Redline
Accelerated Live Response
Redline is Mandiant’s free tool for investigating hosts for signs of malicious activity through memory and file analysis, and subsequently developing a threat assessment profile. It provides several benefits:
Rapid Triage
When confronted with a potentially compromised host, responders must first assess whether the system has active malware. Without installing software or disrupting the current state of the host, Redline thoroughly audits all currently-running processes and drivers on the system for a quick analysis; for a detailed analysis, it also collects the entire file structure, network state, and system memory.
Reveals Hidden Malware
The Redline Portable Agent can collect and analyze a complete memory image, working below the level at which kernel rootkits and other malware-hiding techniques operate. Many hiding techniques become extremely obvious when examined at the physical memory level, making memory analysis a powerful tool for finding malware. It also reveals “memory only” malware that is not present on disk.
Guided Analysis
Mandiant Redline streamlines memory analysis by providing a proven workflow for analyzing malware based on relative priority. This takes the guesswork out of task and time allocation, allowing investigators to provide a focused response to the threats that matter most. Redline calculates a “Malware Risk Index” that highlights processes more likely to be worth investigating, and encourages users to follow investigative steps that suggest how to start. As users review more audits from clean and compromised systems, they build up the experience to recognize malicious activity more quickly.
As you investigate a system, here’s how Redline will help you focus your attention on the most productive data:
Investigative Steps
Redline can collect a daunting amount of raw information. Its investigative steps help provide a starting place by highlighting specific data and providing views that are most commonly productive in identifying malicious processes. Unless you are pursuing a specific “lead”, we recommend working through the steps in order, examining the information for entries that don’t match your expectations. The key to becoming an effective investigator is to review Redline data from a variety of “clean” and “compromised” systems. Over time, your sense of which entries are normal and which are of concern will develop quickly as you view more data.
Malware Risk Index Scoring
Redline analyzes each process and memory section using a variety of rules and techniques to calculate a “Malware Risk Index” for each process. This score is a helpful guide to identifying those processes that are more likely to be worth investigating. Processes at the highest risk of being compromised by malware are highlighted with a red badge. Those with some risk factors have a grey badge, and low-risk processes have no badge. The MRI is not an absolute indication of malware. During an investigation you can refine the MRI scoring by adjusting specific hits (identifying false positives and false negatives) for each process, adding your own hits, and generally tuning the results.
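To make the scoring idea concrete, here is a small risk-index scorer written as an added illustration for this page. It is not Redline's code: the heuristic rules, their weights, the badge thresholds and the three sample process records are all assumptions of this example. It shows the parts the paragraph describes: rules fire "hits" against a process, the hit weights sum to a score that maps to a red, grey or no badge, and the analyst can suppress a hit as a false positive or add a manual hit before the badges are recomputed.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional, Tuple

# Constructed sample audit: three process records of the kind a live-response
# agent might report. Field names are assumptions of this example.
SAMPLE_PROCESSES = [
    {"pid": 804, "name": "svchost.exe", "path": "C:\\Windows\\System32\\svchost.exe",
     "signed": True, "sections": [{"executable": True, "backed_by": "C:\\Windows\\System32\\svchost.exe"}]},
    {"pid": 3120, "name": "svchost.exe", "path": "C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe",
     "signed": False, "sections": [{"executable": True, "backed_by": None}]},
    {"pid": 2276, "name": "updater.exe", "path": "C:\\Program Files\\Vendor\\updater.exe",
     "signed": False, "sections": []},
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}


@dataclass(frozen=True)
class Hit:
    rule: str
    weight: int
    detail: str


# Heuristic rules: each returns a Hit when it fires. Rules and weights are
# illustrative choices for this example, not Redline's.
def unsigned_binary(p: dict) -> Optional[Hit]:
    if not p.get("signed", False):
        return Hit("unsigned-binary", 2, f"{p['path']} carries no valid signature")
    return None


def system_name_outside_system_dir(p: dict) -> Optional[Hit]:
    # A well-known system process name running from somewhere other than the system directories.
    if p["name"].lower() in SYSTEM_NAMES and not p["path"].lower().startswith(SYSTEM_DIRS):
        return Hit("system-name-outside-system-dir", 4, f"{p['name']} running from {p['path']}")
    return None


def user_writable_path(p: dict) -> Optional[Hit]:
    low = p["path"].lower()
    if "\\temp\\" in low or "\\appdata\\" in low:
        return Hit("user-writable-path", 3, f"image loaded from {p['path']}")
    return None


def unbacked_executable_section(p: dict) -> Optional[Hit]:
    # Executable memory not backed by any file on disk: the "memory only" case.
    if any(s.get("executable") and s.get("backed_by") is None for s in p.get("sections", [])):
        return Hit("unbacked-executable-section", 5, "executable section with no file backing")
    return None


RULES: List[Callable[[dict], Optional[Hit]]] = [
    unsigned_binary, system_name_outside_system_dir, user_writable_path, unbacked_executable_section,
]


def score_process(p: dict, suppressed: FrozenSet[str] = frozenset(),
                  manual_hits: Tuple[Hit, ...] = ()) -> Tuple[int, Optional[str], List[Hit]]:
    """Sum the weights of the hits that fire, minus any the analyst has marked
    as false positives (suppressed), plus any hits the analyst added by hand;
    map the total to a badge (thresholds are this example's choice)."""
    hits = [h for h in (rule(p) for rule in RULES) if h is not None and h.rule not in suppressed]
    hits.extend(manual_hits)
    score = sum(h.weight for h in hits)
    badge = "red" if score >= 6 else "grey" if score >= 2 else None
    return score, badge, hits


def triage(processes: List[dict], suppressed: FrozenSet[str] = frozenset()) -> List[tuple]:
    """Order processes by score, highest first, as a starting point for review."""
    rows = [(p["pid"], p["name"], *score_process(p, suppressed)[:2]) for p in processes]
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for pid, name, score, badge in triage(SAMPLE_PROCESSES):
        print(f"{pid:>6} {name:<14} score={score:<3} badge={badge}")
```

Suppressing `unsigned-binary` for the vendor updater drops it from grey to no badge, which is the false-positive adjustment the paragraph refers to; adding a manual hit with a weight of 6 pushes it to red, which is the "add your own hits" case.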
Indicators of Compromise (IOCs)
Mandiant has developed an open, extendable standard for defining and sharing threat information in a machine-readable format. Going well beyond static signature analysis, IOCs combine over 500 types of forensic evidence with grouping and logical operators to provide advanced threat detection capability.
Redline provides the option of performing IOC analysis in addition to MRI scoring. Supplied a set of IOCs, the Redline Portable Agent will be automatically configured to gather the data required to perform a subsequent IOC analysis; after the analysis is run, IOC hit results are available for further investigation.
Works with Mandiant Intelligent Response
Combined with MIR, Redline is a powerful tool for accelerated live response. Here’s a typical case:
- IDS or other system detects suspicious activity on a host
- From MIR, an investigator launches a remote live response script
- The MIR Agent running on the host captures and analyzes memory locally, streaming back a small XML audit that downloads in minutes rather than hours
- From MIR, the user can open the audit directly in Redline
- Using Redline, the investigator quickly identifies a malicious process, and writes an IOC describing the forensic attributes found in Redline
- Using MIR and MCIC, the investigator is quickly able to sweep for that IOC and discover all other systems on the network with the same (or similar) malware running.
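The IOC section above describes indicators as forensic evidence combined with grouping and logical operators, and the last two steps of the case above have the investigator write such an IOC and sweep other hosts for it. The following evaluator is an added example for this page, not Redline, MIR or OpenIOC code: it represents an IOC as a tree of AND/OR groups over indicator items, evaluates it against constructed host audits, and reports which hosts hit and on what. The record fields, the `is`/`contains`/`matches` condition set, the host-level semantics (an item is true when any record of its type satisfies it) and the sample hash are all assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

# Constructed sample data: a pretend sweep across three host audits. Record
# fields ("doc", "name", "path", "md5") and every hash are assumptions of
# this example, not real indicators.
SAMPLE_MD5 = "0123456789abcdef0123456789abcdef"  # constructed placeholder hash
AUDITS: Dict[str, List[dict]] = {
    "host-a": [
        {"doc": "ProcessItem", "name": "svchost.exe", "path": "C:\\Windows\\System32\\svchost.exe"},
        {"doc": "ProcessItem", "name": "svchost.exe", "path": "C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe"},
        {"doc": "FileItem", "name": "svchost.exe", "md5": "ffffffffffffffffffffffffffffffff"},
    ],
    "host-b": [
        {"doc": "ProcessItem", "name": "svchost.exe", "path": "C:\\Windows\\System32\\svchost.exe"},
        {"doc": "FileItem", "name": "notes.txt", "md5": "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee"},
    ],
    "host-c": [
        {"doc": "ProcessItem", "name": "explorer.exe", "path": "C:\\Windows\\explorer.exe"},
        {"doc": "FileItem", "name": "update.dll", "md5": SAMPLE_MD5},
    ],
}


@dataclass(frozen=True)
class Item:
    """One indicator item: a record type, an attribute, a condition and a value."""
    doc: str         # record type the item applies to, e.g. "ProcessItem"
    attr: str        # attribute of that record, e.g. "path"
    condition: str   # "is", "contains" or "matches" (regex); assumed condition set
    value: str


@dataclass(frozen=True)
class Group:
    """A logical group of items or nested groups, combined with AND or OR."""
    operator: str
    children: Tuple["Node", ...]


Node = Union[Item, Group]

# The IOC itself: svchost.exe running from a Temp directory, OR a file with
# the placeholder hash anywhere on disk.
SAMPLE_IOC = Group("OR", (
    Group("AND", (
        Item("ProcessItem", "name", "is", "svchost.exe"),
        Item("ProcessItem", "path", "contains", "\\Temp\\"),
    )),
    Item("FileItem", "md5", "is", SAMPLE_MD5),
))


def item_matches(item: Item, record: dict) -> bool:
    """Does one record satisfy one indicator item? Comparisons are
    case-insensitive, as Windows names and paths usually require."""
    actual = record.get(item.attr)
    if record.get("doc") != item.doc or actual is None:
        return False
    if item.condition == "is":
        return actual.lower() == item.value.lower()
    if item.condition == "contains":
        return item.value.lower() in actual.lower()
    if item.condition == "matches":
        return re.search(item.value, actual, re.IGNORECASE) is not None
    raise ValueError(f"unknown condition: {item.condition!r}")


def evaluate(node: Node, records: List[dict]) -> Tuple[bool, List[Tuple[Item, dict]]]:
    """Evaluate the tree against one host's records.

    An Item is true when any record of its type satisfies it, so the items of
    an AND group may be satisfied by different records (host-level semantics,
    a deliberate choice of this example). Returns (hit, (item, record) pairs
    that contributed to the hit)."""
    if isinstance(node, Item):
        matched = [(node, r) for r in records if item_matches(node, r)]
        return bool(matched), matched
    results = [evaluate(child, records) for child in node.children]
    flags = [ok for ok, _ in results]
    hits = [h for ok, hs in results if ok for h in hs]
    if node.operator == "AND":
        return (True, hits) if all(flags) else (False, [])
    if node.operator == "OR":
        return any(flags), hits
    raise ValueError(f"unknown operator: {node.operator!r}")


def sweep(ioc: Node, audits: Dict[str, List[dict]]) -> Dict[str, List[str]]:
    """Run one IOC across many host audits; for each host that hits, return
    the matching evidence as "doc/attr=value" strings for the investigator."""
    found: Dict[str, List[str]] = {}
    for host, records in audits.items():
        ok, hits = evaluate(ioc, records)
        if ok:
            found[host] = sorted({f"{item.doc}/{item.attr}={rec[item.attr]}" for item, rec in hits})
    return found


if __name__ == "__main__":
    for host, evidence in sweep(SAMPLE_IOC, AUDITS).items():
        print(host)
        for line in evidence:
            print("   ", line)
```

In the sample sweep, host-a hits on the process branch and host-c on the hash branch, while host-b, whose svchost.exe runs from System32, does not hit at all; the returned evidence strings are what an investigator would use to decide whether each hit is the same malware or a variant worth a refined IOC.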
Want more information about Redline? Check out our User Forums.
Current Version: Redline 1.5
Release Date: March 21, 2012
Supported Operating Systems: Windows XP, Windows Vista, Windows 7 (32-bit and 64-bit)
File Size: 34.6 MB
Integrity Hashes:
MD5: 1c74d04fcfedea4fde94039e672b028d
SHA-1: 8138235297dfd7b8d7aea4038ad751a672d69659
Release Notes: MANDIANT Redline 1.5
User Guide: MANDIANT Redline 1.5