TryHackMe Logless Hunt Full Walkthrough 2025 - Detecting Attacks Without Security Logs
Author: Djalil Ayed
Uploaded: 2025-05-03
Views: 1314
💧Can You Detect a Logless Attack? TryHackMe - Logless Hunt Walkthrough
💧Detect every attack step on a Windows machine even after threat actors cleared Security logs.
💧Threat actors clearing logs? No problem! Join us as we explore the TryHackMe "Logless Hunt" room and discover techniques to detect every stage of a cyber attack on a Windows system, even without traditional Security logs. We'll investigate web access, PowerShell commands, RDP logins, persistent threats, and credential harvesting. Test your blue team skills!
😺 [00:00] Task 1 & 2: Introduction & Scenario
😺 [02:47] Task 3: Initial Access | Web Access Logs
⚡What is the title of the HR01-SRV web app hosted on port 80?
⚡Which IP performed an extensive web scan on the HR01-SRV web app?
⚡What is the absolute path to the file that the suspicious IP uploaded?
⚡Clearly, that's suspicious! What would you call the uploaded malware / backdoor?
😺 [11:36] Task 4: From Web to RDP | PowerShell Logs
⚡What was the first command entered by the attacker?
⚡What is the full URL of the file that the attacker attempted to download?
⚡What command was run to exclude the file from Windows Defender?
⚡Which remote access service was tunnelled using the uploaded binary?
😺 [25:13] Task 5: Breached Admin | RDP Session Logs
⚡What is the timestamp of the first suspicious RDP login?
⚡What user did the attacker breach?
⚡What IP is shown as the source of the RDP login?
⚡What is the timestamp when the attacker disconnected from RDP?
😺 [29:24] Task 6: Persistence Traces | Scheduled Tasks
⚡What is the name of the suspicious scheduled task?
⚡When was the suspicious scheduled task created?
⚡What is the task's "Trigger" value as shown in Task Scheduler GUI?
⚡What is the full command line of the malicious task?
😺 [35:07] Task 7: Credential Access | Windows Defender
⚡What is the threat family ("Name") of the first quarantined file?
⚡And what is the threat family of the next detected malware?
⚡What is the file name of the downloaded Mimikatz executable?
⚡Finally, which Mimikatz command was used to extract hashes from LSASS memory?
Room Link: https://tryhackme.com/room/loglesshunt
👍 Don’t forget to like, subscribe, and hit the bell icon for more cybersecurity walkthroughs!
👍 These tutorials are for educational purposes and to encourage responsible and legal use of hacking knowledge.
#TryHackMe #LoglessHunt #BlueTeam #DFIR #WindowsSecurity #Cybersecurity