This room is about learning the ropes with Redline, a tool you can use to analyze a potentially compromised endpoint through the memory dump, including various file structures. It’s similar to Volatility, but gives a general overview of an endpoint for a quicker analysis. This room has 2 practical experiences, and this is the writeup for both tasks.
Table of Contents
Scenario 1: IOC Search Collector Analysis
You are assigned to do a threat hunting task at Osinski Inc. They believe there has been an intrusion, and the malicious actor was using the tool to perform the lateral movement attack, possibly a “pass-the-hash” attack.
Task: Can you find the file planted on the victim’s computer using IOC Editor and Redline IOC Search Collector?
So far, you only know the following artifacts for the file:
File Strings:
- 20210513173819Z0w0=
- <?<L<T<g=
File Size (Bytes):
- 834936
Scenario 1: Solution
First, we need to make the IOC (Indicators Of Compromise) rule in the Mandiant’s IOC Editor. Simple task, it’s just about using the provided information and getting the logic right. In a real-case investigation one would need to find these artifacts details either through an analysis of files found on a compromised machine, or via some online references provided by other researchers.
This is the rule I created for this scenario:
With the .ioc created, I could open the analysis file in Redline, load the IOC rule and get the results:
There was one hit, a file got detected using the rule, so let’s check the details I used to answer the room questions:
The first few questions could easily be completed by looking at the above screenshot:
- Provide the path of the file that matched all the artifacts along with the filename.
- Provide the path where the file is located without including the filename.
- Who is the owner of the file?
- Provide the subsystem for the file.
- Provide the Device Path where the file is located.
For the remaining ones, one needed to go looking on an outside resource (like in a real-life investigation), VirusTotal.
On this website it’s possible to search for hash values and gather additional information about suspicious files. So, in this case, here’s what I’ve found:
The above screenshots’ details allowed me to answer the remaining questions of this scenario:
- Provide the hash (SHA-256) for the file.
- The attacker managed to masquerade the real filename. Can you find it having the hash in your arsenal?
Scenario 2: Endpoint investigation
Scenario: A Senior Accountant, Charles, is complaining that he cannot access the spreadsheets and other files he has been working on. He also mentioned that his wallpaper got changed with the saying that his files got encrypted. This is not good news!
Are you ready to perform the memory analysis of the compromised host? You have all the data you need to do some investigation on the victim’s machine. Let’s go hunting!
Scenario 2: Solution
It starts with analysing the data collected from the endpoint. The needed answers were easy to find thanks to Redline’s easy access to the most common and useful information one needs during an investigation. Here are the screenshots for this investigation:
- Can you identify the product name of the machine?
- Can you find the name of the note left on the Desktop for the “Charles”?
- Find the Windows Defender service; what is the name of its service DLL?
This could be answered thanks to the convenient “Windows Services” analysis data on the left panel, searching for a keyword (in this case “defender”) and scrolling through the details of the service until finding the correct info (not shown in the screenshot):
- The user manually downloaded a zip file from the web. Can you find the filename?
This was also quicker to find thanks to a Redline feature, which allows to specifically select “Manual Downloads” in the overall list of File Download History in the left panel: this option shows aIl manual downloads (i.e. any file, such as an installer that was not automatically downloaded as part of viewing the page.):
- Provide the filename of the malicious executable that got dropped on the user’s Desktop.
- Provide the MD5 hash for the dropped malicious executable.
The above two questions can be answered again by going to the file tree structure, searching for the file and scrolling through the additional details to find the MD5 hash (not shown in the following screenshot):
- What is the name of the ransomware?
This could be infered by looking at the file name, but just to be sure, I searched on VirusTotal for the MD5 hash of the file and got the answer:
Conclusion
It was interesting learning about this software. I already knew about Volatility, but having had the chance to use and learn Redline gave me the opportunity to add a good and easy-to-use tool in my arsenal.