Mandiant’s free Redline utility allows you to triage Windows operating system (OS) memory and file structure to identify signs of malicious activity. Redline:
- Collects run processes, files, registry data, and memory images from Windows operating systems.
- Helps to identify when a compromise was introduced, which files were affected, and if (and how) it persists.
- Performs Indicators of Compromise (IOC) analysis, looking for specific artifacts, such as files or processes, that may indicate a breach has occurred.
- Leverages features such as TimeCrunch, TimeWrinkle, filtering by user and/or process, and whitelisting to hide data and activity that is irrelevant to your analysis.
Redline Version 1.20.1 Introduced
On October 23, 2017, Redline version 1.20.1 introduced support for Windows 10 system collection and analysis. The new release also improves Redline’s initial load time by removing the MRI scoring calculations and addresses a number of other issues, for instance Redline failing to run when FireEye’s Endpoint Threat Prevention Platform (HX) is installed.
Version 1.20.1 also supports multiple new types of data visualization for responders analyzing collections acquired via FireEye HX. The newly added fields are BIOS Type for the System Information audit, Security ID (SID) for registry audits, and the Command Line field for HX agent process events.
Supported Operating Systems: Windows XP, Windows Vista, Windows 7, Windows 8 (32-bit and 64-bit), Windows 10.
You can download Redline here: https://www.fireeye.com/services/
Running Redline Portable Collector on Windows 10
Step 1: Download and Install Redline
First, download Redline, verify its certificate, and install it by double-clicking the Redline Windows Installer (.msi) file (“Redline User,” 2017).
Step 2: Create a Redline Collector on a USB flash drive that contains an executable script to collect data from a Windows 10 operating system.
Redline has three collector types: the Standard Collector, the Comprehensive Collector, and the IOC Search Collector; a full discussion of them is outside the scope of this post. In short, the Standard Collector configures scripts to gather the minimum amount of data needed to complete an analysis. The Comprehensive Collector sets scripts to collect most of the data that Redline can collect and analyze. Mandiant recommends this collector type if you intend to do a full analysis or if you have only one opportunity to collect data from a system. The IOC Search Collector gathers data that matches selected Indicators of Compromise (IOCs). Mandiant recommends this collector type when you are looking only for IOC hits and not for any other potential compromises. I chose “Create a Comprehensive Collector” (“Redline User,” 2017):
You can accept the Collector’s scripts default or edit the collector script you selected:
For instance, I edited the script by checking “Strings” and “Acquire an image of memory that can be used to accurately acquire process memory and drivers during analysis in Redline,” neither of which is checked by default:
After closing the editor, create and select a folder on the USB to save the collector to:
Click “OK” and Redline creates the portable collector:
View of collector files created on USB:
Step 3: Run the Redline Collector
Open an Administrator Windows PowerShell session. Change directory to the collector folder on the USB drive. Run RunRedlineAudit.bat:
Step 4: Forensic Investigation with Redline
Once the collector script completes, it creates an “AnalysisSession.mans” file in the USB drive’s AnalysisSession folder (see the snippet below). Open it in Redline: on Redline’s main page, click the “Open Previous Analysis” link under Analyze Data, go to “Sessions” -> “AnalysisSession”, select the “AnalysisSession.mans” file, and click Open. Redline loads the collector script’s session (this takes time). Once the session opens, select the external source option (see the Redline User Guide, Version 1.2, for a full list of investigation options: https://www.fireeye.com/).
Once the events load, if you have an exact time for the SOC alert, go to the Time Wrinkle tab and select a few minutes before and after the reported time to focus and speed up your investigation; if you do not have an exact time, show more minutes before and after the estimated time. Going through the timeline, look for indicators of compromise (e.g., an executable in the temp folder, antivirus or EMT blocks, etc.). Use search engines to do additional research to understand the results.
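Steps 1, 3 and 4 above can be scripted so that the installer is checked before it is trusted and the collector run leaves a verifiable evidence file. The following is an added example, not code from the Redline user guide or the post; the installer path, the USB folder and the Sessions subfolder layout are assumptions to adjust for your environment.

```powershell
# Added example: verify the Redline installer, run the USB collector elevated,
# and locate and hash the resulting AnalysisSession.mans evidence file.
$Installer    = 'C:\Users\analyst\Downloads\Redline.msi'   # assumed download path
$CollectorDir = 'E:\RedlineCollector'                      # assumed USB collector folder

# Step 1: confirm the MSI carries a valid Authenticode signature before installing it.
$sig = Get-AuthenticodeSignature -FilePath $Installer
if ($sig.Status -ne 'Valid') {
    throw "Installer signature status is '$($sig.Status)'; do not install."
}
Write-Host "Installer signed by: $($sig.SignerCertificate.Subject)"
Write-Host "Installer SHA-256:   $((Get-FileHash -Path $Installer -Algorithm SHA256).Hash)"

# Step 3: the collector needs administrative rights; refuse to run otherwise.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an Administrator Windows PowerShell session.'
}

Set-Location -Path $CollectorDir
$start = Get-Date
& .\RunRedlineAudit.bat            # blocks until the audit script finishes
Write-Host ("Collector finished in {0:N0} minutes" -f ((Get-Date) - $start).TotalMinutes)

# Step 4: find the newest .mans session file the collector wrote (folder layout assumed).
$mans = Get-ChildItem -Path $CollectorDir -Recurse -Filter '*.mans' |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $mans) {
    throw 'No AnalysisSession.mans file found; check the collector output for errors.'
}
Write-Host ("Session file: {0} ({1:N0} MB)" -f $mans.FullName, ($mans.Length / 1MB))

# Hash the evidence file and write the hash beside it for chain-of-custody records.
$hash = Get-FileHash -Path $mans.FullName -Algorithm SHA256
"$($hash.Hash)  $($mans.Name)" | Out-File -FilePath "$($mans.FullName).sha256" -Encoding ascii
Write-Host "Evidence SHA-256: $($hash.Hash)"
```

Open the reported session file in Redline via “Open Previous Analysis” as described above; the .sha256 file lets you later confirm the evidence was not modified.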
Step 5: Triage
Redline allows for a simple but effective triage process that can help you identify indicators of compromise, attack vectors (i.e., how attackers enter your environment and move about), targeted and infected systems, and where and how your defenses failed. Armed with this information, you can prioritize your response based on the highest-value targets such as removing malware and restoring system(s) from backups and building a stronger defense by prioritized security control investments.
Cybersecurity Framework Control Mapping
As per the Framework for Improving Critical Infrastructure Cybersecurity, Version 1, Detect (DE) function: Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner and the potential impact of events is understood, including DE.AE-2: Detected events are analyzed to understand attack targets and methods (“Cybersecurity,” 2014).
Informative References include:
- ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8
- ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 3.9, SR 6.1, SR 6.2
- ISO/IEC 27001:2013 A.16.1.1, A.16.1.4
- NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, SI-4
About the Author
David Zwickl, MSci., CISSP, CEH, has spent over 20 years in information assurance and cybersecurity for companies such as RSA Security and Cisco Systems in various roles. Dave holds a Master’s degree in Information Assurance with a Cybersecurity Specialization from Regis University in Denver, Colorado. Regis University’s School of Computer & Information Sciences is designated a National Center of Excellence in Information Systems Security Education (CAE/IAE) by the National Security Agency (NSA) and the Department of Homeland Security (DHS). Dave is active in industry associations including ISSA, OWASP and CSA.
Cybersecurity Framework. (2014, February 12) [Web site]. Retrieved October 24, 2017 from https://www.nist.gov/cyberframework
Redline user guide, release 1.20. (2017). Retrieved November 7, 2017 from https://www.fireeye.com/