Redline
This is a Try Hack Me premium room so to access it you will need a subscription, if you don't have one go get one with my Referral Link
Task 1 - Introduction
Question 1
Who created Redline?
Answer
FireEye
Task 2 - Data Collection
Question 1
What data collection method takes the least amount of time?
Answer
standard collector
Question 2
You are reading a research paper on a new strain of ransomware. You want to run the data collection on your computer based on the patterns provided, such as domains, hashes, IP addresses, filenames, etc. What method would you choose to run a granular data collection against the known indicators?
Answer
IOC Search collector
Question 3
What script would you run to initiate the data collection process? Please include the file extension.
Answer
runredlineaudit.bat
Question 4
If you want to collect the data on Disks and Volumes, under which option can you find it?
Answer
disk enumeration
Question 5
What cache does Windows use to maintain a preference for recently executed code?
Notes
In the Redline User Guide Cache is mentioned 13 times, there is a section dedicated to the cache which answers this question.
Answer
prefetch
Task 3 - The Redline Interface
Question 1
Where in the Redline UI can you view information about the Logged in User?
Answer
System Information
Task 4 - Standard Collector Analysis
Question 1
Provide the Operating System detected for the workstation.
Notes
There is a bug in this room which is discussed in the forum, the System Information in Redline shows the OS to be Windows 7 Home Basic Service Pack 1, but that is not the answer.
Read the instructions carefully, if you analyse the wrong file you will get the wrong answer!
Be sure you did the previous task to setup the standard collector, ran the analysis and you have opened that file to get the answers.
I added my reply in the forum.
Answer
Windows Server 2019 Standard 17763
Question 2
Be sure to check the rest of the System Information section for other useful data.
Question 3
What is the suspicious scheduled task that got created on the victim's computer?
Answer
MSOfficeUpdateFa.ke
Question 4
Find the message that the intruder left for you in the task.
Answer
THM-p3R5IStENCe-m3Chani$m
Question 5
There is a new System Event ID created by an intruder with the source name "THM-Redline-User" and the Type "ERROR". Find the Event ID #.
Answer
546
Question 6
Provide the message for the Event ID.
Answer
Someone cracked my password. Now I need to rename my puppy-++-
Question 7
It looks like the intruder downloaded a file containing the flag for Question 8. Provide the full URL of the website.
Answer
Question 8
Provide the full path to where the file was downloaded to including the filename.
Answer
C:\Program Files (x86)\Windows Mail\SomeMailFolder\flag.txt
Question 9
Provide the message the intruder left for you in the file.
Answer
THM{600D-C@7cH-My-FR1EnD}
Task 5 - IOC Search Collector
Question 1
What is the actual filename of the Keylogger?
Answer
psylog.exe
Question 2
What filename is the file masquerading as?
Answer
thm1768.exe
Question 3
Who is the owner of the file?
Answer
WIN-2DET5DP0NPT\charles
Question 4
What is the file size in bytes?
Answer
35400
Question 5
Provide the full path of where the .ioc file was placed after the Redline analysis, include the .ioc filename as well
Answer
C:\Users\charles\Desktop\Keylogger-IOCSearch\IOCs\keylogger.ioc