Redline Tryhackme Walkthrough

Learn how to use Redline to perform memory analysis and to scan for IOCs on an endpoint.

This write-up covers the Redline Room on TryHackMe.
Learning Path (s): Cyber Defense, SOC Level 1
Module: Incident Response and Forensics, Digital Forensics and Incident Response
Skill: Forensics Tool
Protocol/Tools: Redline

Introduction

Redline is a FireEye tool that provides a quick assessment of potentially compromised endpoints through memory dumps and file structures. It has a GUI and can collect registry data, running processes, memory images, browser history, and more. Installation is straightforward by running the MSI file.

Redline is a powerful tool for analyzing compromised hosts, but the accuracy of the analysis depends on the data collected. Redline collects various data, including running processes, services, files, registry structures, and event logs. Timeline can be useful for searching specific keywords and determining when an attack started and what actions the attacker took.

Redline can be used to perform memory analysis and to scan for IOCs on an endpoint. Using Redline, you can analyze a potentially compromised endpoint through the memory dump, including various file structures.

The Redline User Guide and IOC Editor User Guide are useful references.

Here is what you can do using Redline:

Setting up: Connect to the Start the Tryhackme VM or deploy the machine locally via OpenVPN
Redline is pre-installed in the virtual machine attached to this room
RDP into the Machine using the credentials Below
User: administrator
Password: letmein123!

Task Question(s)

Note: Due to Medium’s formatting, some elements are dropped. Please visit our Notion page for the full tutorial.

DFIR & IFR

• Who created Redline? FireEye

Data Collection

There are three ways or options to collect data using Redline:

• Standard Collector: gathers the minimum amount of data for analysis and is the preferred method for this room. It takes only a few minutes to complete.
• Comprehensive Collector: gathers the most data for further analysis and takes up to an hour or more.
• IOC Search Collector (Windows only): collects data that matches with the IOCs created in IOC Editor. It is used to run the data collection against known IOCs gathered through threat intelligence, incident response, or malware analysis.

In this task, we will be using the Standard Collector method.

• From Redline, click on “Create a Standard Collector”.
• You will have an option to choose the target platform. In our case, we will select Windows.

• Under the Review Script Configuration, click on “Edit your script”

Click OK. And then click on “Browse” under “Save Your Collector To”
You will need to create a folder where your analysis file will be saved and the script for collecting the data you need.

In the folder, run the “RunRedlineAudit” script as Administrator to collect the data we need. This will automatically open a command prompt window; It will close automatically (15–20 mins) when the data collection process finishes.

Task Question(s)ㅤ

Note: Due to Medium’s formatting, some elements are dropped. Please visit our Notion page for the full tutorial.

DFIR & IFR

• What data collection method takes the least amount of time?
• You are reading a research paper on a new strain of ransomware. You want to run the data collection on your computer based on the patterns provided, such as domains, hashes, IP addresses, filenames, etc. What method would you choose to run a granular data collection against the known indicators?
• What script would you run to initiate the data collection process? Please include the file extension.
• If you want to collect the data on Disks and Volumes, under which option can you find it?
• What cache does Windows use to maintain a preference for recently executed code?

The Redline Interface

Import AnalysisSession1 (in the Sessions folder) with the .mans extension to Redline for investigation

• The left panel displays different types of analysis data, including:
• System Information
• Processes contains: Handles, Memory Sections, Strings, Ports
• Others include: File System, Registry, Windows Services, Tasks, Event Logs, ARP and Route Entries, Browser URL History, File Download History
• The Timeline records every action on the file and helps understand when the compromise occurred.
• TimeWrinkles™ filters out the timeline to only the events that took place around that time.
• TimeCrunches™ reduce the excessive amount of data not relevant in the table view.
• The Redline User Guide provides more information on each type of data analysis.

Task Question(s)

Note: Due to Medium’s formatting, some elements are dropped. Please visit our Notion page for the full tutorial.

DFIR & IFR

• Where in the Redline UI can you view information about the Logged in User?

Standard Collector Analysis

Armed with this knowledge, can you find what the intruder planted for you on the computer?

Note: You will analyze the .mans file you imported from the previous task to answer the questions below.

Task Question(s)

Provide the Operating System detected for the workstation.

• Check System Information.

Be sure to check the rest of the System Information section for other useful data.

What is the suspicious scheduled task that got created on the victim’s computer?

• Find the message that the intruder left for you in the task.
• Check the “Comment” section for the scheduled task.

There is a new System Event ID created by an intruder with the source name “THM-Redline-User” and the Type “ERROR”. Find the Event ID #.

• Provide the message for the Event ID.
• Don’t forget to also include ‘-++-’ at the end of the message.

It looks like the intruder downloaded a file containing the flag for Question 8. Provide the full URL of the website.

• Manually navigate to the folder location identified in Redline.

Provide the full path to where the file was downloaded to, including the filename.

• Manually navigate to the folder location identified in Redline.

Provide the message the intruder left for you in the file.

• Manually navigate to the folder location identified in Redline.

IOC Search Collector

Indicators of Compromise: artifacts of the potential compromise and host intrusion on the system or network that you need to look for when conducting threat hunting or performing incident response. IOCs can be MD5, SHA1, SHA256 hashes, IP address, C2 domain, file size, filename, file path, a registry key, etc.

One of the great tools you can use is IOC Editor, created by FireEye, to create IOC files.

There are three types of collectors in the Redline tool: Standard Collector, Comprehensive Collector, and IOC Search Collector (Windows only).

• IOC Search Collector collects data that matches with the IOCs created in IOC Editor.
• To create an IOC file, you can use IOC Editor by FireEye.
• Once you create and save the IOC file, you can use it in the IOC Search Collector in the Redline tool.

Open IOC Editor: create the directory which will store the IOC file (IOC Directory)

Keylogger indicators in IOC Editor:

The actual IOCs will be added under,, Add.

Here are the values from the image above:

• File Strings — psylog.exe
• File Strings — RIDEV_INPUTSINK
• File MD5 — 791ca706b285b9ae3192a33128e4ecbb
• File Size — 35400

Adding specific IOCs to the IOC file.

• After executing the .bat file, you need to wait for the analysis to finish.
• When the report generation completes, you can see the “Hits” and expand the list by clicking on the entries in each row.

ㅤ

IOC Search Collector ignores data that doesn’t match an IOC you have gathered, but you can collect additional data if needed.

• To create an IOC Search Collector, you need to browse and choose the location of the .ioc file.

• After reviewing the configured IOCs, you can edit the script to configure what data will be collected for the analysis.
• After executing the .bat file, you need to wait for the analysis to finish and then open the .mans file in Redline.
• If Redline fails to generate the IOC Report automatically, you can manually generate it by clicking “Create a New IOC Report” and importing your .ioc file.

It’s important to gather granulated and accurate artifacts to add to your IOC file to avoid false positives.

Task Question(s)

What is the actual filename of the Keylogger?

• Check the “File Info” section for the actual filename of the Keylogger.

What filename is the file masquerading as?

• Identify the filename that the file is pretending to be.

Who is the owner of the file?

• Check the “File Info” section to find the owner of the file.

What is the file size in bytes?

• Examine the “File Info” section to determine the file size in bytes.

Provide the full path of where the .ioc file was placed after the Redline analysis, including the .ioc filename as well.

• Refer to the IOC Report screenshot to find the full path where the .ioc file was placed after the Redline analysis.

IOC Search Collector Analysis

Scenario: You are assigned to do a threat hunting task at Osinski Inc. They believe there has been an intrusion, and the malicious actor was using the tool to perform the lateral movement attack, possibly a “pass-the-hash” attack.

Task: Can you find the file planted on the victim’s computer using IOC Editor and Redline IOC Search Collector?

So far, you only know the following artifacts for the file:

File Strings:

• 20210513173819Z0w0=
• <?<L<T<g=

File Size (Bytes):

• 834936

Note: Open Previous Analysis, and use the existing Redline Session found in C:\Users\Administrator\Documents\Analysis\Sessions\AnalysisSession1.

Task Question(s)

Provide the path of the file that matched all the artifacts along with the filename.

• Locate the matched file using the information gathered from the IOC search collector.

Provide the path where the file is located without including the filename.

• Obtain the directory path without the filename information.

Who is the owner of the file?

• Check the “File Info” to identify the owner of the file.

Provide the subsystem for the file.

• Check “PE Info” to gather details about the subsystem of the file.

Provide the Device Path where the file is located.

• Obtain the device path where the file is stored.

Provide the hash (SHA-256) for the file.

• Use the “Get-FileHash” command in PowerShell to calculate the SHA-256 hash for the identified file.

The attacker managed to masquerade the real filename. Can you find it having the hash in your arsenal?

• Check VirusTotal using the hash obtained to identify the real filename associated with the hash.

Endpoint Investigation

Scenario: A Senior Accountant, Charles, is complaining that he cannot access the spreadsheets and other files he has been working on. He also mentioned that his wallpaper got changed with the saying that his files got encrypted. This is not good news!

Are you ready to perform the memory analysis of the compromised host? You have all the data you need to do some investigation on the victim’s machine. Let’s go hunting!

Task:

1. Navigate to the folder on your desktop titled Endpoint Investigation.
2. Double-click on the AnalysisSession1.mans file. The data will be imported automatically into Redline.
3. Analyze the file to answer the questions below.

Note: Give it up to 10 minutes for all the data import.

Task Question(s)

Can you identify the product name of the machine?

• Check System Information.

Can you find the name of the note left on the Desktop for “Charles”?

• Take a look at the NOTEPAD.exe process.

Find the Windows Defender service; what is the name of its service DLL?

• Check the Windows Services section.

The user manually downloaded a zip file from the web. Can you find the filename?

• Check File Download History.

Provide the filename of the malicious executable that got dropped on the user’s Desktop.

Provide the MD5 hash for the dropped malicious executable.

What is the name of the ransomware?