Web Attack Forensics — Drone Alone | Advent of Cyber 2025 Day 15 | Writeup

 Access the room: https://tryhackme.com/room/webattackforensics-aoc2025-b4t7c1d5f8



TBFC’s drone scheduler web UI is receiving strange, long HTTP requests containing Base64 chunks. Splunk raises an alert: “Apache spawned an unusual process.” On some endpoints, these requests cause the web server to execute shell commands that are obfuscated and hidden inside the Base64 payloads. For this room, your job as the Blue Teamer is to triage the incident, identify compromised hosts, extract and decode the payloads and determine the scope.

You’ll use Splunk to pivot between web (Apache) logs and host-level (Sysmon) telemetry.

Learning Objectives

  • Detect and analyze malicious web activity through Apache access and error logs
  • Investigate OS-level attacker actions using Sysmon data
  • Identify and decode suspicious or obfuscated attacker payloads
  • Reconstruct the full attack chain using Splunk for Blue Team investigation

Step-by-step Walkthrough

Initial Setup

Start the target machine and the AttackBox as instructed to access the lab environment.


After you have started the AttackBox and the target machine in the previous task, allow the system around 3 minutes to fully boot, then use Firefox on the AttackBox to access the Splunk dashboard at http://MACHINE_IP:8000 using the credentials below:

Splunk Login Page

Splunk Dashboard

Switch the time range from the last 24 hours to All time to view all event samplings:


Detecting Suspicious Web Commands

Search the web access logs for signs of command execution attempts, such as cmd.exe, PowerShell, or Invoke-Expression. Use the following query to find relevant requests:

index=windows_apache_access (cmd.exe OR powershell OR "powershell.exe" OR "Invoke-Expression") 
| table _time host clientip uri_path uri_query status

There we can see Base64-encoded strings in the results. Let’s decode one of these strings with a Base64 decoder to understand the attacker’s intentions:

VABoAGkAcwAgAGkAcwAgAG4AbwB3ACAATQBpAG4AZQAhACAATQBVAEEASABBAEEASABBAEEA

It seems like the attacker has some malicious intentions.
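The chunk above is UTF-16LE text, which is the encoding PowerShell’s -EncodedCommand expects, so a decoder that assumes UTF-8 shows a NUL byte after every character. The Python below is an added example, not part of the room or of the original writeup: it pulls Base64 runs out of an Apache request line and decodes them, choosing UTF-16LE when every high byte is NUL and UTF-8 otherwise. The access-log line, the /scheduler path and the client IP are constructed placeholders; only the Base64 chunk comes from the writeup.

```python
"""Extract and decode Base64 chunks from an Apache access-log request line.

Added example. PowerShell's -EncodedCommand operand is UTF-16LE, so a
UTF-8 decoder renders it with a NUL after every character. The decoder
below checks the byte pattern and picks the right text encoding.
"""
from __future__ import annotations

import base64
import re
from urllib.parse import unquote

# A Base64 run of at least 16 characters with optional padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# The chunk shown in the writeup's Splunk results.
SAMPLE_CHUNK = "VABoAGkAcwAgAGkAcwAgAG4AbwB3ACAATQBpAG4AZQAhACAATQBVAEEASABBAEEASABBAEEA"

# Constructed Apache combined-log line; client IP and /scheduler path are
# placeholders, not values from the room.
SAMPLE_LOG_LINE = (
    '10.10.0.5 - - [15/Dec/2025:10:42:11 +0000] '
    '"GET /scheduler?task=powershell.exe%20-enc%20'
    + SAMPLE_CHUNK + ' HTTP/1.1" 500 512'
)


def decode_chunk(chunk: str) -> tuple[str, str]:
    """Return (encoding, text) for one Base64 chunk.

    Repairs stripped '=' padding, then decodes. If the byte count is even
    and every high byte is NUL, the bytes are ASCII text in UTF-16LE (the
    -EncodedCommand layout); otherwise they are treated as UTF-8.
    Raises ValueError (binascii.Error) when the run is not valid Base64.
    """
    padded = chunk + "=" * (-len(chunk) % 4)
    raw = base64.b64decode(padded, validate=True)
    if len(raw) >= 2 and len(raw) % 2 == 0 and not any(raw[1::2]):
        return "utf-16-le", raw.decode("utf-16-le")
    return "utf-8", raw.decode("utf-8", errors="replace")


def extract_payloads(log_line: str) -> list[tuple[str, str, str]]:
    """Find every Base64 run in a request line and decode it.

    The line is URL-decoded first because Apache logs the request exactly
    as it arrived. Returns (chunk, encoding, decoded_text) tuples; runs
    that look like Base64 but do not decode (session tokens, hashes) are
    skipped.
    """
    results = []
    for match in B64_RUN.finditer(unquote(log_line)):
        chunk = match.group(0)
        try:
            enc, text = decode_chunk(chunk)
        except ValueError:
            continue
        results.append((chunk, enc, text))
    return results


if __name__ == "__main__":
    for chunk, enc, text in extract_payloads(SAMPLE_LOG_LINE):
        print(f"{enc:>9}: {text!r}   <- {chunk[:24]}...")
```

Feeding the writeup’s chunk through decode_chunk returns the UTF-16LE text, while a plain ASCII payload such as the Base64 of “whoami” falls through to the UTF-8 branch, so the same function can be run over every hit in the access-log table without knowing in advance which encoding the attacker used.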

Looking for Server-Side Errors or Command Execution in Error Logs

Inspect the web server error logs for signs of execution attempts or internal failures caused by malicious requests by using the following query:

index=windows_apache_error ("cmd.exe" OR "powershell" OR "Internal Server Error")

Select View: Raw from the dropdown menu above the event display field to see the raw log data.


We can spot error messages mentioning cmd.exe and PowerShell. The 500 “Internal Server Error” means the attacker’s input reached the server but failed during execution, which is a clear sign of an exploitation attempt.

Trace Suspicious Process Creation from Telemetry

Use host telemetry to find processes spawned by the web server. Use the following query to focus on parent/child process relationships:

index=windows_sysmon ParentImage="*httpd.exe"

Select View: Table to see the process relationships.


Here we found child processes such as:

ParentImage = C:\Apache24\bin\httpd.exe
Image = C:\Windows\System32\cmd.exe

This indicates a successful command injection where the web server executed a system command.

Confirm Attacker Enumeration Activity

Investigate what specific programs the attacker ran using the following query:

index=windows_sysmon *cmd.exe* *whoami*

This query looks for command execution logs where cmd.exe ran the command whoami. Attackers often use whoami to determine which user account their malicious process is running as. Finding these events confirms the attacker’s post-exploitation reconnaissance and shows that the injected command was executed on the host.

Identify Base64-Encoded Payloads

Search for Base64-encoded PowerShell commands to identify obfuscated attacker payloads using the following query:

index=windows_sysmon Image="*powershell.exe" (CommandLine="*enc*" OR 
CommandLine="*-EncodedCommand*" OR CommandLine="*Base64*")

This query detects attempts to hide real commands using base64 encoding.

If your defenses are correctly configured, this query should return no results, meaning the encoded payload never ran.
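The three Sysmon pivots above (httpd.exe as the parent of a shell, a shell launching whoami, and PowerShell started with an encoded command line) can be expressed as a small triage routine. The Python below is an added example, not code from the room or the writeup, and it runs over constructed Sysmon Event ID 1 (ProcessCreate) records: the hostnames, PIDs and command lines are placeholders, and only the Base64 chunk is taken from the writeup. It also includes a benign Apache child (rotatelogs.exe) to show why the table view from the ParentImage query still needs the analyst to filter on the child image.

```python
"""Triage Sysmon ProcessCreate events for web-server command injection.

Added example mirroring the writeup's Splunk pivots:
  1. httpd.exe spawned a shell (cmd.exe / powershell.exe)
  2. a shell launched a reconnaissance binary such as whoami.exe
  3. powershell.exe was started with -enc / -EncodedCommand or FromBase64String
"""
import base64
import re
from dataclasses import dataclass

# Constructed Sysmon Event ID 1 records (field names follow Sysmon's schema).
SAMPLE_EVENTS = [
    {"Computer": "web01", "ParentImage": r"C:\Apache24\bin\httpd.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"Computer": "web01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami"},
    {"Computer": "web01", "ParentImage": r"C:\Apache24\bin\httpd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -enc "
                    "VABoAGkAcwAgAGkAcwAgAG4AbwB3ACAATQBpAG4AZQAhACAATQBVAEEASABBAEEASABBAEEA"},
    # Legitimate Apache helper: same parent, but not a shell, so not flagged.
    {"Computer": "web01", "ParentImage": r"C:\Apache24\bin\httpd.exe",
     "Image": r"C:\Apache24\bin\rotatelogs.exe",
     "CommandLine": "rotatelogs.exe logs/access.log 86400"},
    # Interactive shell from explorer.exe on a workstation: not web-server spawned.
    {"Computer": "ws07", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
RECON = {"whoami.exe", "hostname.exe", "ipconfig.exe", "net.exe", "systeminfo.exe"}
# -e, -ec, -enc, -EncodedCommand: PowerShell accepts any unambiguous prefix,
# so match "-e<letters>" followed by a Base64-looking operand.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-e[a-z]*\s+([A-Za-z0-9+/=]{16,})")


@dataclass
class Finding:
    host: str
    rule: str
    parent: str
    image: str
    detail: str  # command line, or the decoded payload for encoded PowerShell


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (C:\\x\\httpd.exe -> httpd.exe)."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(events) -> list[Finding]:
    findings = []
    for ev in events:
        host = ev["Computer"]
        parent, image = basename(ev["ParentImage"]), basename(ev["Image"])
        cmd = ev.get("CommandLine", "")
        # Pivot 1: the web server itself started a shell.
        if parent == "httpd.exe" and image in SHELLS:
            findings.append(Finding(host, "web-server-spawned-shell", parent, image, cmd))
        # Pivot 2: a shell ran a reconnaissance binary.
        if parent in SHELLS and image in RECON:
            findings.append(Finding(host, "shell-launched-recon", parent, image, cmd))
        # Pivot 3: PowerShell given an encoded or Base64-handling command line.
        if image in {"powershell.exe", "pwsh.exe"}:
            m = ENCODED_FLAG.search(cmd)
            if m:
                # -EncodedCommand operands are always UTF-16LE.
                payload = base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
                findings.append(Finding(host, "encoded-powershell", parent, image, payload))
            elif "frombase64string" in cmd.lower():
                findings.append(Finding(host, "base64-in-powershell", parent, image, cmd))
    return findings


def compromised_hosts(findings) -> list[str]:
    """Scope of the incident: every host with at least one finding."""
    return sorted({f.host for f in findings})


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.host:6} {f.rule:26} {f.parent} -> {f.image}: {f.detail!r}")
    print("compromised hosts:", compromised_hosts(triage(SAMPLE_EVENTS)))
```

The rules are deliberately narrow on the child image rather than the parent alone: httpd.exe legitimately spawns helpers such as rotatelogs.exe, and a cmd.exe from explorer.exe is ordinary user activity, so neither produces a finding. The decoded payload is attached to the encoded-powershell finding so the analyst sees the attacker’s actual text rather than the Base64 blob.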

Answers to the THM Lab

What is the reconnaissance executable file name?

whoami.exe.


What executable did the attacker attempt to run through the command injection?

powershell.exe.

