Investigating Indicators of Compromise In Your Environment With Latest Version of Redline

Recently, Mandiant® released a new version of Redline. If you are not familiar with Redline, it is a great tool for investigating a specific Windows host in depth. We will have a more thorough look into Redline in the next month or so. What I wanted to touch on today is one of Redline's brand new features: you can now use Indicators of Compromise (IOCs) to drive your Redline investigations.

If you are not familiar with IOCs, I urge to you take a moment and head over to http://OpenIOC.org and have a look around. IOCs are the best way for finding indications of compromise and/or intrusion throughout your enterprise. IOCs are one of the main technologies that power Mandiant Intelligent Response, Mandiant's flagship IR appliance, and have previously been accessible in free products with IOC Editor & IOC Finder. Some blog entries that might help bring you up to speed are Ryan Kazanciyan's recent post on using Redline for investigation and to create an IOC, and Carrie Jung's post on investigations into the Duqu worm, including looking at Duqu with Redline and creating an IOC to help you find Duqu.

Previously, if you wanted to look for an IOC, you would create an IOC using IOC Editor, and then collect data from a host using IOC Finder. As an additional step, you would run a match against that data and generate a report using IOC Finder in a different configuration. With the latest release of Redline you will still start making your IOC in the Editor, but you can collect the data from a host and match against it in a much simpler manner.

When you first fire up the latest version of Redline with IOC support (Version 1.5) you will see options that look very similar to previous versions:

For the sake of simplicity, we will analyze the machine that Redline is running on. In most instances, if you are using Redline to look at any real cases, you will NOT want to analyze the machine that Redline is running on. You will want to dedicate a workstation to running Redline analysis, and then you will want to collect data from suspect machines through a method such as creating a portable agent from Redline (which is discussed in the Redline User Guide). By doing this you do not have to install Redline on every machine you want to investigate, and thus are not potentially contaminating machines that you need to do real investigations on.

Clicking on the link that says "By Analyzing this Computer" will open a new window in Redline entitled "Start your Analysis Session." Another nice feature of Redline is that you can do more than one thing at a time -- a useful feature once you have some investigation data saved. In this new window, you can choose to add IOCs to your investigation. You can still use Redline the old fashioned way by clicking "Next" and bypassing this screen, but what fun would that be? Instead we are going to select the check box that says "Indicators of Compromise Location:"

and then "Browse" to the folder that you are keeping your IOCs in. Assuming that you select a folder that has valid IOCs in it, you should quickly see a listing of the IOCs you populated Redline with.

Following the prompt "Choose an Indicator from the list on the left to see full details," if you click on one of the Indicator Names, you will see information about that Indicator. If you want to use only one Indicator, or a specific subset of the Indicators in your IOC directory, click the check box at the top next to Name, and then select the specific Indicator(s) that you want to use by checking just those checkboxes:

So, what if you are new to this? What if you do not have any IOCs on hand? Well, as a shortcut, you can go to http://openioc.org/ and grab a few sample ones that we have available. Ideally, you will eventually build your own IOCs from the investigation data that you discover, but these samples will help you get started for learning purposes. Find Windows is a great test IOC, as it requires no malware on your system - it is an IOC designed to find various components of Windows that are common across several different versions of the operating system. Grab one IOC, or grab them all, put them in a directory you can write to, and you will be ready to investigate.

Let us keep moving along towards conducting an investigation. In the lower right hand corner of Redline, we are going to click the "Next" button, which will take us to a page that says "Configure your Script." You will note that the "Custom" radio button is currently selected. Please do not touch any of the buttons or checks on this page until you read a little further down.

So, what is going on here? The way the Mandiant investigative workflow functions is around the idea of gathering data from a host and then analyzing it. With IOC Finder running in the default configuration, you would gather ALL the possible information from a host -- a process that could take hours depending on the type of computer and how much you were gathering. While desirable for real, in- depth investigations, it may be a bit frustrating if you are trying to learn how to use the tools or just try things out. We revealed that it is possible to script IOC Finder to limit the amount of data that is being collected, but you still had to know what types of audits you wanted to complete on the host, write the script to limit those audits, and then make sure that everything still ran correctly. That is a lot more than most folks want to worry about when they are trying to conduct a quick investigation.

With Redline, this process has gotten a lot easier. Redline looks at the IOCs that you have selected, and determines the audits that have to be run to gather the data that you need to match those IOCs. Thus, assuming you do not change anything on the "Configure your Script" screen, Redline builds the appropriate script to gather the information for the audits that you need. Redline still always gathers enough information to do a full memory audit - but now IOC audit information required to match IOCs is added to that, including items like disk and registry audits.

If you want to customize the audits being done, you can do so on this screen. If you deselect options that are needed for your IOCs, you will get a warning letting you know that what you deselected is in fact needed for your IOCs to match properly.

This warning is down at the bottom of the screen near the "Previous" & "OK" buttons. If you click on the link to "fix," Redline will restore the audit choices to the state they were in when you first arrived at this screen, displaying the "Custom Audit" based on your IOCs.

If you are using Redline for IOC-driven investigation, you can just move on to the next step and have all the information you need for your current IOCs included in the script that will run and collect information without having to do any additional work. Click the "OK" button to run the collection script with the options that Redline has selected for you.

You will see the script fire up, and you should (unless you have disabled UAC) be asked to allow the script to run with elevated privileges:

Once you give permission to the script, it will continue to run. If you do not give permissions, it will usually error out (since the script Redline generates cannot write its results or conduct most of the audits without being granted elevated privileges).

You can watch it run, but likely you will want to go do something else and come back a bit later, since for any decent sized collection of IOCs it is going to take a while, unless you are doing a very small IOC or very simple IOCs. For the sample IOCs on http://openioc.org/ it took around two hours on a Windows 7 VM with 2 Gigs of RAM allocated. Faster machines with more resources are going to usually run faster, with Disk I/O being the main bottleneck, along with Processor. RAM is less of an issue. If you want to have things run faster, you can also try using the Portable Agent version of Redline. We will cover that more next week in an upcoming post on Redline Pro Tips.

Once you have the items you need, you can look through the results of the audit data gathered as you would a normal Redline analysis -- but you will notice another task running - "Redline is Creating an IOC Report," matching the audit data against IOCs just like IOC Finder would have -- but with no need to run any additional tools!

Once the IOC report is done, you will see it in the "IOC Reports Tab" of the Redline results.

Click on the IOC Report that you just ran (by date/time) to see any matches that were turned up from those IOCs. In this case, there was a hit on the "Find Windows" IOC. Click on the "Find Windows" title to expand the findings.

The IOC matches are displayed in a format that will look very familiar, if you have ever used IOC Finder in reporting mode. You can click on the "i" icon by any matches indicated in the results for details that show much more in depth information on what matched and why.

You will see the IOC that matched listed in the Definition section of the details, and you will see the particular piece of the IOC that hit highlighted in yellow. Clicking the Details tab again will hide this window.

 

Using IOCs with Redline in investigative workflows:

If you are currently using Redline to do host-based investigations, and you have already amassed a large amount of data for hosts that you test against, or you want to gather all the data you can from hosts so you can have it for future reference instead of having to go back to the host again should you expand the scope of your investigation, and still want to use the new IOC feature, fear not! The new version of Redline allows this as well.

If you have standard audit sets that you capture, or if you capture all of the audit data on hosts as a matter of course, you can add IOCs in after the fact. However, be aware that if you do not have the audit data for a given element of an IOC, obviously the IOC will not be able to match (at least for that element).

Load the audit data as you normally would in Redline depending on the audit type, and then in the "IOC Reports Tab," look for a button at the bottom that says "Create a New IOC Report."

Clicking on this will open up a new "Start your Analysis Session" window, which you can then select the directory that houses your IOCs and generate a report on that set of IOCs.

Conclusion

We've looked at the new feature in Redline 1.5 that allows you to use it to create audits and match IOCs against that audit data. This is only scratching the surface of what you can do with either Redline or with IOCs. Next week, we'll have another blog post with some "Pro Tips" on using Redline 1.5 (including discussing Portable Agents), and there will be an upcoming webinar that focuses on Redline more in depth in May.

For more information on IOCs and OpenIOC, you can visit the OpenIOC.org website. Will Gibb and I will also be doing a webinar, Fresh Prints of Mal-ware: IOCing Red, on Thursday, April 19 on IOCs and Redline where we will discuss writing a real world IOC from an investigation. We hope you can tune in!