diff --git a/advance_Redline/Helper.bat b/advance_Redline/Helper.bat
new file mode 100644
index 0000000..6eac784
--- /dev/null
+++ b/advance_Redline/Helper.bat
@@ -0,0 +1,93 @@
+@ECHO off
+
+SETLOCAL enableextensions enabledelayedexpansion
+
+ECHO Ensuring the proper working directory
+%~d0
+cd %~dp0
+
+REM Verify the files exist
+SET agent64=.\x64\
+SET agent32=.\x86\
+SET script=MemoryzeAuditScript.xml
+SET outputdir=.
+SET bitness=%PROCESSOR_ARCHITECTURE%
+SET sessionsFolder=Sessions
+SET analysisFolderCommonName=AnalysisSession
+SET auditsFolder=Audits
+
+IF NOT EXIST "%agent64%" GOTO :failed
+REM IF NOT EXIST "%agent32%" GOTO :failed
+IF NOT EXIST "%script%" GOTO :failed
+
+IF "%1"=="" (
+ SET "outputdir=%~dp0"
+ GOTO :usedefault
+)
+
+SET "outputdir=%1"
+REM Check that the directory exists, and if not create it.
+IF NOT EXIST "%outputdir%" CALL mkdir "%outputdir%"
+
+:usedefault
+SET "sessionsFolder=%outputdir%\%sessionsFolder%"
+SET "analysisFolderCustomName=%analysisFolderCommonName%1"
+
+IF EXIST "%sessionsFolder%" (
+ FOR /f "delims=" %%a IN ('cscript //nologo "%~dp0\getNextSessionFolder.js" "%sessionsFolder%" "%analysisFolderCommonName%"') DO (SET analysisFolderCustomName=%%a)
+) ELSE (
+ MKDIR "%sessionsFolder%"
+)
+MKDIR "%sessionsFolder%\%analysisFolderCustomName%"
+SET "fullAuditsPath=%sessionsFolder%\%analysisFolderCustomName%\%auditsFolder%"
+MKDIR "%fullAuditsPath%"
+SET args=-o "%fullAuditsPath%" -f "%script%"
+
+SET agent=%agent32%
+IF "%bitness%"=="x86" GOTO :agentset
+IF "%bitness%"=="IA64" GOTO :unsupported
+SET agent=%agent64%
+:agentset
+
+FOR /f "delims=" %%a IN ('cscript //nologo "%~dp0\getPath.js" "%agent%"') DO (SET "agent=%%a")
+
+SET "fullAgentPath=%agent%xagt.exe"
+
+ECHO "%fullAgentPath%" %args%
+rem PAUSE
+call "%fullAgentPath%" %args%
+
+SET iocExists=false
+IF EXIST IOCs (
+ SET iocExists=true
+)
+cscript //nologo "%~dp0\finishAnalysis.js" "%sessionsFolder%\%analysisFolderCustomName%" "%analysisFolderCustomName%" "%fullAuditsPath%" "%auditsFolder%" "%iocExists%"
+
+GOTO :end
+
+:failed
+ECHO.
+ECHO.
+ECHO Failure Encountered:
+ECHO Agent and/or Redline Audit Script not found.
+GOTO :end
+
+:unsupported
+ECHO.
+ECHO.
+ECHO Failure Encountered:
+ECHO This Operating System is not supported by the FireEye Agent
+GOTO :end
+
+:auditfail
+ECHO.
+ECHO.
+ECHO Failure Encountered
+ECHO %errorlevel% return from "%lastcmd%"
+IF EXIST "%buildlog%" START notepad "%buildlog%"
+GOTO :end
+
+:end
+REM PAUSE
+ENDLOCAL
+@ECHO on
\ No newline at end of file
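Review bot: The `IF EXIST IOCs` check on line 67 is evaluated against the script directory (the `cd %~dp0` on line 13), while finishAnalysis.js records the reference as `..\..\IOCs` relative to the analysis session folder, so whenever an output directory is passed as `%1` the path that was checked and the path written into the .mans file are different locations; the two should resolve to the same folder, e.g. by checking `IF EXIST "%sessionsFolder%\..\IOCs"` or by copying the IOCs into the session. The collector's result is also never examined: `call "%fullAgentPath%" %args%` on line 64 is followed unconditionally by finishAnalysis.js, and the `:auditfail` label on line 88 is unreachable and reads `%lastcmd%` and `%buildlog%`, which nothing sets; `IF ERRORLEVEL 1 (SET "lastcmd=%fullAgentPath%" & GOTO :auditfail)` right after the call would wire it up. Finally `IF "%1"==""` and `SET "outputdir=%1"` should use `%~1`, because RunRedlineAudit.bat forwards its `%1` verbatim and a quoted path would end up double-quoted inside `"%outputdir%"` on lines 36 and 39.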
diff --git a/advance_Redline/MemoryzeAuditScript.xml b/advance_Redline/MemoryzeAuditScript.xml
new file mode 100644
index 0000000..a885673
--- /dev/null
+++ b/advance_Redline/MemoryzeAuditScript.xml
@@ -0,0 +1,545 @@
+
+
\ No newline at end of file
diff --git a/advance_Redline/Readme.txt b/advance_Redline/Readme.txt
new file mode 100644
index 0000000..5ba8e03
--- /dev/null
+++ b/advance_Redline/Readme.txt
@@ -0,0 +1,3 @@
+On the Windows machine you want to audit, run the 'RunRedlineAudit.bat' script, preferably from removable media (e.g. a USB Hard Drive). The script will run the Collector, as you configured it, and save the results to a folder named 'Sessions\AnalysisSession1'. Every time you run the script, a new AnalysisSession folder (AnalysisSession2, AnalysisSession3, etc.) is created.
+
+When the collection is finished, transfer the results back to your analysis machine, then double-click 'AnalysisSession.mans' file located inside the AnalysisSession folder.
diff --git a/advance_Redline/RunRedlineAudit.bat b/advance_Redline/RunRedlineAudit.bat
new file mode 100644
index 0000000..6a305f1
--- /dev/null
+++ b/advance_Redline/RunRedlineAudit.bat
@@ -0,0 +1,40 @@
+@ECHO off
+
+SETLOCAL enableextensions enabledelayedexpansion
+SET elevate="%~dp0\elevate.cmd"
+SET helper="%~dp0\Helper.bat"
+SET "args=%1"
+
+IF NOT EXIST %elevate% goto :failed
+IF NOT EXIST %helper% goto :failed
+
+For /f "tokens=2 delims=[]" %%G in ('ver') Do (set _version=%%G)
+For /f "tokens=2,3,4 delims=. " %%G in ('echo %_version%') Do (set _major=%%G& set _minor=%%H& set _build=%%I)
+Echo Major version: %_major% Minor Version: %_minor%.%_build%
+
+if "%_major%"=="5" goto sub5
+if "%_major%"=="6" goto sub6
+if "%_major%"=="10" goto sub6
+
+Echo unsupported OS version
+goto:eof
+
+:sub5
+call %helper% %args%
+GOTO :end
+
+:sub6
+ECHO Requesting elevation
+call %elevate% %helper% %args%
+GOTO :end
+
+:failed
+ECHO.
+ECHO.
+ECHO Failure Encountered:
+ECHO Privilege Escalation Script and/or Helper Script not found.
+GOTO :end
+
+:end
+ENDLOCAL
+@ECHO on
\ No newline at end of file
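Review bot: `call %elevate% %helper% %args%` on line 152 returns immediately, because elevate.cmd launches wscript with `start` and elevate.vbs uses ShellExecute with the `runas` verb, so this script reaches `:end` before the collection has even started and the operator gets no indication that Helper.bat is still running in a separate elevated console. With the `PAUSE` at the end of Helper.bat commented out, that elevated window presumably closes as soon as Helper.bat finishes, taking its `:failed` and `:unsupported` messages with it; a line such as `ECHO Collection runs in a separate elevated window; wait for it to close before copying the Sessions folder` before `GOTO :end`, or a PAUSE on Helper.bat's error paths, would make failures visible. Note also that `SET "args=%1"` on line 130 forwards only the first argument, and the `goto:eof` on line 144 skips the `ENDLOCAL` and `@ECHO on` that every other exit path runs.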
diff --git a/advance_Redline/elevate.cmd b/advance_Redline/elevate.cmd
new file mode 100644
index 0000000..932abd7
--- /dev/null
+++ b/advance_Redline/elevate.cmd
@@ -0,0 +1,33 @@
+:: //***************************************************************************
+:: // ***** Script Header *****
+:: // =======================================================
+:: // Elevation PowerToys for Windows Vista v1.1 (04/29/2008)
+:: // =======================================================
+:: //
+:: // File: Elevate.cmd
+:: //
+:: // Additional files required: Elevate.vbs
+:: //
+:: // Purpose: To provide a command line method of launching applications that
+:: // prompt for elevation (Run as Administrator) on Windows Vista.
+:: //
+:: // Usage: elevate.cmd application
+:: //
+:: // Version: 1.0.0
+:: // Date : 01/02/2007
+:: //
+:: // History:
+:: // 1.0.0 01/02/2007 Created initial version.
+:: //
+:: // ***** End Header *****
+:: //***************************************************************************
+
+@setlocal
+@echo off
+
+:: Pass raw command line agruments and first argument to Elevate.vbs
+:: through environment variables.
+set ELEVATE_CMDLINE=%*
+set ELEVATE_APP=%1
+
+start wscript //nologo "%~dpn0.vbs" %*
diff --git a/advance_Redline/elevate.vbs b/advance_Redline/elevate.vbs
new file mode 100644
index 0000000..d8eff04
--- /dev/null
+++ b/advance_Redline/elevate.vbs
@@ -0,0 +1,93 @@
+' //***************************************************************************
+' // ***** Script Header *****
+' // =======================================================
+' // Elevation PowerToys for Windows Vista v1.1 (04/29/2008)
+' // =======================================================
+' //
+' // File: Elevate.vbs
+' //
+' // Additional files required: Elevate.cmd
+' //
+' // Purpose: To provide a command line method of launching applications that
+' // prompt for elevation (Run as Administrator) on Windows Vista.
+' //
+' // Usage: (Not used directly. Launched from Elevate.cmd.)
+' //
+' // Version: 1.0.1
+' // Date : 01/03/2007
+' //
+' // History:
+' // 1.0.0 01/02/2007 Created initial version.
+' // 1.0.1 01/03/2007 Added detailed usage output.
+' //
+' // ***** End Header *****
+' //***************************************************************************
+
+
+Set objShell = CreateObject("Shell.Application")
+Set objWshShell = WScript.CreateObject("WScript.Shell")
+Set objWshProcessEnv = objWshShell.Environment("PROCESS")
+
+' Get raw command line agruments and first argument from Elevate.cmd passed
+' in through environment variables.
+strCommandLine = objWshProcessEnv("ELEVATE_CMDLINE")
+strApplication = objWshProcessEnv("ELEVATE_APP")
+strArguments = Right(strCommandLine, (Len(strCommandLine) - Len(strApplication)))
+
+If (WScript.Arguments.Count >= 1) Then
+ strFlag = WScript.Arguments(0)
+ If (strFlag = "") OR (strFlag="help") OR (strFlag="/h") OR (strFlag="\h") OR (strFlag="-h") _
+ OR (strFlag = "\?") OR (strFlag = "/?") OR (strFlag = "-?") OR (strFlag="h") _
+ OR (strFlag = "?") Then
+ DisplayUsage
+ WScript.Quit
+ Else
+ objShell.ShellExecute strApplication, strArguments, "", "runas"
+ End If
+Else
+ DisplayUsage
+ WScript.Quit
+End If
+
+
+Sub DisplayUsage
+
+ WScript.Echo "Elevate - Elevation Command Line Tool for Windows Vista" & vbCrLf & _
+ "" & vbCrLf & _
+ "Purpose:" & vbCrLf & _
+ "--------" & vbCrLf & _
+ "To launch applications that prompt for elevation (i.e. Run as Administrator)" & vbCrLf & _
+ "from the command line, a script, or the Run box." & vbCrLf & _
+ "" & vbCrLf & _
+ "Usage: " & vbCrLf & _
+ "" & vbCrLf & _
+ " elevate application " & vbCrLf & _
+ "" & vbCrLf & _
+ "" & vbCrLf & _
+ "Sample usage:" & vbCrLf & _
+ "" & vbCrLf & _
+ " elevate notepad ""C:\Windows\win.ini""" & vbCrLf & _
+ "" & vbCrLf & _
+ " elevate cmd /k cd ""C:\Program Files""" & vbCrLf & _
+ "" & vbCrLf & _
+ " elevate powershell -NoExit -Command Set-Location 'C:\Windows'" & vbCrLf & _
+ "" & vbCrLf & _
+ "" & vbCrLf & _
+ "Usage with scripts: When using the elevate command with scripts such as" & vbCrLf & _
+ "Windows Script Host or Windows PowerShell scripts, you should specify" & vbCrLf & _
+ "the script host executable (i.e., wscript, cscript, powershell) as the " & vbCrLf & _
+ "application." & vbCrLf & _
+ "" & vbCrLf & _
+ "Sample usage with scripts:" & vbCrLf & _
+ "" & vbCrLf & _
+ " elevate wscript ""C:\windows\system32\slmgr.vbs"" �dli" & vbCrLf & _
+ "" & vbCrLf & _
+ " elevate powershell -NoExit -Command & 'C:\Temp\Test.ps1'" & vbCrLf & _
+ "" & vbCrLf & _
+ "" & vbCrLf & _
+ "The elevate command consists of the following files:" & vbCrLf & _
+ "" & vbCrLf & _
+ " elevate.cmd" & vbCrLf & _
+ " elevate.vbs" & vbCrLf
+
+End Sub
diff --git a/advance_Redline/finishAnalysis.js b/advance_Redline/finishAnalysis.js
new file mode 100644
index 0000000..3c1454b
--- /dev/null
+++ b/advance_Redline/finishAnalysis.js
@@ -0,0 +1,40 @@
+var analysisFolder = WScript.Arguments(0);
+var mansFileName = WScript.Arguments(1);
+var fullAuditsPath = WScript.Arguments(2);
+var auditsFolder = WScript.Arguments(3);
+
+var isIocExist = false;
+if (WScript.Arguments.Length >= 5)
+{
+ isIocExists = WScript.Arguments(4);
+}
+
+var SourceScriptFileName = ".\\MemoryzeAuditScript.xml";
+var fso = new ActiveXObject("Scripting.FileSystemObject");
+var folder = fso.GetFolder(fullAuditsPath);
+
+// Copy script
+var fullTargetFileName = fullAuditsPath + "\\Script.xml";
+fso.CopyFile(SourceScriptFileName, fullTargetFileName, true);
+
+// Create platform information file
+var fullPlatformFileName = fullAuditsPath + "\\platform.xml";
+var f = fso.CreateTextFile(fullPlatformFileName, true);
+f.WriteLine("");
+f.WriteLine("");
+f.WriteLine("\tWindows");
+f.WriteLine("");
+f.Close();
+
+// Create .mans file with proper path
+var fullMansFileName = analysisFolder + "\\" + mansFileName + ".mans";
+f = fso.CreateTextFile(fullMansFileName, true);
+f.WriteLine("");
+f.WriteLine("");
+f.WriteLine("\t" + auditsFolder + "");
+if (isIocExists.toUpperCase() == "TRUE")
+{
+ f.WriteLine("\t..\\..\\IOCs");
+}
+f.WriteLine("");
+f.Close();
\ No newline at end of file
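Review bot: The variable declared as `isIocExist` on line 315 is never the one assigned (`isIocExists`, line 318) or read (`isIocExists.toUpperCase()`, line 344); with fewer than five arguments the read hits an undeclared name and the script throws before the .mans file is written, and with five arguments it only works because the assignment silently creates a global. Declaring `var isIocExists = "false";` instead fixes both cases and keeps the string comparison on line 344 valid (the boolean `false` would not have a `toUpperCase` method). `var folder = fso.GetFolder(fullAuditsPath);` on line 323 is otherwise unused, and `SourceScriptFileName` on line 321 is resolved against the current directory rather than the script's own folder, which only works because Helper.bat does `cd %~dp0` first. The WriteLine literals appear to have lost their markup in this rendering, so I have not reviewed what platform.xml and the .mans file actually contain.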
diff --git a/advance_Redline/getNextSessionFolder.js b/advance_Redline/getNextSessionFolder.js
new file mode 100644
index 0000000..ad8dbb3
--- /dev/null
+++ b/advance_Redline/getNextSessionFolder.js
@@ -0,0 +1,24 @@
+var sessionsFolder = WScript.Arguments(0);
+var analysisFolderName = WScript.Arguments(1);
+
+//WScript.Echo ("Param 0: " + sessionsFolder);
+//WScript.Echo ("Param 1: " + analysisFolderName);
+
+var fso = new ActiveXObject("Scripting.FileSystemObject");
+var folder = fso.GetFolder(sessionsFolder);
+var colSubfolders = new Enumerator(folder.SubFolders);
+
+var lastUsedNumber = 0;
+for (; !colSubfolders.atEnd(); colSubfolders.moveNext())
+{
+ if (colSubfolders.item().Name.toUpperCase().indexOf(analysisFolderName.toUpperCase()) != -1)
+ {
+ var number = parseInt(colSubfolders.item().Name.substring(analysisFolderName.length));
+ if (number > lastUsedNumber)
+ {
+ lastUsedNumber = number;
+ }
+ }
+}
+//WScript.Echo ("Next session number is " + (lastUsedNumber + 1));
+WScript.Echo (analysisFolderName + (lastUsedNumber + 1));
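Review bot: The match on line 370 uses `indexOf(...) != -1`, which accepts any folder whose name merely contains the session prefix, while line 372 then strips `analysisFolderName.length` characters as if the prefix were at the start; a folder such as `OldAnalysisSession3` passes the test but parses to NaN and is silently ignored, so the check is misleading rather than wrong today. Anchoring the prefix with `.indexOf(analysisFolderName.toUpperCase()) == 0` and passing a radix, `parseInt(colSubfolders.item().Name.substring(analysisFolderName.length), 10)`, makes the numbering depend only on folders this tool created (older JScript may treat a leading zero as octal without the radix, though the generated names are not zero-padded). The caller in Helper.bat falls back to `AnalysisSession1` when nothing is echoed, so an exception here, for instance from an unreadable subfolder, would presumably make the next run reuse the first session folder; catching it and echoing a fallback explicitly would make that failure visible.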
diff --git a/advance_Redline/getPath.js b/advance_Redline/getPath.js
new file mode 100644
index 0000000..4d75f21
--- /dev/null
+++ b/advance_Redline/getPath.js
@@ -0,0 +1,89 @@
+var HKLM = 0x80000002;
+var HKLM_text = "HKEY_LOCAL_MACHINE";
+var Name = "\\DisplayName";
+var Location = "\\InstallLocation";
+var agentNames = new Array("xagt", "FireEye Endpoint Agent");
+var regKeyPath = new Array(
+ "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall",
+ "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall");
+
+var ret = "";
+
+if (WScript.Arguments.Length >= 1)
+{
+ ret = WScript.Arguments(0);
+}
+
+for (var i = 0; i < regKeyPath.length; ++i)
+{
+ if (isInstalled(regKeyPath[i]))
+ {
+ break;
+ }
+}
+
+if (ret.lastIndexOf("\\") != (ret.length - 1))
+{
+ ret = ret.concat("\\");
+}
+WScript.Echo(ret);
+
+//-----
+function isInstalled(path)
+{
+ var found = false;
+ var rtn = regGetSubKeys(".", path)
+ if ( rtn.Results == 0 )
+ {
+ var objShell = WScript.CreateObject("WScript.Shell");
+ var subKeyValue;
+ for (var idx=0;idx