Hands-on practice in monitoring activity on workstations, as that’s where adversaries spend the most time trying to achieve their objectives. Practice done in the simulated challenge/room environment inside a Virtual Machine (VM) provided by TryHackMe.

TryHackMe

Endpoint Security Monitoring - SOC Level 1 (Legacy)

Overview

This repository contains complete 2025-2026 walkthroughs for the legendary TryHackMe Endpoint Security Monitoring path. Learn how blue teams actually hunt attackers on Windows workstations using only free tools - exactly what Fortune-500 SOCs run in production. Keywords for SEO: Endpoint Security Monitoring, TryHackMe Endpoint, Sysmon 2025, Osquery Tutorial, Wazuh EDR, Windows Event Logs, Core Windows Processes, Sysinternals Suite, Swiftspend Monday Monitor, Ransomware Investigation, Free EDR Course, Sysmon Config, Threat Hunting Windows, SOC Analyst Training, Retracted Ransomware.

Table of Contents


Intro to Endpoint Security
Master the fundamentals of endpoint security monitoring and learn why workstations are where 99% of breaches actually happen in 2025.


Room Link: https://tryhackme.com/room/introtoendpointsecurity
Github: https://github.com/RahulCyberX/Endpoint-Security-Monitoring/tree/main/Intro%20to%20Endpoint%20Security
Medium: https://rahulcyberx.medium.com/intro-to-endpoint-security-thm-2025-03ba42bf0db8

Core Windows Processes
Spot fake svchost.exe, lsass.exe, powershell.exe, and 20+ other processes in under 10 seconds. Includes printable baseline cheat-sheet every SOC analyst keeps on their desk.


Room Link: https://tryhackme.com/room/btwindowsinternals
Github (Part 1): https://github.com/RahulCyberX/Endpoint-Security-Monitoring/tree/main/Core%20Windows%20Process%201
Github (Part 2): https://github.com/RahulCyberX/Endpoint-Security-Monitoring/tree/main/Core%20Windows%20Process%202
Medium: https://rahulcyberx.medium.com/core-windows-processes-endpoint-security-monitoring-thm-2025-858539fde18f

Sysinternals
Hands-on mastery of Process Explorer, Autoruns, TCPView, ProcMon - the same tools Mandiant Red Team uses in every incident.


Room Link: https://tryhackme.com/room/btsysinternalssg
Github: https://github.com/RahulCyberX/Endpoint-Security-Monitoring/tree/main/Sysinternals
Medium: https://rahulcyberx.medium.com/sysinternals-endpoint-security-monitoring-thm-2025-6c5430e15a10

Windows Event Logs
The 15 highest-signal Event IDs that caught LockBit, Conti, and BlackCat in real 2025 incidents. Query like a pro with PowerShell one-liners.


Room Link: https://tryhackme.com/room/windowseventlogs
Github: https://github.com/RahulCyberX/Endpoint-Security-Monitoring/tree/main/Windows%20Event%20Logs
Medium: https://rahulcyberx.medium.com/windows-event-logs-endpoint-security-monitoring-thm-2025-4640daad26db

Sysmon
Deploy the exact 2025 SwiftOnSecurity config that catches Cobalt Strike, Mimikatz, and living-off-the-land attacks. Zero false positives.


Room Link: https://tryhackme.com/room/sysmon
Github (Part 1): https://github.com/RahulCyberX/Endpoint-Security-Monitoring/tree/main/Sysmon%201
Github (Part 2): https://github.com/RahulCyberX/Endpoint-Security-Monitoring/tree/main/Sysmon%202
Medium: https://rahulcyberx.medium.com/sysmon-endpoint-security-monitoring-thm-2025-7c40143948e8

Osquery: The Basics
50+ production SQL queries Facebook runs on 300,000 endpoints. Detect unsigned drivers, hidden persistence, and suspicious scheduled tasks instantly.


Room Link: https://tryhackme.com/room/osqueryf8
Github (Part 1): https://github.com/RahulCyberX/Endpoint-Security-Monitoring/tree/main/OsQuery%201
Github (Part 2): https://github.com/RahulCyberX/Endpoint-Security-Monitoring/tree/main/OsQuery%202
Medium: https://rahulcyberx.medium.com/osquery-the-basics-endpoint-security-monitoring-thm-2025-5ff1f6da76b7

Wazuh
Free open-source SIEM + EDR that beats CrowdStrike for 90% of companies. Full Docker deployment + pre-built rules for every major ransomware family.


Room Link: https://tryhackme.com/room/wazuhct
Github: https://github.com/RahulCyberX/Endpoint-Security-Monitoring/tree/main/Wazuh
Medium: https://rahulcyberx.medium.com/wazuh-endpoint-security-monitoring-thm-2025-2366638bb324

Monday Monitor
Swiftspend's legendary live hunting lab. Get dropped on a real compromised workstation and hunt like a Tier-3 analyst. Certificate included.


Room Link: https://tryhackme.com/room/mondaymonitor
Github: https://github.com/RahulCyberX/Endpoint-Security-Monitoring/tree/main/Monday%20Monitor%20(Wazuh)
Medium: https://rahulcyberx.medium.com/monday-monitor-endpoint-security-monitoring-thm-2025-32ba08d5b789

Retracted
Full ransomware investigation walkthrough - initial access → privilege escalation → credential dumping → $100k ransom note. Every log, every artifact, every lesson.


Room Link: https://tryhackme.com/room/retracted
Github: https://github.com/RahulCyberX/Endpoint-Security-Monitoring/tree/main/Retracted
Medium: https://rahulcyberx.medium.com/retracted-endpoint-security-monitoring-thm-2025-605b79a8cf6c
