Security Operations (SOC) 201

Take your SOC skills to the next level with our intermediate-level course focusing on incident response and threat hunting.

Training for a team or organization? Contact us about group access.


  • Difficulty: Intermediate
  • Duration: 25h
  • Access: Included in Membership

Overview

Security Operations (SOC) 201 is an intermediate-level security operations course designed to enhance your skills in detecting, investigating, and responding to complex cyber threats at scale. After establishing fundamental security operations knowledge and practical skills in SOC 101, the next logical step is to progress your career by applying advanced investigation methodologies and grasping the responsibilities of an Incident Responder and Threat Hunter.

The SOC 201 curriculum teaches analysts how to identify, hunt, and respond to real-world adversary tactics and techniques. With a practical, hands-on focus, the curriculum provides realistic scenarios where students investigate sophisticated threats across multiple systems, learning to detect and respond effectively in enterprise-scale environments. The course also integrates proactive threat hunting as part of a continuous detection and response cycle, giving analysts the mental models to identify active threats, uncover gaps, and feed insights back into investigative processes to improve future detection and response efforts.

Key Topics

  • Developing an investigator’s methodology
  • Incident Response
  • Threat Hunting
  • Data transformation techniques
  • Understanding and identifying anomalies
  • Evidence collection and handling at scale
  • Using PowerShell for Incident Response
  • Hunting and responding to advanced threats following MITRE ATT&CK TTPs
  • Incident investigation and root cause analysis

Live Training Available for This Topic

Looking to go deeper? This course aligns with upcoming instructor-led sessions covering real-world applications and guided labs.

Objectives

Develop a Methodology for Incident Response:

  • Develop a robust and reliable investigator’s mindset to approach incidents methodically.

Develop a Threat Hunting Methodology:

  • Learn industry-standard methodologies and tools for detecting, hunting, and responding to cyber threats across enterprise environments.

Perform Incident Response & Threat Hunting:

  • Gain experience performing incident response and threat hunting at scale.

Using the MITRE ATT&CK Framework to Investigate Events:

  • Learn to investigate and identify advanced adversary tactics following the MITRE ATT&CK framework, including execution artifacts, lateral movement, credential theft, living off the land techniques, persistence, defense evasion, command and control, and many more.

Investigating Security Incidents:

  • Investigate the root cause of security incidents by uncovering entry points and initial attack vectors and scoping the compromised systems.

System Requirements

To get the most out of this course and follow along with the labs, there will be times when you need to run multiple (2-3) virtual machines (VMs) simultaneously.

Your BIOS must have virtualization technology enabled, such as Intel VT-x or AMD-V.

Processor: 64-bit Intel i5 or i7, 2.0 GHz or higher.

RAM: 16GB of RAM or more is required to efficiently run multiple VMs.

Disk Space: 250 GB of free storage. SSDs are recommended for better performance.

Note: Apple Silicon devices cannot perform the necessary virtualization natively. Hardware with native x86 support is highly recommended.

Prerequisites

This course relies heavily on working with IR investigations and forensic artifacts, but does not cover learning basic analysis tools. It is strongly recommended to have taken or be familiar with the Security Operations (SOC) 101 material and its prerequisites, which include experience with:

  • Networking & Operating System Fundamentals:
    • Practical Help Desk (PHD) or equivalent
  • Security Operations Fundamentals
  • Network Traffic Analysis
  • Endpoint Security Monitoring
  • Log Analysis and Management
  • Security Information and Event Management (SIEM)
  • Familiarity with common Windows-based digital forensic artifacts

Recommended For

SOC 201 is designed for individuals seeking to advance their defensive security skills beyond foundational knowledge. Ideal candidates include those already familiar with core SOC concepts who are ready to develop expertise in investigating and responding to sophisticated cyber threats.

This course is well-suited for:

  • Tier 2 Security/SOC Analysts
  • Tier 3 Security/SOC Analysts
  • Incident Responders
  • Threat Hunters
  • Digital Forensic Examiners

Course Curriculum

  • Course Introduction
    • Course Introduction
    • About the Instructor
    • The Modern Adversary
    • The SOC 201 Methodology
    • Course Support
    • ✏️ Quiz – Course Introduction
  • Lab Setup
    • Lab Setup
    • Installing a Hypervisor
    • Installing Ubuntu
    • Configuring Ubuntu
    • Installing Windows
    • Configuring Windows
    • Installing Splunk
    • Configuring the Lab Network
  • Introduction to Incident Response
    • Introduction to Incident Response
    • The Incident Response Process
    • Incident Response: Preparation
    • Incident Response: Identification
    • Incident Response: Containment
    • Incident Response: Eradication
    • Incident Response: Recovery
    • Incident Response: Lessons Learned
    • The OODA Loop
    • Incident Response vs. Threat Hunting
    • ✏️ Quiz – Introduction to Incident Response
  • Introduction to Threat Hunting
    • Introduction to Threat Hunting
    • The Argument for Threat Hunting
    • Threat Hunting Teams
    • Threat Hunting Data Sources
    • The Hunting Maturity Model (HMM)
    • Cyber Threat Intelligence
    • The Cyber Kill Chain
    • The MITRE ATT&CK Framework
    • Exploring MITRE ATT&CK
    • Structured Threat Hunting
    • Unstructured Threat Hunting
    • MITRE ATT&CK Navigator
    • MITRE ATT&CK Navigator: Gap Analysis and Threat Hunting
  • Data Transformation
    • Data Transformation
    • Data Transformation: Searching
    • Searching in the Command-Line
    • Searching in PowerShell
    • Searching in Splunk
    • Data Transformation: Aggregations
    • Aggregations in the Command-Line
    • Aggregations in PowerShell
    • Aggregations in Splunk
    • Data Transformation: Statistics
    • Statistics in the Command-Line
    • Statistics in PowerShell
    • Statistics in Splunk
    • Data Transformation: Visualizations
    • Visualizations in Splunk
    • ✏️ Quiz – Introduction to Threat Hunting
  • Understanding Anomalies
    • Understanding Anomalies
    • Categorizing Anomalies
    • Masquerading
    • Ambiguous Identifiers
    • Frequency & Volume Anomalies
    • Temporal Anomalies
    • Location & Environment Anomalies
    • Structure & Format Anomalies
    • Obfuscated PowerShell Analysis
    • Entropy Analysis
    • Alternate Data Stream (ADS) Analysis
    • Absence & Suppression Anomalies
    • ✏️ Quiz – Understanding Anomalies
  • Dissecting Threat Reports
    • Dissecting Threat Reports
    • Breaking Down Attack Steps
    • Mapping Steps to Artifacts
    • Mapping Artifacts to Evidence Sources
    • Visualizing with MITRE ATT&CK Navigator
    • Intrusion Analysis Resources
  • Threat Hunting Lab
    • Tracing an Attack Chain
    • Hunting Execution Artifacts
    • Hunting PowerShell Execution
    • Hunting Cmd Execution
    • Hunting Process Trees
    • Hunting Persistence Artifacts
    • Hunting Persistence: Registry Run Keys
    • Hunting Persistence: Lookup Tables
    • Hunting Defense Evasion Artifacts
    • Hunting Command and Control (C2) Artifacts
    • Hunting C2: Ingress Tool Transfer (LOLBAS)
    • Hunting C2: Ingress Tool Transfer (File System Events)
    • Hunting C2: Ingress Tool Transfer (Network Connection Events)
    • Hunting Lateral Movement Artifacts
    • Hunting Lateral Movement: PsExec (Service Creation)
    • Hunting Lateral Movement: PsExec (Reversing Regex)
    • Hunting Lateral Movement: PsExec (Named Pipes)
    • Module Recap
  • Collection at Scale
    • Introduction to Collection
    • Introduction to WMI
    • Collection with WMIC
    • WMIC Collection and Filter Examples
    • Remote Collection with WMIC
    • Scripting WMI Collection
    • WMI Automated Collection Frameworks
  • PowerShell 101
    • Introduction to PowerShell
    • PowerShell 101
    • PowerShell 101: Cmdlets
    • PowerShell 101: Aliases
    • PowerShell 101: Objects and the Pipeline
    • PowerShell 101: Selecting, Sorting, and Formatting
    • PowerShell 101: Providers
    • PowerShell 101: Variables and Data Types
    • PowerShell 101: Control Flow
    • Working with WMI and CIM
    • ✏️ Quiz – PowerShell 101
  • PowerShell for Incident Response
    • Live Incident Response Using PowerShell
    • PowerShell Incident Response Cheat Sheet
    • PowerShell Remoting
    • PS Remoting: One-to-One Remoting
    • PS Remoting: One-to-Many Remoting
    • PS Remoting: Script Execution at Scale
    • PowerShell Authentication
    • Malicious PowerShell Usage
    • Introduction to the Kansa IR Framework
    • Kansa: Modules
    • Kansa: Remote Collection (Part 1)
    • Kansa: Remote Collection (Part 2)
    • Kansa: Collection Analysis
    • Collection and Analysis Challenge
    • Collection Analysis Challenge Walkthrough
  • Conclusion
    • Course Wrap Up

This Course Is Included in Your All-Access Membership

One membership gives you ongoing access to Security Operations SOC 201, every other paid Academy course, and an active community of learners and mentors in Discord.

Meet Your Instructor

Learn from industry experts with real-world cybersecurity experience.

Andrew Prince

Andrew is a seasoned and passionate security professional who brings a wealth of experience in areas such as security operations, incident response, threat hunting, vulnerability management, and cloud infrastructure security.

With a professional background in development and system administration, Andrew offers a well-rounded perspective on security strategy. Andrew also works across both offensive and defensive operations to provide a holistic approach to keeping people, processes, and technology secure. He is also active in developing Capture the Flag challenges, creating security training, and sharing knowledge through content creation.

Prepare for the Practical SOC Analyst Professional (PSAP) Exam

The PSAP certification will assess a student’s ability to identify, analyze, and respond to a realistic compromise scenario.

Pair the Security Operations (SOC) 201 course with the PSAP exam to validate your skills with a recognized credential.

FAQS

Common Questions

Here are a few of our most commonly asked questions. Contact us if you don’t find an answer!

Can I get a refund if I'm unhappy with my purchase?

Yes. All courses come with a 24-hour money-back guarantee.

Will I receive a certificate of completion when I finish a course?

Yes. All courses come with a certificate of completion.

Do the courses count as Continuing Education Units (CEUs)?

Yes. Every certificate of completion comes with the total CEUs earned listed on the certificate.

What is the All-Access Membership?

As of July 1st, 2023, TCM Academy transitioned to a monthly subscription model, where you now receive full access to all of the courses on our platform for as long as your subscription remains active.

What if you already own courses on TCM Academy?

If you already own a course on our platform, you will continue to own that course. Previously owned courses will not be affected by this change.

I can see the course, but it won’t load or play. What should I do?

We use Cloudflare to protect our course platform and unfortunately, it does not play nice with VPNs. If you are experiencing issues, turn off your VPN and try again. If that does not solve the issue, please contact our support team at support@tcm-sec.com and we will help you out.

This course is included in our All-Access Membership, starting at $29.99/month.

Get full access to this course and our full course catalog when you enroll in our All-Access Membership.

Ready to level up your Cybersecurity Career?

Get unlimited access to every TCM Security Academy course, hands-on lab, and certification pathway with an All-Access Membership. Learn at your own pace, build real-world skills, and take the next step toward a career in cybersecurity.