Redline

• Who created Redline?

FireEye

• What data collection method takes the least amount of time?

Standard Collector

• You are reading a research paper on a new strain of ransomware. You want to run the data collection on your computer based on the patterns provided, such as domains, hashes, IP addresses, filenames, etc. What method would you choose to run a granular data collection against the known indicators?

IOC Search Collector

• What script would you run to initiate the data collection process? Please include the file extension.  

RunRedlineAudit.bat

• If you want to collect the data on Disks and Volumes, under which option can you find it?  

Disk Enumeration

• What cache does Windows use to maintain a preference for recently executed code? 

prefetch

• Where in the Redline UI can you view information about the Logged in User?

System Information

• Provide the Operating System detected for the workstation.

Windows Server 2019 Standard 17763

• Provide the BIOS Version for the workstation.

AMAZON - 1

• What is the suspicious scheduled task that got created on the victim's computer? 

MSOfficeUpdateFa.ke

• Find the message that the intruder left for you in the task.

THM-p3R5IStENCe-m3Chani$m

• There is a new System Event ID created by an intruder with the source name "THM-Redline-User" and the Type "ERROR". Find the Event ID #.

546

• Provide the message for the Event ID.

Someone cracked my password. Now I need to rename my puppy-++-

• It looks like the intruder downloaded a file containing the flag for Question 8. Provide the full URL of the website.

https://wormhole.app/download-stream/gI9vQtChjyYAmZ8Ody0AuA

• Provide the full path to where the file was downloaded to including the filename.

C:\Program Files (x86)\Windows Mail\SomeMailFolder\flag.txt

• Provide the message the intruder left for you in the file.

THM{600D-C@7cH-My-FR1EnD}

• What is the actual filename of the Keylogger? 

psylog.exe

• What filename is the file masquerading as? 

THM1768.exe

• Who is the owner of the file? 

WIN-2DET5DP0NPT\charlies

• What is the file size in bytes? 

35400

• Provide the full path of where the .ioc file was placed after the Redline analysis, include the .ioc filename as well

C:\Users\charles\Desktop\Keylogger-IOCSearch\IOCs\keylogger.ioc

• Provide the path of the file that matched all the artifacts along with the filename.

C:\Users\Administrator\AppData\Local\Temp\8eJv8w2id6IqN85dfC.exe

• Provide the path where the file is located without including the filename.

C:\Users\Administrator\AppData\Local\Temp\

• Who is the owner of the file?

BUILTIN\Administrators

• Provide the subsystem for the file.

Windows_CUI

• Provide the Device Path where the file is located.

\Device\HarddiskVolume2

• Provide the hash (SHA-256) for the file.

57492D33B7C0755BB411B22D2DFDFDF088CBBFCD010E30DD8D425D5FE66ADFF4

• The attacker managed to masquerade the real filename. Can you find it having the hash in your arsenal? 

psexec.exe

• Can you identify the product name of the machine?

Windows 7 Home Basic

• Can you find the name of the note left on the Desktop for the "Charles"?

_R_E_A_D___T_H_I_S___AJYG1O_.txt

• Find the Windows Defender service; what is the name of its service DLL? 

MpSvc.dlll

• The user manually downloaded a zip file from the web. Can you find the filename? 

eb5489216d4361f9e3650e6a6332f7ee21b0bc9f3f3a4018c69733949be1d481.zip

• Provide the filename of the malicious executable that got dropped on the user's Desktop.

Endermanch@Cerber5.exe

• Provide the MD5 hash for the dropped malicious executable.

fe1bc60a95b2c2d77cd5d232296a7fa4

• What is the name of the ransomware? 

Cerber