This project presents a full security investigation of a website defacement incident targeting the domain **imreallynotbatman.com**. The analysis was conducted using Splunk as the primary SIEM platform to identify the attacker’s activities, reconstruct the attack timeline, and determine the root cause of the compromise.
The investigation revealed that the attacker began with reconnaissance using the Acunetix vulnerability scanner, followed by a brute-force attack targeting the Joomla administrator login page. After successfully obtaining valid credentials, the attacker gained administrative access to the server, uploaded a malicious executable (3791.exe), and established a reverse shell connection to a command-and-control (C2) server.
The project documents the full attack lifecycle, including reconnaissance, credential access, initial access, execution, persistence, and command-and-control communication. It also includes detailed Splunk queries, forensic evidence, indicators of compromise (IOCs), and a complete attack timeline based on multiple log sources such as HTTP logs, Suricata alerts, Fortigate firewall logs, and Windows event logs.
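The brute-force-then-valid-login pattern described above, as an added detection example written for this summary and not one of the project's own Splunk queries: it runs over constructed key=value web-log lines, counts login POSTs per source address, and flags a later successful login that reuses a sprayed credential, even when it arrives from a different address. The admin login path, the 303 status as the success indicator, the threshold and the log lines are all assumptions.

```python
import re
from collections import defaultdict

# Assumptions (not taken from the project): Joomla admin login path, the HTTP
# status that follows a valid login, and how many POSTs per source count as a spray.
LOGIN_URI = "/administrator/index.php"
SUCCESS_STATUS = "303"
THRESHOLD = 5

# Constructed sample log lines in Splunk-style key=value form; not real evidence.
SAMPLE_LOGS = """\
src_ip=203.0.113.7 method=POST uri=/administrator/index.php status=200 form_data=username=admin&passwd=123456
src_ip=203.0.113.7 method=POST uri=/administrator/index.php status=200 form_data=username=admin&passwd=password
src_ip=203.0.113.7 method=POST uri=/administrator/index.php status=200 form_data=username=admin&passwd=letmein
src_ip=203.0.113.7 method=POST uri=/administrator/index.php status=200 form_data=username=admin&passwd=S3cret!
src_ip=203.0.113.7 method=POST uri=/administrator/index.php status=200 form_data=username=admin&passwd=welcome1
src_ip=192.0.2.10 method=POST uri=/administrator/index.php status=200 form_data=username=editor&passwd=typo
src_ip=198.51.100.9 method=POST uri=/administrator/index.php status=303 form_data=username=admin&passwd=S3cret!
"""

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Split a key=value line into a dict; a value runs to the next whitespace."""
    return dict(KV_RE.findall(line))

def login_events(log_text):
    """Yield (src_ip, username, password, status) for each POST to the login URI."""
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("method") != "POST" or ev.get("uri") != LOGIN_URI:
            continue
        form = dict(p.split("=", 1) for p in ev.get("form_data", "").split("&") if "=" in p)
        yield ev.get("src_ip", ""), form.get("username", ""), form.get("passwd", ""), ev.get("status", "")

def analyze(log_text, threshold=THRESHOLD):
    """Report brute-force sources and successful logins that reuse a sprayed credential."""
    events = list(login_events(log_text))
    per_ip = defaultdict(list)
    for ev in events:
        per_ip[ev[0]].append(ev)
    brute_sources = {ip: len(evs) for ip, evs in per_ip.items() if len(evs) >= threshold}
    # Credentials tried by brute-force sources; order-independent, so a success logged
    # before the spray (or from another address) is still matched.
    sprayed = {(user, pw) for ip in brute_sources for _, user, pw, _ in per_ip[ip]}
    successes = [{"src_ip": ip, "username": user,
                  "password_from_bruteforce": (user, pw) in sprayed}
                 for ip, user, pw, status in events if status == SUCCESS_STATUS]
    return {"bruteforce_sources": brute_sources, "successful_logins": successes}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOGS))
```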
Finally, the report provides impact assessment, containment actions, and security recommendations to help prevent similar attacks in the future.