#soc-level-1-path
No. Unfortunately I'm still stuck. I've tried to input the information in many different variations and it doesn't really give me an answer except "this rule has been enabled" or "this rule has already been enabled". But nothing really happens after that. I am using the IP address from the sample, and I'm using the receiving IP addresses given in the sample as well to create a firewall rule. However, I'm not achieving anything by doing that.
Alright, in that case, when I get back home, you think we can hop on VC together?
Yeah sure.
Alright.
Think I'll just keep trying to figure this out. I kinda feel like I'm getting closer to an answer, but I'll be in touch if I need any more help. Thanks.
Gave +1 Rep to @lost olive (current: #686 - 8)
I can definitely tell you that it wants you to deny the outgoing traffic.
I'm back home now, we can hop on vc if you're able to
I'm enjoying the content and training material in the SOC lvl 1 path. The only thing that's consistently frustrating is forcing the Split View for learning.
Is there a reason why it's done this way vs letting us use rdp or ssh into the machine?
Also, I've only worked through the Network Security Section, so maybe this is not the case in later sections.
Do you have two monitors by chance? They have an option to make the attack box/machine IP full screen, which will open another browser window that you can drag and drop.
Usually there is an option to use RDP. Which room are you in?
Mostly Network Courses right now, Zeek and Brim
Sorta yes, I'm running a Linux VM so it's only on one monitor, but I could do two if I use Windows.
@quasi bough
He will be removed, thanks.
Gave +1 Rep to @dapper flame (current: #967 - 5)
Thanks to you
I have this issue in the KAPE room where I can't search targets and modules in the KAPE GUI application. I am using the browser VM. Can anyone help me get past this obstacle?
Evening all - anyone studying for SAL1
Try to ask somebody in the #cyber-and-careers channel.
anyone can support with SOC Level1 > Network Security and Traffic Analysis > Snort Challenge - The basics ?
anyone on? trynna get top3 in my league xD
task 6 what's the problem here. Don't seem to see it
You're on the right track. The hash and the report you opened match.
Of course, if you still have the problem :)
Is there anybody else in the snort room?
I am stuck in the Threat Intelligence Tools room, Task 7, where I don't see the downloadable file to check on VirusTotal.
What is the exact question you're stuck on?
Hi KGB, somehow I managed to get the answer. Actually, in Task 8 it says you need to download the file outside the VM, but there is no option to do so, so I was looking for that. But I managed with the SHA value.
Yeah, that is the equivalent of uploading a file, if you're referring to VirusTotal search.
Here
snort is hell
I'm building my own SIEM stack with Wazuh, Suricata, Sigma, maybe Zeek, and something more proactive for immediate response later on top.
Snort was just too filthy for me. I can always sniff with something more humane.
So yeah, the best way to learn is to build a stack in your home lab. It taught me a lot.
Makes sense. I have the same review for snort but got my hands on that later on
you can simplify so many things in cybersec. so much stuff is unnecessarily complicated.
"In software development, the rule of least power argues the correct programming language to use is the one that is simplest while also solving the targeted software problem."
100% true
I'm stuck on Sample5 in the https://tryhackme.com/module/cyber-defence-frameworks, Step for the Summit. Any guidance is much appreciated!
Have a look at the time frames in the log, and then go from there. Remember that the threat has evolved.
lmk if you need further help afterwards
Hi there! I have an issue in Yara room, more specifically working with Valhalla. This question: "Do the same for file 2. What is the name of the first Yara rule to detect file 2?"
When I copy SHA-256 to Valhalla I can see that the first YARA rule name is: "WebshellRepo_convert". Am I missing something or is there a bug? When typing the answer in, I am getting autofilled some extra underscores.
Oh, now I got it. However, I think the question is a bit misleading, or maybe it is because of my English?
What's the hash that you're using?
Oh, let me see if I still can get it somehow
You need to verify first; follow the instructions from the link below to learn how to do so.
That's the hash: 53fe44b4753874f079a936325d1fdc9b1691956a29c3aaf8643cdbd49f5984bf
I think what confused me is that the question is asking for the first YARA rule, which in this case is WebshellRepo_convert, but then I found out that it is actually asking for rule 1, if that makes sense.
Should be verified now
Can you provide a screenshot from the YARA run please?
Look at the dates.
ahh, right
Last two have the same date so try both
It makes sense now, haven't noticed the date there
thanks for the help
Anytime.
hello guys, anyone on this SOC path?
pre security > cyber security 101 > SOC LVL1 > SOC LVL 2 ???
Hi there! In the OpenCTI room in the Investigation Scenario, where I should investigate CaddyWiper malware. I should find answer to this question: How many malware relations are linked to this Attack technique?
Am I missing something here? (see screenshot)
Is the question asking about CaddyWiper or about Native API? The input should be 3 digits, so maybe Native API, but neither 149 nor 135 works.
Oh, got it...it is asking for the malware relations for Native API...which is a different number
Correct. Focus on Arsenal, then Attack patterns, instead of "Attack technique" in OpenCTI.
Quick question. I need to find out the number of attack pattern techniques associated with the APT. The group is called Tropic Trooper (https://mitre-attack.github.io/attack-navigator//#layerURL=https%3A%2F%2Fattack.mitre.org%2Fgroups%2FG0081%2FG0081-enterprise-layer.json). I know that used techniques are highlighted, but is there a way to quickly get a number of used techniques, or do I need to count them just by eye?
I am almost done with cybersecurity 101 and on this path
Ohh that's nice, might slide into your DMs, let's connect.
Completed investigating with Splunk, which room should i do next?
Follow along with that path.
https://tryhackme.com/path/outline/soclevel1
Hi everyone!
I'm Shashank, based in the UK and currently starting my journey into cybersecurity, with a strong interest in becoming a SOC Analyst (blue team side).
I'm here to connect, learn, share progress, and get advice from others further along the path. If you've got tips for getting into a SOC role or want to study together, feel free to reach out!
Looking forward to learning with you all!
I am a little confused by the 'Windows Event Logs' room, Task 4 'Get-WinEvent' (https://tryhackme.com/room/windowseventlogs). Question 3 states: "Execute the command from Example 8. Instead of the string Policy search for PowerShell. What is the name of the 3rd log provider?" I don't see any "Example 8". What is this in reference to? I only see Examples 1-3 in the task room. Where or what is "Example 8"? Also, Question 4 references an "Example 9". Again, I have no idea what this is referencing since I only see three examples on the task page.
Oh nevermind... I think this is coming from the examples in the https://learn.microsoft.com/ docs, not the examples in the THM task room itself..
Welcome Shashank.
Everything ok now?
Yup. I figured it out. Thanks!
Gave +1 Rep to @quasi bough (current: #1 - 5272)
Hi..
Hello everyone. I started in this sector recently. I need a study partner, more like a learning partner. I am doing the THM SOC path and also doing ISC2 CC, so it would help if anyone is starting like me and would love to study together.
Does the soc-level-1-path have any lab practice?
It has a few
Hey, I have also completed my basic foundation; now I have started the SOC L1 path. I am up for a partner, dude.
I'm going over SOC1 also these days.
You are a god for me rn bro. You are the best helper here.
I saw your LinkedIn post btw, it was dope. The THM profile one.
Well, thanks for those words.
Gave +1 Rep to @hexed nexus (current: #1927 - 2)
Hey guys, I'm in the SysMon room in the SOC Level 1 > Endpoint Security Monitoring Pathway. For Task 4, Q2...
This command in powershell
Get-WinEvent -Path C:\Users\THM-Analyst\Desktop\Scenarios\Practice\Filtering.evtx -FilterXPath '*/System/EventID=3' | Measure-Object
Returns 73,591, the correct answer for the question.
But going through event viewer and filtering for event id 3 returns 74,970.
Anyone know why this is?
Also I'm not sure if I should've sent this to Room-Help.
Hey, I just started doing the SOC path 1; I would like to have someone with me whom I can study along with.
Hey everyone, I have a question from the first part. Why did the malicious person leave a message when I blocked his IP address on the firewall? I don't know if this is something which usually happens or if it is just for us to complete the lab and give an answer for the question, like a Capture the Flag.
That's just for example purposes for this lab.
Thank you, I thought that when we block an IP address in the firewall we usually get a message from the blocked person like that.
Hey, does anyone know the correct order for the last task in the Cyber Kill Chain?
What do you think it is?
Yeah, I figured it out, thank you.
Hey guys, does everyone have TryHackMe premium?
I personally don't yet; I am new to the site so I'd rather see before spending money to learn more. Why do you ask? I'm curious.
I was doing SOC Level 1 and after the Cyber Kill Chain, it asks to get premium for access to the rest of the modules in the path.
I am also new to TryHackMe, so I don't know how this works. Am I supposed to get premium before continuing, or is there any way to access the rest of the modules without getting premium?
You need to be a premium user to access that room.
Hi guys! Quick question. I am working on the "Writing IDS Rules (Torrent Metafile)" room. Question: "What is the name of the torrent application?". When I read snort.log, I can see in the log the application name is "x-bittorrent". However, it gave me a wrong answer, when I am submitting it. Am I missing something?
Ahh, ok. Found out what the answer should be. A bit misleading, but whatever :/
That is part of the Content-Type header; look under the Host header instead.
What do you mean? I thought application/x-bittorrent should be enough? I just didn't know I should exclude something from it.
That's a content type; it's not the name of the torrent client.
Right, but the question is asking for a torrent application, so why not look at application/x-...?
Because that's a content type, not the actual name of the application. Good places to look for the name can be the Host header, POST body, Referer header, ...
ok, thanks! :))
Gave +1 Rep to @quasi bough (current: #1 - 5422)
This should be specified in the local.rules file, right? Depending on what I want to look for, i.e. Host header, POST body, etc.?
Hey, in the Pyramid of Pain module, what should I do in the Domain Names section?
Cuz I faced this issue but did not understand the question tbh ):
Ah I think I got it maybe using virus total to see the directed website okay
yep it worked xd (:
I guess I'm a type of person who ask in dis to know what is this HAHHAH
Add + at the end of the URL to see the real one.
Well, I was doing well and really enjoying the SOC1 path, until I did Friday Overtime. I found that so difficult. I feel like it is way above my current capabilities. Is there anything else I should be looking into for more practice on these types of rooms? It hit me out of the blue, this one!
First time I guess I felt way out of my current depth!
I know there are plenty more of those moments to come ...
Hi there, anyone here can help me with this error message?
I am trying to run the zeek with given pcap file and run with the signature file
I've tried to restart the VM too, but no difference
Copy the URL to your web browser, paste it there and load it. Copy the link it opened and paste in the answer section
Don't give up man, we keep pushing regardless. Anyways, let's get used to doing difficult things as these are the things that will build us to become better defenders
Hi everyone,
I'm currently working through the Splunk 201 section in the TryHackMe SOC Level 1 room, and I've hit a bit of a challenge. The jump in difficulty from the previous Splunk material feels pretty steep: the queries are more complex, and there's a lot of new information to take in.
I've been taking handwritten notes, which worked fine up to this point, but now it's getting harder to keep everything organized and retain what I'm learning. I'm starting to feel a bit overwhelmed and not as confident moving forward.
I currently have a SOC job, and I find a lot of these tasks difficult. You are not alone, but don't give up.
Thanks @somber chasm . By no means giving up 
Gave +1 Rep to @somber chasm (current: #2995 - 1)
Hello everyone, I just joined the platform and I need study partners for my SOC1 path. Currently on the Network Security and Traffic Analysis module (Snort room).
Ah, never mind, I did not edit the sig file. All good now.
Hey, I'd love to have a study partner as well. I am currently a bit ahead of you, doing Zeek. However, I can help you with Snort if needed?
Can anyone guide me with this question: "Investigate the dns.log file. Filter all unique DNS queries. What is the number of unique domain queries?" In the Anomalous DNS exercise in the Zeek Exercises room.
I know I need to zeek-cut the query parameter from the log, I am also piping sort -nr and uniq, but I am getting a huge number as result...the answer should be 1 digit only
Here's my command: cat dns.log | zeek-cut query | sort -nr | uniq | wc -l
Thank you for your response. I am so glad to have someone to help me. I am currently on Snort Challenge - The Basics and it seems like every answer I type in there is wrong. I am a bit lost, please help.
Gave +1 Rep to @humble tendon (current: #3000 - 1)
what is it you don't know?
What is the destination address of packet 63?
when i use the destination ip in the log file it says the answer is wrong
are you using -n parameter in your snort command?
yes please
It's the IDS rules (http) room, right?
yes
Let me have a look ๐
hmm, ok it worked for me. How does your local.rules file look like?
alert TCP any 80 <> any any (msg: "Task 2"; sid: 1000001; rev: 1;) and alert TCP any any <> any 80 (msg: "Task 2"; sid: 1000002; rev: 1;)
try using one liner: alert tcp any 80 <> any 80 ...
also what is the output you're getting when you are trying to display the 63rd alert from the log file?
Basically, I think the local rule you have is fine, but there might be an issue having it as 2 lines/2 different rules, so I'd try doing them in one line as I proposed and see if that changes anything.
did it help?
Can anyone help me with the same issue as this one above?
I get the destination IP but the answer is incorrect
Can you show me the output of the log file you're getting?
That is also the problem: I do not see the log file being created.
What is the command you're using to read the file with the local rules?
If I just do "sudo snort -c local.rules -r mx-3.pcap -n 63" I see the 63rd packet but the ip is not what the answer is accepting
I have tried appending "-l ." but it does not create a log file
try doing: sudo snort -c local.rules -A full -l . -r mx-3.pcap
I have run that as well but a log file does not get created
what do you see when you ls?
to read the 63rd log, you don't need to run sudo snort -c local.rules again, u just need to do sudo snort -r <log_file> as you just want to read the log file and of course use -n 63
This is after I run the command
try cat-ing 63 log from alert
are you sure your local.rules is correct?
looks good to me
The first issue i am trying to figure out why the log file is not being created
what happens when you run this command: sudo snort -c local.rules -A full -l . -r mx-3.pcap
Don't you get an output with how many things it created?
you should get 164 alerts, right? From the previous question
you're missing . in the command, no?
before -r, I think that's why you didn't get log file generated
Hello everyone!
I got stuck at Snort Task 5. tcpreplay failed for some reason. What am i missing?
That is a terminal window sizing issue. i have the "." after -l with a space
Hm, then I have no idea why you're not getting the log file created :/ Maybe someone more experienced could answer this eventually.
I appreciate your help!!
So please try using this rule instead: alert TCP any any <> any 80 (msg: "Task 2"; sid: 1000002; rev: 1;) and run Snort using this command: sudo snort -c local.rules -A full -l . -r mx-3.pcap. When it is done, do ls to see if you find any log file created.
I followed your advice using the one-liner alert and it worked, just that mine was a bit different: alert TCP any any <> any 80 (msg: "Task 2"; sid: 1000002; rev: 1;). Thank you for all your help.
Glad I could help a bit, and also glad you were able to get it working yourself as well!
Still don't see the log file.
After a few restarts of the machine I was able to see the log file. Thank you @marble laurel @humble tendon !!
Gave +1 Rep to @marble laurel (current: #3002 - 1)
Have you solved this? I got stuck here too.
I need help on this please.
Any tips on getting into cybersecurity? I'm currently thinking of either taking the Google Cybersecurity or IBM Cybersecurity Analyst courses, and after finishing one of them I want to try to get my CompTIA Security+ certification. Any tips on which course would help more?
Maybe you can get a better answer to your question in #cyber-and-careers, as this channel is more focused on a specific path.
Is this a bug?
I know I entered more info than this, and it's also telling me it's incorrect and correct at the same time.
Hi, I would like to at least get a job as a SOC analyst level 1. But I don't know which tools to learn or certs to focus on. I would really appreciate anyone enlightening me on this. Much love from Vietnam.
For career/certification advice, ask the guys in the #cyber-and-careers channel. This channel isn't as active.
Thanks. Will do so
are you guys like beginners
How do you do to not give up on Task 2 'Snort Challenge - The Basics https://tryhackme.com/room/snortchallenges1 ? It is annoying now. It is supposed to be the "Basics". Please, @fast prairie and @quasi bough what do you know about this task that you can share with us without revealing the actual answer?
I got correct the first two items 1. Rule to detect all TCP packets from or to port 80, and 2. Destination address of packet 63.
Can you provide some screenshots? What is your rule?
Hi. This is my rule ' alert tcp any 80 <> any 80 (msg: "TCP packets to or from port 80 detected"; sid: 100001; rev:1;) ' I do not have the screenshots because I terminated the machine. I am ready to go to bed. It is already midnight here. Thanks for reaching out.
Gave +1 Rep to @quasi bough (current: #1 - 5641)
Shoutout to the people behind the Wireshark Traffic Analysis room, the documentation is put together so well
can i have the link of that room? i wanna try it
Here you go.
https://tryhackme.com/room/wiresharktrafficanalysis
Can you provide some screenshots please of what happens when you run Snort?
Still working on it too.
With tcpreplay, just reset the VM. I waited 24 hours and it worked.
But I still can't reproduce it as the task does in the examples.
You need to verify first; follow the instructions from the link below to learn how to do so.
thank you
Gave +1 Rep to @quasi bough (current: #1 - 5653)
This is the 4th time I'm restarting the machine. No VM window opens; it's just stuck on the countdown timer. What do I click to open my VM window to complete this assignment?
It shouldn't open in split view; click on the link provided in the task to access the machine.
Hello @quasi bough
Been a while. I can see you are a Mod now. Well deserved.
Thanks.
Gave +1 Rep to @weary dew (current: #3036 - 1)
Visit MITRE page for technique from question 2
https://attack.mitre.org/techniques/T1078/004/
Gave +1 Rep to @quasi bough (current: #1 - 5659)
Hi @quasi bough . Thanks for reaching out. I managed to solve item 3 of Task 2 for 'Snort Challenge - The Basics' by using the Hexadecimal number. It gave me a hint that can be useful for others, the ACK number is the same for both packet 63 and packet 64. I hope it is not a spoiler.
Gave +1 Rep to @quasi bough (current: #1 - 5663)
It was an issue on thm side should be working fine now
Thank you
Gave +1 Rep to @quasi bough (current: #1 - 5685)
Hi everybody. I am still stuck in the room 'Snort Challenge - The Basics', this time with Task 3. Neither of the two-digit numbers I get matches the answer for the question about 'failed FTP login attempts'. I am not giving up yet. I do not know if any of the commands in the snapshot is unsuitable for this task. Does anybody know anything about it?
Hi ProbaN you can try this to see if it would work
alert tcp any 21 -> any any (content:"530 "; msg:"FTP Login Failed"; sid:1004;)
Can you provide a screenshot of what happens when you try running the Snort command?
Hi, I would like some help with the Sysmon room. When I try to start Sysmon using the command provided, "Sysmon.exe -accepteula -i ..\Configurations\swift.xml", it says failed to start the service, even though I am trying from PowerShell as Admin.
Hi,
Thanks for your help. I will be busy with other matters for approximately the next 30 days.
I will retake the rooms here in THM on 25 August. I will post any updates here by then.
Gave +1 Rep to @marble laurel (current: #2002 - 2)
Hi,
Thanks for reaching out. I will be busy with other matters for approximately the next 30 days.
I will retake the rooms here in THM on 25 August. I will post any updates here by then.
Ok, feel free to reach out whenever needed.
hello
Hello, does anyone know why Thunderbird won't work? I try to sign up and it won't work. I am referring to the Threat Intelligence Tools room.
You don't need to sign up, just close that window.
Hello. For the first question in Task 2 of the "Snort Challenge - The Basics" room, I got the right answer by writing a rule to match any source and destination IP address and port, but how come that's the case if they asked "to detect all TCP packets from or to port 80"?
Hello, I need your help on the arrangement of these items in the kill-chain:
- exploit public-facing application
- data from local system
- powershell
- dynamic linker hijacking
- spearphishing attachment
- fallback channels
What's your idea?
- exploit public-facing application- exploitation
- data from local system- actions on objective
- powershell- installation
- dynamic linker hijacking- weaponisation
- spearphishing attachment- delivery
- fallback channels- command and control
You're close, but DLL linker hijacking is a common privesc technique; we use it for exploitation of the system. Also, we will use PowerShell for weaponization since it is a tool with which we create our initial payload.
Switch those two
Okay, thanks. But where does "exploit public-facing application" belong, installation?
Gave +1 Rep to @quasi bough (current: #1 - 5742)
hey, this is happening to me too
Hmm
Looks like an initial access technique.
It is just saying to detect all packets from port 80 for source and destination, so just use port 80 in source and destination while making a rule. You will get your answer.
How do i share a screenshot on here?
You need to verify first; follow the instructions from the link below.
Hey, does anyone know if it's normal to feel a little bit lost with the Intro to Cyber Threat Intelligence room? I've been following the path in order (and did the Cybersecurity 101 path before this) but I feel like I missed something somewhere, because I'm kinda lost once Task 3 got to the scenario.
Yeaaah, I'm extremely lost now. This room was making plenty of sense but once it brought up the scenario in task 3, I feel like I missed a room or two somehow... might just call it for the night, honestly
Decided to try watching a video walkthrough on "Intro to Cyber Threat Intel" in hopes that it'd help me focus a bit more on the scenario, but it looks like the room has been changed since this video came out ~1 year ago? The text in the tasks is completely different from what's there now.
Maybe this is why I was so confused; the room had to have changed in the last week or so, because I only took a few days off from learning and the earlier tasks have completely unfamiliar text in them. It's like a Mandela effect or something... going crazy.
Mate, it's totally normal to feel lost doing anything
On THM
If you're not lost at some point, you're not learning.
I have a friend on here who I will bring in to this community he is really good and can help us
I just realised this group is massive with loads of resources and people like 0day he is really cool that guy is an inspiration
Hey, is the site not working? My machine is having issues loading.
You can start learning here
https://tryhackme.com/resources/blog/free_path
Quick question, with STIX (Structured Threat Information Expression), the current room says it's a JSON format for describing threat context. Does that mean I'm going to want to learn JSON? I know what it is and I know very basic web development tools/formats/languages/etc but JSON is beyond what I know at the moment
And man, I've tried on four separate days to get through the Intro to Cyber Threat Intel room and every time, I get to Task 3 and start zoning out. As I mentioned elsewhere, I'm understanding the concepts, but this practical scenario makes me feel like I've missed something, somewhere.
Hello guys! Hope you're doing well.
I'm stuck on the ItsyBitsy room; Kibana is just not loading. I tried multiple times using the VPN and AttackBox, but I get the same message: "Kibana server is not ready yet".
I've also recently got into the SOC level 1 path and am also finding it hard to stay focused.
It just seems very verbose and a lot of technical words which I'm unfamiliar with I guess. I got through the frameworks and just completed the Intro to Cyber Threat Intel, but yh a lot of re-reading due to zoning out and most of it just not entirely going in. Just hoping the important content sticks when I actually start having to use it
Exactly my issue. It could be because I learn best by doing, and second-best by watching other people do it (a la videos), but yeah, the sheer verbosity of it all definitely is challenging to follow. I'm hoping that doesn't bode negatively for my future with blue teaming.
I usually take notes it helps. I also use the pomodoro method to stay focused. I block out 30 minutes to work ( I usually have brainwave music on) and then I take a break for 15 minutes. I hope this helps. I am almost done with SOC 1, currently at the summit.
Appreciate the tips! I take notes in Obsidian but generally copy-paste sections of interest, or else it'd take me forever to get through a single room. As for Pomodoro, I've heard some about that but haven't looked into it; I'll definitely be checking that out during my studies for the ISC2 CC and other certs! Music-wise, I go for ambient stuff like instrumental post-rock, as it tends to help me focus. Hadn't considered doing the blocks of time, though! Thanks again, will definitely try some of these!
Gave +1 Rep to @snow belfry (current: #3078 - 1)
Hello everyone!
Guys, can I 100% complete the SOC path if some modules, like the capstone challenge, contain SOC Simulator rooms?
You will get the certificate even if you don't go through those simulations; those are optional.
Thank you.
Gave +1 Rep to @quasi bough (current: #1 - 5825)
Hello, I'm having issues with a stable connection to the server in the network miner room. The room crashes on me and goes slow at other times.
In the Yara room, did anyone else notice how the room says "you're not expected to use this tool in this room" when talking about Loki, yet you're definitely required to use it on several occasions?
Hello, can you help me with the Practice Analysis of the Cyber Kill Chain?
Hello, I'm doing the TryHackMe Windows Event Log room, Task 5. Can someone tell me what's wrong with this?
get-winevent -logname security -filterxpath '*system/provider[@name="wlms"]' and '*system/timecreated[*2020-12-15T01:09:08.940277500Z"]'
It seems right to me but it won't fit in the answer.
Can you please verify and provide a screenshot of your issue?
I am starting the SOC Lv1 path; if someone wants to join me on the journey they can DM me.
Having problems verifying account
Which problems?
The issue has been solved.
Hey everyone!
Hope you're all doing great!
I've recently started studying for SOC Level 1 and right now I'm exploring the Unified Kill Chain module, super interesting stuff so far!
I'd love to connect with others who are also getting into cybersecurity or already on this journey. Let's learn together, share insights, and support each other along the way.
Feel free to reach out, let's grow in this field together!
Room/Azure ||should be free|| why when clicked it directed me to ||pay for premium||
Didn't see anyone post about it in August, but the CTF in Cyber Threat Intelligence, Friday Overtime, appears to be broken. The VM returns a 502 Bad Gateway upon opening.
That means that the service isn't up yet. Please allow it at least 10-15 min to fully boot up. Press F5 from time to time to refresh the page and see if it's resolved.
Thank you, comrade.
Gave +1 Rep to @quasi bough (current: #1 - 5866)
Can you explain how to do the test " Summit" of Cyber defence frameworks
In the "Sysmon room" I'm supposed to copy that into the answers, but it's impossible to copy anything. Is it normal? Is there any way to copy?
Hey guys, I started this path a week ago and I finished the Intro to SOC and Pyramid of Pain. Is anyone on the Cyber Kill Chain? If so, how is it going?
:/ unfortunately there is not on this machine
Try with Ctrl+Shift+Alt
How does it go for you?
Ohhhhh, thank you sooo much!! Yes, it works with Ctrl+Shift+Alt
Gave +1 Rep to @quasi bough (current: #1 - 5892)
Hi guys
Can someone help me? Why is my Snort not generating alerts and logs?
I can't attach an image.
sudo snort -c /etc/snort/snort.conf -v -A full -l /var/log/snort
The above command runs Snort, but it will not generate an alert and log file with data inside.
"sudo snort -v -A full -l /var/log/snort -c /etc/snort/snort.conf" is another command that I ran to capture the traffic; unfortunately the alert file and Snort log are not being generated. Pls help.
I can't upload a photo.
All good now. I need to create a custom rule first before an alert will be generated.
Hi community! I have an issue with the last question in this room: tryhackme.com/room/fridayovertime. Even though I found it, it says it's the wrong answer. What do I have to do?
Damn, Redline is killing me with the Attackbox/RDP
hey yall I'm decoding a base64 pdf but it seems like I have the wrong format, can someone help?
What room are you working on?
Nvm, I worked it out; it was phishing emails and I just needed to convert from base64 to PDF.
Hello everyone, I hope you're doing well.
I'm working on this room, but I've run into some issues with question 2.
Is there someone who can help please?
The malware file, as you can see when scanning it, is trying to make a connection to its own server to control the system, at the IP you can find in the scan. So to stop it you have to put in a firewall rule that blocks the outgoing traffic (egress) to that IP, so that the malware can't connect to the attacker's IP.
I see, I see, thank you so much.
Gave +1 Rep to @teal vector (current: #3157 - 1)
No problem!
Anyone had issues with SOC Simulator please do give tips on how you resolved the white screen error when selecting alert queue tab
https://tryhackme.com/soc-sim/alert-queue
Good day everyone, I was doing this exercise and after filling all the answers. The response is saying " At least one of them is incorrect".
And I got them right. Pls help
This exercise is under Cyber Kill Chain and it is the last exercise to be done there.
Hi, did you succeed?
Can you provide a screenshot of your list please?
Same
Hi!
I tried to run it later the same day and it started.
Hi everyone, I'm having trouble with the VMs in the Firefox web browser. I load up the VM (Windows VMs exclusively, for some reason) and it keeps right-clicking without me right-clicking, leading to me being unable to use the VM properly.
I'm not sure why this happens, or if it's even on my end; I would be happy to get some help from anybody.
Thanks guys, good luck!
It is the TryHackMe UI right-click, not the normal Firefox right-click, if that makes sense. The glitched right-click only shows "paste", whilst the Firefox right-click allows me to copy, search with Google Gemini, etc.
I feel like maybe I should submit a ticket.
From what I've read, a few people have had the same issue; you either need to switch browser, use full screen or interact with the machine another way, like SSH/RDP.
Exactly! I usually SSH into the machine whenever I have issues.
Hey everyone, I'm currently working on the Benign room in the SIEM section and was wondering if anyone who is experienced and has done the room already could possibly meet up and go through the room with me. After doing the Investigating with Splunk room, I had to Google a lot for help, because I was unaware of how to really search for things and didn't know what each event ID classified as.
I'm trying to build up the skills and knowledge to know how to navigate and what to look for when trying to answer these questions, instead of just searching for the answers on Google.
Hi everyone,
I've just started the SOC Level 1 path on TryHackMe, but I feel a bit lost. I'm not sure if this is the best place to start, or if there's a better path for beginners. Could anyone guide me on the right starting point? Any advice would be really appreciated!
Also, I'd love to hear how you started your own journey on this path. Any advice would mean a lot!
Maybe check the THM roadmap: https://tryhackme.com/hacktivities?tab=roadmap
Hello, I am solving SOC Level 1,
Osquery: The Basics.
I am stuck on task 5 question 5. Its correct answer is "Wireshark 3.6.8 64-bit" but there is no space to type "bit". I also tried "x64"; it does not work.
And also in task 6 question 4, its answer is 214 but it is not accepting it.
Can anyone help me please?
Hi, the answers don't get accepted because they're wrong. This vid from John Hammond should help: https://youtu.be/YpmGZseJbJY
I have the same problem and the vid did not help me with this problem. I think it's a problem from THM.
I just did the Summit room's challenge and all I can say is WOW!! Is that what a real-life SOC looks like? Daunting but absolutely interesting!!
Hey Guys,
Last question in the Sysmon room: "What C2 is the adversary utilizing in Investigation 4?" I got the answer correct; it was the name of something that couldn't really be avoided when working on another question (trying not to spoil anything). I don't know if I arrived at the right answer correctly, though, as I just saw the name. Is there a way to identify C2s in Event Viewer with Sysmon?
Hi, is anyone familiar with the Monday Monitor room? Is there supposed to be a split-view VM? Because when I start the machine no split view shows; check out the attached pic. Thanks.
I think in cases like this you are meant to navigate to a certain URL where you carry out the assigned tasks, just like the Summit room under Cyber Defence Frameworks.
Is anyone facing the same problem in OpenCTI where the target machine isn't producing an IP address?
Are you using the THM AttackBox or THM VPN?
The screenshot shows my experience with starting the target VM for that room, using the THM AttackBox.
I use Firefox and have the same issue. For the Windows machines, RDP into them; it's so much better and honestly pretty easy once you have set up the THM VPN.
No, you're supposed to click on a link from Task 1.
Hi, the Velociraptor app (SOC1 path) isn't starting. Does anyone have the same problem? I have started the Velociraptor server in the terminal, opened Chrome and clicked the Velociraptor link. Then I added the creds and it's loading, but no login is possible. Please help.
It took a while for me, but all the steps from Task 2 ended up as per the screenshot.
However, there was no shortcut for Velociraptor after opening Chrome, hence I used the Chrome history.
Thanks for retesting. The server started but the app was loading for roughly 10 mins and then there was a Chrome error message, e.g. not responding, site can't be loaded. I am gonna try it again later...
Gave +1 Rep to @hushed wedge (current: #9 - 987)
Testing the Velociraptor VM again:
16:30 MESZ
- start: aborted!
- start: aborted!
- Start: starting - ok! Then: instance termination.
"Unfortunately, your instance has been automatically terminated. Please re-start a new one. To learn more about why this happens, please refer to." - Followed the instructions on the info page for Instance Termination. Deactivated all Firefox plugins!
New start: yep, running! 16:56, 17:11 instance termination.
It's impossible for me to use this VM.
I followed the rules from the info page for Instance Termination and deactivated all my Firefox plugins; no success.
Please fix all the SOC1 VMs.
What is your Server Region under Profile > Manage Account > Account Details?
Do not confuse it with Access via OpenVPN, though.
EU-Regular-2
That is about VPN, not your Server Region (either Europe-Ireland or US-East (Virginia)).
Yes, Europe/Ireland.
Thanks, Europe is just like for me.
Sometimes I have the impression there are more problems with VMs dying in US-East than in Europe.
All I can see right now is that sometimes Velociraptor works and sometimes it does not, and I do not know what to do about that.
Maybe you want to take up the offer from Blackout (THM Staff) here: #site-support message
Otherwise, you have the option of turning to THM Support, which works by email.
Gave +1 Rep to @random osprey (current: #2105 - 2)
OK, thanks for the help and the info so far.
Gave +1 Rep to @hushed wedge (current: #9 - 992)
Hello, I'm unable to run the traffic-generator file in the Snort room. When I run the file and select an action, the terminal gives the error:
Error constructing proxy for org.gnome.Terminal:/org/gnome/Terminal/Factory0: Error calling StartServiceByName for org.gnome.Terminal: Timeout was reached
Yo, for info, I had the same problems with the Velociraptor VM, shutting down after a few minutes, even after disabling add-ons with Firefox or Brave. Then I changed the location setting from EU to US; since then, it's working so far.
To the admins: please update this room (threatinteltools), as the domain for that IP has changed. I had to look at someone's previous work to get past that point.
I apologize if this has been covered already; I do not get on this Discord frequently anymore.
How is it possible to get a certificate of completion for the course if THM charges $1200 to use the three SOC simulator labs?
You can do Phishing Unfolding, but Hooks, Upload and Black Cat all require an advanced sub.
Am I doing something wrong, guys?
The answer format is a single digit but the word count for strings says 627.
Is it asking for the count of all strings or the number of strings that were flagged?
By "advanced", like a business plan or something similar?
You need to find all the matched strings.
It asked how many strings were used to flag the file, not which string was used.
Hi everyone, I'm stuck on Pyramid of Pain task 4, last answer: "Provide the redirected website for the shortened URL using a preview: https://tinyurl.com/bw7t8p4u"
Nvm, I found it.
Yes, the $1200 plan.
Hmm... I haven't done the path myself so I can't say for sure. However, there is a plan to make the SOC simulator available to regular subscribers.
Thanks, I got it sorted.
Gave +1 Rep to @native viper (current: #2118 - 2)
I don't think this room is working properly: Threat Intelligence Tools.
The Thunderbird Mail app is not working at all.
This room should be looked at; task 6 needs to be updated.
Hey
Hey
I'm on SOC Level 1, but unable to solve the last part of the Cyber Kill Chain.
Can anyone help out?
Add each item on the list to the correct Kill Chain entry form on the Static Site Lab:
exploit public-facing application
data from local system
powershell
dynamic linker hijacking
spearphishing attachment
fallback channels
Also in the MISP room, I'm unable to open the VM.
There appears to be an error there.
Hey, I have that difficulty also, so there is nothing wrong with what I did??
Anyone else facing issues while accessing VMs?
looool
That room is not updated; you will have to Google for the correct answer because that IP is already on another domain. That just happened to me.
Can you confirm if this is working for you or not? https://mitre-engenuity.org/
How are you? I would like someone to help me learn how to answer the questions. I always get error messages saying that I am not respecting the rules.
Hey. I just got the error 'The connection for this site is not secure'.
Hey everyone ! Happy to be part of this group!
I just got to the Snort room. I'll let you know if I encounter any challenges and the steps I took to fix them, if I can.
Hello everyone, I was in the Windows Event Logs room and got stuck on the first question. The question is: "What is the Event ID for the earliest recorded event?" I sorted the events, but I still got 4104, which seems to be wrong. Has anyone else faced a similar issue?
Anyone?
Hey there, I just concluded task 2 and the instruction was to run a shell script in a given directory. I did not encounter any errors in the process, but if you can be specific about the issues you faced, I may be able to help.
Holy shit, I can't do this anymore. I need some help.
In the MITRE room, Task 4, last question:
"Which Detection ID would you implement to monitor suspicious cloud logon activity in your organization's environment?"
What is the answer?
Because...
AN1503
AN1504
AN1505
AN1506
DET0546
T1078
T1078.004
These are all wrong.
I may be stupid.
But it's the only question left; I've been stuck on this for almost 1 hour now.
Same situation I'm in... the answer should be det0546, but it's not accepting it. Possibly a bug with the THM platform?
Yes, I've been stuck on it for the last hour.
Have you found any solution to it?
No.
Even tried asking ChatGPT.
I also looked at some walkthroughs from other people but they just didn't have the question.
AN-1206 - Suspicious Cloud Login
OR
AN-1207: Suspicious Cloud Logon (Valid Accounts: Cloud Accounts - T1078.004)
Based on ChatGPT, but it's not accepting either one of them.
Update:
It also could be: "Behavioral Detection of Remote Cloud Logins via Valid Accounts" based on the enterprise level.
AN0017, AN0018, AN0019, AN0020, but it's not accepting these either.
I have the same problem. Last open question.
Now I've tried every group's activity that contains anything with "cloud"; no Detection IDs worked.
Yeah, I have tried everything too, Gemini and all, but I think it's some bug.
Cuz it's asking for an answer in English.
@vagrant ledge @astral cedar @normal kettle, can anyone from the original creators of the room give us a hint?!
Yeah, and also this question is new too, cuz it's not in old walkthroughs either.
It's fixed, guys.
Easy to find now; idk if I'm allowed to post the answer here.
2+ hours of trying and then it was actually a bug, damn.
Apologies for the confusion. The room was updated today, and it seems MITRE recently (in the last couple of days) deprecated the previous DS series of Data Sources, which the previous question and answer were based on. It has been updated to reflect the new Detection Strategies DT. Thanks for the info.
Thanks, it's fixed now.
Gave +1 Rep to @astral cedar (current: #149 - 64)
Thanks for the update, Ryla. And how about those bugs in the Windows Event Logs and the Sysmon room? Are they fixed as well?
Gave +1 Rep to @astral cedar (current: #146 - 65)
Hello everyone, I am taking the SOC Level 1 course. I have a question: in the SOC Level 1 classroom, when I complete all 9 rooms in SOC1, will I be provided with a certificate of completion of the SOC Level 1 classroom, or do I have to register for the final certificate exam in that classroom to complete the room?
You're gonna get your certificate of completion after you finish those rooms. Then you can buy the SAL1 certificate if you want.
So I will receive a certificate of completion of SOC Level 1, because I saw that when I studied, at the end there was an additional part to take the SAL1 certificate exam. I was afraid that if I didn't take that exam, they wouldn't issue the certificate of completion of SOC Level 1.
Yes, you can get it after you complete it.
The SAL1 is just there. When you finish up the rooms you get an email saying you can continue with the SAL1.
Hi! I'm on Snort Challenge - Live Attacks now. I'm kinda burnt out and making slow progress; maybe we can be study buddies if you don't mind.
I'm stuck here, guys.
Windows Event Logs task 5.
I already answered all questions except the first 2.
This is what I put in the PowerShell VM to find the answer to the other questions,
and it's saying that it's wrong:
Get-WinEvent -LogName Application -FilterXPath "*/System/Provider[@Name='WLMS'] and */System/TimeCreated[@SystemTime='2020-12-15T01:09:08.940277500Z']"
Am I missing something or is there an error in that room?
And for question #2 I put this: Get-WinEvent -LogName Security -FilterXPath "*/EventData/Data[@Name='TargetUserName']='Sam' and */System/EventID=4720"
Has the SOC1 program just been changed/updated?
I was almost complete with the program yesterday at 72%. Now today I'm only at 31%.
Hey, sorry. There will be some disruption today; we are doing a MAJOR upgrade on the path. Don't worry, you'll have the choice to continue the original path or switch to the upgraded path. Some announcements are due to come out shortly.
Gave +1 Rep to @proper meteor (current: #324 - 26)
I woke up this morning and I was like, what is going on?
To be honest, the original was pretty good, but I think that one had some content for SOC Level 2,
like more advanced resources; just my opinion, maybe wrong, but I still think it was good content.
Yeah, literally me this morning too; it just changed completely. I was on the third section, it was network traffic.
Hey everyone!
To help you stay ahead in the fast-changing world of cybersecurity, we're thrilled to announce that the updated SOC Level 1 Analyst Path is now live!
The updated path includes:
- 9 new modules and 38 new rooms
- Lots of content improvements
- 9 new collectible badges
This major update fully modernizes the path to focus on the core skills required for today's SOC Level 1 analysts, explaining how a SOC is organized, how the analyst role aligns with emerging threats, and how to apply these skills across real-world scenarios. We have also adjusted overly complex forensic content and expanded coverage across all SOC domains, check out the blogpost for more details. We can't wait for you to explore everything we have built!
Migration notice:
You might have experienced some temporary issues when accessing or progressing through the SOC Level 1 path while we roll out the update. Please refer to the updated URLs below:
- New path: https://tryhackme.com/path/outline/soclevel1
- Legacy path: https://tryhackme.com/path/outline/soclevel1legacy
Both the current and new SOC Level 1 paths will have a certificate of completion and remain available in Paths until the end of the year, but if you've just started your journey, we recommend jumping straight into the new path for the best experience!
Thanks for being with us as we continue to grow and improve; we can't wait for you to dive in and see what's new!
Yeah, the original SOC Level 1 path was great, really taught some fantastic skills. The feedback from the rooms and the modules was great. However, when reviewing the path and talking with our business customers on the expectations they have for an L1 in their teams we saw the need to improve. Some topics did not get enough coverage and some topics were relevant more for a senior role than a level 1.
We talked to lots of our customers, got feedback from them in terms of what they expect someone coming into an L1 position to have, and really focused on that to perform this major rebuild of the path. Really think this is a huge upgrade to the path, and I hope when you look at it and even talk to people currently in SOC roles, you see how great an upgrade this is.
Even though I'm happy about the addition of new, relevant rooms, I still feel that this new path looks so brief, similar to intro rooms. The topics and their explanations in the new rooms look so short compared to the old ones; I feel it doesn't take much time to complete the rooms in the new path compared to the old ones. Does this new path carry the same depth as the old one?
I agree, looking at the new rooms, I don't feel that it goes in-depth on certain topics.
We're really focusing on skills required for the SOC L1 role. We think we've covered it at the level for this role, but if you think we missed the mark on some topics let me know and we can look at improving it. If anything, when I look at the old path, there are 8 modules, the upgraded path has 14 modules! We had worried we covered too much, but we really wanted to try and teach everything required. Also, in the old path, if you look at the Digital Forensics and Incident Response module for example, although I absolutely love that module, I think if you ask a SOC analyst if lots of that module was relevant they would say no (at least the ones we talked to agreed). We're now moving up and into the SOC L2 path, looking at that, and refreshing. There are some topics that got moved from the L1 into the L2.
What topics do you think should be added?
Idk, but it feels a bit off. I think this is just because it's new and I need more time exploring the new rooms a bit. At first I noticed the new module for Windows security monitoring; it tackled event logs, but they removed the Windows Event Logs room that was in the old DFIR module. So from a beginner's standpoint I would be a bit lost.
But hey, can't really say, not until I've completed all of them. Thanks to the team who worked hard to make this happen. Lowkey excited to learn this stuff.
I think the overall path makes more sense now with it being SOC Level 1, but I do agree it feels as though there isn't enough depth. The original path went into way more detail with a lot of DF tools, a lot of which aren't even covered at all now. Doesn't seem a bad change, just looks a bit too simple.
I'm very open to feedback, so if you think something should be covered just ping me. I can't remember the reasons we didn't include that specific room; I think it was that it was an older room with some outdated info, but I may be wrong.
Yeah, we did work hard, and we hope we hit the mark. The intention is that this path will give people a better chance of getting a job in a SOC or improving their skills for those currently in the role. We really tried hard to make it relevant to the role of working in a SOC.
Thanks for updating. The rooms actually look good, ngl. Looking past a few missing pieces, the new content is good, esp. that this is for the SOC 1 path. I also liked the added capstones, so personally I think you guys hit the mark.
Gave +1 Rep to @proper meteor (current: #317 - 27)
Yeah, there are definitely rooms in terms of forensics, e.g. Volatility, Autopsy, KAPE, that are fun (I love them) but are just not relevant for an L1 position.
There'll be one more module to come, and although we've not announced it, so a little confidential, ahem, we hope to build a SOC L1-focused CTF and then put that as a final module as somewhat of a test of your skills.
Can't wait!
Actually I have no complaints; this new path looks perfect and, more than anything else, the new rooms look very, very relevant to what a SOC1 does. But since you asked me what needs to be added, I would say threat intel & incident response basics.
Removing the whole DFIR is a sensible decision, but removing Sysinternals, Sysmon, Osquery, Wazuh and Zeek is a bit disappointing.
Did you yank a badge with this? I had 51 badges yesterday; today I only have 50... Trying to figure out what happened.
We only added new badges, we haven't removed anything unless someone pulled the wrong plug... Any idea or way you can see what might be missing?
That's what I'm trying to do; figured I'd ask because that would make it much easier to figure out if there was a retraction.
In case it's related, the only modification we made was one badge previously called "Phishing" is now "Phish Hunter", and the "Wireshark" badge was attached to an extra room.
That's it, I no longer have the Phishing badge.
Ah, I'll go talk with the devs.
Can you check now? They made a change.
Now I have Phish Hunter
You took my Checkmark (I understand why), but did not put the Progress % back? @proper meteor
So the view on that page, which is our roadmap page now shows the updated path. If you go into the paths view, you should be able to see the older path now called 'legacy', and your completions and check marks should be the same on that.
Yes, I'm referring to the updated path; there's no % listed.
I should obviously be seeing some progress.
Ah, now I understand. That's strange. You had previously completed the SOC L1 path. It did previously show a tick, but now on the updated path it's not showing anything even though you have lots of rooms complete. I'll go check; thanks for reporting it. I wonder if it's something where it doesn't see you registered on that path anymore, so it thinks you've never joined it?
Gave +1 Rep to @tropic flower (current: #2131 - 2)
I've never joined Web Fundamentals, Web Application Pentesting, Red Teaming, SOC Level 2, or Advanced Endpoint... yet they have %'s.
I imagine I don't have a % next to AWS because even the free courses are locked behind an additional paywall, so I've not completed any rooms that would count towards it.
Makes sense. It will probably be tomorrow before we get to look at what is happening.
Thank you, haven't noticed anything else wonky yet.
I was wondering what happened. 88% finished with the old path; I guess I'll finish it up and then finish the new one right after.
I might do that as well, re-earn my old certificate, then burn the new version. I noted a number of the newer courses reflect in both legacy and new, so you should be making progress in both doing either. It also looks like a number of legacy courses that are in the new path, had slight adjustments as I had completed all these rooms before but now show as 97% or 99% done. May not take long or much effort to re-knock it out anyway.
lol, in the image above one such lists as 78% done; that's almost a quarter....
Just hopped into this revamped path; you guys are doing a great job! Already 20% progress and I feel like this is more into the SOC Level 1 job. I like it! Will put more feedback after I finish this path.
I think I prefer the old one because I'm looking to get into DF & IR and the legacy path covered it to some extent. I believe this modification was done with our best interests in mind nevertheless
What are some of the rooms you would suggest from the legacy path which can be a valuable add-on after completing the new path as a jr analyst or SOC 1?
For me there's a disadvantage, because @proper meteor mentioned that it will be out next year, so you may not have access to those rooms anymore.
Actually you can; I just tried it out and we can access the old path and rooms.
I meant by next year. It's just about 2 months away.
I wouldn't expect rooms to disappear; in fact they appear to have added content to several of the older rooms, moved some content around, and even modified text in at least one older room where you could only provide the "No answer needed" click after turning on the VM, then reset said button. You just aren't going to have the legacy path to use as a guide to hunt those rooms down after then.
Looks to be working for me at the moment; not sure if it's because I toggled between it and the legacy version several times or not, but I can confirm that enrolling in the path the first three times did not make that pop up.
The dropped rooms and modules will still be accessible after the old path is retired, so you can still find them on the platform. Over time, we will keep the DFIR content while also creating new materials or reorganizing the existing rooms into more focused paths, similar to what was done for Advanced Endpoint Investigations.
Ah, good, let me let the dev team know. They might also have been making changes, but I didn't hear.
Hi, having an issue with SOC L1 Alert Reporting task 4.
THM{nice_attempt_faking_microsoft_support} should be the answer but in the box it looks like this: THM{nice_att_empt_fakin_g_mi_croso_ft_su}
Not sure if I'm stupid or the input box is set up wrong.
I am also having trouble in SOC L1 Reporting task 4. I tried escalating to L2 for the flag and it's not working.
I'm skipping this; I'll come back later.
I'm enjoying the updated learning path so far.
@floral current, when you escalate, the status should be "In Progress" and not "Closed".
Hi, I'm having an issue with one of the tasks from the new path. It never happened before and even the Echo AI agrees with my answer; idk where to escalate this issue. Also idk why I can't paste an image of it. So the room is "SOC Metrics and Objectives", task 3 "Triage Metrics", the second question: Imagine a scenario where an employee was lured into running data stealer malware.
- The SOC team received the "Connection to Redline Stealer C2" alert after 12 minutes.
- One of the L1 analysts on shift moved the alert to In Progress 10 minutes later.
- After 6 minutes, the alert was escalated to L2, who spent 35 minutes cleaning the malware.
Provide the MTTD, MTTA, and MTTR via comma as your answer (e.g. 10,20,30).
My answer was 12,22,63 and idk if I'm wrong or not, because even the Echo bot agrees with my answers. Hope someone can help with it.
@silver oxide, yes, your answer is wrong. What helped me get the right answer was looking at the picture that had the timelines for MTTD, MTTA and MTTR drawn out.
Me too! It goes deeper into the weeds of what I imagine is day-to-day work, which I love.
I'm stuck on this question as well. The authenticity score would not update (stayed at 0%) no matter how much I submitted to the ticket. Can't get the flag.
I'm stuck on this too. If "THM{nice_attempt_faking_microsoft_support}" is the answer for task 4, then I'm confused with task 3, which I completed with the last answer being "THM{nice_attempt_faking_microsoft_support}" too!
To paste an image, you need to verify your account.
Go to your profile -> Manage Account -> scroll down to see your Discord token.
Copy your token, then come back here and use the /verify command to authenticate.
Ty guys for the replies!
Change your region under Manage Account.
I think that was a platform issue and it's fixed now. Can you test?
Yep. Seems spot on so far for what I deal with.
Yay! Glad to hear that.
Fill out the verdict and status properly.
Not inputting the right wording. I discovered that when I wrote the names of the failed tests it jumped up the authenticity.
Do you think there is some tuning or changes needed to help future learners?
Guys, do you feel that some of the rooms in SOC 1 (old) have missing logs?
?
SOC Simulator Phishing Unfolding: worked fine, then I saved progress; the next day on resume all pages work but the alert page shows the above error.
Which one? Can you point to the rooms for us to check?
Am I allowed to post a screenshot of said SOC1 scenario and ask for an explanation of why the numbers are 12,10,51 and how you actually calculate the given time from the triage metrics in the example given?
Check the rooms "Windows Event Logs" and "Wazuh"; they have missing logs. I can't paste a screenshot of the page, but try Wazuh task 4 question 4; there are no logs for that.
FYI, I have changed the dates from 15 minutes (default) to the last 15 years.
Ohh, can't share the screenshot lol.
Okay, I'm feeling kinda dumb. I'm doing the Intro to Phishing SOC Simulator but the AI says my reports aren't detailed enough. Is there a list of everything we are supposed to include to make it more detailed? I don't know if I missed something or what.
In the Snapped Phishing Line room, I can't get the URL for Zoe Duncan correctly for some reason. I copy-paste the URL into CyberChef and it is not correct?
It needs to be in defanged format.
I found out that I need to open the HTML file and take that URL and defang it.
Turns out for some reason the link worked when I restarted the machine.
At first it was giving me an error and I took that initial link and defanged it,
but I restarted the machine and the link worked, and yeah.
I had that same issue; the AI kept saying incomplete. I think the AI looks for a full report including, for example, "credential theft or malware compromise". I am not sure from the logs we can have this info; we can check on the firewall if the user clicked the link or not (which needs to be included in the report).
I think if you verify your account in Discord you can share screenshots.
Which room is this?
I know this room; look at the graph again and you'll see there are 3 metrics: MTTD, MTTA, MTTR.
The MTTR is the sum of the time for the SOC team to clean everything up after the alert came. Look at the graph here: MTTR = MTTA (L1 works on the alert and escalates if needed) + time for L2 to clean up (internal processes).
It's verified.
@vague cave, I hope this makes sense.
I also struggled a bit, but I read it again and it makes sense.
And please, can someone check and let me know if you are facing the same issue?
Thank you
Gave +1 Rep to @rugged seal (current: #3252 - 1)
Hello everyone, let me ask you: are there many SOC jobs in your country currently recruiting, and which companies prioritize SOC? I am currently in Vietnam and SOC jobs in Vietnam are quite diverse, but they will not prioritize interns much.
Is it me or is the Splunk: Exploring SPL room a bit wonky atm? None of the searches for Task 4 are working.
I have been asking the same stuff for the past 1 week; it happened with me on 2 different rooms and now it's Splunk.
Sometimes they fix the bug without notifying us, so it's worth going back to those rooms that you have issues with to check if it's fixed. It happened to me in the MITRE and Phishing tool rooms. I still have the Windows Event Logs and Sysmon rooms to go back to. If they haven't fixed whatever is wrong with them, I'll just move to different rooms. I still have so many unfinished/not started rooms to go through.
I also want to know about this.
I agree, things have been a bit wonky recently.
Hey guys, I'm actually at 50% of the SOC L1 path; feel free to text me to study/train together or stay in touch for help, working sessions or whatever!
Hey there, so am I.
Let's go, I texted you.
@vale saffron, hey, I am new in this field and want to learn.
I want help with where to start.
Start from the Pre-Security path.
Not sure whether I'm being an idiot, but the firewall logs in Sentinel for the SOC Simulator don't seem to... contain any useful info? All I'm being provided is the time it was generated and the data source; there's no way to tell what the log is.
I had the same problem too. I just restarted it and tried again; it worked after that.
@rugged seal, the answer to the question in the SOC Triage Metrics room still doesn't make any sense to me. Why would it be 51 instead of 63?
Let's say the incident happened at 10 am but SOC received the alert 12 mins after the incident happened which will be 10.12 am.
Remember, SOC L1 received the alert at 10.12 am (and from here MTTR counting starts).
After 10 mins, i.e. at 10.22 am SOC L1 analyst moved the alert to 'In progress'.
After 6 mins, i.e. at 10.28 am alert is escalated to SOC L2 analyst.
After 35 mins, i.e. at 11.03 am, SOC L2 finished his work.
So, MTTR is from 10.12 am to 11.03 am, which is 51 mins.
Thank you so much for explaining
Gave +1 Rep to @latent nebula (current: #3252 - 1)
is this talking about mean time to repair?
Yeah sounds like it. but I have to argue that it is wrong because the MTTD, MTTA and MTTR is actually 63 minutes, not 51. I just spoke to an experienced SOC friend who has been in the field for 8 / 9 years now and he has explained to me it should be from the start to the end - fire started to fire extinguished as an example used by him.
Lol he just corrected himself and said if THM is going on the NIST scale, it's correct
so 51 is correct?
Yes
and what's the NIST scale?
let me find it for you
thx
You're welcome
@digital pier I love your bio, it's funny
Thanks inspired by my friend
That's my room - I will look into this and get back to you.
Noted - will look into this as well.
Thanks Dex!!!
Gave +1 Rep to @vagrant ledge (current: #101 - 88)
Anyone? Doing a take 10 of the table there are no columns with any information beyond when the log was generated and the source (i.e. firewall) for the firewall logs in sentinel
Seemingly everyone else is doing it in Splunk so maybe I'm better off just switching over
You're better off trying Splunk or Elastic. I also tried Sentinel; it did not work for me (logs, permissions, etc.). I gave up on it.
Yeah that figures, at least I know it's not just me being thick. Cheers!
should i post every room that i completed in thm on linkedin or would that be too much?
Hi. Quick question, I'm trying to complete the updated SOC Analyst L1 path. Done everything except the File and Hash Threat Intel room. Managed to do everything, but the only thing holding me back is the question "When was the first time the file was recorded in the wild? (Answer Format: YYYY-MM-DD HH:MM:SS UTC)". Whenever I input the right answer, it keeps saying "Uh-oh! The answer you provided may not be in English. Please review it and try again". Any ideas?
You do you, whatever you want; your situation may be different as well, as in if THM is your only IT experience at all, that would make sense to advertise your experience, whereas others have 10+ years experience, degrees, and certifications (not completion certificates), then they very likely won't because they don't need to.
Any suggestions?
I'd say you don't have the right answer and need to keep working it. I haven't done the "updated" path yet, I just refinished the "Legacy" version updates, gonna have to ask someone that's looked/done it. Not sure when I'm logging in to work on the path yet.
Thanks.
Gave +1 Rep to @tropic flower (current: #1607 - 3)
Has anyone done the updated SOC Analyst L1 path?
I did not have an issue with that one but the question for the threat label used to identify the malicious file seems to be outdated. Virus total gives a different answer than what it is actually looking for
So essentially the answer I thought was wrong.
Hi, I did test the room again; VirusTotal shows the correct answer > Details > First Seen In The Wild
Thanks. I'll give it a try. Also I've been watching your videos on some of the other tasks. They're really informative.
Gave +1 Rep to @fallow ferry (current: #113 - 83)
got it thanks
Gave +1 Rep to @tropic flower (current: #1289 - 4)
Hello blue team, starting my day with the Network Security Chapter ! Good luck to everyone
Has Yara been removed from the new updated soc level 1 pathway?
Yeah. I'm glad I did it in the old path though
is yara outdated then? as in not really in use much. I also completed it in the old path
Do you mean first submission?
you said you have issue with First seen in the wild?
Yes. Whenever I input the timestamp it comes up as an error. I thought you meant the First submission.
I've done everything else in that room barring that error.
What exactly is the question you are having an issue with? Can you copy and paste the question here?
When was the first time the file was recorded in the wild? (Answer Format: YYYY-MM-DD HH:MM:SS UTC).
Whenever I input the timestamp it keeps coming up as an error.
Error: Uh-oh! The answer you provided may not be in English. Please review it and try again.
which task number the question is?
Task 5, Q3
Which one of these are you using?
First Submission. There was no First Seen In the Wild when I went onto VirusTotal.
I'm on there, but I don't see "First Seen In The Wild". There's 4 instead of 5.
Found it now. I was using the wrong hash.
Done it.
I'm doing the Data Exfiltration Monitoring, such a great room
Happy to know you liked it. ❤️
Thank you for your work @vagrant ledge
Very hands-on and immersive, but I'll have to review it and take notes so I don't forget anything !
Gave +1 Rep to @vagrant ledge (current: #100 - 89)
2 little questions if you don't mind
In Task 6 (Data Exfil via HTTP), you mention the beaconing method, why "followed by large uploads"? If sending by small requests to be low and slow, why change and suddenly send large chunks?
And second question how can i see/export the data text ASCII out of that view ? hard to read + can't copy from here but i didn't find any other place where it's displayed
Wait, the legendary @fallow ferry is on here??? Your videos have gotten me unstuck from countless binds. Thank you for doing what you do!
Gave +1 Rep to @fallow ferry (current: #111 - 84)
Guys did anyone used sentinel in introduction to phishing ?
seems like it's completely useless
Is it not working?
Try the "...as C String" option in that right-click menu. I think that's what I did.
seems like u can only see the UI without any logs only after selecting one of the other two (splunk/ELK) u can view anything useful
Thank you i will try that
Gave +1 Rep to @swift bay (current: #622 - 11)
Somebody says "es-oh-see" instead of "sock", lol
is SOC simulator only for business?
I have a problem here that needs clarification. Will post screenshots with spoiler tag. Why does it ask for 2 IP's defanged but it's the same IP repeated and I found a 3rd, why was this not counted in the Phishing Analysis Tools room? Really gave me a hard time copying and pasting which meant that I needed to manually add everything instead.
Spoilered screenshots.
Which room / task ?
I wrote it in there
I don't understand your question tbh
You went on the text report right ?
In Network activities you see all the connections done by the malware, with a reputation tag for each
in the list there are 2 with "Malicious" tags (the second one appears two times because it's called by 2 different PIDs but the IP/domain is the same)
Use CyberChef to defang them and let's go? Or am I missing smthng
Hello everybody
It looks like the file names in the picture and the explanations about lines 2 and 3 are not matching, no? Room Living Off The Land Attack Task 4
Uh i took a break and now i am back i see soc level 1 legacy path i have done it 70% and new one 31% so should i complete the legacy or switch to new one?
Why the Skills Matrix is now empty? It does not show progress in any of the six areas of the Entry Foundational level.
Same, i get stopped at 98% ahah
Hey, the platform team is aware of the issue, should be addressed this or next week.
Thanks! Should be fixed now
Gave +1 Rep to @vale saffron (current: #3262 - 1)
nice thanks
File And Hash Threat Intel room, Task 4:
Which other process was spawned according to the process tree?
I found the answer on a walkthrough, I still don't get in on hybrid-analysis.com
Submit malware for free analysis with Falcon Sandbox and Hybrid Analysis technology. Hybrid Analysis develops and licenses analysis tools to fight malware.
Yeah, I noticed that the other day too. Answers that are from external resources like that or Virus Total tend to change.
after losing streaks multiple times I finally hit this milestone
Nice congrats !
Thx!
can anyone help me with this? i'm doing Elastic ELK room, it gives me 502 Bad gateway when i try to visit the ELK Instance...
ELK room after splunk room ?
Are you using the thm vpn?
yah
of course, im using it
and the configuration file is the newest
I suggest you terminate the machine, refresh the thm page, and restart the attached machine
this ELK room ?
it's not working after update
When I was trying to do it a few days ago it didn't have any logs
It does, i completed it yesterday
Hello,
IP And Domain Threat Intel (Task 4)
Using search.censys.io, identify the TLS certificate fingerprint for the IP address.
Need an update I guess, answer changed on censys.
gj I am going for that one myself, only 6 days off and I have 5 streak freezes so I will get it for sure
Curious to know what you guys ended up doing. The new version seems to focus a lot more on methodology instead of specific tooling like the legacy one. Debating on just finishing the legacy one since I was at 78% and shot down to 40% on the new one.
I'm in the snort room and I made rule in the local.config files
why did this happen?
Can you show the rule you added to the local.conf file?
Im looking at my notes from that room, on my end I have a semi colon at the end of the sid, as well as a "rev:1;" that follows the SID. That seemed to have got me by
It also looks like I was running Snort with sudo privileges which might help
If I had to pick anything I listed above, it would be that you are missing the ";" that is supposed to follow the SID. I dont think the rev or sudo privs are a necessity.
Same error?
Oh you are also missing a ":" in front of the first SID
You have sid100001; it should be sid:1000001
Niceeeee
I have been struggling with this for so long
Yeah I remember I kept forgetting colons and semicolons during the Snort rooms. It can be a pain but it's pretty rewarding once you get through all of the tasks.
75% through this learning path. And on day 73 on THM! It's exciting to see these concepts becoming clearer and sharper in my mind.
What's snort room??? 🤧
Hello Brozer, I figured out that the legacy path was still available so I finished it and now I'm finishing the new one. I love the actual one, seems more accurate with actual job needs instead of the old ones with precise tools like you said
Does anybody know the answer to this and how to find out spl query for this question. How many log events are captured by the user Maleena? @lost kernel
The one in the SOC L1 path
Ahhh okay makes sense, I'll probably end up doing the same
can I see a screenshot?
does anyone struggle to run splunk in the attack box?
The task has been updated. hopefully it will allow you to complete the room
You can verify with the current report in the task
can u give link to the room
THM{nice_attempt_faking_microsoft_support}
are u in good task for sure ?
this one
np
Do you guys do practice labs outside of the learning tracks? If so, how do you guys know which practice labs you would be able to do and what not?
Hello!
I am scoping out courses to obtain my CYSA+ certification. I've seen SOC Level1 path is useful for hands-on training. How much material does this path contain to be ready for the CYSA+ exam?
I recently took and passed the CYSA exam. This path is kinda overkill for that certification, for my exam i was mainly just choosing best case scenarios, looking at SIEM logs, and evaluating CVSS reports.
can someone help me?
i am doing https://tryhackme.com/room/summit
can't connect to the server
i am using vpn and doing exactly what the challenge guides me
server not found is the response I got
have you tried different vpn servers?
how can i try different, i only have 1 config file for premium account
Hello TryHackMe team / moderators,
I am having an issue with the "IP and Domain Threat Intel" room, Task 4.
The SHA256 TLS certificate fingerprint for the IP 85.188.1.133, taken from Censys, is:
5ea8e6046bdabaa8e23a1a012c01d1be5ccd42c66ef2577a59f3b3f0f056d12e
However, TryHackMe keeps rejecting it with the message:
"The answer you provided may not be in English."
I tried typing it manually, ensuring no spaces or extra characters, but it still fails.
Could you please check and fix this task?
Thank you very much!
i am having same issue
Windows Threat Detection 1 and 3 target machines are not usable...they're on a constant loop of logging in and out - gets you in for a few seconds, then reverts to the "applying settings" blue screen and so on...that's from the browser; through VPN and RDP it just kicks you out, and same thing, you can connect back where you were at, only to get kicked out again...anybody else came across something like this and figured out what the issue is? Tried them from 2 separate machines, 1 Linux and 1 Windows, with the same result...
i encountered the same issue. i thought it might be some sort of issue on my end.
Must be something on their end then...especially since I had no issues with the 2nd challenge...connected just fine through both methods.
Mondaymonitor room: the given VM doesn't work with the given rev proxy URL. It works if I use http://<ip>.. room suggests https:// and rev proxy URL.. The other issue is the room suggests I run a saved query in Wazuh but that saved query doesn't return a result even after I change the time frames
I'm in windows threat detection 2 and experience the same issue
I think they are having issues with their servers again
it works if u put the handshake from previous exercise IP: 69.197.185.26
Thanks, you're right
Hi everyone. Is anyone else having trouble with the ItsyBitsy room? I can't access Kibana, and I've been trying for a while now.
hi everyone, IP and Domain Threat Intel room has a problem in task 4, third question: the fingerprint is outdated. Needs to be updated
I'm in the Malware Introductory room and having the same issue. It seems that all the Windows instances are acting up.
Splunk101 room has outdated VPN_Logs file (also named differently + file on attackbox and direct download are different), can't complete the lesson. Introduction to EDR earlier in the path also is having issues where the "open site" is missing information needed to give an answer.
Anyone else experiencing this?
Hey folks! If anyone can tell me why I cant get the right answer in Alert Triage With Splunk > Task 2 > Question 2 that would be great! It is a single digit number and I have legitimately tried every number. Anyone else dealing with this too?
Hello TryHackMe team / moderators,
I am having an issue with the "IP and Domain Threat Intel" room, Task 4.
The SHA256 TLS certificate fingerprint for the IP 85.188.1.133, taken from Censys, is:
5ea8e6046bdabaa8e23a1a012c01d1be5ccd42c66ef2577a59f3b3f0f056d12e
However, TryHackMe keeps rejecting it with the message:
"The answer you provided may not be in English."
I tried typing it manually, ensuring no spaces or extra characters, but it still fails.
Could you please check and fix this task?
Thank you very much!
Hi @chilly bolt Thank you for relaying this info. We appreciate the feedback and are sorry for the inconvenience. We will look into this issue right away.
Gave +1 Rep to @chilly bolt (current: #3292 - 1)
Thank you. I already took the Black Friday annual membership today.
Gave +1 Rep to @toxic dove (current: #453 - 16)
We have fixed the issue with the question in Task 4. Thank you again for sharing the feedback. Only this way we can keep on improving
Gave +1 Rep to @chilly bolt (current: #2158 - 2)
Now it's working. Thanks a lot.
Gave +1 Rep to @toxic dove (current: #435 - 17)
Detecting Web DDoS room: for some reason, on the attached VM the Splunk instance is not working, and it's necessary to answer the question on task 5.....
Hey, thanks for your report! Couldn't reproduce it, but does sudo /opt/splunk/bin/splunk restart from the VM terminal fix the issue for you?
Gave +1 Rep to @raven pawn (current: #3294 - 1)
i will try it thanks
Gave +1 Rep to @fast prairie (current: #501 - 14)
Having a look at this for what the issue could be.
Please, my VMware isn't connecting and this is delaying me; very frustrating. Splunk ain't opening, Elastic same
Hi everyone, I finished some rooms in the SOC Level 1 path and I want to add those to my GitHub portfolio. Am I allowed to create writeups of the rooms, giving information about the questions, answers and some content in the room?
Yes of course
Yes of course = Dunno but a lot of people do it so I guess it's ok
Why is the answer wrong?
It's a recurrent issue, but you found the correct answer.
Now find a walkthrough to get the answer wanted by THM (old one)
Hello, for "Data Exfiltration Detection" room, specifically Task 4, the answer of "Which local IP sent the maximum number of suspicious requests?" is not 192.168.1.104 but ||192.168.1.103|| somehow, even though .104 sends more requests. Is there something I have missed perhaps?
Hello - Consider narrowing down on the suspicious domain first and then look at the source IPs initiating those suspicious DNS requests. Let me know if it's still not clear
Omg I'm stupid. Yeah, "where len(query) > 30" worked a lot better. Thanks for the help!!
Gave +1 Rep to @vagrant ledge (current: #99 - 90)
Finally got to Windows Threat Detection 1 room. Btw there's a typo in the question, it asks to run www.zoom.com file. However there's www.skype.com file which may be confusing to users
Room link
Also, thank you for the incredible remake!
if someone morrocan here
Hey, glad you enjoyed the remake! Nice catch, fixed, thanks
Gave +1 Rep to @hasty quest (current: #586 - 12)
I'd recommend contacting THM directly and confirming with them.
Hello, how is it possible to complete the SOC path if some of the modules require B2B? I have a premium though. Thank you!
Hello,
In the SOAR room in Task 4, shouldn't be "Contains URLs or attachments" instead of "Contains URLs of attachments" inside the playbook image example?
It's cuz it's asking for the other IP; TLS had the same issue
Guys, do y'all think learning programming/coding is important for cybersecurity?
How long did it take you?
Basics
Do basics and have an idea what's going on in the program
Anybody in here from the Pittsburgh area?
Is there anyone from Bulgaria ?
Good evening! I'm working on tasks in a Windows security monitoring room, and the Windows virtual machine in each room is very unstable. It freezes for 10 minutes, directories won't open, and neither restarting the virtual machine nor restarting the room helps. Has anyone else encountered this, or is it just me?
Hey, trying to check it from my end, which exact room is it? Windows Threat Detection 1?
Now it's Windows Threat Detection 2, but the first one had similar problems too.
There is also constant reconnection
The internet is definitely stable and no such issues were encountered on machines running Linux VMs
I don't know if this is your issue but I saw similar things when I was playing around with my VM region. If I move the region to a location far from where I'm located, things got quite sluggish.
Need someone to tutor me 🥹
Just finished the SOC 1!
I'm having a problem with the Splunk: The Basics room. I can't access Splunk because Firefox requires SSL/TLS after entering the machine's address. Is this Splunk instance running over HTTP? How am I supposed to open it?
Windows Threat Detection 2 task 5,,,, the question "Which domain does the malware exfiltrate the data to?": the script is not generating the DNS query alert (event ID 22) and it's needed for answering the question...........
ye I had this problem just a moment ago
I just looked for the answer on YouTube, and other guys had Sysmon 22 in their events
I think something is wrong with it
yea I had to do the same and that was how I realized that it wasn't working
guys please who has issues with his/her VM because for a while now can't access any VM
Hi I am currently doing SOC Level 1 :Core SOC Solutions : Splunk: The Basics , I am stuck , I cannot seem to open splunk in the attack box , I started attackbox and opened firefox and entered :http://10.49.178.149:8000: but it just says unable to connect, can anyone help how to start splunk
what is the http error code?
im not sure it just says , "Firefox can't establish a connection to the server at 10.49.178.149:8000." , i am just trying to open splunk and the chatbot told me to open firefox in attackbox and type in ":http://10.49.178.149:8000/" and it should open splunk
okay. give the target machine time to load up
splunk instances usually take 5-7mins to load up
yeah i've been trying for past 2 hours , is there no icon in attack box to access splunk or thats right way via the firefox browser and typing in ":http://10.49.178.149:8000/"
what is the ip of your attack box instance?
also there is some issue with instances today, where multiple people aren't able to access them properly. might be worth taking a break
I took some time off and went back to the instances after issues with my rooms
this is my attack box ip 10.49.105.89
it just says unable to connect, alright i will give it a try after some hours, thanks
ok sorry, where do i look for the target machine IP? the chatbot says its on top of the attackbox screen but that only shows the attackbox ip and not the target box ip
Yeah... It took my dumb ass 10+ hours to complete
Really mate, I'm doing like 2 or 3 exercises by hour. I don't know if I'm stupid or the questions are difficult to find the answer.
Do you reset SOC 1? I have practicing 100% path but now see 50% path.
💯
It was refreshed and rereleased about a month ago, #announcements message
My Analyst VM is lagging, it flickers black then wallpaper then black
Thank you so much! I missed information!
Gave +1 Rep to @astral cedar (current: #143 - 67)
How to fix
changed my browsers, it works now.
Are all SOC simulation behind the thm business service or subscription?
i think its just for business bcs i have the premium sub and i don't have access to most of the simulation on the soc level 1 path
I also have premium subscription. Too bad tho.
Guys I hit a snag here, I'm trying to answer this question but it seems I'm missing something
I used the wireshark filter: tls.handshake.extensions_server_name == "accounts.google.com"
I only got one result. but it seems the answer is meant to be a 2 digit number
Oh I got it, they are asking for the frame number not the number of the packet hehe
Hello - I'm doing the SOC L1 Path - just saying.
If someone feels a need to voice-chat, I am open to talk.
catch me then
Hello, this exercise from SOC1, Boogeyman 3, is not working
Hey, what is happening in the exercise?
Hello, i got a little problem
The second question in task 6 of the unified kill chain room, i answered it correctly but it's still having a space remaining and I'm pretty sure i typed the correct the answer
This is the question about Mimikatz, so worth checking how MITRE talks about the objective of this tool - https://attack.mitre.org/software/S0002/
The answer is actually CREDENTIAL ACCESS, but it's giving another space again (ACCESS_)
That's not the answer I got. Credential Access is the MITRE Tactic name but the question asked is
"Considering the usual capabilities and purpose of Mimikatz, what is the primary objective of this tool in such an attack scenario?"
You might even get this right without thinking of MITRE but the answer is also found on https://attack.mitre.org/software/S0002/
I was talking with one of the teams on this and we think the question could be worded better. As you have found the question, wording, and actual answer, it's open to an element of interpretation. We'll review the question and may reword it.
sorry, i didnt see the attack box, sorry guys
HELP
What is the netstat parameter in MS Windows that displays the executable associated with each active connection and listening port?
In the room File and Hash Threat Intel, task 3 question number 2 needs to be updated; VirusTotal is already showing a different threat label to whatever the question is ....
I googled and the answer used to be this: trojan.graftor/flystudio
Thanks for highlighting. Will ask the team to fix it.
Gave +1 Rep to @raven pawn (current: #2230 - 2)
In room ip and domain threat intel question 4 part 3 , its asking for the tls fingerprint from censys.io , I have answered every other question but its not accepting the one I have found is there something I am missing.
Anyone ?
If you check the question it points you to use the hint. The question itself says the information has changed. There's one or two things in this room where at the time we created it, they were accurate but they've changed since. We need to go back and probably do an update on it but for now if you check out the hint.
I have checked the hint and it gives an answer but that doesn't work either
Okay just gonna test now
Thanks
Gave +1 Rep to @proper meteor (current: #314 - 29)
Just tested there and it accepted the answer in the hint(ending in d12e). Could be something to do with the quotes? The accepted answer doesn't need them?
Ok will try it again thanks
Gave +1 Rep to @proper meteor (current: #309 - 30)
Hello, I have a question about SOC Level 1. I was taking the path until I came across SOC Simulator: Upload and Conquer, which is a B2B SOC simulator. To obtain the path certificate, do I also need to complete this activity?
is there a way that we can have access to the simulator without having a business plan?
room IP and Domain Threat Intel on SOC Level 1 path,,,, task #3 question 1 needs to be updated or corrected; the correct answer doesn't match with what you find on the website .......
There are a few simulations available to premium users like Phishing Unfolding
yea I know that , i mean having access to the rest
I was in the SOC Level 1 Learning path and working on the Phishing Prevention room in the Phishing Analysis module and saw that something is not quite right. It's in Task 5 about S/MIME, and it describes public key cryptography in an opposite way.
Hello, I finished my SOC 1 path, and when I click View Certificate nothing happens.
it goes to this page https://tryhackme.com/not-found
Unfortunately, other scenarios are available only for business users at the moment
Hey, I just checked the IP on client.rdap.org now and it seems to be still correct?
Is this still happening, if so could you log a ticket with our support team and they can look at it? Just use the bot on our site in the bottom right corner to log it.
I think the core issue is the use of the word "decrypt!", "verify" is the correct word in that context. Although looking again I think there's a need to maybe reword more of this for clarity as that paragraph talks both about signatures and encryption. I'll bring it to the team. Apologies.
@surreal osprey The team has done an update on the text and added more clarity.
Does anyone know which ".json" file is correct for the PS ECLIPSE room? This room is for using Splunk to investigate ransomware activity.
anyone need help?
is SOC level 1 free throughout or do i need premium for some modules ?
It's not entirely free
should spam emails in SIEM simulators be classed as true positive or false positive?
@spare chasm Define your "positive" clearly: What counts as a security incident in your SIEM simulation?
Hi all, in SOC Metrics and Objectives > Triage Metrics > second question is telling me 12, 22, 41 is wrong. How?
Review the graphic from the previous task on how to calculate the MTTR. Or I should say what other metric is included in the MTTR calculation
I can't remember the exact question but I remember there's a formula for calculating the metrics. At some point you'll be asked to provide an answer in %..
So just look at it carefully again and you'll figure it out
Got it, thanks for the advice.
Gave +1 Rep to @full berry (current: #3486 - 1)
Hi,
I'm a SOC Level 1 trainee focusing on Blue Team skills (log analysis, SIEM, incident response).
I'm looking for a beginner-friendly team to learn together and participate in CTFs (Blue/Forensics).
Goal is learning + consistency, not just winning
thank you
Gave +1 Rep to @native viper (current: #1168 - 5)
Hello everyone! I have almost completed the SOC Level 1 path, I wanted to ask what is the best way to added what you have done in your resume. Has there been a wording that has brought more success and how do you add the quantitative aspect?
has anyone been able to successfully do the Log Analysis with Siem room successfully? The splunk link never seems to come up. I've tried 3 times over the last few hours (while doing other things)
Error is where I've seen it on other rooms prior to fully spinning up: 502 Bad Gateway
It just never seems to come up
Have you tried refreshing your browser after terminating the machine ?
this has continued after I rebooted the machine, but yeah its not the same browser window between machines
Suppose in 1 - 2 weeks I can begin with the SOC 1 course
Are there a lot of walkthroughs and/or challenges I can do to get better on the THM platform?
you are working through cybersecurity 101 and have done pre-security?
yep
that will be enough for the SOC Level 1 path
am now at the offensive security tooling and have to do some metasploit challenges
Hey Zojja, that's a rare Splunk bug without a reliable fix yet. I've tuned the VM to reboot Splunk if the issue occurs, but in general, terminating and relaunching the VM should have been enough. Please let us know if the issue remains after 5-7 minutes of Splunk boot. Thanks
Gave +1 Rep to @void rain (current: #17 - 589)
it took me about 6 tries, then it finally popped up
Hi everybody! Happy New Year! I just saw that this link is not working in the 'SOC Level 1' path, specifically at the 'IDS Fundamentals' room. The link that is not working is the one redirecting us to the 'Network Concepts' which is a prerequisite. Here are two snapshots. I hope we all have an excellent and super-productive year, completing an enormous number of rooms in this brand-new 2026.
Hello everyone. Happy new year.
this might be something you post to #1333993673381253162 but it looks like there is an error in the link, this is the room
https://tryhackme.com/room/networkingconcepts
anyone needs help?
Hey, Happy New Year! Thanks, fixed
Gave +1 Rep to @hasty gazelle (current: #3504 - 1)
Edit: never mind, finally managed to get it to run and not crash. Thank you
Thanks. It is working properly now.
Gave +1 Rep to @fast prairie (current: #496 - 15)
Just a small remark about Living Off the Land Attacks room, there's a typo on deployable machine. Room link - https://tryhackme.com/room/livingoffthelandattacks
With the phishing SoC challenge
Is there a good way I can see the data of the report after I decide that it is false or positive
?
hey guys, in the Web Security Monitoring room under Detecting DDos, we're supposed to do this simulation but it's only available for thm business. Does this mean I won't get the SOC L1 cert even after finishing it? (due to not completing this challenge?
Hey, don't worry, the simulations are optional and you don't need to complete them to get your SOC Level 1 path cert.
Can you explain this a bit more? By the data do you mean immediately knowing if you were correct or not?
Hello guys, I am new in SOC. I have basic knowledge of networking, SIEM and other things like IDS, IPS and Firewall.
Does anyone have a road map, and is there any QRadar version with low storage requirements?
Hi! The SOC Level 1 path is a solid starting point, we updated the content a few months back. Also, I wouldn't recommend starting with QRadar as your first SIEM, as it's very admin-heavy. The course uses Splunk and Elastic, which are much easier to experiment with.
Okay thank you
Gave +1 Rep to @fast prairie (current: #474 - 16)
How can I make it so that the table uses the filtered data:
Hi. For info. This link is not working. https://tryhackme.com/room/owasptop102021
It is part of the prerequisites for the room 'Detecting Web Attacks' (https://tryhackme.com/room/detectingwebattacks) in the 'SOC Level 1' path.
Hi. The question is about the exact month of 'January', it is not about Simon. That is the reason that the answer is not 277. Focus on the time range from 1st January up to 31 January.
Thanks
I made a visual on the date range and then I can filter it on action and got the right answer
Now SOAR on the menu
Hey, thanks a lot! We recently updated the OWASP rooms to the 2025 version and didn't update the link. Fixed now.
Gave +1 Rep to @hasty gazelle (current: #2276 - 2)
How's it going everyone. I'm relatively new (been in school for a cybersec ops bachelor's for 2 years now though). Just started the SOC Level 1 section. It's been really good. Wish I had tried out the site sooner, really great experience.
Anywho. Yeah I joined the discord because it has been really fun and I just wanted to see the kind of stuff other people have been doing in it lol
@low niche have fun
Why is this answer wrong
no - one ???
yep, tried that several times
Did you check writeup?
yep, there is the same answer everywhere
getting crazy, tried yet again and now the answer is right
THM platform is weird
@wanton vector thanks for the effort to help me
Gave +1 Rep to @wanton vector (current: #1184 - 5)
Hey everyone. Fellow SAL-1 learner here. I'm attempting to see who won the prizes from the AOC2025...more specifically, those SAL1 free certs. Where can I find that info???
@lyric trout welcome
Hey, you should be able to see it here: https://tryhackme.com/adventofcyber25/winners
For those on the SOC L1 path and working towards SAL1 there are some fun things coming this month
I'm stuck at the phishing-line room, question 6,
where I have to find the SHA256 sum of the rootkit,
and as a hint I get "use enumeration".
But how can I use, for example, gobuster when there are no wordlists installed on the AttackBox?
Hi, has anyone done the SOC Metrics and Objectives module?
I'm stuck at Core Metrics task 2: FPR rate if only 10 out of 50 alerts appear to be real threats.
According to theory FPR = false positive / total alerts
I entered the answer and it's wrong
@vocal mesa sorry forgot to edit the message. Initially my logic was flawed, I skipped a step
NP
happy that you solved it
@vocal mesa Thanks :)
Can someone help me figure out how to solve this question
What is the total number of the "TCP Connect" scans?
WireShark : traffic analysis room
I'm pausing the SOC path because there's an event that starts on the 12th and we get tickets on this path. I didn't get that far, hope you figured it out.
What have you tried so far?
They say use:
tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size > 1024
I don't quite understand why "tcp.window_size > 1024" is important; it could be to set the limit greater than to every 1024 viewed packet.
I have a problem when working on the course in part 4: Practical: Defend FakeBank. When I click "view site" I can't find the answer, can you help me with the answer?
Hello guys,
I am stuck in SOC L1 Alert Reporting.
The question is
What flag did you receive after correctly escalating the alert from the previous task to L2?
Note: If you correctly escalated the alert earlier, just edit the alert and click "save" again.
MY ANSWER IS
THM{nice_attempt_faking_microsoft_support}
But it says incorrect answer. I searched on the internet, and a medium.com blog also shows this answer.
CAN ANYONE PLEASE HELP ME IN THIS QUESTION
That is also a part I do not understand.
Why is that number 1024 ?
If you get the chance, ask Echo; Echo seems to provide theoretical answers behind some reasoning questions.
I did, but this does not give a lot more info:
The filter 'tcp.window_size <= 1024' is used to capture TCP SYN packets with a window size of 1024 bytes or less. This may help identify connections that are potentially limited in bandwidth or resources, which can be indicative of specific network conditions or configurations. It's useful in distinguishing between high-capacity and low-capacity connections during analysis. Make sure to review the task details for more insights.
I'll try to find out and give you an explanation. I just finished the other Wireshark rooms recently.
no hurry
Pff, the Wireshark advanced filtering is hard.
may I have a hint on the question in red
Hey, I've seen the mail about SOC L1 getting an upgrade. I'm about to start the path. Should I start now, or will there be updates that I should wait for?
The update has been done; you can start it now.