“I guess we’ll just re-image the box then” is the phrase I often used early in my IT career. That was standing operating procedure for a compromised machine. We would receive a SOC alert. We would go kick the user off the box and have it re-imaged. That is until I found Mandiant’s (Now Fireye’s) Redline tool.
What is Redline?
It’s a free tool that allows me to do an investigation on potentially compromised boxes. With the tool, I started getting a better understanding of why compromises occurred. That information allowed us to make better decisions about defenses in place. It also allowed us to provide valuable feedback to the Security Operations Center (SOC).
The tool has several features that can be useful for analysis. This article will focus on the timeline feature. The timeline collects all the log sources from the computer and puts it all in one location for analysis. This is useful for investigating incidents where an incidents specific time frame is available.
The tool also features a Malware Risk Index (MRI) score and Indicators of Compromise (IOCs). MRI is for analyzing processes and IOCs for artifact defining. Refer to the user guide for more information on using these.
Before we get to Redline, I would like to mention a few alternatives. Volatility is a tool that I hear a lot of infosec people raving about. It’s a memory forensics and analysis tool and from the sound of it does a lot of the same things Redline does. I have never used the tool, but I see plenty of professionals talking about it.
There’s also the SANS Investigative Forensics Toolkit (SIFT). Which is a VMware workstation loaded with forensics tools. It’s been awhile since I’ve used the tool. From what I remember this tool requires a little more advanced knowledge of forensics. Still, it’s another free option to perform forensics analysis on potentially compromised computers.*
*As you may have noticed by now I keep using the word “potentially” compromised computers. That’s because one of things I discovered using Redline is that false positives happen.
How to use Redline
Download and install Redline. I would also recommend downloading the user guide as well. The user guide is how I got started using the tool. It will explain the ins and the outs in much more depth than I intend to here. In fact, I recommend stopping here and just using the user guide.
Still with me? Let us proceed.
Launch Redline and, click on the “Create a Comprehensive Collector” link. This will create the collection package. Check the box for “Acquire Memory Image.” A lot of malicious activities happen in memory. Collecting what’s in memory is vital.* Next, decide where the collection package will reside on the computer. Click OK to create the package.
*When responding to an incident, disconnect the computer from the network or contain it in a separate VLAN. Avoid rebooting or shutting down. A reboot or shutdown will wipe whatever is in memory.
When a compromised computer is discovered, get the collection package on the computer. There are a few options for getting the package on a computer. Packages can be pre-deployed to all boxes in the organization. USB is another option. The organization’s environment will determine the best method for accomplishing this.
To run the package, execute the “RunRedlineAudit” batch file in the collection package. A command prompt (black box) will pop-up and begin run a script to collect all the events on the computer. The collection can take several hours depending on how much is on the computer, it’s processing power, how much memory it has, etc.
Once the script completes, open it in Redline. On Redline’s main page, click the link for “Open Previous Analysis” under Analyze Data. Go to Sessions -> AnalysisSession and select the .mans file. Click Open. Redline will now load the session. This part of the process can take some time as well.
After the session opens, click on the option to investigate based on an external source. There are other options for starting an investigation. Refer to the user guide for explanations on these. A Timeline will appear with all events from registry changes, browsing history, event logs. A Timeline Configuration pane is available for refining the timeline. Computers create a ton of events, so it can take some time to load everything. Which is why it's a good idea to define a time period. Go to the Time Wrinkle tab and set a number of minutes before and after a certain time period. If the information available on the incident is vague, a wider time period may be needed. For more accurate time a smaller time period can be used.
For the most part, when I received a SOC alert the information I received was exact down to the second. I would use only two minutes before and after a specific time. When I didn’t have an exact time, I would go as high as 15 mins before and after. One thing to note is that the time on events is in GMT time. A conversion to GMT is needed to match the time from the incident to the computer (+4 or +5 hours).
Now go through the timeline and look for anything associated with the incident. Use Google to research any suspicious events. One incident I responded to, several users had clicked a phishing email. A block box had popped up on their machine and then went away. We ran Redline on the machines and found that an .exe had been dropped in the Windows temp folder. In other instances I would see the anti-virus or EMET step in and block the attack. Look for anything suspicious. If unsure Google it.
That's pretty much it. The process I use is very simple. It gets me the answers within a relatively quick time period and helped me make better decisions. Doing the analysis above I was able to determine when our defenses failed. I also discovered that we were being sent false positives and that the machines were perfectly fine. In those instances we could put the computers back in service with a high level of confidence. The benefits of doing that is that people aren't without machines for longer than needed. It also helped reduce workload in the IT department by reducing the number of computers that needed to be re-imaged.
The tool and its alternatives are much deeper and offer valuable information for decision making.
With Fireye’s Redline, security teams can make better decisions about potentially compromised computers. It’s a free tool, so it should fit nicely in the budget (no procurement process). It’s also an easy tool to pickup and just start using. There’s some good documentation and I know of at least one YouTube video available.
Of course, there are plenty of other reputable options. Volatility being the one that I see most people talking about. Whatever tool, taking the time to do some analysis on potentially compromised boxes is important. That information will provide a better picture of what’s happening in an environment. How to adjust defenses and identify false positives and just make better decisions overall.