SOC lv.1
from Try Hack Me
# Introduction
While the Jr. Penetration Tester path was a red team path, more in line with the Complete Beginner path, the SOC lv.1 path, as expected, dives into the opposite end of the spectrum (also known as the blue team).
The path covers lots of subjects and is definitely overwhelming in size.
I must say though, once you start the challenges you soon realize that to complete them you don’t need to know all the different tools…
That said, I love the fact that they explain so many different ones, and they all have pros and cons.
This article differs from previous ones, as the goal here is to summarize and briefly describe what we learn in each module and room, so I can quickly come back and compare my notes with the material learned.
Let’s begin…
# Section 1: Cyber Defence Framework
– Jr Sec Analyst Intro
SOC’s Three-Tier Model, responsibilities and a Practical Example
– Pyramid of Pain
Illustrates how the difficulty you impose on adversaries depends on the type of indicator you detect and counter.
Trivial (hash values), Easy (IP addresses), Simple (domain names), Annoying (network and host artifacts), Challenging (tools) and Tough (TTPs).
– Cyber Kill Chain
Outlines the steps attackers take (Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, and finally data exfiltration) to help us as defenders detect and stop threats at each stage.
– Unified Kill Chain
Combines attack stages from various models to provide a comprehensive framework for identifying and disrupting cyberattacks. Divided into three phases: In (Initial Foothold), Through (Network Propagation) and Out (Action on Objectives).
– Diamond Model
Links adversaries, victims, capabilities and infrastructure to analyse and better understand cyber threats.
– MITRE
Describes MITRE ATT&CK, a comprehensive framework that categorizes and tracks adversary tactics, techniques, and procedures (TTPs) to help organizations detect, respond to, and defend against cyber threats.
It also dives into the Cyber Analytics Repository (CAR), the MITRE Engage framework and MITRE D3FEND, a knowledge base of cybersecurity countermeasures.
– Summit
A challenge where we apply the knowledge acquired in the Pyramid of Pain and MITRE rooms.
– Eviction
Another challenge to put more of the MITRE ATT&CK teachings into practice.
# Section 2: Cyber Threat Intelligence
– Intro to Cyber Threat Intel
Introduces us to the CTI (cyber threat intelligence) lifecycle, frameworks and standards.
– Threat Intelligence tools
Introduces us to OSINT research and tools such as Urlscan.io, Abuse.ch, PhishTool and Cisco Talos.
– YARA
Used for identifying and classifying malware by writing rules that match patterns in malicious code, files, or behaviours. It’s often called the “pattern-matching Swiss army knife” for malware researchers.
– OpenCTI
Open-source threat intelligence platform that centralizes, structures, and visualizes cyber threat information, helping organizations track and analyse threats for improved decision-making and response. It supports collaboration by integrating various data sources, including MITRE ATT&CK, to enhance threat intelligence operations.
– MISP
Malware Information Sharing Platform is an open-source threat intelligence platform for sharing and correlating structured threat data across organizations.
– Friday Overtime
End-of-section challenge.
– Trooper
Another end-of-section challenge, focused on OpenCTI.
# Section 3: Network Security & Traffic Analysis
– Traffic Analysis Essential
Explains the levels of security control: Physical, Technical and Administrative.
It also covers the two main approaches: Access Control (Firewall, NAC, IAM, Segmentation, VPN…) and Threat Control (IDS/IPS, Endpoint Protection, SIEM…).
– Snort
Open-source network intrusion detection system (NIDS) used to monitor and analyse network traffic for signs of malicious activity. It can also be run in IPS mode.
– Snort Challenge – The Basics
– Snort Challenge – Live Attacks
– NetworkMiner
Network forensics tool that extracts and analyzes data from network traffic captures to help identify and investigate network incidents.
– Zeek
Formerly known as Bro, Zeek is a network security monitoring platform that provides detailed logs and insights into network traffic for threat detection and analysis.
– Zeek Exercise
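Zeek’s value is in its logs, and conn.log is the one you end up querying most. As an added example (not code from the TryHackMe room or from the Zeek project), the script below parses a constructed conn.log excerpt in Zeek’s tab-separated layout and flags source/destination pairs whose connection timing looks like beaconing: many connections at near-constant intervals. The hosts, timestamps and thresholds are all made up for the example.

```python
"""Added example (not part of the TryHackMe room or of Zeek itself): parse a Zeek
conn.log excerpt and flag connection pairs whose timing looks like beaconing,
i.e. many connections to one destination at near-constant intervals.
All log rows below are constructed for this example."""
from collections import defaultdict
from statistics import mean, pstdev

FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "proto", "service", "duration", "orig_bytes", "resp_bytes", "conn_state"]

# Constructed rows: 10.0.0.5 talks to 203.0.113.10:443 every ~60 s,
# while 10.0.0.7 browses 198.51.100.4:80 at irregular times.
_ROWS = [
    ["1700000000.000", "Cabc1", "10.0.0.5", "49152", "203.0.113.10", "443", "tcp", "ssl", "0.21", "312", "1200", "SF"],
    ["1700000060.100", "Cabc2", "10.0.0.5", "49153", "203.0.113.10", "443", "tcp", "ssl", "0.19", "310", "1190", "SF"],
    ["1700000120.050", "Cabc3", "10.0.0.5", "49154", "203.0.113.10", "443", "tcp", "ssl", "0.22", "315", "1210", "SF"],
    ["1700000180.020", "Cabc4", "10.0.0.5", "49155", "203.0.113.10", "443", "tcp", "ssl", "0.20", "311", "1195", "SF"],
    ["1700000240.110", "Cabc5", "10.0.0.5", "49156", "203.0.113.10", "443", "tcp", "ssl", "0.21", "313", "1205", "SF"],
    ["1700000010.000", "Cdef1", "10.0.0.7", "49200", "198.51.100.4", "80", "tcp", "http", "1.50", "800", "9000", "SF"],
    ["1700000250.000", "Cdef2", "10.0.0.7", "49201", "198.51.100.4", "80", "tcp", "http", "0.90", "700", "5000", "SF"],
    ["1700001200.000", "Cdef3", "10.0.0.7", "49202", "198.51.100.4", "80", "tcp", "http", "2.10", "820", "9800", "SF"],
    ["1700001300.000", "Cdef4", "10.0.0.7", "49203", "198.51.100.4", "80", "tcp", "http", "1.80", "810", "9700", "SF"],
]

# Zeek's TSV layout: '#' header lines, a '#fields' line naming the columns, then data rows.
CONN_LOG = "\n".join(
    ["#separator \\x09", "#path\tconn", "\t".join(["#fields"] + FIELDS)]
    + ["\t".join(r) for r in _ROWS]
)


def parse_conn_log(text):
    """Return one dict per data row, keyed by the column names from the '#fields' line."""
    fields, records = None, []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):  # other header lines (#separator, #path, #types, #close...)
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        records.append(dict(zip(fields, line.split("\t"))))
    return records


def find_beacons(records, min_conns=4, max_jitter=0.1):
    """Group connections by (source, destination, dest port) and flag groups with at
    least min_conns connections whose inter-arrival times vary by at most max_jitter
    (coefficient of variation = stddev / mean of the intervals)."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(float(r["ts"]))
    hits = []
    for (orig, resp, port), times in groups.items():
        if len(times) < min_conns:
            continue
        times.sort()
        intervals = [b - a for a, b in zip(times, times[1:])]
        avg = mean(intervals)
        jitter = pstdev(intervals) / avg if avg > 0 else float("inf")
        if jitter <= max_jitter:
            hits.append({"orig": orig, "resp": resp, "port": port, "count": len(times),
                         "interval": round(avg, 1), "jitter": round(jitter, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_conn_log(CONN_LOG)):
        print(f"possible beacon: {hit['orig']} -> {hit['resp']}:{hit['port']} "
              f"every ~{hit['interval']}s ({hit['count']} connections, jitter {hit['jitter']})")
```

The thresholds are deliberately simple; on real traffic you would also look at byte counts and `conn_state` per group and exclude known-good destinations such as update servers, which also poll on a schedule.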
– Brim
Brim is an open-source tool for viewing and analysing large network traffic captures, offering a user-friendly interface to explore and investigate network data collected by Zeek and other sources.
– Wireshark: The Basics
Widely used GUI network protocol analyser that captures and displays network traffic in real time, allowing detailed inspection and troubleshooting of network issues.
– Wireshark: Packet Operations
Packet filtering, either before capture (capture filters) or afterwards (display filters), using the filter syntax, operators and expressions.
– Wireshark: Traffic Analysis
How to recognise anomalies in traffic, such as being the target of an Nmap scan or a man-in-the-middle attack, across other sources and protocols.
– Tshark: The Basics
Basically the command-line version of Wireshark, used in the same way for capturing and analyzing network traffic without a graphical interface.
– Tshark: CLI Wireshark Features
Wireshark features translated to the command line.
– Tshark Challenge 1: Teamwork
– Tshark Challenge 2: Directory
# Section 4: Endpoint Security Monitoring
– Intro to Endpoint Security
Starts introducing us to client logs.
– Core Windows Process
Shows us what normal behaviour looks like on a Windows operating system.
– Sysinternals
Sysinternals is a suite of advanced system utilities for Windows that help with system troubleshooting, monitoring, and diagnostics.
– Windows Event Logs
Record system, security, and application events on Windows machines, aiding in troubleshooting and monitoring.
– Sysmon
System Monitor is a Windows Sysinternals tool that provides detailed information about system activity, including process creation, network connections, and file modifications, to help with forensic analysis and threat detection.
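The Windows Event Logs and Sysmon rooms above both come down to reading these records and asking whether a process-creation event is normal. As an added example (not code from the rooms or from Sysmon itself), here is a Python script that parses Sysmon events exported as XML from Event Viewer, collects the `EventData` fields of each event, and flags Event ID 1 records where an Office application spawns a shell or script interpreter. The hostnames, paths, PIDs and command lines in the sample are constructed.

```python
"""Added example (not from the TryHackMe rooms or from Sysmon): parse Sysmon events
exported as XML and flag Event ID 1 (process creation) records where an Office
application is the parent of a shell or scripting interpreter.
The events below are constructed for this example."""
import ntpath
import xml.etree.ElementTree as ET

# Windows event XML uses this default namespace on every element.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed sample: one suspicious process creation, one benign one, one network event.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID>
    <TimeCreated SystemTime="2024-05-01T09:12:03.000Z"/><Computer>WS01.lab.local</Computer></System>
  <EventData>
    <Data Name="ProcessId">4412</Data>
    <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
    <Data Name="CommandLine">cmd.exe /c whoami</Data>
    <Data Name="User">LAB\alice</Data>
    <Data Name="ParentProcessId">3120</Data>
    <Data Name="ParentImage">C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID>
    <TimeCreated SystemTime="2024-05-01T09:13:40.000Z"/><Computer>WS01.lab.local</Computer></System>
  <EventData>
    <Data Name="ProcessId">5001</Data>
    <Data Name="Image">C:\Windows\System32\notepad.exe</Data>
    <Data Name="CommandLine">notepad.exe notes.txt</Data>
    <Data Name="User">LAB\alice</Data>
    <Data Name="ParentProcessId">1888</Data>
    <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>3</EventID>
    <TimeCreated SystemTime="2024-05-01T09:12:05.000Z"/><Computer>WS01.lab.local</Computer></System>
  <EventData>
    <Data Name="ProcessId">4412</Data>
    <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
    <Data Name="DestinationIp">203.0.113.10</Data>
    <Data Name="DestinationPort">443</Data>
  </EventData>
</Event>
</Events>"""


def parse_sysmon_events(xml_text):
    """Return one dict per <Event>: event_id, time, computer, plus every EventData field."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.iter("{%s}Event" % NS["e"]):
        system = ev.find("e:System", NS)
        record = {
            "event_id": int(system.find("e:EventID", NS).text),
            "time": system.find("e:TimeCreated", NS).get("SystemTime"),
            "computer": system.find("e:Computer", NS).text,
        }
        for data in ev.findall("e:EventData/e:Data", NS):
            record[data.get("Name")] = data.text or ""
        events.append(record)
    return events


def detect_office_spawning_interpreter(events):
    """Flag Event ID 1 records whose parent is an Office app and whose image is an interpreter."""
    alerts = []
    for ev in events:
        if ev["event_id"] != 1:
            continue
        child = ntpath.basename(ev.get("Image", "")).lower()      # ntpath handles Windows paths on any OS
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        if parent in OFFICE_APPS and child in INTERPRETERS:
            alerts.append({"time": ev["time"], "host": ev["computer"], "user": ev.get("User", ""),
                           "parent": parent, "child": child, "cmdline": ev.get("CommandLine", "")})
    return alerts


if __name__ == "__main__":
    for a in detect_office_spawning_interpreter(parse_sysmon_events(SAMPLE_EVENTS)):
        print(f"[{a['time']}] {a['host']} {a['user']}: {a['parent']} -> {a['child']} ({a['cmdline']})")
```

The same `parse_sysmon_events` output can feed other checks from the room (Event ID 3 network connections by unexpected images, Event ID 11 file creates in user-writable paths); the parent/child rule is just the classic first detection to write against process-creation logs.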
– Osquery: The Basics
Tool for querying system data with SQL-like queries.
– Wazuh
Open-source security monitoring platform for intrusion detection, log analysis, and compliance management.
– Monday Monitor
End-of-section challenge focused on Wazuh and Sysmon.
– Retracted
End-of-section challenge.
# Section 5: SIEM (Security Information and Event Management)
– Introduction to SIEM
Security Information and Event Management is a centralized system for collecting, analysing, and managing security data from across an organization’s IT infrastructure.
– Investigating with ELK 101
A set of tools (Elasticsearch, Logstash, and Kibana) used for searching, analysing, and visualizing log data in real time.
– ItsyBitsy
Challenge focused on ELK
– Splunk: Basics
A SIEM platform for searching, monitoring, and analyzing machine data through a web-based interface, commonly used for log management and operational intelligence.
– Incident Handling with Splunk
Uses Splunk to investigate an incident by following the Cyber Kill Chain phases.
– Investigation with Splunk
Challenge focused on Splunk
– Benign
Another challenge focused on Splunk.
# Section 6: DFIR (Digital Forensics & Incident Response)
– DFIR: An Introduction
Digital Forensics and Incident Response is the field focused on investigating cyber incidents and breaches to identify, mitigate, and recover from security threats.
– Windows Forensic 1
Exploring the Windows Registry and system information.
– Windows Forensic 2
File systems (FAT/NTFS) and file recovery.
– Linux Forensic
System information and configuration, followed by log files.
– Autopsy
A digital forensics platform used for analyzing hard drives and mobile devices, providing tools for data recovery, investigation, and evidence presentation.
– RedLine
A malware analysis and incident response tool used to gather information from infected systems, such as processes, network connections, and system artifacts, to aid in forensic investigations.
– KAPE
A digital forensics tool used to collect, analyse, and process data from various sources, such as disk images, memory dumps, and log files, to support investigations and incident response.
– Volatility
An open-source framework for analysing memory dumps to investigate and extract information about running processes, network connections, and other system activities during an incident or forensic examination.
– Velociraptor
An open-source endpoint monitoring and response tool used for detecting and investigating suspicious activities and anomalies on systems. It provides a lightweight, flexible approach for querying and analysing data across endpoints.
– TheHive Project
An open-source incident response platform designed for managing and analyzing security incidents. It provides a collaborative environment for security teams to handle investigations, track incidents, and document findings.
– Intro to Malware Analysis
Fundamental techniques of static and dynamic malware analysis, and the anti-analysis tricks malware uses against them.
– Unattended
Windows OS challenge focused on the Registry and Autopsy.
– Disgruntled
Linux OS challenge focused on CLI commands and Linux logs.
– Critical
Linux OS challenge focused on memory forensics with Volatility.
– Secret Recipe
Windows OS final challenge.
# Section 7: Phishing
– Phishing Analysis Fundamentals
Introduction to how email works.
– Phishing Emails in Action
What to look for to check whether an email is legitimate or a phishing attack.
– Phishing Analysis Tools
Main tools to detect and analyse emails, including PhishTool.
– Phishing Prevention
Preventive measures to reduce the risk of attacks (DKIM, DMARC, S/MIME).
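DMARC is the one of these three that an analyst checks by hand most often, because the receiving server writes its verdict into the `Authentication-Results` header. As an added example (not code from the room or from any DMARC library), the script below parses a DMARC DNS record, pulls the SPF and DKIM results out of an `Authentication-Results` header, and applies the DMARC rule: the message passes if SPF or DKIM passed *and* the authenticated domain is aligned with the domain in the `From:` header; otherwise the record’s `p=` policy applies. The domains, selector and headers are constructed, and relaxed alignment is approximated as parent/subdomain match rather than the Public Suffix List lookup real implementations use.

```python
"""Added example (not from the TryHackMe room): evaluate DMARC for a message from
its From: header, the receiver's Authentication-Results header and the sender
domain's DMARC TXT record. All headers and records below are constructed."""
import re
from email.utils import parseaddr


def parse_dmarc_record(record):
    """Parse 'v=DMARC1; p=reject; adkim=s; ...' into a dict, filling DMARC defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    tags.setdefault("p", "none")      # policy for failing mail
    tags.setdefault("adkim", "r")     # DKIM alignment mode: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")      # SPF alignment mode
    return tags


def parse_auth_results(header):
    """Extract the SPF/DKIM verdicts and the domains they were evaluated for."""
    def grab(pattern):
        m = re.search(pattern, header, re.IGNORECASE)
        return m.group(1).lower() if m else None
    return {
        "spf": grab(r"\bspf=(\w+)"),
        "spf_domain": grab(r"smtp\.mailfrom=(?:[^@\s;]+@)?([^\s;]+)"),  # MAIL FROM domain
        "dkim": grab(r"\bdkim=(\w+)"),
        "dkim_domain": grab(r"header\.d=([^\s;]+)"),                   # DKIM signature d= tag
    }


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment. Strict ('s') needs an exact match; relaxed ('r') is
    approximated here as exact match or parent/subdomain (simplifying assumption:
    real DMARC compares organizational domains using the Public Suffix List)."""
    if not auth_domain:
        return False
    if auth_domain == from_domain:
        return True
    if mode == "s":
        return False
    return auth_domain.endswith("." + from_domain) or from_domain.endswith("." + auth_domain)


def evaluate_dmarc(from_header, auth_results_header, dmarc_record):
    """Return the DMARC verdict and the action the record's policy asks for."""
    from_domain = parseaddr(from_header)[1].rsplit("@", 1)[-1].lower()
    policy = parse_dmarc_record(dmarc_record)
    ar = parse_auth_results(auth_results_header)
    spf_ok = ar["spf"] == "pass" and aligned(ar["spf_domain"], from_domain, policy["aspf"])
    dkim_ok = ar["dkim"] == "pass" and aligned(ar["dkim_domain"], from_domain, policy["adkim"])
    passed = spf_ok or dkim_ok
    return {"from_domain": from_domain, "spf_aligned_pass": spf_ok, "dkim_aligned_pass": dkim_ok,
            "dmarc": "pass" if passed else "fail",
            "action": "deliver" if passed else policy["p"]}


# Constructed inputs: example.com publishes strict DKIM / relaxed SPF alignment with p=reject.
DMARC_EXAMPLE_COM = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"
LEGIT_FROM = '"Payroll" <payroll@example.com>'
LEGIT_AR = ("mx.example.net; spf=pass smtp.mailfrom=bounce.example.com; "
            "dkim=pass header.d=example.com header.s=sel2024")
# Same From: display, but the sending domain is unrelated and there is no DKIM signature.
SPOOFED_FROM = '"Payroll" <payroll@example.com>'
SPOOFED_AR = "mx.example.net; spf=pass smtp.mailfrom=news.example.org; dkim=none"

if __name__ == "__main__":
    for label, frm, ar in (("legit", LEGIT_FROM, LEGIT_AR), ("spoofed", SPOOFED_FROM, SPOOFED_AR)):
        print(label, evaluate_dmarc(frm, ar, DMARC_EXAMPLE_COM))
```

The spoofed case is the one worth internalising: `spf=pass` on its own proves nothing, because the attacker’s own domain can pass SPF; it is the alignment check against the visible `From:` domain that makes DMARC catch it.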
– The Greenholt Phish
Challenge: analyse an email and its attachment.
– Snapped Phish-ing Line
Final challenge: analyse an email and discover the attacker’s objective.
# Section 8: SOC lv.1 Capstone Challenges
– Tempest
Windows OS challenge focused on logs, Sysmon, Wireshark and Brim.
– Boogeyman 1
Analysing the first attack attempt made by the Boogeyman group, focused on phishing, Windows logs, Tshark and jq.
– Boogeyman 2
Analysing the second attack, on an Ubuntu machine, focused on phishing and Volatility.
– Boogeyman 3
Analysing the last attack on a Windows machine focused on Sysmon and ELK.
# Conclusion
In terms of its structure, nothing new thankfully, in the sense that Try Hack Me always has a good amount of practice for each subject explained.
I think the challenges are more engaging, especially the Capstone section, where you have an enemy that keeps coming back…
It could also be because, with the knowledge gained, you can improve the security posture of your environment straight away, as I did with Snort for example.
The verdict therefore is very positive; there were only a couple of rooms that unfortunately were time-consuming, as RedLine was very slow, but that was the tool, not the path itself, and I’m still glad I was able to play with RedLine at the end of the day.
I’ll be honest; before I started the path I was planning, once finished, to go back to the red side, but since I enjoyed the blue team, I will double down with the “Security Engineer” path before embarking on the “Red Teaming” path.