TryHackMe Redline Write-Up

Toumo
11 min read · Aug 8, 2023


Image from tryhackme.com

We just finished the Autopsy room and now we will be learning how to use Redline. I’ve never used it, nor have I heard of it before, so it’ll be interesting to see what capabilities this tool can provide. I’ve definitely been enjoying the challenges lately and hope the remaining rooms can provide similar difficulties, even if I’ve never used the tools before.

As a reminder, I will mention if I used external sources to show that I still struggle, even if I am doing write-ups. I want to show that we’re all learning together.

Task 1 Introduction

1: Who created Redline?

This can be found in the reading.

Answer: FireEye

Task 2 Data Collection

I used my Kali and RDP’d into the machine. Steps on how I did it are located here!

I followed the instructions on creating my own data analysis. The only obstacle was that when we were told to save to the Analysis folder, the folder already had files inside. You can only save to an empty folder, according to Redline. I simply created my own Analysis folder on the Desktop to solve this issue.

To do this, go to the start menu on the bottom left and go click on File Explorer.

Then go to Desktop on the left side, right-click an empty spot, and go to New -> Folder. I already created an Analysis folder here.

I ran the script while following the steps in the reading. The script should take 10–20 minutes. I do have suspicions that the script had already been run for us, which is why the Analysis folder already existed in Documents on our machine, but I’ll run it myself anyway.

1: What data collection method takes the least amount of time?

This can be found in the reading.

Answer: Standard Collector

2: You are reading a research paper on a new strain of ransomware. You want to run the data collection on your computer based on the patterns provided, such as domains, hashes, IP addresses, filenames, etc. What method would you choose to run a granular data collection against the known indicators?

This can be found in the reading.

Answer: IOC Search Collector

3: What script would you run to initiate the data collection process? Please include the file extension.

The reading told us what file to run to start the data collection. As for the extension, right-click the program and go to Properties.

A new window should pop up. Look at “Type of file” for the extension.

Answer: RunRedlineAudit.bat

4: If you want to collect the data on Disks and Volumes, under which option can you find it?

You may have noticed this while following the reading and starting your data collection. When we were editing our scripts, the “Disk” tab has a section at the bottom that mentions what we are looking for.

Answer: Disk Enumeration

5: What cache does Windows use to maintain a preference for recently executed code?

I used the hint. Looks like we were supposed to read the manual. Here’s where I found the answer, by hitting CTRL+F to find keywords.

Answer: Prefetch

Task 3 The Redline Interface

1: Where in the Redline UI can you view information about the Logged in User?

I had to wait for the data to load, which took about 10–20 minutes again. Once it loaded, I followed the reading on the overview of the different menus and options. One of them, System Information, displays Logged in Users. You have to click “System Information” on the left and then look for “User Information” on the right-hand side. It’s located at the bottom.

Answer: System Information

Task 4 Standard Collector Analysis

1: Provide the Operating System detected for the workstation.

I was still in the System Information section. I looked around and saw the Operating System.

Answer: Windows Server 2019 Standard 17763

2: What is the suspicious scheduled task that got created on the victim’s computer?

I was looking for any hints of tasks. I saw the Task section on the left. I saw a funny looking comment on the right side which seemed like the answer.

Answer: MSOfficeUpdateFa.ke

3: Find the message that the intruder left for you in the task.

Admittedly, I tried looking for the file but had no luck. I decided to try putting in the comment as the answer, and I guess that was it!

Answer: THM-p3R5IStENCe-m3Chani$m

4: There is a new System Event ID created by an intruder with the source name “THM-Redline-User” and the Type “ERROR”. Find the Event ID #.

I went to the “Event Logs” section on the left. I saw a search bar at the top, so I decided to enter “THM-Redline-User” in hopes of finding a match, and we did! Look at the EID column for the Event ID.

Answer: 546

5: Provide the message for the Event ID.

I double clicked the log and it provides all the information for that one entry. Now I simply copied the message and pasted it into THM.

Answer: Someone cracked my password. Now I need to rename my puppy-++-

6: It looks like the intruder downloaded a file containing the flag for Question 8. Provide the full URL of the website.

I went to “File Download History” on the left and saw a few files were downloaded. I saw a file named “flag.txt”, which seems odd (for screenshot purposes, I extended the File Name column so it can be seen in the screenshot).

Answer: https://wormhole.app/download-stream/gI9vQtChjyYAmZ8Ody0Au

7: Provide the full path to where the file was downloaded to including the filename.

I double clicked on the entry to see the detailed view. You can see the full path it is located at. Remember that the answer wants the filename too!

Answer: C:\Program Files (x86)\Windows Mail\SomeMailFolder\flag.txt

8: Provide the message the intruder left for you in the file.

Now just navigate to the file in file explorer.

Answer: THM{600D-C@7cH-My-FR1EnD}

Task 5 IOC Search Collector

1: What is the actual filename of the Keylogger?

This can be found in the last screenshot provided in the reading for this task.

Answer: psylog.exe

2: What filename is the file masquerading as?

This can be found in the last screenshot provided in the reading for this task.

Answer: THM1768.exe

3: Who is the owner of the file?

This can be found in the last screenshot provided in the reading for this task.

Answer: WIN-2DET5DP0NPT\charles

4: What is the file size in bytes?

This can be found in the last screenshot provided in the reading for this task.

Answer: 35400

5: Provide the full path of where the .ioc file was placed after the Redline analysis, include the .ioc filename as well

This can be found in the 3rd to the last screenshot provided in the reading for this task.

Answer: C:\Users\charles\Desktop\Keylogger-IOCSearch\IOCs\keylogger.ioc

Task 6 IOC Search Collector Analysis

1: Provide the path of the file that matched all the artifacts along with the filename.

I navigated to the folder that has the existing analysis that we are going to use. Double click on that and wait for it to load. Just a heads up: loading the existing analysis file takes a really long time. It took me 15–20 minutes.

While the analysis is loading, I created a new IOC according to the new parameters. The instructions were covered in the reading in the previous task so I will not be going over how it is done.

Once the analysis is loaded and you have created your new IOC file, go back to the analysis. At the bottom left, click on IOC Reports and then Create a New IOC Report.

Load the IOC folder that has the IOC file inside.

Make sure the IOC file is loaded with a checkmark. I named mine “Task 6” for Task 6.

Now click on OK and wait for the report to generate. It might take another 5–10 minutes. Once it finishes loading, click on the generated report and then click on your IOC file name. My IOC File name was “Task 6” so that’s why “Task 6” shows up.

After that, click on View Hits and all the information we need should load.

Answer: C:\Users\Administrator\AppData\Local\Temp\8eJv8w2id6IqN85dfC.exe

2: Provide the path where the file is located without including the filename.

Just remove the file name from the above answer.

Answer: C:\Users\Administrator\AppData\Local\Temp

3: Who is the owner of the file?

Look for owner column.

Answer: BUILTIN\Administrators

4: Provide the subsystem for the file.

For this one, click on the Details tab on the right. If nothing loads, click the information icon next to the hit.

We will be presented with more details, one of them will tell us the Subsystem.

Answer: Windows_CUI

5: Provide the Device Path where the file is located.

Continue looking at Details to find this.

Answer: \Device\HarddiskVolume2

6: Provide the hash (SHA-256) for the file.

Well, we weren’t given the SHA256, but I used the MD5 hash and searched it up on VirusTotal. Go to the Details tab and you’ll find the hashes!

Answer: 57492d33b7c0755bb411b22d2dfdfdf088cbbfcd010e30dd8d425d5fe66adff4

7: The attacker managed to masquerade the real filename. Can you find it having the hash in your arsenal?

In the same Details tab, I just scrolled down to look for common names. I tried this list.

Answer: psexec.exe
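Tasks 5 and 6 are about building an .ioc file and then finding the files that hit on it, and Task 6 Q7 shows why a hash indicator matters: a renamed binary keeps its hash and size. The following is an added example, not code from the original post or from Redline, showing that matching logic in plain Python. It assumes a simplified OpenIOC 1.0-style document (the `FileItem/FileName`, `FileItem/SizeInBytes` and `FileItem/Md5sum` term names, the `http://schemas.mandiant.com/2010/ioc` namespace), and the payload bytes, file paths and the IOC itself are constructed here rather than taken from the room’s `keylogger.ioc`. It also computes SHA-256 locally, which is the check to do when you have the file in hand instead of pivoting from MD5 through VirusTotal.

```python
import hashlib
import xml.etree.ElementTree as ET

NS = "{http://schemas.mandiant.com/2010/ioc}"   # OpenIOC 1.0 namespace (assumed)

# Constructed payloads (not malware). KEYLOGGER_BYTES stands in for the binary
# the room calls psylog.exe; BENIGN_BYTES is an unrelated file.
KEYLOGGER_BYTES = b"MZ" + b"\x90" * 35398   # 35400 bytes, the size seen in Task 5
BENIGN_BYTES = b"MZ" + b"\x00" * 1022       # 1024 bytes


def file_record(full_path, data):
    """Describe one file with the FileItem terms the IOC refers to (names assumed)."""
    return {
        "FileItem/FullPath": full_path,
        "FileItem/FileName": full_path.rsplit("\\", 1)[-1],
        "FileItem/SizeInBytes": len(data),
        "FileItem/Md5sum": hashlib.md5(data).hexdigest(),
        # Computed locally: no need to pivot through VirusTotal for the SHA-256.
        "FileItem/Sha256sum": hashlib.sha256(data).hexdigest(),
    }


def build_ioc(md5, size):
    """Minimal OpenIOC 1.0-style document (constructed; not the room's keylogger.ioc).

    Top level is OR: hit on the real filename, OR on size AND MD5 together, so a
    renamed copy of the keylogger is still caught.
    """
    return f"""<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="constructed-keylogger-ioc">
  <short_description>Keylogger (constructed example)</short_description>
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="is">
        <Context document="FileItem" search="FileItem/FileName" type="mir"/>
        <Content type="string">psylog.exe</Content>
      </IndicatorItem>
      <Indicator operator="AND">
        <IndicatorItem condition="is">
          <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/>
          <Content type="int">{size}</Content>
        </IndicatorItem>
        <IndicatorItem condition="is">
          <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
          <Content type="md5">{md5}</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>"""


def _item_matches(item, record):
    """Evaluate a single IndicatorItem (supports the 'is' and 'contains' conditions)."""
    term = item.find(NS + "Context").get("search")
    content = item.find(NS + "Content")
    expected = content.text.strip()
    actual = record.get(term)
    if actual is None:
        return False                      # term was not collected for this file
    if content.get("type") == "int":
        return int(actual) == int(expected)
    actual, expected = str(actual).lower(), expected.lower()   # hashes and names
    condition = item.get("condition", "is")
    if condition == "is":
        return actual == expected
    if condition == "contains":
        return expected in actual
    raise ValueError(f"unsupported condition {condition!r}")


def _indicator_matches(indicator, record):
    """Recursively evaluate an Indicator group with its AND/OR operator."""
    results = []
    for child in indicator:
        if child.tag == NS + "IndicatorItem":
            results.append(_item_matches(child, record))
        elif child.tag == NS + "Indicator":
            results.append(_indicator_matches(child, record))
    if not results:
        return False                      # an empty group never matches
    op = indicator.get("operator", "AND").upper()
    return all(results) if op == "AND" else any(results)


def search_ioc(ioc_xml, records):
    """Return the FullPath of every record the IOC's top-level Indicator matches."""
    root = ET.fromstring(ioc_xml)
    top = root.find(NS + "definition").find(NS + "Indicator")
    return [r["FileItem/FullPath"] for r in records if _indicator_matches(top, r)]


def demo():
    # Constructed file set: the keylogger, a renamed copy of it, and a benign file.
    records = [
        file_record(r"C:\Users\charles\Desktop\psylog.exe", KEYLOGGER_BYTES),
        file_record(r"C:\Users\charles\AppData\Local\Temp\THM1768.exe", KEYLOGGER_BYTES),
        file_record(r"C:\Windows\System32\notepad.exe", BENIGN_BYTES),
    ]
    ioc = build_ioc(records[0]["FileItem/Md5sum"], len(KEYLOGGER_BYTES))
    return search_ioc(ioc, records)


if __name__ == "__main__":
    for hit in demo():
        print("HIT", hit)
```

The renamed copy hits only because of the size-plus-MD5 branch; a filename-only indicator would have missed it, which is the same reason the Details tab’s hash was what identified psexec.exe in Q7.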

Task 7 Endpoint Investigation

1: Can you identify the product name of the machine?

Now load the Analysis file that’s found in the Endpoint Investigation folder located on the Desktop. Once that is loaded, head over to “System Information” on the left side and look for anything that mentions product names.

Answer: Windows 7 Home Basic

2: Can you find the name of the note left on the Desktop for the “Charles”?

I looked around File Download History but found nothing. I decided to look at his Desktop instead. To do that, I went to File System on the left-hand side, and from there I expanded the menu until I got to his desktop. I then found a weird .txt file name. Double click it to get more details; it’ll help with copying the answer.

Answer: _R_E_A_D___T_H_I_S___AJYG1O_.txt

3: Find the Windows Defender service; what is the name of its service DLL?

Similarly, I checked the Windows Services tab first, and searched for “Windows Defender” and got one result. Double clicking it will help us find the answer.

Answer: MpSvc.dll

4: The user manually downloaded a zip file from the web. Can you find the filename?

I checked the File Download History tab on the left side and used the search function. Unfortunately, it didn’t give me anything. I then just sorted the list by the “Download Type” column and found the Manual download entry. It was after the fact that I found out I had been searching for .zip in the “Target Directory” column.

Answer: eb5489216d4361f9e3650e6a6332f7ee21b0bc9f3f3a4018c69733949be1d481.zip

5: Provide the filename of the malicious executable that got dropped on the user’s Desktop.

I went back to check the desktop and I did find an .exe file.

Answer: Endermanch@Cerber5.exe

6: Provide the MD5 hash for the dropped malicious executable.

I went back to File Download History to grab the URL and pasted it into VirusTotal, but I found nothing.

Afterwards, I grabbed the .zip file name and searched it on VirusTotal. It looked promising but led me nowhere.

I then looked in a couple of tabs, one of them being “Timeline.” I saw that it had MD5 in some of the results, which seemed promising. I searched for the .exe file and found a result. I double clicked on it to open the detailed view and copied the MD5 hash. Looks like I found it!

Answer: fe1bc60a95b2c2d77cd5d232296a7fa4

7: What is the name of the ransomware?

I pasted the hash into VirusTotal, went to the Details tab and looked at the names. I saw Cerber pop up often and decided to Google what it was. Looks like it’s a ransomware.

Answer: Cerber

Thoughts:

This room gave me a lot of frustration, mainly due to the extremely long waiting time when I was loading the analysis, or even just opening the application. I think I struggled more with how slow the machine was than with the challenge / hands-on itself. The challenge was actually fun, and I really enjoy digging around in stuff. I feel like the entire SOC Level 1 module has started making me use VirusTotal and Whois to dig further into what a file is or where it redirects to. I don’t know how it is in an enterprise setting, but this way of thinking seems beneficial as I continue to analyze and dig for answers.
