advent-of-cyber-2025

Room Link:
https://tryhackme.com/room/webattackforensics-aoc2025-b4t7c1d5f8

▶️ CYBERWOX – Day 15 Video Walkthrough

Official walkthrough for quick onboarding:

🔗 YouTube Link:
https://youtu.be/Gf68YnVjy7k?si=x1xKWxwN-3sB_tAz


🎄 Advent of Cyber 2025 — Day 15 Write-Up

🧩 Web Attack Forensics — Drone Alone


🔐 Logging into Splunk

(screenshot: Splunk login)


🚨 Detect Suspicious Web Commands

Query:

index=windows_apache_access (cmd.exe OR powershell OR "powershell.exe" OR "Invoke-Expression")
| table _time host clientip uri_path uri_query status

(screenshot: Apache access log search results)


⚠️ Check Apache Error Logs for Command Execution

Query:

index=windows_apache_error ("cmd.exe" OR "powershell" OR "Internal Server Error")

(screenshot: Apache error log search results)
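The two Splunk searches above work because the injection tokens (cmd.exe, powershell, Invoke-Expression) end up in the request URI and, when the command fails, in the CGI stderr that Apache relays to the error log. The script below is an added example, not part of the write-up or of the room's dataset: it parses constructed Apache combined-format access lines and default-format error lines, URL-decodes the query string (so %3B and + do not hide a token the way a raw-text search would miss it) and returns the same columns the `| table` command selects. The log lines, IPs, paths and CGI script name are all constructed for the example.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed Apache "combined" access-log lines (not from the room's dataset).
# Lines 2 and 3 carry command-injection attempts in the query string; line 3 is URL-encoded.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [15/Dec/2025:09:01:12 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
10.0.0.9 - - [15/Dec/2025:09:02:44 +0000] "GET /cgi-bin/drone.cgi?id=1;cmd.exe+/c+whoami HTTP/1.1" 500 318 "-" "curl/8.4.0"
10.0.0.9 - - [15/Dec/2025:09:03:01 +0000] "GET /cgi-bin/drone.cgi?id=1%3Bpowershell.exe+-Command+whoami HTTP/1.1" 500 318 "-" "curl/8.4.0"
10.0.0.5 - - [15/Dec/2025:09:04:10 +0000] "GET /status?host=drone01 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Constructed Apache error-log lines (default error-log format, Windows mpm_winnt build).
# The cgi:error line is what a failed injected command looks like when its stderr is relayed.
SAMPLE_ERROR_LOG = """\
[Mon Dec 15 09:00:00.000000 2025] [mpm_winnt:notice] [pid 4120:tid 512] AH00455: Apache/2.4 configured -- resuming normal operations
[Mon Dec 15 09:03:01.700000 2025] [cgi:error] [pid 4120:tid 1540] [client 10.0.0.9:51240] AH01215: 'powershell.exe' is not recognized as an internal or external command,: C:/Apache24/cgi-bin/drone.cgi
[Mon Dec 15 09:03:01.800000 2025] [cgi:error] [pid 4120:tid 1540] [client 10.0.0.9:51240] End of script output before headers: drone.cgi
"""

ACCESS_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\S+)'
)
ERROR_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] \[(?P<module>[^\]]+)\] \[pid [^\]]+\]'
    r'(?: \[client (?P<clientip>[^\]:]+):\d+\])? (?P<message>.*)$'
)

# Same indicator lists as the two Splunk searches, matched case-insensitively.
ACCESS_INDICATORS = ("cmd.exe", "powershell", "invoke-expression")
ERROR_INDICATORS = ("cmd.exe", "powershell", "internal server error")


def matched_indicators(text, indicators):
    low = text.lower()
    return [i for i in indicators if i in low]


def parse_access_line(line):
    """Split one combined-format line into fields; returns None for lines that do not parse."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["uri_path"] = parts.path
    # Decode %xx escapes and '+' so an encoded token is compared in its real form.
    rec["uri_query"] = unquote_plus(parts.query)
    return rec


def find_suspicious_requests(log_text):
    """Return the access-log rows whose decoded path or query carries an indicator."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if rec is None:
            continue
        found = matched_indicators(rec["uri_path"] + "?" + rec["uri_query"], ACCESS_INDICATORS)
        if found:
            row = {k: rec[k] for k in ("time", "clientip", "uri_path", "uri_query", "status")}
            hits.append({**row, "indicators": found})
    return hits


def find_error_log_indicators(log_text):
    """Return error-log rows whose message carries an indicator, with the client IP when present."""
    hits = []
    for line in log_text.splitlines():
        m = ERROR_RE.match(line)
        if not m:
            continue
        found = matched_indicators(m.group("message"), ERROR_INDICATORS)
        if found:
            hits.append({"time": m.group("time"), "clientip": m.group("clientip"),
                         "message": m.group("message"), "indicators": found})
    return hits


if __name__ == "__main__":
    for h in find_suspicious_requests(SAMPLE_ACCESS_LOG):
        print(h["time"], h["clientip"], h["uri_path"], h["uri_query"], h["status"], h["indicators"])
    for h in find_error_log_indicators(SAMPLE_ERROR_LOG):
        print(h["time"], h["clientip"], h["indicators"], h["message"][:60])
```

Pivoting on the client IP returned by both functions is the usual next step: the access-log hit gives the first request time, and the error-log hit with the same IP shows whether the injected binary was found or rejected.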


🧬 Trace Suspicious Process Creation via Sysmon

Query:

index=windows_sysmon ParentImage="*httpd.exe"

(screenshot: Sysmon events with httpd.exe as parent)

Normally, Apache should only spawn worker threads — not system binaries.

Example of malicious behavior:

ParentImage = C:\Apache24\bin\httpd.exe
Image       = C:\Windows\System32\cmd.exe

This confirms successful command injection.


🔍 Confirm Attacker Enumeration Activity

Query:

index=windows_sysmon *cmd.exe* *whoami*

(screenshot: Sysmon events for cmd.exe running whoami)


🧠 Identify Base64-Encoded PowerShell Payloads

Query:

index=windows_sysmon Image="*powershell.exe"
(CommandLine="*enc*" OR CommandLine="*-EncodedCommand*" OR CommandLine="*Base64*")

(screenshot: Sysmon search for encoded PowerShell, no results)

This detects PowerShell payloads obfuscated with Base64 encoding.
If defenses are working properly, no results should appear, meaning the encoded payload (e.g., “Muahahaha”) never executed.
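The three Sysmon searches above (httpd.exe as parent, cmd.exe with whoami, and powershell.exe with an encoded command) are one chain: the web server spawns a shell, the shell runs the enumeration binary, and the follow-up is an encoded PowerShell payload. The script below is an added example, not part of the write-up or of the room's data; it runs the same three checks over constructed Sysmon Event ID 1 records reduced to the fields the searches use (UtcTime, ParentImage, Image, CommandLine). Two points it adds beyond the searches: Apache on Windows runs a parent httpd.exe plus one child httpd.exe, so a `ParentImage="*httpd.exe"` search also returns that expected pair and the example filters it out by child image; and a `*enc*` wildcard only finds the flag, so the example decodes the Base64 argument (PowerShell expects UTF-16LE) to show what would have run. The encoded string is constructed and decodes to `Write-Output "Muahahaha"`; all paths and timestamps are constructed too.

```python
import base64
import binascii
import re
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 1 (process creation) records, not from the room's dataset.
# The -enc argument on event 4 is the UTF-16LE Base64 form of: Write-Output "Muahahaha"
SAMPLE_EVENTS = [
    {"UtcTime": "2025-12-15 09:00:00.000", "ParentImage": r"C:\Apache24\bin\httpd.exe",
     "Image": r"C:\Apache24\bin\httpd.exe",
     "CommandLine": r'"C:\Apache24\bin\httpd.exe" -d "C:/Apache24"'},   # expected child worker
    {"UtcTime": "2025-12-15 09:02:44.600", "ParentImage": r"C:\Apache24\bin\httpd.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"UtcTime": "2025-12-15 09:02:44.650", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami"},
    {"UtcTime": "2025-12-15 09:03:01.800", "ParentImage": r"C:\Apache24\bin\httpd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -enc VwByAGkAdABlAC0ATwB1AHQAcAB1AHQAIAAiAE0AdQBhAGgAYQBoAGEAaABhACIA"},
    {"UtcTime": "2025-12-15 09:05:10.000", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},   # benign
]


def basename(image):
    """Lower-cased file name of a Windows image path, so comparisons ignore directory and case."""
    return PureWindowsPath(image).name.lower()


def find_webserver_spawns(events, server="httpd.exe"):
    """Children of the web server other than its own worker process.

    mpm_winnt starts a parent httpd.exe and one child httpd.exe; that pair is normal.
    Anything else (cmd.exe, powershell.exe, ...) is the injection indicator.
    """
    return [e for e in events
            if basename(e["ParentImage"]) == server and basename(e["Image"]) != server]


def find_enumeration(events, shell="cmd.exe", tool="whoami"):
    """Equivalent of `*cmd.exe* *whoami*`: both tokens anywhere in the parent, image or command line."""
    def text(e):
        return " ".join((e["ParentImage"], e["Image"], e["CommandLine"])).lower()
    return [e for e in events if shell in text(e) and tool in text(e)]


# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -en, -enc, ...).
ENC_FLAG_RE = re.compile(r"-e(?:ncodedcommand|nc|n|c)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded script behind an -EncodedCommand argument, or None if there is none."""
    m = ENC_FLAG_RE.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except binascii.Error:
        return None          # flag present but argument is not valid Base64
    return raw.decode("utf-16le", errors="replace")


def find_encoded_powershell(events):
    """Equivalent of the Base64 search, but confirmed by a successful decode; returns (event, script)."""
    hits = []
    for e in events:
        if basename(e["Image"]) not in ("powershell.exe", "pwsh.exe"):
            continue
        decoded = decode_encoded_command(e["CommandLine"])
        if decoded is not None:
            hits.append((e, decoded))
    return hits


if __name__ == "__main__":
    for e in find_webserver_spawns(SAMPLE_EVENTS):
        print("web server spawned:", e["UtcTime"], basename(e["Image"]), e["CommandLine"])
    for e in find_enumeration(SAMPLE_EVENTS):
        print("enumeration:", e["UtcTime"], basename(e["Image"]), e["CommandLine"])
    for e, script in find_encoded_powershell(SAMPLE_EVENTS):
        print("encoded PowerShell:", e["UtcTime"], "->", script)
```

In the room the last search returns nothing, which is the outcome the decoder makes checkable: if an event with an -enc argument were present, the decoded text would tell you exactly what the blocked payload was meant to do.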


✅ Challenge Answers


1️⃣ What is the reconnaissance executable file name?

(screenshot: reconnaissance executable in Sysmon)

whoami.exe

2️⃣ What executable did the attacker attempt to run via command injection?

(screenshot: attempted PowerShell execution)

powershell.exe