data. It will take some time to finish; that's why the author of the machine has prepared a ready analysis file for you to start with. So once this finishes, you go to the folder and you start a script called RunRedlineAudit. Once you start this, you're gonna wait some time for the job to finish, and then you will be able to access your analysis file.

Now, I'm not going to do that, because it has already been done. So to save time and to make it shorter, I will just jump to the analysis results. So suppose that you clicked on that, you ran the script, and then the script finished. Now you will be ready to navigate to the analysis results. So click X on that, X here, X here, delete this; this was for demonstration purposes.

Now we go to the analysis files; it is in Documents, Analysis. Now see, when the analysis finishes there is a new folder created, which is Sessions. You click on that: Analysis, Sessions, Session One. Click on that, and here you see a file with this extension, MAF, or Mandiant analysis file. This is your analysis file. Now this is what you want to click in order to start analyzing the machine. All right, so let's click on that. Double-click; it will open the analysis file with Redline.

All right, so once the analysis file has been imported, you will see here the results. So on the left we got all the information we asked the program to collect. So first we got the system information. If you click on that you will see the information about the system, such as the Windows version, the BIOS version, operating system, and other information about the user.
Now if you go to Processes, you can expand the arrow here. Here you will see information about the processes, such as the process name, PID, path, arguments, parent process. Most important are the arguments here: see how the process got executed.

Now if you go to Handles: a handle is the connection from the program, or from the process, to a resource on the system, such as files, DLLs, whatsoever. You see we have new handles here; if you click on "show all handles", we've got nothing. Okay, so Memory Sections: here we can investigate unsigned DLLs, so review named sections only, injected, all memory sections, and we got nothing, because maybe we didn't select to collect these, or there is none. So there are no unsigned DLLs. If you click on Strings, now here we see information about the captured strings, but we've got also nothing, which is weird.

Okay, Ports: here we see the connections made to the outside world, where the ports... On this tab: the local port, the local address, the remote port and the remote address, and what is the process, or the path of the process. All right, what else do we have? Also we have the registry information.

Now most importantly, if you go to Timeline (I'm going to skip this), so Timeline: here we can understand more about the incident and when it happened by using the filters on here. So now it's taking some time to load; I'm going to give it some time. But we can use the filters here to understand when the compromise happened on the system, and if we know when the compromise happened on the system we can use something called the time wrinkles in this tab to filter the timeline down to only the events which took place around the time we know the compromise happened. So if you click on Time Wrinkles: no wrinkle filters created. We can create a new custom time wrinkle and we can select here the time. For example, I want to show the events that happened around, say, 13 to 14. Yep. Okay, so here at 13 there is nothing. We can edit that, because I mean there was nothing on the machine, so we get it back to 15, and select... nothing. Back to the correct date, which is sixteen, five minutes before, five minutes after: nothing. Let's see here why we get nothing. So 16, 10, today: zero items on those dates. Okay, let's go back to Fields.
So now, after we have explored the interface and the information I've gathered about the system, now it's time to just go back to the questions and see what is required to find. So now, from the intro and the data collection to the questions.

So the first question: what data collection method takes the least amount of time? We said it was Standard Collector. You are reading a research paper on a new strain of ransomware; you want to run the data collection on your computer based on the patterns provided, such as domains, hashes, IP addresses, file names. What method would you choose to run a granular data collection against indicators? We spoke and we said that it is IOC Search Collector. What script would you run to initiate the data collection process? Please include the file extension. And we said it was RunRedlineAudit.bat, which is a script that is created once you have configured all of the options, or data collection options, on the program. The next one: if you want to collect the data on disks and volumes, under which option can you find it? And we know that when we configure the options we have an option to edit the script; there's a tab called Disks, and from there we can select disk enumeration. What cache does Windows use to maintain a preference for recently executed code? It is the prefetch.

Okay, next task: Redline interface. Where in the Redline UI can you view information about the logged-in user? Okay, let's see. So if you click on System Information, you will see here information about the user, and under that tab we see logged-in user; it is Administrator. So basically it's here where we can see information about the logged-in user: System Information.

Now the questions. So now you should be familiar with some of the data collection terms and techniques shown in the previous task. Armed with this knowledge, can you find what the intruder planted for you on the computer? So we are analyzing the analysis file of a victim machine that got infected with malware; we want to find out some information about that. So the first thing: provide the operating system detected for the workstation. If you go to System Information and go to Operating System Information, you will see the operating system was Windows Server 2019 Standard 17763, and this is the answer. Next one: provide the BIOS version for the workstation. The BIOS version of course is written also under the System Information, and it is Xen 4.2 Amazon.
What is the suspicious scheduled task that got created on the victim's computer? So now we have to find information about the scheduled tasks. To do that we go to Tasks and we click on Tasks. Now we will see a kinda long list, right. So to find the task I go to Actions, and in the Actions I could also see here another long list. If I scroll to the right (let me make this... okay), so we have the type of the action. The actions are the commands or the applications that get executed when the task, or the scheduled task, gets triggered, or when its time comes: the action is triggered or applied. So here we see the actions, or the applications, but if you scroll to the very right you see all the task names, right.

So now, here, what's the question? What is the suspicious scheduled task? Let's look for something suspicious. So you see Google Update, Google Updates, Amazon EC2 Launch, but we see one here: there is no certificate subject, there is no certificate issuer, no signature, no SHA. The attributes of this task are near to empty, right; we have only the executable path, the path to the application or the program or whatever it is that will be launched, and we see it is C:\Users\Administrator\Pictures\thm bluetooth.png. It's a picture, right, but if you go to the task you see it's saying "MS Office Update FA.K.A". So the name doesn't match with the kind of application that is launched, right. So we put this aside and we scroll down to see if we have something else. Scroll down, you see here .NET Framework. Scroll down. I'm not saying that if you see a familiar name it means that the task is not suspicious, but the methodology is to look for the clearly suspicious ones, and if you don't find anything you will start investigating the ones that look familiar.

Now if you see, we have here something called Device, and it is signed; all the signed ones, you can ignore them. This one is called Scheduled; let's see what it is. Scheduled: there is no executable path. It means it does nothing; it's just a scheduled task. Scroll down, scroll down. So anything else seems okay; of course, okay for the initial analysis, not for the in-depth analysis. For now we got this one, and it is the answer for our question.

Find the message that the intruder left for you in the task. Now the intruder has left a message for us in this task. So basically, so far we know the task name and we know the executable path. If we don't click on the task it doesn't open. Okay, let's go to Tasks and find it. So we can just copy the name and use the search feature to jump directly to the task, not losing your time with the long list. So here it is. Now we can get more details about this: we see here the name, we see the comment (the comment is the answer for the question), we see also the creator, which is Administrator. Now this is the answer for the question.
Next one: there is a new system event ID created by an intruder with the source name "THM Redline User" and the type Error. Find the event ID. So now investigate the event logs, yeah, the events. So go to Event Logs, and again we see a long list. So here we come to the search feature. So we go back; now the source name of that is this one. We copy that and we search for the events. Uh-huh, so here it is, the source name. Now the message is "someone cracked my password, I need to rename my puppy". So this is the event required from us to investigate, and it has the ID 546, and it is Error, right. So maybe the guy here was trying to log in but he realized he forgot his password. So this is the event ID. Provide the message for the event ID: you saw it.

It looks like the intruder downloaded a file containing the flag for question 8. Provide the full URL of the website. Now we go to the network activity, and then under our activity we have something: we have the download history. If you click on that it will give us a list of all of the files that have been downloaded on the victim machine. Now the question is to find a file containing the flag for question 8. Now this is question 8; the question is saying provide the full path to where the file was downloaded. So again we read the question: it looks like the intruder downloaded a file containing the flag; provide the URL of the website. Now, the file contains the flag, right, so we look among the file names. We see a file called flag.txt, all right, and we see the URL, so this is our answer. Why? Because the question is saying look for the file that contains the flag, so obviously this is the file that contains the flag and this is the URL where it came from, which is your answer.

Provide the full path to where the file was downloaded. Now, to find out the place, or the path, where the victim machine has saved the file, we see under Target Directory the path to which the file has been downloaded. Now if we navigate to that path, we go to This PC, navigate to C:, Program Files, Windows Mail, some folder, and we see a file called flag. We open it, and it is your flag. Okay then, so that's the first challenge of the room.
Now, IOC Search Collector: you can just follow the screenshots; you don't need to do anything, because the IOC challenge starts at task 6 and task 7. But I will provide you... you can see the answers from here. You can find these answers by just looking at the screenshots the author provided. No worries about the IOC Search Collector; I'm going to explain them in the challenge, where we will be using the Indicators of Compromise Search Collector in the program, and we will provide the answers from here. So for now we are done. In the next video we will be doing tasks six and seven, so see you in the next video.