THM | AoC 2025 | Day 03-04

Day-03: Splunk Basics | Day-04: AI in Security
SUMMARY
On Day 03 (Splunk Basics), we write SPL queries to ingest web‑ and firewall‑log data, pinpoint the malicious IP address, and trace the stages of reconnaissance, exploitation, and data exfiltration.
On Day 04 (AI in Security), we examine AI applications in cybersecurity—defensive, offensive, and software‑security use cases—and then employ an AI assistant to detect and remediate vulnerabilities.

D-03 | Splunk Basics - Did you SIEM?
- TL;DR: Learn how to ingest and parse custom log data using Splunk.
- Original Room: TryHackMe | Advent of Cyber 2025 | DAY 03: Splunk Basics - Did you SIEM?
Storyline
"The Best Festival Company (TBFC) is preparing for a Christmas event in Wareville when a ransomware alert appears on their SOC dashboard, demanding 1,000 HopSec Coins from King Malhare of HopSec Island. Malhare’s Bandit Bunnies aim to hijack TBFC’s systems and replace Christmas with “EAST‑mas.”
The SOC team will use Splunk to trace the ransomware entry, extract custom fields, apply SPL queries, and investigate the incident to protect the holiday celebration."
Log Analysis with Splunk
Search Queries
- using Splunk Search Processing Language (SPL)
Datasets
- web_traffic | events related to web connections
- firewall_logs | firewall logs (allowed or blocked traffic, inbound and outbound)
Exploring the Logs
- show all ingested logs
index=main
Initial Triage
- all web traffic
index=main sourcetype=web_traffic
- visualize the log timeline | chart the total event count over time
index=main sourcetype=web_traffic | timechart span=1d count
- sort by count in descending order (sort -count is the equivalent single-step form)
index=main sourcetype=web_traffic | timechart span=1d count | sort count | reverse
Anomaly Detection | Filtering out Benign Values
- exclude common legitimate user agents (show suspicious agents)
index=main sourcetype=web_traffic user_agent!=*Mozilla* user_agent!=*Chrome* user_agent!=*Safari* user_agent!=*Firefox*
- narrow down on the IP (count the remaining events per client and keep the top five)
sourcetype=web_traffic user_agent!=*Mozilla* user_agent!=*Chrome* user_agent!=*Safari* user_agent!=*Firefox* | stats count by client_ip | sort -count | head 5
- sort results in descending order:
sort -count
Tracing the Attack Chain
- checking on targeted paths
sourcetype=web_traffic client_ip="<REDACTED>" AND path IN ("/.env", "/*phpinfo*", "/.git*") | table _time, path, user_agent, status
Enumeration (Vulnerability Testing)
- search for common path traversal and open redirect vulnerabilities (in SPL, AND binds tighter than OR, so the OR branch is parenthesised to keep the client_ip filter on both paths)
sourcetype=web_traffic client_ip="<REDACTED>" AND (path="*..*" OR path="*redirect*")
- drill down on path traversal attempts (escape the slashes as ..\/..\/)
sourcetype=web_traffic client_ip="<REDACTED>" AND (path="*..\/..\/*" OR path="*redirect*") | stats count by path
SQL Injection Attack
- check on automated attack tools
sourcetype=web_traffic client_ip="<REDACTED>" AND user_agent IN ("*sqlmap*", "*Havij*") | table _time, path, status
Exfiltration Attempts
- looking for large downloads, sensitive file downloads (curl, zgrab)
sourcetype=web_traffic client_ip="<REDACTED>" AND path IN ("*backup.zip*", "*logs.tar.gz*") | table _time, path, user_agent
Ransomware Staging & RCE
- requests for sensitive archives like /logs.tar.gz or /config, followed by the ransomware binary and webshell command execution
sourcetype=web_traffic client_ip="<REDACTED>" AND path IN ("*bunnylock.bin*", "*shell.php?cmd=*") | table _time, path, user_agent, status
Correlate Outbound C2 Communication
- filter firewall logs for the attacker IP
sourcetype=firewall_logs src_ip="10.10.1.5" AND dest_ip="<REDACTED>" AND action="ALLOWED" | table _time, action, protocol, src_ip, dest_ip, dest_port, reason
Volume of Data Exfiltrated
- calculate the sum of the bytes transferred
sourcetype=firewall_logs src_ip="10.10.1.5" AND dest_ip="<REDACTED>" AND action="ALLOWED" | stats sum(bytes_transferred) by src_ip
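The Day-03 pipeline above, re-implemented in Python over constructed sample records as an added example (it is not part of the room or of this write-up) so the filter logic behind each SPL query can be checked offline. The records, the placeholder attacker IP 192.0.2.77 and the stage names are assumptions; traversal is matched on a literal ../../ rather than the escaped SPL form.

```python
from collections import Counter
from fnmatch import fnmatchcase

# Constructed sample records (not room data); field names mirror the web_traffic
# and firewall_logs sourcetypes. ATTACKER is a placeholder, not the room's answer.
ATTACKER = "192.0.2.77"
WEB_TRAFFIC = [
    {"client_ip": "203.0.113.9", "user_agent": "Mozilla/5.0 Firefox/120", "path": "/index.html", "status": 200},
    {"client_ip": ATTACKER, "user_agent": "curl/8.4.0", "path": "/.env", "status": 404},
    {"client_ip": ATTACKER, "user_agent": "curl/8.4.0", "path": "/.git/config", "status": 404},
    {"client_ip": ATTACKER, "user_agent": "Wget/1.21", "path": "/download?file=../../etc/passwd", "status": 403},
    {"client_ip": ATTACKER, "user_agent": "sqlmap/1.7", "path": "/login?id=1 AND SLEEP(5)", "status": 200},
    {"client_ip": ATTACKER, "user_agent": "Havij", "path": "/login?id=1", "status": 200},
    {"client_ip": ATTACKER, "user_agent": "curl/8.4.0", "path": "/logs.tar.gz", "status": 200},
    {"client_ip": ATTACKER, "user_agent": "curl/8.4.0", "path": "/shell.php?cmd=./bunnylock.bin", "status": 200},
]
FIREWALL_LOGS = [
    {"src_ip": "10.10.1.5", "dest_ip": ATTACKER, "action": "ALLOWED", "bytes_transferred": 4096},
    {"src_ip": "10.10.1.5", "dest_ip": ATTACKER, "action": "BLOCKED", "bytes_transferred": 2048},
    {"src_ip": "10.10.1.5", "dest_ip": ATTACKER, "action": "ALLOWED", "bytes_transferred": 1500},
    {"src_ip": "10.10.1.5", "dest_ip": "203.0.113.9", "action": "ALLOWED", "bytes_transferred": 700},
]
BENIGN_UA = ("*Mozilla*", "*Chrome*", "*Safari*", "*Firefox*")  # the user_agent!=... filters
TOOL_UA = ("*sqlmap*", "*Havij*")                                # user_agent IN (...)
STAGES = {  # one wildcard list per attack-chain query
    "recon": ("/.env", "/*phpinfo*", "/.git*"),
    "traversal": ("*../../*",),
    "exfil": ("*backup.zip*", "*logs.tar.gz*"),
    "rce": ("*bunnylock.bin*", "*shell.php?cmd=*"),
}
def matches(value, globs):
    """Case-sensitive wildcard match, like a quoted SPL value containing *."""
    return any(fnmatchcase(value, g) for g in globs)

def suspicious_clients(events, top=5):
    """user_agent!=*Mozilla* ... | stats count by client_ip | sort -count | head 5"""
    hits = Counter(e["client_ip"] for e in events if not matches(e["user_agent"], BENIGN_UA))
    return hits.most_common(top)

def attack_chain(events, ip):
    """Events per stage for one client, with the ip filter applied once up front (in SPL,
    AND binds tighter than OR, so `ip AND a OR b` loses the ip filter on b unless parenthesised)."""
    mine = [e for e in events if e["client_ip"] == ip]
    stages = {name: sum(matches(e["path"], globs) for e in mine) for name, globs in STAGES.items()}
    stages["tool_ua"] = sum(matches(e["user_agent"], TOOL_UA) for e in mine)
    return stages
def c2_bytes(fw_events, src_ip, dest_ip):
    """action="ALLOWED" | stats sum(bytes_transferred) by src_ip, for one src/dest pair."""
    return sum(e["bytes_transferred"] for e in fw_events
               if (e["src_ip"], e["dest_ip"], e["action"]) == (src_ip, dest_ip, "ALLOWED"))
```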
Summary
- Attacker identified by the highest volume of malicious web traffic from a single external IP.
- Intrusion vector traced through web logs (sourcetype=web_traffic) showing a clear attack progression.
- Reconnaissance used cURL/Wget to probe for configuration files (/.env) and test path‑traversal flaws.
- Exploitation confirmed by SQLmap user agents and payloads like SLEEP(5).
- Payload delivery culminated in executing cmd=./bunnylock.bin via a webshell.
- C2 activity verified in firewall logs (sourcetype=firewall_logs): the compromised server opened an outbound C2 connection to the attacker’s IP.
Q & A
Question-1: What is the attacker IP found attacking and compromising the web server?
198.51.100.55
Question-2: Which day was the peak traffic in the logs? (Format: YYYY-MM-DD)
2025-10-12
Question-3: What is the count of Havij user_agent events found in the logs?
993
Question-4: How many path traversal attempts to access sensitive files on the server were observed?
658
Question-5: Examine the firewall logs. How many bytes were transferred to the C2 server IP from the compromised web server?
126167
Question-6: If you enjoyed today's room, check out the Incident Handling With Splunk room to learn more about analyzing logs with Splunk.
No answer needed

D-04 | AI in Security - old sAInt nick
- TL;DR: Unleash the power of AI by exploring its uses within cyber security.
- Original Room: TryHackMe | Advent of Cyber 2025 | DAY 04 - AI in Security - old sAInt nick
Storyline
TBFC’s new AI cyber‑security assistant, Van SolveIT, replaces the underperforming Van Chatty to boost elf productivity. It will be used before the holidays to detect, verify, and remediate vulnerabilities across defensive, offensive, and software domains.
AI for Cyber Security Showcase
AI assistants are transforming cybersecurity by automating labor‑intensive tasks:
- Defensive: Real‑time telemetry analysis, contextual alerts, automatic isolation/blocking of threats.
- Offensive: Accelerated OSINT, scanner output parsing, attack‑surface mapping for pen‑tests.
- Software: AI‑driven SAST/DAST scanners spot code flaws; less effective at writing secure code.
Cautions: AI outputs aren’t infallible; verify results, respect limited ownership, guard training data and model integrity, and avoid unintended disruptions.
Q & A
Question-1: Complete the AI showcase by progressing through all of the stages. What is the flag presented to you?
<FLAG>
Question-2: Execute the exploit provided by the red team agent against the vulnerable web application hosted at <targetbox-ip>:5000. What flag is provided in the script's output after it? Remember, you will need to update the IP address placeholder in the script with the IP of your vulnerable machine (<targetbox-ip>:5000)
<FLAG>
Question-3: If you enjoyed today's room, feel free to check out the Defending Adversarial Attacks room, where you will learn how to harden and secure AI models.
No answer needed