SOC 201: Course Overview
Security Operations (SOC) 201 is an intermediate security operations course designed to enhance your skills in detecting, investigating, and responding to complex cyber threats at scale. After establishing fundamental security operations knowledge and practical skills in SOC 101, the next logical step is to progress your career by applying advanced investigation methodologies and grasping the responsibilities of an Incident Responder and Threat Hunter.
The SOC 201 curriculum teaches analysts how to identify, hunt, and respond to real-world adversary tactics and techniques. With a practical, hands-on focus, the curriculum provides realistic scenarios where students investigate sophisticated threats across multiple systems, learning to detect and respond effectively in enterprise-scale environments. The course also integrates proactive threat hunting as part of a continuous detection and response cycle, giving analysts the mental models to identify active threats, uncover gaps, and feed insights back into investigative processes to improve future detection and response efforts.
Key Topics
- Developing an investigator's methodology
- Incident Response
- Threat Hunting
- Data transformation techniques
- Understanding and identifying anomalies
- Evidence collection and handling at scale
- Using PowerShell for Incident Response
- Hunting and responding to advanced threats following MITRE ATT&CK TTPs
- Incident investigation and root cause analysis
Prerequisites
This course relies heavily on working with IR investigations and forensic artifacts, but does not cover learning basic analysis tools. It is strongly recommended that you have taken, or are familiar with, the Security Operations (SOC) 101 material and its prerequisites, which include experience with:
- Networking & Operating System Fundamentals:
  - Practical Help Desk (PHD) or equivalent
- Security Operations Fundamentals
- Network Traffic Analysis
- Endpoint Security Monitoring
- Log Analysis and Management
- Security Information and Event Management (SIEM)
- Familiarity with common Windows-based digital forensic artifacts
System Requirements
To get the most out of this course and follow along with the labs, there will be times when you need to run multiple (2-3) virtual machines (VMs) simultaneously.
Your BIOS must have virtualization technology enabled, such as Intel VT-x or AMD-V.
Processor: 64-bit Intel i5 or i7, 2.0 GHz or higher.
RAM: 16 GB or more is required to run multiple VMs efficiently.
Disk Space: 250 GB of free storage. SSDs are recommended for better performance.
Note: Apple Silicon devices cannot perform the necessary virtualization natively. Hardware with native x86 support is highly recommended.
Course Objectives
- Develop a robust and reliable investigator's mindset to approach incidents methodically
- Learn industry-standard methodologies and tools for detecting, hunting, and responding to cyber threats across enterprise environments
- Gain experience performing incident response and threat hunting at scale
- Learn to investigate and identify advanced adversary tactics following the MITRE ATT&CK framework, including execution artifacts, lateral movement, credential theft, living-off-the-land techniques, persistence, defense evasion, command and control, and many more
- Investigate the root cause of security incidents by uncovering entry points and initial attack vectors and scoping compromised systems

Who Should Take SOC 201?
SOC 201 is designed for individuals seeking to advance their defensive security skills beyond foundational knowledge. Ideal candidates include those already familiar with core SOC concepts who are ready to develop expertise in investigating and responding to sophisticated cyber threats.
This course is well-suited for:
- Tier 2 Security/SOC Analysts
- Tier 3 Security/SOC Analysts
- Incident Responders
- Threat Hunters
- Digital Forensic Examiners
Security Operations (SOC 201) Curriculum - 25+ Hours
- Introduction to Incident Response (5:59)
- The Incident Response Process (14:04)
- Incident Response: Preparation (14:44)
- Incident Response: Identification (5:39)
- Incident Response: Containment (10:45)
- Incident Response: Eradication (6:05)
- Incident Response: Recovery (7:43)
- Incident Response: Lessons Learned (5:15)
- The OODA Loop (18:32)
- Incident Response vs. Threat Hunting (11:39)
- ✏️ Quiz - Introduction to Incident Response
- Introduction to Threat Hunting (8:58)
- The Argument for Threat Hunting (13:14)
- Threat Hunting Teams (16:55)
- Threat Hunting Data Sources (19:30)
- The Hunting Maturity Model (HMM) (20:00)
- Cyber Threat Intelligence (6:22)
- The Cyber Kill Chain (16:52)
- The MITRE ATT&CK Framework (15:05)
- Exploring MITRE ATT&CK (12:37)
- Structured Threat Hunting (16:01)
- Unstructured Threat Hunting (9:21)
- MITRE ATT&CK Navigator (21:48)
- MITRE ATT&CK Navigator: Gap Analysis and Threat Hunting (19:02)
- Data Transformation (5:36)
- Data Transformation: Searching (14:16)
- Searching in the Command-Line (19:19)
- Searching in PowerShell (27:29)
- Searching in Splunk (21:54)
- Data Transformation: Aggregations (9:24)
- Aggregations in the Command-Line (25:36)
- Aggregations in PowerShell (10:24)
- Aggregations in Splunk (34:43)
- Data Transformation: Statistics (9:38)
- Statistics in the Command-Line (22:04)
- Statistics in PowerShell (13:24)
- Statistics in Splunk (15:23)
- Data Transformation: Visualizations (5:00)
- Visualizations in Splunk (25:31)
- ✏️ Quiz - Introduction to Threat Hunting
- Understanding Anomalies (20:33)
- Categorizing Anomalies (1:11)
- Masquerading (10:39)
- Ambiguous Identifiers (11:13)
- Frequency & Volume Anomalies (16:14)
- Temporal Anomalies (14:53)
- Location & Environment Anomalies (14:25)
- Structure & Format Anomalies (16:16)
- Obfuscated PowerShell Analysis (6:34)
- Entropy Analysis (4:56)
- Alternate Data Stream (ADS) Analysis (19:26)
- Absence & Suppression Anomalies (7:57)
- ✏️ Quiz - Understanding Anomalies
- Tracing an Attack Chain (27:04)
- Hunting Execution Artifacts (9:46)
- Hunting PowerShell Execution (36:09)
- Hunting Cmd Execution (20:20)
- Hunting Process Trees (9:26)
- Hunting Persistence Artifacts (7:33)
- Hunting Persistence: Registry Run Keys (17:20)
- Hunting Persistence: Lookup Tables (27:30)
- Hunting Defense Evasion Artifacts (16:39)
- Hunting Command and Control (C2) Artifacts (7:40)
- Hunting C2: Ingress Tool Transfer (LOLBAS) (7:35)
- Hunting C2: Ingress Tool Transfer (File System Events) (12:57)
- Hunting C2: Ingress Tool Transfer (Network Connection Events) (4:21)
- Hunting Lateral Movement Artifacts (8:27)
- Hunting Lateral Movement: PsExec (Service Creation) (9:38)
- Hunting Lateral Movement: PsExec (Reversing Regex) (14:25)
- Hunting Lateral Movement: PsExec (Named Pipes) (4:12)
- Module Recap (5:46)
- Introduction to PowerShell (4:58)
- PowerShell 101 (1:55)
- PowerShell 101: Cmdlets (6:09)
- PowerShell 101: Aliases (6:45)
- PowerShell 101: Objects and the Pipeline (9:08)
- PowerShell 101: Selecting, Sorting, and Formatting (17:35)
- PowerShell 101: Providers (14:56)
- PowerShell 101: Variables and Data Types (19:49)
- PowerShell 101: Control Flow (22:35)
- Working with WMI and CIM (8:46)
- ✏️ Quiz - PowerShell 101
- Live Incident Response Using PowerShell (22:15)
- PowerShell Incident Response Cheat Sheet
- PowerShell Remoting (7:27)
- PS Remoting: One-to-One Remoting (11:32)
- PS Remoting: One-to-Many Remoting (16:56)
- PS Remoting: Script Execution at Scale (6:38)
- PowerShell Authentication (9:39)
- Malicious PowerShell Usage (9:26)
- Introduction to the Kansa IR Framework (10:38)
- Kansa: Modules (17:54)
- Kansa: Remote Collection (Part 1) (13:21)
- Kansa: Remote Collection (Part 2) (13:48)
- Kansa: Collection Analysis (26:15)
- Collection and Analysis Challenge (8:14)
- Collection Analysis Challenge Walkthrough (106:41)
About the Instructor: Andrew Prince
Andrew is a seasoned and passionate security professional who brings a wealth of experience in areas such as security operations, incident response, threat hunting, vulnerability management, and cloud infrastructure security.
With a professional background in development and system administration, Andrew brings a well-rounded perspective to security strategy. He also works across both offensive and defensive operations to provide a holistic approach to keeping people, processes, and technology secure. He is active in developing Capture the Flag challenges, creating security training, and sharing knowledge through content creation.
Social Media Links:
https://malwarecube.com/
https://www.linkedin.com/in/andrewjoeprince/


This course is included in our All-Access Membership starting at $29.99/month
Get full access to the Security Operations (SOC) 201 course and our full course catalog when you enroll in our All-Access Membership.