Time
4 hours 8 minutes
Difficulty
Intermediate
CEU/CPE
4

Video Description

This video continues the discussion of the Redline IOC tool introduced in the previous video. Dean goes over the Redline results along with the dashboard, web history data, discovered IOCs, user and OS enumeration, and many other features of this powerful, free tool.

Video Transcription

00:04
Okay, so Redline has finished running the analysis on my local machine.
00:09
And I'll make this full screen so we can see a little bit better.
00:15
A lot of good information here. For instance,
00:18
at the home screen, the home icon here,
00:22
we get the
00:24
the dashboard, which is essentially showing
00:27
These are all the areas where you can launch your investigation. I've got information about my system,
00:33
It's got its domain, its name, its IP address.
00:37
And depending on which of the tools you're using, like IOC checks
00:42
or the memory analyzer, for instance, you can
00:46
go further into looking at this data. For instance, I can click Investigate for my system information, and it basically starts taking me down these side areas here:
00:59
reviewing a live response or memory image
01:02
web history data,
01:03
looking at IOCs that might have been discovered. So you can go further with that.
01:10
I'm gonna go ahead and click these so we can just review the information that's provided:
01:15
a lot of good data about the OS, users, even BIOS settings,
01:19
a little bit about network adapters.
01:25
I've got a bunch of virtual network adapters because I work with VMs.
01:29
I can see my services,
01:33
any persistence-related programs that have registry entries, as you can see here.
01:38
that could be important because often malware will
01:42
try to install itself in such a way that it starts up every time the system is booted
01:48
and I've got user information.
01:52
My event logs
01:57
a bit of information about DNS,
02:00
showing whatever sites I visited recently.
02:06
different
02:07
records,
02:08
A records, pointer records,
02:10
and so on,
02:13
even routing information.
02:15
And this is all good to look at because
02:19
there could be anomalies here. You know that
02:22
sometimes malware will try to change the default route for man-in-the-middle attack purposes, for instance.
02:28
But I could look at my disks,
02:30
looking at internal drives, even partitions,
02:34
I think showing up there
02:38
on different volumes, URL history,
02:43
cookie history,
02:46
form history.
02:47
And I didn't even select all of the different
02:51
options for gathering information. So
02:53
still quite a bit of data to look at
02:55
Timeline: I can look at all this information in different timelines
03:00
and other,
03:01
obviously, ways to drill down and work through detail. It's gonna take a moment for this to load the items we can see here.
03:13
You get the idea
03:16
quite a bit.
03:17
And I can also go to my IOC reports tab.
03:24
That might take a moment 'cause it's still trying to load items.
03:28
Once that finishes, you could look to see if any were discovered.
03:31
And, uh, there we go.
03:35
So no reports are available. I could run a report.
03:38
I can create a new IOC report,
03:39
but you can see it found a lot of things that could be interesting. I've got registry modifications,
03:46
files that were modified, files created.
03:51
Many of these things might be completely innocent,
03:53
but you won't know until you dig a little deeper and do some analysis.
04:00
All right, so that's a nice little overview of the Redline tool.
04:04
See you in the next section.
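The persistence registry entries and the default-route anomalies Dean points out above are things Redline collects for you. The PowerShell script below is an added example, not part of the video or of Redline, that pulls the same raw data straight from a live Windows host with built-in cmdlets so it can be baselined and diffed between runs. The regex of "user-writable" paths used to flag autoruns and the snapshot file location are assumptions chosen for illustration; adjust both to your environment.

```powershell
# Added example (not from the video or Redline): dump the autorun registry
# entries, auto-start services, scheduled tasks and default routes that
# Redline shows under "Persistence" and "Routing", so they can be diffed
# against a known-good baseline. Run in an elevated PowerShell session on
# the host under investigation.

# Autorun locations that malware commonly writes to.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

$autoruns = foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        # Skip the PS* metadata properties Get-ItemProperty adds to every object.
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -notlike 'PS*') {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

# Flag autorun commands launched from user-writable locations, a common sign
# of unwanted persistence. Assumption: this regex is a starting point, not a
# definitive list; tune it to your baseline.
$suspiciousPaths = 'AppData|\\Temp\\|ProgramData|\\Users\\Public'
$flagged = $autoruns | Where-Object { $_.Command -match $suspiciousPaths }

# Services set to start automatically, with the binary they launch.
$autoServices = Get-CimInstance Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' } |
    Select-Object Name, State, PathName

# Enabled scheduled tasks, with the action each one runs.
$tasks = Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } |
    ForEach-Object {
        [pscustomobject]@{
            TaskName = $_.TaskName
            Path     = $_.TaskPath
            Action   = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        }
    }

# Default routes (0.0.0.0/0). More than one, or an unexpected NextHop,
# needs explaining: the video notes malware may redirect the default route
# for man-in-the-middle purposes.
$defaultRoutes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Select-Object InterfaceAlias, NextHop, RouteMetric

"== Autorun entries =="
$autoruns | Format-Table -AutoSize
"== Autorun entries launched from user-writable paths =="
$flagged | Format-Table -AutoSize
"== Auto-start services =="
$autoServices | Format-Table -AutoSize
"== Enabled scheduled tasks =="
$tasks | Format-Table -AutoSize
"== Default routes =="
$defaultRoutes | Format-Table -AutoSize

# Persist a snapshot so a later run can be compared with Compare-Object.
# Assumption: the output path is illustrative; store baselines somewhere
# an attacker on the host cannot tamper with.
$snapshot = @{ Autoruns = $autoruns; Services = $autoServices; Tasks = $tasks; Routes = $defaultRoutes }
$snapshot | ConvertTo-Json -Depth 4 | Set-Content -Path "$env:TEMP\persistence-snapshot.json"
```

Take the snapshot on a clean build of the same image first; the interesting output on a suspect host is then whatever shows up in a Compare-Object of the two JSON files rather than the full listing, which, as Dean says, will mostly be innocent until you dig deeper.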

Up Next

Intro to Cyber Threat Intelligence

The CTI course consists of 12 information-packed modules. CTI is a critical function within any organization that involves roles like analysts, methodologies, tools, teams, and policies. From threat analysis to the Cyber Kill Chain, learn it here.

Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor