Recently, Mandiant® released a new version of Redline™.
If you are not familiar with Redline, it is a great tool for
investigating a specific Windows host in depth. We will have a more
thorough look into Redline in the next month or so. What I wanted to
touch on today is one of Redline's brand new features: you can now
use Indicators of Compromise (IOCs) to drive your Redline
If you are not familiar with IOCs, I urge to
you take a moment and head over to http://OpenIOC.org and have a look
around. IOCs are the best way for finding indications of compromise
and/or intrusion throughout your enterprise. IOCs are one of the
main technologies that power Mandiant Intelligent Response,
Mandiant's flagship IR appliance, and have previously been
accessible in free products with IOC
Editor & IOC
Finder. Some blog entries that might help bring you up to speed
are Ryan Kazanciyan's recent post on using Redline for investigation
and to create an IOC, and Carrie Jung's post on investigations into
the Duqu worm, including looking at Duqu with Redline and
creating an IOC
to help you find Duqu.
Previously, if you wanted to
look for an IOC, you would create an IOC using IOC
Editor, and then collect data from a host using IOC Finder. As
an additional step, you would run a match against that data and
generate a report using IOC Finder in a different configuration.
With the latest release of Redline you will still start making your
IOC in the Editor, but you can collect the data from a host and
match against it in a much simpler manner.
When you first
fire up the latest version of Redline with IOC support (Version 1.5)
you will see options that look very similar to previous
For the sake of simplicity, we will analyze the machine that
Redline is running on. In most instances, if you are using Redline
to look at any real cases, you will NOT want to analyze the machine
that Redline is running on. You will want to dedicate a workstation
to running Redline analysis, and then you will want to collect data
from suspect machines through a method such as creating a portable
agent from Redline (which is discussed in the Redline
User Guide). By doing this you do not have to install Redline
on every machine you want to investigate, and thus are not
potentially contaminating machines that you need to do real
Clicking on the link that says "By
Analyzing this Computer" will open a new window in Redline
entitled "Start your Analysis Session." Another nice
feature of Redline is that you can do more than one thing at a time
-- a useful feature once you have some investigation data saved. In
this new window, you can choose to add IOCs to your investigation.
You can still use Redline the old fashioned way by clicking
"Next" and bypassing this screen, but what fun would that
be? Instead we are going to select the check box that says
"Indicators of Compromise Location:"
and then "Browse" to the folder that you are keeping
your IOCs in. Assuming that you select a folder that has valid IOCs
in it, you should quickly see a listing of the IOCs you populated
Following the prompt "Choose an Indicator from the list on
the left to see full details," if you click on one of the
Indicator Names, you will see information about that Indicator. If
you want to use only one Indicator, or a specific subset of the
Indicators in your IOC directory, click the check box at the top
next to Name, and then select the specific Indicator(s) that you
want to use by checking just those checkboxes:
So, what if you are new to this? What if you do not have any IOCs
on hand? Well, as a shortcut, you can go to http://openioc.org/ and grab a few
sample ones that we have available. Ideally, you will eventually
build your own IOCs from the investigation data that you discover,
but these samples will help you get started for learning purposes.
Windows is a great test IOC, as it requires no malware on your
system - it is an IOC designed to find various components of Windows
that are common across several different versions of the operating
system. Grab one IOC, or grab them all, put them in a directory you
can write to, and you will be ready to investigate.
keep moving along towards conducting an investigation. In the lower
right hand corner of Redline, we are going to click the
"Next" button, which will take us to a page that says
"Configure your Script." You will note that the
"Custom" radio button is currently selected. Please do not
touch any of the buttons or checks on this page until you read a
little further down.
So, what is going on here? The way the Mandiant investigative
workflow functions is around the idea of gathering data from a host
and then analyzing it. With IOC Finder running in the default
configuration, you would gather ALL the possible information from a
host -- a process that could take hours depending on the type of
computer and how much you were gathering. While desirable for real,
in- depth investigations, it may be a bit frustrating if you are
trying to learn how to use the tools or just try things out. We
revealed that it is possible to script IOC Finder to limit the
amount of data that is being collected, but you still had to know
what types of audits you wanted to complete on the host, write the
script to limit those audits, and then make sure that everything
still ran correctly. That is a lot more than most folks want to
worry about when they are trying to conduct a quick
With Redline, this process has gotten a lot
easier. Redline looks at the IOCs that you have selected, and
determines the audits that have to be run to gather the data that
you need to match those IOCs. Thus, assuming you do not change
anything on the "Configure your Script" screen, Redline
builds the appropriate script to gather the information for the
audits that you need. Redline still always gathers enough
information to do a full memory audit - but now IOC audit
information required to match IOCs is added to that, including items
like disk and registry audits.
If you want to customize the
audits being done, you can do so on this screen. If you deselect
options that are needed for your IOCs, you will get a warning
letting you know that what you deselected is in fact needed for your
IOCs to match properly.
This warning is down at the bottom of the screen near the
"Previous" & "OK" buttons. If you click on
the link to "fix," Redline will restore the audit choices
to the state they were in when you first arrived at this screen,
displaying the "Custom Audit" based on your IOCs.
If you are using Redline for IOC-driven investigation, you can
just move on to the next step and have all the information you need
for your current IOCs included in the script that will run and
collect information without having to do any additional work. Click
the "OK" button to run the collection script with the
options that Redline has selected for you.
You will see the
script fire up, and you should (unless you have disabled UAC) be
asked to allow the script to run with elevated privileges:
Once you give permission to the script, it will continue to run.
If you do not give permissions, it will usually error out (since the
script Redline generates cannot write its results or conduct most of
the audits without being granted elevated privileges).
can watch it run, but likely you will want to go do something else
and come back a bit later, since for any decent sized collection of
IOCs it is going to take a while, unless you are doing a very small
IOC or very simple IOCs. For the sample IOCs on http://openioc.org/ it took around
two hours on a Windows 7 VM with 2 Gigs of RAM allocated. Faster
machines with more resources are going to usually run faster, with
Disk I/O being the main bottleneck, along with Processor. RAM is
less of an issue. If you want to have things run faster, you can
also try using the Portable Agent version of Redline. We will cover
that more next week in an upcoming post on Redline Pro Tips.
Once you have the items you need, you can look through the
results of the audit data gathered as you would a normal Redline
analysis -- but you will notice another task running - "Redline
is Creating an IOC Report," matching the audit data against
IOCs just like IOC Finder would have -- but with no need to run any
Once the IOC report is done, you will see it in the "IOC
Reports Tab" of the Redline results.
Click on the IOC Report that you just ran (by date/time) to see
any matches that were turned up from those IOCs. In this case, there
was a hit on the "Find Windows" IOC. Click on the
"Find Windows" title to expand the findings.
The IOC matches are displayed in a format that will look very
familiar, if you have ever used IOC Finder in reporting mode. You
can click on the "i" icon by any matches indicated in the
results for details that show much more in depth information on what
matched and why.
You will see the IOC that matched listed in the Definition
section of the details, and you will see the particular piece of the
IOC that hit highlighted in yellow. Clicking the Details tab again
will hide this window.
Using IOCs with Redline in investigative workflows:
If you are currently using Redline to do host-based
investigations, and you have already amassed a large amount of data
for hosts that you test against, or you want to gather all the data
you can from hosts so you can have it for future reference instead
of having to go back to the host again should you expand the scope
of your investigation, and still want to use the new IOC feature,
fear not! The new version of Redline allows this as well.
you have standard audit sets that you capture, or if you capture all
of the audit data on hosts as a matter of course, you can add IOCs
in after the fact. However, be aware that if you do not have the
audit data for a given element of an IOC, obviously the IOC will not
be able to match (at least for that element).
Load the audit
data as you normally would in Redline depending on the audit type,
and then in the "IOC Reports Tab," look for a button at
the bottom that says "Create a New IOC Report."
Clicking on this will open up a new "Start your Analysis
Session" window, which you can then select the directory that
houses your IOCs and generate a report on that set of IOCs.
We've looked at the new feature in Redline 1.5
that allows you to use it to create audits and match IOCs against
that audit data. This is only scratching the surface of what you can
do with either Redline or with IOCs. Next week, we'll have another
blog post with some "Pro Tips" on using Redline 1.5
(including discussing Portable Agents), and there will be an
upcoming webinar that focuses on Redline more in depth in May.
For more information on IOCs and OpenIOC, you can visit the OpenIOC.org website. Will Gibb and I
will also be doing a webinar, Fresh Prints of
Mal-ware: IOCing Red, on Thursday, April 19 on IOCs and
Redline where we will discuss writing a real world IOC from an
investigation. We hope you can tune in!