TryHackMe Windows Threat Detection 2 Full Walkthrough 2025

🚨😸 Discover how to detect and analyze the first steps of threat actors after breaching Windows. 😸Room Link: https://tryhackme.com/room/windowsthr... 🚨😸 After breaching a host, threat actors are faced with a choice: quietly establish a backdoor to maintain long-term access or take immediate action to achieve their objectives. This room covers the second approach and continues your Windows threat detection journey by exploring what typically follows the Initial Access, beginning with Discovery and Collection. Learning Objectives 🐻‍❄️ Detect common Discovery techniques using Windows Event Log 🪘 Learn how to trace the attack origin by reconstructing a process tree 🦢 Find out what data threat actors look for and how they exfiltrate it 📝See how the malicious commands are logged by running them yourself 🧸 [00:00] Introduction Lab 🍎 [02:50] Discovery Overview Open CMD and type "net user Administrator". Which privileged group does the user belong to? Open Event Viewer and try to find your command in Sysmon logs. What is the "Image" field of the net command you just run? 🪘 [08:33] Detecting Discovery Looking at Sysmon logs, what is the first command the invoice.pdf.exe executes? Which command did the malware use to check the presence of MS Defender EDR? To which domain did the malware send the discovered data? 🐻 [19:47] Collection Overview What is the Facebook password that the user saved in Chrome? Which interesting SSH key does the user store on disk? What is the secret PDF file explaining TryHackMe's internal network? 🍏 [26:14] Detecting Collection Looking at Sysmon logs, what directory does the stealer create? Which three file extensions does the malware search for? Which PowerShell cmdlet does the malware use to get clipboard content? Which domain does the malware exfiltrate the data to? 🍍 [36:37] Ingress Tool Transfer Open the Chrome browser on the VM and navigate to the URL. Next, open CMD and download the file from the same URL using curl.exe. Continue with the same CMD and URL, but now using certutil.exe. Finally, download the same file using PowerShell IWR. 🚨Tools Used: Windows event viewer Sysmon cmd #tryhackme #windowsthreat #DFIR ⚠️ Educational Purpose Only This content is for educational and authorized penetration testing purposes only. Always ensure you have permission before testing on any systems.