Advent of Cyber 2025 - Day 15


🔍 Web Attack Forensics with Splunk

Day 15 – Blue Team Investigation (TBFC Incident)


Introduction

On Day 15, TBFC’s drone scheduler web UI began receiving unusually long HTTP requests containing Base64-encoded chunks. Shortly after, Splunk triggered an alert:

“Apache spawned an unusual process.”

Investigation revealed that some requests attempted to execute obfuscated shell commands via Base64 payloads.

As a Blue Teamer, the objective was to:

  • Triage the incident

  • Identify compromised hosts

  • Decode malicious payloads

  • Reconstruct the attack chain

All analysis was performed using Splunk, pivoting between Apache web logs and Sysmon host telemetry to uncover the full story.


🎯 Learning Objectives

By completing this task, you learn to:

  • Detect malicious web activity via Apache logs

  • Investigate OS-level attacker behavior using Sysmon logs

  • Identify and decode obfuscated Base64 payloads

  • Reconstruct a complete attack timeline in Splunk


🔑 Logging into Splunk

After starting the AttackBox and target machine:

  • URL: http://MACHINE_IP:8000

  • Username: Blue

  • Password: Pass1234

Set the time range to Last 7 Days or All Time for full event visibility.


Detecting Suspicious Web Commands

To identify potential command injection, the following Splunk query was used:

index=windows_apache_access (cmd.exe OR powershell OR "powershell.exe" OR "Invoke-Expression") | table _time host clientip uri_path uri_query status

Observation:
A Base64-encoded PowerShell string was detected in request parameters:

VABoAGkAcwAgAGkAcwAgAG4AbwB3ACAATQBpAG4AZQAhACAATQBVAEEASABBAEEASABBAEEA

Decoding revealed a harmless test message — likely used to confirm command execution.
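As an added example (not part of the original write-up or the lab's tooling), the same triage done offline in Python: it parses Apache access-log lines, flags the keywords the SPL query searches for, and decodes long Base64 runs as UTF-16LE, which is how powershell.exe -EncodedCommand interprets them. The log lines, IPs, paths and timestamps are constructed; only the Base64 value is the one quoted above.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Constructed Apache access-log lines; only the Base64 value is the one quoted in
# the write-up, the IPs, paths and timestamps are made up for the demo.
SAMPLE_LINES = [
    '10.0.0.5 - - [15/Dec/2025:10:01:02 +0000] "GET /schedule?drone=7 HTTP/1.1" 200 512',
    '10.0.0.9 - - [15/Dec/2025:10:03:44 +0000] "GET /schedule?drone=7;powershell.exe%20-enc%20'
    'VABoAGkAcwAgAGkAcwAgAG4AbwB3ACAATQBpAG4AZQAhACAATQBVAEEASABBAEEASABBAEEA HTTP/1.1" 500 0',
    '10.0.0.9 - - [15/Dec/2025:10:04:10 +0000] "GET /schedule?drone=7;cmd.exe%20/c%20whoami HTTP/1.1" 500 0',
]

KEYWORDS = ("cmd.exe", "powershell", "invoke-expression")  # same terms as the SPL query
REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<uri>\S+) [^"]*" (?P<status>\d{3})')
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")  # only long Base64-looking runs


def decode_powershell_b64(token: str):
    """Decode a token the way powershell.exe -EncodedCommand does: Base64 over
    UTF-16LE text. Decoding as UTF-8 instead yields NUL-interleaved bytes, which
    is why such blobs look like noise in a naive decoder. None = not decodable."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) % 2:  # UTF-16LE text always has an even byte length
        return None
    try:
        text = raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def triage_access_log(lines):
    """Flag requests whose URI mentions a shell keyword or carries a decodable blob."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        uri = unquote(m.group("uri"))  # undo %20 etc. before matching keywords
        hits = [k for k in KEYWORDS if k in uri.lower()]
        decoded = [d for d in map(decode_powershell_b64, B64_RE.findall(uri)) if d]
        if hits or decoded:
            findings.append({"clientip": m.group("ip"), "status": int(m.group("status")),
                             "indicators": hits, "decoded": decoded})
    return findings
```

Feeding the same regex-extracted fields into Splunk as `clientip`, `uri_query` and `status` reproduces the table the SPL query builds, with the decoded text as an extra column.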


Analyzing Apache Error Logs

Check whether malicious input reached the backend:

index=windows_apache_error ("cmd.exe" OR "powershell" OR "Internal Server Error")

Findings:
Multiple HTTP 500 Internal Server Error responses indicated that the server attempted to process attacker input but failed — a strong sign of exploitation attempts.


Tracing Suspicious Process Creation

Sysmon logs were used to verify OS-level execution:

index=windows_sysmon ParentImage="*httpd.exe"

Critical Indicator:
Apache (httpd.exe) spawned system processes such as:

  • cmd.exe

  • powershell.exe

This confirmed that command injection succeeded on the host.


Confirming Attacker Reconnaissance

Attackers performed basic reconnaissance after execution:

index=windows_sysmon *cmd.exe* *whoami*

Result:
The whoami command confirmed the current user context — evidence of post-exploitation activity.


Investigating Base64-Encoded PowerShell

Further investigation of encoded PowerShell commands:

index=windows_sysmon Image="*powershell.exe" (CommandLine="*enc*" OR CommandLine="*-EncodedCommand*" OR CommandLine="*Base64*")

Outcome:
No encoded PowerShell payloads executed successfully. While attackers tried obfuscation, the payloads did not fully run.


🏁 Final Answers

  • Reconnaissance executable file name: whoami.exe

  • Executable attempted via command injection: powershell.exe


Conclusion

This investigation highlights how Splunk can correlate web-level attacks with host-level execution. By pivoting between:

  • Apache access logs

  • Apache error logs

  • Sysmon process telemetry

…analysts reconstructed the full attack chain, from command injection to post-exploitation reconnaissance.

Key Takeaways

  • Ensure proper log visibility across all layers

  • Monitor parent-child process relationships

  • Detect encoded payloads (e.g., Base64)

  • Even simple encoded strings can hide malicious intent

Splunk enables SOC teams to uncover hidden threats and respond effectively before damage escalates.
