Windows Threat Detection 1 | TryHackMe | SOC Level 1 2025

This walkthrough of the TryHackMe – Windows Threat Detection 1 room explores how attackers gain Initial Access to Windows systems and how SOC analysts detect these intrusions using Windows Event Logs, Sysmon telemetry, and phishing‑case analysis. According to the room outline, you’ll investigate RDP brute‑force attempts, successful RDP compromise, phishing attachments, malicious LNK files, double‑extension malware, and USB‑based execution. These topics are confirmed in multiple walkthroughs and room summaries, including detection of brute‑forced Administrator logins, attacker workstation identification, phishing COM files, malicious LNK download URLs, and double‑extension executables such as best-cat.jpg.exe. You’ll use Event IDs such as 4624/4625 for authentication, Sysmon process‑creation logs, and file‑execution traces to identify attacker behavior. You’ll also analyze phishing cases where malicious COM, LNK, and EXE files execute next‑stage payloads, as well as USB‑based malware execution. 🔍 What you’ll learn: • How attackers brute‑force RDP and how to detect it in logs • How to identify successful RDP compromise (Logon Type 10) • How to extract attacker IPs, workstation names, and login patterns • How phishing attachments execute malware and how to trace them • How malicious LNK files download next‑stage payloads • How USB‑based malware execution appears in Windows logs • How SOC analysts correlate Windows logs + Sysmon to confirm Initial Access 🚀 Try it yourself: https://tryhackme.com/room/windowsthr... FOR EDUCATIONAL PURPOSES ONLY 👍 Like, comment, and subscribe to ‪@wiredogsec‬ for more SOC, blue‑team, and Windows‑forensics walkthroughs. #TryHackMe #WindowsSecurity #ThreatDetection #Sysmon #EventLogs #Phishing #RDP #SOCAnalyst #BlueTeam #CyberSecurityTraining #WireDogSec