
Lab: Hunting IOCs using Mandiant RedLine

Goals

- Learn how to automate IOC hunting using Mandiant RedLine


- Learn how to use IOC Editor to automate the hunt for IOCs supplied by
threat intelligence

Scenario

- You have been asked to hunt for a particular piece of malware, and your manager
has given you the IOC report. You need to determine whether any file in the
target folder you are about to hunt matches (hits on) the IOCs provided.

Requirements

- Windows VM (CDTH-Analyst)
- Mandiant RedLine
- Mandiant IOC Editor
- TARGETDIRECTORY Files

Questions

1. How many entries are there in the IOC reports?

2. What is the file name (including the extension) that has the MD5 hash of
ce5e1b1e7a22526c638eaf06fd3a7911?

3. What is the file path that contains the file with a size of 144557 bytes? (format:
TARGETDIRECTORY\<path>\<filename+extension>)

4. What is the hash value of the file "report2.txt"?

5. What is the file name (including extension) that has the MD5 hash of
7a1b4c5bb6b2de2952bd2eb725aa2020?

GUIDEM I.T. TRAINING CENTER HUNTING: IOCS USING REDLINE 1 | PAGE


1. Set Up the Lab Environment

- You can download the Mandiant RedLine and IOC Editor installers and the lab files
from this link:

- https://mega.nz/#P!AgA4tkOUhAPbPl-K8f6e7dXailS_dH0hsC4snU0jdlHBl8XdPsTnNkW695EFQUlUs4wvHxqfQsw_SUg4pbVWHmxkx0iKBO11xC6Nqww_sijfsgXAwuV6Uw

- sdl-ioc-editor.zip – Mandiant IOC Editor installer
- sdl-redline.zip – Mandiant RedLine installer
- TARGETDIRECTORY.zip – the files needed for this lab, plus the .ioc file

- Install RedLine and IOC Editor before proceeding with this lab. Make sure the
installed RedLine version is 1.20.2.
- Once finished, extract TARGETDIRECTORY.zip and locate the .ioc file inside the
folder:

f527691b-dd1f-4398-804f-5bc262baf456.ioc

- Open IOC Editor by typing "IOC" in the search bar and clicking Mandiant IOCe.



- After opening the application, browse to the extracted “TARGETDIRECTORY”
folder and click OK.



- You will notice one .ioc file entry here. It holds the IOCs that have been entered
for you, and we will use it to locate files in the target folder that produce
HITS.

- Assume these are the IOCs of the malware we are hunting. Rather than checking
each file by hand, we will automate the search by letting RedLine compare every
file in the target folder against the IOC above and report any matches.

2. Open Mandiant RedLine

- Let’s open Mandiant RedLine to start the hunt.



- Select "Create an IOC Search Collector" and enter the path of the extracted
"TARGETDIRECTORY" folder.

- Once the IOC file has been imported into RedLine and it asks where to export
your Collector, click "Edit your script" at the top. This lets you change a
number of settings before deployment.

- Navigate to the Disk tab and tick the "Show Advanced Parameters" checkbox in the
top right. This exposes the Path value used for file enumeration. Fill this field
in with the full path of the TARGETDIRECTORY folder you extracted in the previous
step. Restricting the path to the target folder keeps RedLine from spending a long
time scanning the entire file system.

- Refer to the screenshot below for the correct configuration.



- Once you set it up, hit OK.
- Save your collector to a new folder: create a folder called "RedLine" on the
Desktop, select it, and hit OK.



- After the set-up, the collector files will be in the "RedLine" folder on your
Desktop.
- Make sure you have all of the files shown in the screenshot below.

- Run "RunRedLineAudit.bat" from an elevated command prompt: open cmd.exe with
"Run as administrator", "cd" into the RedLine folder on the Desktop, and run the
"RunRedLineAudit.bat" file.



3. Analyze the .mans File

- After "RunRedLineAudit.bat" finishes (about a minute), it creates a new folder
called "Sessions".
- Go to that folder and find the .mans file. It is located at
"C:\Users\IEUser\Desktop\RedLine\Sessions\AnalysisSession1".

- Double-click "AnalysisSession1.mans" and it will open in RedLine.


- With the session open in RedLine, go to the bottom of the navigation pane and
click "IOC Reports".

- Click the generated IOC report named "Hunting IOCs using RedLine".
- Click "View hits" to expand the list of matching files.
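To make the mechanics of the hunt concrete, here is an added Python example that is not part of the lab and not RedLine's own code. It reproduces, in a simplified form, what the IOC Search Collector automates: it parses the FileItem indicator items from an OpenIOC 1.0 document (the XML format IOC Editor writes), computes the name, size and MD5 of every file under a target folder, records which items each file hits, and evaluates the indicator's AND/OR tree to decide whether the IOC as a whole fires. The IOC document, its GUID, the indicator values and the target files are all constructed here so the script runs offline; their names, sizes and hashes are not those of the lab's TARGETDIRECTORY, and the case-insensitive comparison is this example's choice, not a statement about how RedLine compares strings.

```python
"""Miniature OpenIOC hunt: parse a .ioc file, walk a target folder, report hits.

Added example (not the lab's code and not RedLine's). It shows what the IOC
Search Collector automates: read the FileItem items of an OpenIOC 1.0 document
(the format IOC Editor writes), compute name, size and MD5 for every file under
the target directory, record which items each file hits, then evaluate the
indicator's AND/OR tree. The IOC and the files below are constructed, not the lab's.
"""
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed OpenIOC 1.0 document; the GUID and every indicator value are made up.
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="00000000-0000-4000-8000-000000000001">
  <definition>
    <Indicator operator="OR" id="top">
      <IndicatorItem id="a" condition="is">
        <Context document="FileItem" search="FileItem/FileName" type="mir"/>
        <Content type="string">dropper.exe</Content>
      </IndicatorItem>
      <IndicatorItem id="b" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">5d41402abc4b2a76b9719d911017c592</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="both">
        <IndicatorItem id="c" condition="is">
          <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/>
          <Content type="int">9</Content>
        </IndicatorItem>
        <IndicatorItem id="d" condition="contains">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">.exe</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>"""


def load_items(root):
    """Return (id, condition, search term, value) for every IndicatorItem."""
    return [(i.get("id"), i.get("condition", "is"), i.find("ioc:Context", NS).get("search"),
             (i.find("ioc:Content", NS).text or "").strip())
            for i in root.iterfind(".//ioc:IndicatorItem", NS)]


def matches(condition, actual, expected):
    """Compare a file attribute with an indicator value, case-insensitively."""
    actual, expected = actual.lower(), expected.lower()
    if condition in ("is", "contains"):
        return actual == expected if condition == "is" else expected in actual
    raise ValueError("unsupported OpenIOC condition: " + condition)


def file_facts(path):
    """Collect the FileItem attributes this hunt knows how to evaluate."""
    with open(path, "rb") as fh:
        md5 = hashlib.md5(fh.read()).hexdigest()
    return {"FileItem/FileName": os.path.basename(path),
            "FileItem/SizeInBytes": str(os.path.getsize(path)), "FileItem/Md5sum": md5}


def evaluate(indicator, hit_ids):
    """Evaluate an <Indicator> AND/OR tree against the item ids one file hit."""
    results = [child.get("id") in hit_ids if child.tag.endswith("IndicatorItem")
               else evaluate(child, hit_ids) for child in indicator]
    return (all if indicator.get("operator") == "AND" else any)(results)


def hunt(ioc_xml, target_dir):
    """Walk target_dir; return one record per file that hits at least one item."""
    root = ET.fromstring(ioc_xml)
    items, top = load_items(root), root.find("ioc:definition/ioc:Indicator", NS)
    report = []
    for dirpath, _, names in os.walk(target_dir):
        for name in names:
            full = os.path.join(dirpath, name)
            facts = file_facts(full)
            hit_ids = {iid for iid, cond, term, value in items
                       if term in facts and matches(cond, facts[term], value)}
            if hit_ids:  # one row per hit file, like the list behind "View hits"
                report.append({"path": os.path.relpath(full, target_dir).replace(os.sep, "/"),
                               "md5": facts["FileItem/Md5sum"], "size": int(facts["FileItem/SizeInBytes"]),
                               "items": sorted(hit_ids), "ioc_match": evaluate(top, hit_ids)})
    return sorted(report, key=lambda r: r["path"])


def build_sample_target():
    """Create a throwaway target folder of constructed files; return its path."""
    base = tempfile.mkdtemp(prefix="TARGETDIRECTORY_")
    os.makedirs(os.path.join(base, "subdir"))
    samples = {"subdir/dropper.exe": b"123456789",  # hits a (name), c (9 bytes) and d (.exe)
               "beacon.bin": b"hello",              # hits b: MD5 of "hello"
               "notes.exe": b"abc",                 # hits d only, so the AND branch fails
               "readme.txt": b"nothing to see"}     # clean: no hits at all
    for rel, data in samples.items():
        with open(os.path.join(base, *rel.split("/")), "wb") as fh:
            fh.write(data)
    return base


if __name__ == "__main__":
    for rec in hunt(SAMPLE_IOC, build_sample_target()):
        print(rec["path"], rec["md5"], rec["size"], rec["items"], rec["ioc_match"])
```

Run it as-is and it prints one line per file that hit at least one indicator item, with the MD5 and size that the lab questions ask for. The "notes.exe" row shows why an item hit is not the same as an IOC match: it satisfies the "contains .exe" item but not the 9-byte size item, so the AND branch fails and the IOC as a whole does not fire for that file. To hunt a real folder, replace SAMPLE_IOC with the contents of the lab's .ioc file and pass the extracted TARGETDIRECTORY path to hunt().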



Answers:

1. How many entries are there in the IOC reports?

Answer: 7

2. What is the file name (including the extension) that has the MD5 hash of
ce5e1b1e7a22526c638eaf06fd3a7911?

Answer: k3yl0gg3rv2.exe

3. What is the file path that contains the file with a size of 144557 bytes? (format:
TARGETDIRECTORY\<path>\<filename+extension>)

Answer: TARGETDIRECTORY\WebDev work\unfinished webpages\to-do\young-golden-retriever-1404848-639x424.jpg

4. What is the hash value of the file "report2.txt"?

Answer: 1c9e7eff27eef69aa66dfdece8bab951

5. What is the file name (including extension) that has the MD5 hash of
7a1b4c5bb6b2de2952bd2eb725aa2020?

Answer: tue
