Enhance Your Cyber Defenses: A Step-by-Step Guide with Redline and Mandiant IOC Editor
If you’re looking to boost your cybersecurity game, you’ve likely heard of Redline and Mandiant. These tools are essential for hunting down Indicators of Compromise (IOCs) on your system. Here’s a step-by-step guide to get you started on your hunt.
1. Download and Install Mandiant IOC Editor
- Action: First things first, head over to the Mandiant website and download the Mandiant IOC Editor. Once downloaded, follow the installation instructions.
- Purpose: This tool will allow you to create and manage Indicators of Compromise (IOCs) which are the blueprints for identifying potential threats.
2. Create an IOC File
- Action: Open the Mandiant IOC Editor and create an IOC file that contains the indicators of the files or compromises you want to search for.
- Example: This could include file hashes, specific registry entries, or network indicators.
- Refer to the provided figure to ensure your IOC file is correctly set up.
- Purpose: The IOC file acts as a blueprint for Redline to identify potential threats on your system.
3. Open Redline and Create an IOC Search Collector
Before continuing further, let’s review the three options for collecting data with Redline:
Standard Collector: This method configures the script to gather a minimal amount of data for analysis. It’s our preferred method for data collection in this scenario due to its efficiency. Typically, it only takes a few minutes to complete, making it the quickest option.
Comprehensive Collector: This approach configures the script to collect the most extensive data from your host for in-depth analysis. It can take an hour or more to complete. Choose this method if you need a thorough examination of the system.
IOC Search Collector (Windows only): This method gathers data that matches the Indicators of Compromise (IOCs) you’ve created using the IOC Editor. Opt for this method when you need to collect data based on known IOCs obtained through threat intelligence, incident response, or malware analysis. You’ll import these IOCs into the IOC Editor. This is the option that we are going to look further into.
Consider a scenario where you are assigned a threat hunting task at your company, and it is believed that the intrusion was carried out using a pass-the-hash attack for lateral movement.
In this case you need to use the IOC Editor and the IOC Search Collector to find the files planted on the victim’s computer.
- Action: Launch the Redline tool. On the main screen, select “Create an IOC Search Collector.”
- Purpose: This step prepares Redline to use the IOC file for scanning your system.
4. Locate and Select the IOC File
- Action: Navigate to the folder where you saved the IOC file created with the Mandiant software. Select the appropriate IOC file.
- Purpose: Redline needs to know which IOC file to use for the search.
5. Edit Scripts and Specify Search Locations
- Action: Click on “Edit your script” within Redline.
- File Enumeration: Under the “disk” section, ensure the correct options are selected for file enumeration.
- Set Search and Result Locations: Specify the location on your system where you want Redline to search for the compromise. Additionally, create a new folder for storing the search results. For example, create a folder named “Redline Test”.
- Purpose: Configuring these options tells Redline where to look for potential threats and where to save the results.
6. Run the IOC Search
- Action: Open the Command Prompt (CMD) as an administrator. This is necessary for Redline to access all required system locations without permission issues.
- Command: Type CMD in the Windows search bar, right-click on it, and select “Run as administrator.”
- Navigate to Directory: Use the cd command to navigate to the directory where you saved the collector files. For example:
cd "C:\Users\xyz\Desktop\Redline Test"
- Run Audit Script: Execute the following command to start the Redline audit:
.\RunRedlineAudit.bat
- Purpose: This command initiates the audit process, where Redline will search for the specified indicators of compromise.
7. Analyze the Results
- Action: Once the audit is complete, open Redline again.
- Open Previous Analysis: Click on “Open Previous Analysis.”
- Select Analysis Session: Choose the AnalysisSession1.mans file located in the directory.
- Purpose: This step loads the audit results into Redline for further analysis.
8. View the IOC Report
- Once your analysis is ready, you will get a report like the one shown in the image:
- Action: In Redline, navigate to the bottom left corner and click on the “IOC Reports” tab.
- View Hits: Click on “View Hits +” to see the detailed results of the IOC search.
- Purpose: The report will display all identified threats based on your IOC file, including file paths, sizes, MD5 hashes, user information, and relevant file dates.
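As an added example (not part of the original guide or of Mandiant's tools), the following Python script builds a minimal OpenIOC 1.0 file of the kind the IOC Editor writes for the pass-the-hash hunt above, parses it back, and applies its terms to a collected file or registry record the way an IOC search does. The indicator values are constructed placeholders, and the term names (FileItem/Md5sum, FileItem/FileName, RegistryItem/Path) are OpenIOC 1.0 field names assumed here; check them against the IOC Editor's term list before use.

```python
"""Build, parse and evaluate a minimal OpenIOC 1.0 file (added example, not from the guide)."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = "http://schemas.mandiant.com/2010/ioc"   # OpenIOC 1.0 namespace used by IOC Editor
ET.register_namespace("", NS)                 # emit it as the default namespace

def q(tag):
    return f"{{{NS}}}{tag}"

# Constructed indicators for the pass-the-hash hunt: the MD5 is a placeholder, not a real
# sample hash; the term names are assumed OpenIOC 1.0 FileItem/RegistryItem fields.
INDICATORS = [
    ("FileItem/Md5sum", "md5", "is", "0123456789abcdef0123456789abcdef"),
    ("FileItem/FileName", "string", "contains", "pth_dump"),
    ("RegistryItem/Path", "string", "contains", "\\CurrentVersion\\Run\\updater"),
]

def build_ioc(indicators, description):
    """Return an OpenIOC 1.0 document: one OR Indicator holding one IndicatorItem per term."""
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
    ioc = ET.Element(q("ioc"), {"id": str(uuid.uuid4()), "last-modified": stamp})
    ET.SubElement(ioc, q("short_description")).text = description
    top = ET.SubElement(ET.SubElement(ioc, q("definition")), q("Indicator"),
                        {"operator": "OR", "id": str(uuid.uuid4())})
    for search, ctype, condition, value in indicators:
        item = ET.SubElement(top, q("IndicatorItem"), {"id": str(uuid.uuid4()), "condition": condition})
        ET.SubElement(item, q("Context"), {"document": search.split("/")[0], "search": search, "type": "mir"})
        ET.SubElement(item, q("Content"), {"type": ctype}).text = value
    return ET.tostring(ioc, encoding="unicode")

def parse_ioc(xml_text):
    """Extract (search, condition, value) triples from every IndicatorItem, as a collector would."""
    root = ET.fromstring(xml_text)
    return [(item.find(q("Context")).get("search"), item.get("condition"), item.find(q("Content")).text)
            for item in root.iter(q("IndicatorItem"))]

def matches(terms, record):
    """OR the terms over one collected artifact, e.g. {"FileItem/Md5sum": "..."}; case-insensitive."""
    for search, condition, value in terms:
        observed = record.get(search)
        if observed is None:
            continue
        if condition == "is" and observed.lower() == value.lower():
            return True
        if condition == "contains" and value.lower() in observed.lower():
            return True
    return False
```

Save the output of build_ioc to a .ioc file to compare its layout with what the IOC Editor produces; the real collector evaluates many more term types and nested AND/OR groups than this flat OR.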
Conclusion: And there you have it! By following these steps, you can effectively use Redline and Mandiant to hunt for and analyze potential threats on your system. Happy hunting!