
Day 15: Web Attack Forensics – Drone Alone

The Mission: Decoding the Drone Disturbance

The town's drone scheduler started behaving erratically, receiving strange, unusually long HTTP requests containing Base64 chunks. The goal for this "Boss Rush" stage was to act as a Blue Teamer (defender) to triage the incident, identify compromised hosts, and decode the malicious payloads to determine the full scope of the attack.

The Setup: Splunk as the Ultimate Detective

To solve this, I utilised Splunk, a powerful SIEM (Security Information and Event Management) platform. Splunk allows us to pivot between different types of data:

Apache Access and Error Logs: To see the initial web-based attack.

Sysmon (System Monitor) Telemetry: To track OS-level actions, such as what processes were spawned on the Windows host after the web server was hit.

The Technical Breakdown: The Investigation Chain

1. Detecting Suspicious Web Commands

I started by searching the windows_apache_access index for HTTP requests containing execution attempts such as cmd.exe or powershell.

The Findings: The logs showed an attacker attempting to run commands through a vulnerable CGI script called hello.bat.

Decoding the Payload: The attacker sent a Base64 string that, when decoded, revealed a taunting message: "This is now mine! MUHAHAHAHA".

2. Identifying Internal Server Failures

Next, I audited the Apache error logs for "Internal Server Error" (500) messages. If a request like /cgi-bin/hello.bat?cmd=powershell triggers a 500 error, it often means the server accepted the input but failed while executing it, which is a strong indicator that an exploitation attempt reached the backend. On its own a 500 is not proof, so each error-log entry should be matched against the access-log request that produced it.

3. The Smoking Gun: Sysmon Process Creation

The most critical part of the investigation was correlating the web logs with the Sysmon process-creation events.

The Rule: Normally, Apache (httpd.exe) should only spawn its own worker threads, never an interactive shell or interpreter such as cmd.exe or powershell.exe.

The Breach: I found evidence that Apache had spawned cmd.exe and powershell.exe, proving that the web attack had achieved code execution on the underlying operating system.

4. Confirming Attacker Reconnaissance

Once the attacker had code execution, they immediately performed reconnaissance to find out which user account they were running as.

The Evidence: I found logs showing the execution of the whoami command.

Recon Executable: The reconnaissance executable was identified as whoami.exe.
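The four steps above form one correlation procedure, so here is the whole chain as a single worked example. This is added example code, not part of the original post and not a Splunk search; it is plain Python so it runs offline, with the same logic that the Splunk pivots perform. Every log line and Sysmon record in it is constructed for the example (hosts, timestamps and GUIDs are made up; only the hello.bat path, the command names and the decoded message follow the write-up), and the RECON_TOOLS set is an assumption about which executables count as reconnaissance.

```python
import base64
import re
from urllib.parse import unquote_plus

# Constructed sample data (not the original incident's logs). Apache
# combined-style access lines; hosts and timestamps are made up.
APACHE_ACCESS = [
    '10.0.0.5 - - [15/Dec/2025:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [15/Dec/2025:10:02:15 +0000] "GET /cgi-bin/hello.bat?cmd=powershell'
    '&d=VGhpcyBpcyBub3cgbWluZSEgTVVIQUhBSEFIQQ== HTTP/1.1" 500 0',
    '10.0.0.9 - - [15/Dec/2025:10:02:40 +0000] "GET /cgi-bin/hello.bat?cmd=cmd.exe+/c+whoami HTTP/1.1" 200 33',
    '10.0.0.7 - - [15/Dec/2025:10:03:01 +0000] "POST /api/schedule HTTP/1.1" 200 80',
]

# Constructed Sysmon Event ID 1 (process creation) records, reduced to the
# fields the correlation needs; parent_guid links each child to its parent.
SYSMON_EVENTS = [
    {"guid": "{A1}", "parent_guid": "{00}", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Apache24\bin\httpd.exe", "cmdline": "httpd.exe -k runservice"},
    {"guid": "{A2}", "parent_guid": "{A1}", "parent_image": r"C:\Apache24\bin\httpd.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c hello.bat"},
    {"guid": "{A3}", "parent_guid": "{A1}", "parent_image": r"C:\Apache24\bin\httpd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell"},
    {"guid": "{A4}", "parent_guid": "{A2}", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami"},
    {"guid": "{B1}", "parent_guid": "{00}", "parent_image": r"C:\Windows\System32\userinit.exe",
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
]

ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)
EXEC_MARKERS = ("cmd.exe", "powershell", "whoami")   # execution attempts to hunt for
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")      # Base64-looking tokens
RECON_TOOLS = {"whoami.exe", "hostname.exe", "ipconfig.exe"}  # assumption: recon binaries


def parse_access(line):
    """Split one access-log line into its fields (None if it does not parse)."""
    m = ACCESS_RE.match(line)
    return m.groupdict() if m else None


def decode_b64_chunks(text):
    """Decode every Base64-looking token in an already URL-decoded string.
    Caveat: unquote_plus turns '+' into a space, so a token containing '+'
    only survives if the client percent-encoded it."""
    found = []
    for tok in B64_RE.findall(text):
        try:
            raw = base64.b64decode(tok, validate=True)
        except ValueError:  # wrong length or padding: not really Base64
            continue
        try:
            found.append(raw.decode("ascii"))
        except UnicodeDecodeError:
            found.append(f"<{len(raw)} non-text bytes>")
    return found


def triage_access(lines):
    """Step 1: requests that carry execution attempts, with Base64 decoded."""
    hits = []
    for line in lines:
        rec = parse_access(line)
        if rec is None:
            continue
        uri = unquote_plus(rec["uri"])
        if any(marker in uri.lower() for marker in EXEC_MARKERS):
            hits.append({"src": rec["src"], "uri": uri, "status": int(rec["status"]),
                         "payloads": decode_b64_chunks(uri)})
    return hits


def cgi_failures(lines):
    """Step 2: CGI requests answered with 500 (input reached the script, which failed)."""
    recs = [parse_access(line) for line in lines]
    return [r for r in recs if r and r["status"] == "500" and r["uri"].startswith("/cgi-bin/")]


def web_server_children(events, server_exe="httpd.exe"):
    """Step 3: non-httpd processes whose parent is the web server."""
    return [e for e in events
            if e["parent_image"].lower().endswith(server_exe)
            and not e["image"].lower().endswith(server_exe)]


def descendants(events, root_guid):
    """Step 4: every process below root_guid in the Sysmon process tree."""
    by_parent = {}
    for e in events:
        by_parent.setdefault(e["parent_guid"], []).append(e)
    found, stack = [], [root_guid]
    while stack:
        for child in by_parent.get(stack.pop(), []):
            found.append(child)
            stack.append(child["guid"])
    return found


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def reconstruct_chain(access_lines, events):
    """Tie the four steps together into one attack-chain summary."""
    hits = triage_access(access_lines)
    children = web_server_children(events)
    tree = []
    for c in children:
        tree.extend([c] + descendants(events, c["guid"]))
    return {
        "attacker_sources": sorted({h["src"] for h in hits}),
        "decoded_payloads": [p for h in hits for p in h["payloads"]],
        "cgi_500_requests": len(cgi_failures(access_lines)),
        "spawned_by_web_server": [basename(c["image"]) for c in children],
        "recon_executables": sorted({basename(e["image"]) for e in tree
                                     if basename(e["image"]) in RECON_TOOLS}),
    }


if __name__ == "__main__":
    for key, value in reconstruct_chain(APACHE_ACCESS, SYSMON_EVENTS).items():
        print(f"{key}: {value}")
```

Running it reports the single attacking source, the decoded taunt, one CGI request that ended in a 500, cmd.exe and powershell.exe as children of httpd.exe, and whoami.exe further down the tree. The parent-image check is the piece worth carrying into a real detection: in Splunk it is the same condition applied to the Sysmon index, and it fires regardless of which CGI script was abused.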

Mission Status:

Reconnaissance Executable Found: whoami.exe.

Attack Executable Found: PowerShell.exe.

Skill Gained: Correlating web application logs with host-level telemetry to reconstruct an attack chain.

-----------------------------------------------------------------------------------------

Analogy for Web Forensics: Think of Web Forensics with Splunk like a security camera system in a shopping mall. The Apache logs are the cameras at the front doors showing who walked in. The Sysmon logs are the cameras inside the individual shops showing what those people actually picked up. Without both, you might see someone enter, but you wouldn't know they managed to walk out with the merchandise.
