TryHackMe Volt Typhoon Full Walkthrough 2025

May 18, 2025
54:35

Step into the shoes of a SOC analyst and investigate a high-level cyber intrusion by the APT group Volt Typhoon, known for targeting critical infrastructure and high-value organizations.

Room Link: https://tryhackme.com/room/volttyphoon

In this video, we explore:
✅ Log analysis with Splunk
✅ Real-world APT attack simulation
✅ Initial access via ADSelfService Plus
✅ Credential dumping with Mimikatz
✅ Web shell persistence
✅ Lateral movement and C2 communications
✅ Defense evasion techniques like log wiping & file renaming
✅ Key forensic artifacts and IOC identification

🛡️ Whether you're training for the Blue Team, SOC analysis, or cyber defense, this room offers hands-on experience with real-world APT tactics aligned with the MITRE ATT&CK framework.

🔎 Scenario Overview: The SOC detects suspicious activity attributed to Volt Typhoon. As a security analyst, your task is to:
🍃 Trace the attacker's steps
🍃 Analyze logs
🍃 Identify persistence and C2 techniques
🍃 Uncover credentials and lateral movement
🍃 Document defense evasion and cleanup activities

💡 Tools Used: Splunk
📅 Timeframe: 2-week log window provided for investigation

😸 [00:00] Task 1: IR Scenario ☘️
🐧 Scenario: The SOC has detected suspicious activity indicative of an advanced persistent threat (APT) group known as Volt Typhoon, notorious for targeting high-value organizations. Assume the role of a security analyst and investigate the intrusion by retracing the attacker's steps.
🐧 You have been provided with various log types from a two-week time frame during which the suspected attack occurred. Your ability to research the suspected APT and understand how they maneuver through targeted networks will prove to be just as important as your Splunk skills.

😸 [03:51] Task 2: Initial Access ☘️
Volt Typhoon often gains initial access to target networks by exploiting vulnerabilities in enterprise software. In recent incidents, Volt Typhoon has been observed leveraging vulnerabilities in Zoho ManageEngine ADSelfService Plus, a popular self-service password management solution used by organizations.
🐍 Comb through the ADSelfService Plus logs to begin retracing the attacker's steps. At what time (ISO 8601 format) was Dean's password changed and their account taken over by the attacker?
🐍 Shortly after Dean's account was compromised, the attacker created a new administrator account. What is the name of the new account that was created?

😸 [16:29] Task 3: Execution ☘️
🐍 In an information gathering attempt, what command does the attacker run to find information about local drives on server01 & server02?
🐍 The attacker uses ntdsutil to create a copy of the AD database. After moving the file to a web server, the attacker compresses the database. What password does the attacker set on the archive?

😸 [21:26] Task 4: Persistence ☘️
🐍 To establish persistence on the compromised server, the attacker created a web shell using base64 encoded text. In which directory was the web shell placed?

😸 [31:34] Task 5: Defense Evasion ☘️
🐍 In an attempt to begin covering their tracks, the attackers remove evidence of the compromise. They first start by wiping RDP records. What PowerShell cmdlet does the attacker use to remove the "Most Recently Used" record?
🐍 The APT continues to cover their tracks by renaming and changing the extension of the previously created archive. What is the file name (with extension) created by the attackers?
🐍 Under what regedit path does the attacker check for evidence of a virtualized environment?

😸 [39:34] Task 6: Credential Access ☘️
🐍 Using reg query, Volt Typhoon hunts for opportunities to find useful credentials. What three pieces of software do they investigate?
🐍 What is the full decoded command the attacker uses to download and run mimikatz?

😸 [43:20] Task 7: Discovery & Lateral Movement ☘️
🐍 The attacker uses wevtutil, a log retrieval tool, to enumerate Windows logs. What event IDs does the attacker search for?
🐍 Moving laterally to server-02, the attacker copies over the original web shell. What is the name of the new web shell that was created?

😸 [] Task 8: Collection ☘️
🐍 The attacker is able to locate some valuable financial information during the collection phase. What three files does Volt Typhoon make copies of using PowerShell?

😸 [] Task 9: C2 & Cleanup ☘️
🐍 The attacker uses netsh to create a proxy for C2 communications. What connect address and port does the attacker use when setting up the proxy?
🐍 To conceal their activities, what are the four types of event logs the attacker clears on the compromised system?

👍 Like the video if this helped you.
💬 Comment your thoughts or techniques you used.
🔔 Subscribe for more TryHackMe & cyber defense walkthroughs.
👍 These tutorials are for educational purposes and to encourage responsible and legal use of hacking knowledge.

#cybersecurity #tryhackme #voltTyphoon #splunk #APT #threatdetection #SOC
