immersive labs
159 Topics

Apache Header Tampering
Can someone point me to the right track? On this one, I found the hidden directory, used an X-Forwarded-For: to see into that directory where scanning for files showed a lot of 404s, with just a few 403 response codes. I've tried everything I can think of with variations on X-Original-URL:, X-Rewrite-URL:, and X-Forwarded-Uri:, but none of them get me able to see into any of the files/directories. I've even tried a few variations instead of X-Forwarded-For:, such as X-Client-IP: and a few others. I feel like I must be missing something. I didn't find any actual .php files in the hidden directory but the question seems to indicate that there are some in there. I found what I think are other directories within that first hidden directory.
4 Views | 0 likes | 0 Comments

Ransomware: Darkside - Question 9
In terms of determining the name of the service that is installed after the ransomware was executed, there doesn't seem to be any service installation activities observed from the endpoint. Wondering if I should be focusing on a different code, slightly irrelevant towards service creation activities. When searching for file creation for possible service names, "api-ms-win-service-management-l1-1-0.dll" is also showcased to not work. Wondering about what different area I should be looking into instead.
11 Views | 0 likes | 1 Comment

Cross-site Scripting DOM-based XSS vulnerability
I am doing the Cross-Site Scripting (XSS) DOM-based XSS lab and I am trying to get the last step of the lab, which is identifying the DOM-based XSS vulnerability. I am pretty sure it would not be something like <script> alert("xss") </script> since I do not think JavaScript would handle it. I am leaning towards the event handlers like onerror but haven't gotten it figured out quite yet. Any clues or suggestions would be appreciated.
Solved | 105 Views | 0 likes | 4 Comments

Ransomware: LockBit
I can't figure out what question 7 is looking for as the answer. I ensured I was looking at logs with an EventType of SetValue, I ensured it was LockBit.exe doing the event, but nothing I've tried from that works for the answer. Either I'm querying something wrong, or
53 Views | 0 likes | 4 Comments

Immersive Labs – APT29: Threat Hunting with Splunk
Hi everyone, I’m currently working through the Immersive Labs – APT29: Threat Hunting with Splunk lab and got stuck on Question 10.

Question: A PowerShell script was initially executed to extract encoded data from an image file. What is the full ParentCommandLine field value used to execute this?

What I’ve tried so far:
- Searched PowerShell logs (EventCode 4103 / 4104) in Splunk
- Looked for base64/encoded content indicators (e.g., FromBase64String, -enc, IEX)
- Filtered for image-related activity (e.g., .jpg, .png)
- Reviewed process creation context but struggling to identify the exact ParentCommandLine.

Appreciate any guidance—trying to understand the hunting logic, not just the answer. Thanks in advance!
73 Views | 1 like | 1 Comment

Investigating IAM Incidents in AWS: Preparation - Question 7
For the question: The ‘MetrolioQA’ IAM role in your account grants write access to a ‘metrolio’ role from another account. What is the full name of the external principal? I can't seem to find insight into the role. I am wondering about what is the location of the GUI I should be looking into more of. I have mostly been digging throughout the CSV download for any possible insights as well as the IAM Access Analyzer but I can't seem to get any good leads. Done through the MetrolioIAMAnalyst AWS role account. Summary: I am wondering if there is any direction that can be provided in which I can look into more for finding external principals.
Solved | 26 Views | 0 likes | 1 Comment

Mobile Malware: Anubis Malware (Offensive) - Question 8,9
Despite obtaining the encrypted value, seems like RC4 decryption doesn't work with zanubis as the password. I am wondering where I should pivot into? For question 9: where should I look into in order to get started?
Solved | 19 Views | 0 likes | 1 Comment

Need help in Splunk Lab!
I am attempting the Splunk collection under Upskill. In the final lab i.e. Demonstrate your skill lab, I am getting stuck at a particular task. This is the prompt that I need to solve. The problem is there is no field for Destination IP in the log. Whenever I search according to the prompt, no results are returned and the question won't take 0 as an answer. Please help me move forward.
46 Views | 0 likes | 2 Comments