
Exploring Information Security

Securing the Future - A Journey into Cybersecurity Exploration

Blue Team Starter Kit - Forensics with Redline

December 8, 2015

“I guess we’ll just re-image the box then” is the phrase I often used early in my IT career. That was standard operating procedure for a compromised machine. We would receive a SOC alert. We would go kick the user off the box and have it re-imaged. That is, until I found Mandiant’s (now FireEye’s) Redline tool.

What is Redline?

It’s a free tool that allows me to investigate potentially compromised boxes. With the tool, I started getting a better understanding of why compromises occurred. That information allowed us to make better decisions about the defenses in place. It also allowed us to provide valuable feedback to the Security Operations Center (SOC).

The tool has several features that can be useful for analysis. This article will focus on the timeline feature. The timeline collects all the log sources from the computer and puts them in one location for analysis. This is useful for investigating incidents where a specific time frame for the incident is available.

The tool also features a Malware Risk Index (MRI) score and Indicators of Compromise (IOCs). MRI is for analyzing processes and IOCs are for defining artifacts. Refer to the user guide for more information on using these.

Alternative Tools

Before we get to Redline, I would like to mention a few alternatives. Volatility is a tool that I hear a lot of infosec people raving about. It’s a memory forensics and analysis tool and, from the sound of it, does a lot of the same things Redline does. I have never used the tool, but I see plenty of professionals talking about it.

There’s also the SANS Investigative Forensic Toolkit (SIFT), which is a VMware Workstation virtual machine loaded with forensics tools. It’s been a while since I’ve used the tool. From what I remember, this tool requires a little more advanced knowledge of forensics. Still, it’s another free option to perform forensic analysis on potentially compromised computers.*

*As you may have noticed by now, I keep using the words “potentially compromised” computers. That’s because one of the things I discovered using Redline is that false positives happen.

How to use Redline

Download and install Redline. I would also recommend downloading the user guide. The user guide is how I got started with the tool. It explains the ins and outs in much more depth than I intend to here. In fact, I recommend stopping here and just using the user guide.

Still with me? Let us proceed.

Launch Redline and click on the “Create a Comprehensive Collector” link. This will create the collection package. Check the box for “Acquire Memory Image.” A lot of malicious activity happens in memory, so collecting what’s in memory is vital.* Next, decide where the collection package will reside on the computer. Click OK to create the package.

*When responding to an incident, disconnect the computer from the network or contain it in a separate VLAN. Avoid rebooting or shutting down. A reboot or shutdown will wipe whatever is in memory.

When a compromised computer is discovered, get the collection package onto the computer. There are a few options for doing this. Packages can be pre-deployed to all boxes in the organization. USB is another option. The organization’s environment will determine the best method.

To run the package, execute the “RunRedlineAudit” batch file in the collection package. A command prompt (black box) will pop up and begin running a script to collect all the events on the computer. The collection can take several hours depending on how much is on the computer, its processing power, how much memory it has, etc.

Once the script completes, open the results in Redline. On Redline’s main page, click the link for “Open Previous Analysis” under Analyze Data. Go to Sessions -> AnalysisSession and select the .mans file. Click Open. Redline will now load the session. This part of the process can take some time as well.

After the session opens, click on the option to investigate based on an external source. There are other options for starting an investigation; refer to the user guide for explanations of these. A Timeline will appear with all events: registry changes, browsing history, event logs and so on. A Timeline Configuration pane is available for refining the timeline. Computers create a ton of events, so it can take some time to load everything, which is why it's a good idea to define a time period. Go to the Time Wrinkle tab and set a number of minutes before and after a certain point in time. If the information available on the incident is vague, a wider time period may be needed. For a more accurate time, a smaller time period can be used.

For the most part, when I received a SOC alert the information I received was exact down to the second. I would use only two minutes before and after a specific time. When I didn’t have an exact time, I would go as high as 15 minutes before and after. One thing to note is that the time on events is in GMT. A conversion to GMT is needed to match the time from the incident to the computer (+4 or +5 hours).

Now go through the timeline and look for anything associated with the incident. Use Google to research any suspicious events. In one incident I responded to, several users had clicked a phishing email. A black box had popped up on their machines and then gone away. We ran Redline on the machines and found that an .exe had been dropped in the Windows temp folder. In other instances I would see the anti-virus or EMET step in and block the attack. Look for anything suspicious. If unsure, Google it.
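To make the time-window step concrete, here is an added Python example (not code from the post, and not part of Redline) that models the workflow above over a constructed timeline export: convert a local SOC alert time to GMT/UTC, take a Time Wrinkle of a few minutes either side, and flag executables created or launched from a Temp folder, the pattern from the phishing incident described above. The row format, the sample events, the -4/-5 hour offsets and the `triage` helpers are all assumptions of this example, not Redline's export format or API.

```python
"""Time-window triage over a constructed Redline-style timeline export.

Added example. Assumptions: rows are (utc_time, event_type, summary) tuples
shaped loosely like a Redline timeline export; Redline shows event times in
GMT/UTC (as the post notes); the SOC alert time is local, so it is converted
with a fixed offset (-4 or -5 hours here, mirroring the post's "+4 or +5").
"""
from datetime import datetime, timedelta, timezone
import re

TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample timeline rows (all times UTC). Not real incident data.
SAMPLE_TIMELINE = [
    ("2015-11-18 14:58:02", "Browser History", "http://webmail.example.test/inbox"),
    ("2015-11-18 15:00:41", "Browser History", "http://invoice-update.example.test/view.php"),
    ("2015-11-18 15:00:52", "File Created", r"C:\Windows\Temp\svchost32.exe"),
    ("2015-11-18 15:00:53", "Process Start", r"C:\Windows\Temp\svchost32.exe"),
    ("2015-11-18 15:00:55", "Event Log", "EMET blocked an exploit attempt in iexplore.exe"),
    ("2015-11-18 15:01:10", "Registry Modified",
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost32"),
    ("2015-11-18 15:20:00", "File Created", r"C:\Users\alice\Documents\report.docx"),
    ("2015-11-18 16:05:00", "Event Log", "Windows Update installed updates"),
]

# Defensive heuristic from the post's incident: an executable living in a Temp folder.
TEMP_EXECUTABLE = re.compile(r"\\temp\\[^\\]+\.(?:exe|dll|scr|bat|ps1)$", re.IGNORECASE)


def parse_timeline(rows):
    """Turn (utc_string, type, summary) rows into tz-aware events sorted by time."""
    events = []
    for stamp, kind, summary in rows:
        when = datetime.strptime(stamp, TIME_FMT).replace(tzinfo=timezone.utc)
        events.append({"time": when, "type": kind, "summary": summary})
    return sorted(events, key=lambda e: e["time"])


def local_to_utc(local_stamp, utc_offset_hours):
    """Convert a SOC alert time given in local time to UTC.

    utc_offset_hours is the local zone's offset from UTC: -4 when the post's
    "+4 hours" correction applies, -5 when it is "+5". Constructed offsets.
    """
    local_zone = timezone(timedelta(hours=utc_offset_hours))
    local = datetime.strptime(local_stamp, TIME_FMT).replace(tzinfo=local_zone)
    return local.astimezone(timezone.utc)


def time_wrinkle(center, minutes):
    """Window of +/- minutes around an alert time, like Redline's Time Wrinkle tab."""
    delta = timedelta(minutes=minutes)
    return center - delta, center + delta


def events_in_window(events, start, end):
    """Keep only events whose timestamp falls inside [start, end]."""
    return [e for e in events if start <= e["time"] <= end]


def flag_temp_executables(events):
    """Events whose summary is an executable created or launched from a Temp folder."""
    return [e for e in events if TEMP_EXECUTABLE.search(e["summary"])]


def triage(rows, alert_local, utc_offset_hours, minutes):
    """Full pass: parse, convert the alert time, window it, flag suspicious rows."""
    events = parse_timeline(rows)
    start, end = time_wrinkle(local_to_utc(alert_local, utc_offset_hours), minutes)
    window = events_in_window(events, start, end)
    return window, flag_temp_executables(window)


if __name__ == "__main__":
    # SOC alert at 11:00:45 local, two minutes either side, local zone at UTC-4.
    window, flagged = triage(SAMPLE_TIMELINE, "2015-11-18 11:00:45", -4, 2)
    for e in window:
        marker = "!!" if e in flagged else "  "
        print(f"{marker} {e['time']:%H:%M:%S}Z  {e['type']:<18} {e['summary']}")
```

The same alert time fed in without the GMT conversion, or with the wrong offset, yields an empty window: the activity is there, but the analyst is looking at the wrong two minutes. That is the failure mode the +4/+5 hour note above is warning about, and why the window should be widened when the offset or the alert time is uncertain.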

That's pretty much it. The process I use is very simple. It gets me answers within a relatively quick time period and helps me make better decisions. Doing the analysis above, I was able to determine when our defenses failed. I also discovered that we were being sent false positives and that the machines were perfectly fine. In those instances we could put the computers back in service with a high level of confidence. The benefit of doing that is that people aren't without machines for longer than needed. It also helped reduce workload in the IT department by reducing the number of computers that needed to be re-imaged.

The tool and its alternatives are much deeper and offer valuable information for decision making.

Conclusion

With FireEye’s Redline, security teams can make better decisions about potentially compromised computers. It’s a free tool, so it should fit nicely in the budget (no procurement process). It’s also an easy tool to pick up and just start using. There’s some good documentation and I know of at least one YouTube video available.

Of course, there are plenty of other reputable options, Volatility being the one that I see most people talking about. Whatever the tool, taking the time to do some analysis on potentially compromised boxes is important. That information will provide a better picture of what’s happening in an environment: how to adjust defenses, how to identify false positives, and how to make better decisions overall.

This post first appeared on Exploring Information Security.

In Technology Tags Blue Team, Redline, Forensics, Incident Response

Blue Team Starter Kit - Introduction

November 5, 2015

I recently gave this talk at BSides Augusta and DerbyCon this past September. BSides Augusta is a longer version where I demonstrate each tool. DerbyCon is a shorter version where I talk about each tool. After presenting at IT-ology Trends 2015, I decided to document the talk here on my site as a reference for people interested in the content.

My talk, Blue Team Starter Kit, presents several security challenges with low-cost solutions. It is for security professionals with limited resources, including time, money, and people.

LIMITED RESOURCES IS ONLY AN EXCUSE

Limited resources can be its own challenge.

“If only we could buy this appliance, all our problems would be solved.”

Except that when that appliance comes in, it takes time to configure it and train on it. Oh, and that function the salesman said would solve all our problems? Yeah, that doesn’t work. Some appliances work great. Other times, not so great. Unfortunately, when the not-so-great happens we lose money and time. Look in-house before even beginning to research solutions that can solve problems.

Often, I’ve found that appliances are not configured correctly or fully implemented. A little tender love and care (TLC) can get appliances running more efficiently and potentially help solve certain challenges. After looking in-house, if the problem still isn't solved, fire up the browser and start researching solutions.

Here are some of the challenges I've had to deal with in the past and the low cost solutions that helped meet those challenges.

CHALLENGE #1 - Research

Google is a fantastic tool for doing research. It is the first stop when beginning to solve difficult challenges. Understanding Google’s search techniques is vital to becoming a proficient IT professional. COST: Behavioural data

CHALLENGE #2 - Threat Intelligence

So, how do I keep up with information security and its ever-changing ways? How do I keep my thumb on the pulse of the industry? Might I suggest social media and, more precisely, Twitter. The platform is a wonderful tool for the latest news and tools in information security. It also acts as a forum to interact with people, ask questions and make connections. Sure, there is drama, but that can be tuned out (like any appliance). Don’t overlook this as a tool for your security team. I have found a lot of benefit using this in my day-to-day job. COST: Behavioural data

CHALLENGE #3 - Application Security

Management approached me with the challenge of doing security assessments on all new applications. With the help of Google, I found a non-profit organization called the Open Web Application Security Project (OWASP). OWASP is an open source community. Within the community is a vast amount of resources to help with application security. This is where I discovered a wonderful tool called the Zed Attack Proxy (ZAP). Set up as a proxy, ZAP can be a powerful tool to help security professionals and developers find vulnerabilities in applications. COST: Free

An alternative to this tool is Burp Suite, which has a community version and a paid version. COST: $300/year (Professional version)

CHALLENGE #4 - Forensics

As part of my job I respond to alerts from the state's Security Operations Center (SOC). Initially, we were just re-imaging the machines. At some point we decided we wanted to get a better understanding of how machines were being infected. I can't remember exactly where I found Redline from Mandiant (now FireEye), but it's helped with meeting this challenge. The tool (largely memory based) collects browsing history, registry and file changes and much more. It then puts it all in one location for automatic and manual analysis. COST: Free

An alternative to this tool is Volatility. COST: Free

CHALLENGE #5 - Endpoint Security

Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) adds an extra layer of protection to machines running Adobe Flash, Java, and Microsoft products. Sure, all the Windows XP machines should be off the network, but damn those legacy applications. Worried about that latest Internet Explorer vulnerability? Articles reporting on new vulnerabilities often have the sentence "EMET mitigates this vulnerability." Like this one. COST: Free

CHALLENGE #6 - Patch Management

This is a big one, and one that might be the most difficult of all the challenges. I tried a couple of internal applications (it's amazing how many solutions have a deploy-software function), with frustrating results. That is, until the sysadmin I worked with suggested Admin Arsenal’s PDQ Deploy. It is a software deployment application that just works. Combined with PDQ Inventory, it has the potential to help patch third-party software. COST: $500 (Enterprise version)

CONCLUSION

I plan to dive deeper into the challenges and tools above over the coming weeks. Working with limited resources can be tough and frustrating, but there are solutions. Look internally at existing solutions first. Then look at external options. There are plenty of expensive appliances out there that will solve the problem. When those are determined to be outside of the budget, start looking at some of the inexpensive options. Often there are simpler and cheaper solutions to challenges. It might take a little more research, but they have the potential to do just as good a job.

Feedback and suggestions are welcome in the comment section or by email: timothy.deblock[at]gmail[dot]com.

This post first appeared on Exploring Information Security.

In Technology Tags infosec, Blue Team, Google, Twitter, OWASP, Zed Attack Proxy, Microsoft, EMET, Redline, Patch management, PDQ Deploy
