Regularly over the years I’ve had opportunities to give advice and direction to new or growing cybersecurity folks. I like to point out books, certifications, courses, resources, and most importantly other practical activities to grow knowledge and confidence as we all forge career paths. I’ve recently discovered and been playing on the Blue Team Labs Online (BTLO) platform which has, as the name suggests, blue team-themed exercises, challenges, and labs. There are nearly 200 labs and standalone challenges on the site, some of which are very difficult while others are relatively simple to solve.
Rather than discuss the platform itself at length, I’ll point to Dimitry Bennett’s article about his experience on the BTLO platform, which basically says all that needs to be said on the topic.
But, there is still one thing I thought was daunting about the platform: Where to start when one is pretty new to cybersecurity? And this is the challenge any time I talk to someone else about where they’ve come from and where they want to go. All of us bring to the table different levels of experience, knowledge, and comfort with various technical and even non-technical topics. Some of us are very inexperienced with Linux, or have never written a program or script before, or maybe have done very little Windows system administration, but know Linux like no one’s business. What I wanted was a quick cheat sheet on what to suggest to students who wanted to quickly get their hands into the BTLO labs without immediately hitting walls.
This page is meant to help me prescribe labs and challenges to security analysts I encounter who are looking to build particular skills or to get a feel for what is commonly expected at each SOC tier.
I do want to make clear that the SOC tier expectations and levels of knowledge are just my take on the subject. I’m not going to be correct on all of these, nor will I be correct for how every organization/environment defines the job duties and expectations of each tier. I’ve just given this a best effort based on the whole of the labs, since I’ve gone through every single one, and on my own experience over years in the IT and security industry.
I also want to make clear that BTLO does give students a chance to see what they’re getting into. Every lab has a difficulty level set on it, the date it was released, the general tools expected to be needed, and even the number of solves that have been recorded since the lab was released. All of these can also help students avoid things they may find frustrating.
Here is a quick key to some of the columns in my table.
- Diff(iculty): Difficulty 1-10, 10 being hardest. My personal subjective value of how difficult this exercise is. Usually this is influenced by how much effort and knowledge may be needed to complete it.
- SOC: My gut feel on what SOC analyst tier level I would expect to complete these exercises. Some tasks are pretty normal for tier 1 SOC analysts, whereas some of the more involved analysis may be reserved for higher tiers. I add a “+” if this task kinda overlaps into a higher tier. As an example, analyzing an image of live system memory or a PE executable file is typically reserved for more experienced analysts.
- Skills: My summary of the tools needed. If you don’t know Wireshark and want to learn more, then look at the easier Wireshark exercises. Of particular note, I make sure to list an OS if knowledge of or comfort using that OS is a huge help in solving the exercise. Adding “administration” to the OS is my way of saying that experience being an administrator of this server would be very helpful.
- Notes: My very quick reminder about what the main point of this is.
INVESTIGATIONS (by difficulty & SOC level)
NAME | DIFF | SOC | SKILLS | NOTES |
--- | --- | --- | --- | --- |
Deep Blue | 1 | 1 | Windows, Event Logs, PowerShell | Focused, easy, good lesson (use the tool provided!) |
Indicators | 2 | 1 | Windows, OSINT, PowerShell, exiftool, notepad | Basic analysis of a strange file that is likely malicious |
PhishyV1 | 2 | 1 | Linux, web, email | Mostly entry level, and good foundational skills |
Bits | 2 | 1 | Windows, Bits, Event Logs | Good lesson, specific Windows tool (bits) |
Exposed | 2 | 1+ | Git | Focused on git, a bit offense-like |
SOC Alpha 1 | 2 | 1+ | ELK, Windows administration/attack | ELK, logs of common attacker actions on Windows |
Miner | 2 | 1+ | Wireshark, Network Miner, networking, pcaps | Some not-beginner concepts using pcaps |
Replaced | 2 | 1+ | Text editor, OSINT, Visual Basic, code | Very straight-forward Visual Basic code analysis |
Fingerprint | 2 | 1 | Wireshark, ja3, Linux (to use ja3) | Pcap that requires filter use, external ja3 tool |
Eradication | 2 | 1+ | Yara, Linux, joesandbox | Running yara rules on linux |
Mon | 2 | 1 | Windows, sysmon, IR | Sysmon and malware IR on Windows |
 | 2 | 1+ | Wireshark, Windows, sysmon, printers | Focus on Windows and printer tricks |
RDP | 2 | 1 | Windows RDP | Focus on RDP tricks |
Defaced | 3 | 1+ | ELK, web logs, web attacks | ELK, but another way to look at web attack |
Doctor | 3 | 1+ | Linux, web logs, web attacks | Web compromise on Linux system |
SOC Alpha 2 | 3 | 1+ | ELK, Windows administration/attack | ELK, Windows logs of a network attack/malware actions |
Exxtensity | 3 | 1+ | Windows, browser extensions/settings | Good focus on browser extensions |
Joppers | 3 | 1+ | Javascript, Windows | No frills Javascript parsing |
Browser Bruises | 3 | 1+ | Linux, dumpzilla (python), browser history | Using dumpzilla to analyze local firefox artifacts |
Defender | 3 | 1 | Windows Defender | All about Windows defender logs |
Awwdit | 3 | 1+ | Windows Admin, Audit Policies, Basic PE | Focused on audit policies in Windows, basic PE dynamic analysis |
Lintro | 3 | 1+ | Linux compromise | Basic Linux compromise and PE analysis |
Xhell | 3 | 1+ | Maldoc, olevba, Linux | Old Excel maldoc analysis on Linux, oddball |
Venom | 3 | 1+ | Linux logs | Analyzing linux logs for intrusion |
Heaven | 3 | 2 | Windows, PE static/dynamic analysis | Good intro to basic static and dynamic PE analysis |
Stealer | 3 | 2 | DnSpy, basic dynamic analysis | Pretty much all dnSpy and basic dynamic analysis |
Trash | 3 | 1+ | Windows terminal | Windows and recycle bin tricks |
Shortcut | 3 | 1+ | Windows shortcuts | Windows and shortcut tricks |
Link | 3 | 1+ | Windows admin | Fun with Windows and lnk files |
Maldroid | 3 | 1+ | APK, Java, Linux | Introductory analysis of an Android APK on Linux |
Ducker | 3 | 1+ | Linux, Docker | Introduction to Docker on Linux |
Pie | 3 | 1+ | Linux, web attacks | Analyzing Linux logs in Linux for web compromise |
Backstage | 4 | 1+ | Linux, Linux logs, wireshark | Linux IR looking at logs and pcap |
Crypto | 4 | 1+ | Linux, Windows admin, wireshark, volatility | Good intro to volatility and IR with various artifacts |
SharpAttack | 4 | 2 | Pdf maldoc, javascript, Linux | Purely a pdf maldoc analysis |
Kill | 4 | 2 | Volatility, Sysinternals, PE basic dynamic | Good intro to memory analysis and exe dynamic analysis |
First Day | 4 | 2 | IDA, OSINT, Procmon, pestudio | Starting point for PE-based static analysis, no debugging, OSINT |
Logger | 4 | 2 | Windows, basic dynamic analysis, Sysinternals | A few more steps into dynamic analysis |
Honey | 4 | 1+ | Windows admin, Redline | A good first romp into Redline, gotta know Windows, though |
Total Recall (R) | 4 | 1+ | Windows admin, Redline | Using Redline to investigate a Windows compromise |
Ben | 4 | 2 | Windows admin, filesys image, dynamic analysis | Some Windows dynamic analysis tricks for malware |
Sam | 4 | 2 | Linux, Windows memory w/ volatility, wireshark | Good romp into volatility and a Windows compromise |
Obfuscated | 5 | 2 | Linux, Python | Requires some Python work, Lite Linux IR |
Peak 2 | 5 | 2 | Linux, wireshark, sysmon (linux) | Analyze logs in Linux of a Linux compromise |
Bot | 5 | 2 | Linux, OSINT, CTF-like | Linux and some CTF-like challenges |
Pandemic | 5 | 2 | Windows admin, PE dynamic analysis | Straight-forward Windows PE dynamic analysis |
Dot | 5 | 2 | Windows admin, wireshark, ProcDOT | Tricky ProcDOT tool to track an advanced process compromise |
anDRE | 5 | 1+ | APK, Java, Linux | Deeper analysis into an Android APK (static still) |
PE | 5 | 1+ | Linux, ELK, Windows admin | More ELK, a bit tricky with osquery logs |
Pretium | 5 | 1+ | Wireshark | Tricky wireshark tricks |
Invoice (R) | 5 | 1+ | Linux, ELK, Wireshark, Windows admin | Kinda easy Windows IR investigation with plenty of artifacts |
Sticky Situation | 5 | 2 | Windows admin, Autopsy | Analyzing artifacts to answer questions about USB usage |
Countdown (R) | 5 | 2 | Windows, Autopsy, IR | Windows IR investigation with some tricks |
SOC Alpha 3 | 5 | 1+ | ELK, Windows administration/attack | ELK, Windows logs of malware activities, just deeper |
Hashish | 5 | 2 | Windows IR, Offense | IR on a local Windows compromise, requires some red knowledge |
Too Late | 5 | 2 | Windows admin/attack, Wireshark | Tricky look at Windows malware compromise and artifacts |
Test | 5 | 2 | Linux, Linux filesys image | Intermediate Linux IR and filesystem image handling |
Rigged | 5 | 2 | Windows admin, Wireshark, IR | Intermediate IR into a Windows compromise |
Peak (R) | 6 | 2 | Linux, ELK, Linux compromise, linux logs | Linux knowledge and using ELK, Linux logs |
The Last Jedi | 6 | 2+ | Wireshark, CFF (PE basic static), Redline | Windows malware infection, lite PE analysis, Redline heavy |
Baby | 6 | 2 | Linux, Linux filesys image | Little harder than Test, but Linux IR and image handling |
Exceltium | 6 | 2+ | Linux, pdf maldoc, shellcode analysis | More advanced pdf maldoc analysis on Linux, involves shellcode |
Gotham | 6 | 2 | Windows basic PE static analysis, IDA, OSINT | Basic static analysis of a malicious executable |
LOL (R) | 6 | 2 | Windows, IDA, Python uncompyle, OSINT | More RE static analysis |
Recovery | 6 | 2 | Linux | Linux IR investigation with linux logs and knowledge |
Rekcod | 6 | 2 | Linux, Docker | Tricky investigation into Docker again |
PhishyV2 | 6 | 2+ | Linux, HTML, Phishing, PHP, tiny bit CTF | Phish kit analysis, web site analysis, coding |
Multi Stages | 6 | 3 | Linux, wireshark, Windows admin, grepping memory | Using Linux to investigate Windows pcap, memory of attack |
Poor Joe | 6 | 2 | Windows admin, Volatility, logs | Windows compromise investigation, kinda tricky, logs and live memory |
Triage | 6 | 2 | Windows admin, Volatility, logs | Windows compromise investigation, kinda tricky, logs and live memory |
Hooked | 6 | 2 | Linux logs | Analyzing Linux logs/host that has been compromised |
Eric | 6 | 2+ | Linux, volatility on Linux memory | A twist on memory analysis with a Linux image |
Signal | 6 | 2 | Windows admin, redline timeline, pcap, basic PE | A mix of involved pcap and file timeline analysis, basic PE |
Irritate | 7 | 2+ | Windows admin, dynamic analysis | Logs of fighting with dynamic analysis and CTF-like hunt |
Pretium v2 | 7 | 2 | Wireshark, Packet Whisper, lite CTF | Answering questions based on a pcap |
Covert | 7 | 2+ | Wireshark, PowerShell coding | Dive into a C2 pcap, powershell coding required |
Wargames | 7 | 2+ | Linux, volatility | Memory analysis of a Windows compromise |
Ghosted | 7 | 2+ | Linux, Wireshark (pcap), suricata | Investigating a web recon and attack mostly with suricata |
Evil Maid | 8 | 2+ | Linux, filesys image, SIFT, Windows attack | Windows file system investigation on Linux (SIFT) |
The Key | 8 | 2+ | Windows, file system image | Windows file system forensics (and some offense) |
Bad Logic (R) | 8 | 2+ | Linux, Windows admin, wireshark | Large artifacts in a Windows attack investigation |
Stuck | 8 | 3 | Windows attack, memory analysis | Windows compromise with lots of tricky pieces |
Divorce Court | 9 | 3 | Windows attack, filesys image, IDA | Analyzing Windows compromise, light debugging |
Supreme Court | 9 | 3 | Windows attack, filesys image, IDA, C#/PoSH | Analyzing Windows compromise, debugging |
Counter | 9 | 3 | IDA, debugging/reversing | Pure debugging/reversing, intermediate dynamic analysis |
Multi Stages 2 | 10 | 3 | Linux, volatility, Windows admin, MFT/Timeline | Heavy memory analysis and file timelines; very difficult questions |
CHALLENGES (by difficulty & SOC level)
NAME | DIFF | SOC | SKILLS | NOTES |
--- | --- | --- | --- | --- |
D3FEND | 1 | 1 | Google (D3FEND Framework) | Looking up things in the D3FEND material online |
ATT&CK | 1 | 1 | Google (MITRE ATT&CK Framework) | Looking up things in the ATT&CK material online |
The Report | 1 | 1 | PDF reader | Looking up things in MITRE report (pdf) |
Phishing Analysis 2 | 2 | 1 | Text editor, Thunderbird | Analyzing a phishing email |
Phishing Analysis | 2 | 1 | Text editor, Thunderbird | Basic phishing email analysis |
Meta | 2 | 1 | Exiftool, OSINT | Analyzing some basic info from image files |
Brute Force | 3 | 1 | Linux, text editor, grep | Analyzing logs of an RDP brute force attack |
The Planet’s Prestige | 3 | 1+ | Email client, text editor | Analyzing malicious email plus office type attachments |
Suspicious USB Stick | 3 | 1+ | Linux, peepdf, strings, VirusTotal, hex editor | Basic analysis of a malicious PDF |
Powershell Analysis – Keylogger | 3 | 2 | Powershell, Text editor | Analysis of a malicious PowerShell script |
Log Analysis – Privilege Escalation | 3 | 2 | Linux, bash | Identifying malicious commands in a bash log |
Network Analysis – Malware Compromise | 4 | 2 | Wireshark | Answering some basic questions based on a pcap |
Log Analysis – Sysmon | 4 | 1+ | Sysmon, Windows, Powershell | Using sysmon logs to answer incident questions |
Malware Analysis – Ransomware Script | 4 | 2 | Text editor, Linux | Analyzing bash script for ransomware |
Log Analysis – compromised WordPress | 4 | 2 | Linux, Apache logs | Analyzing a web attack from Apache logs on Linux |
ILOVEYOU | 4 | 2+ | Windows, text editor, Sysinternals, Regshot | Dynamic non-PE malware analysis |
Follina | 4 | 2 | Windows, OSINT, text editor | Analysis of multi-stage maldoc 0-day |
Melissa | 5 | 2+ | Oledump, text editor | Non-PE malware analysis |
Shiba Insider | 5 | 2 | Wireshark, Steghide, Exiftool, Linux | Unwrapping layers of hidden data and common artifacts |
Network Analysis – Web Shell | 5 | 2 | Wireshark, Linux and attacker knowledge | Analyzing a Linux attack using a pcap |
Malicious Powershell Analysis | 5 | 2 | Powershell | Parsing a Powershell script and basic obfuscation |
Spectrum | 6 | 2 | Fcrackzip, Photorec, Audacity, exiftool, steghide | Unwrapping layers of hidden data in less common artifacts |
Employee of the Year | 6 | 2 | Photorec, scalpel, CyberChef, Linux, strings | Recovering and unwrapping various file types |
Network Analysis – Ransomware | 6 | 2 | Wireshark, OSINT | Analyzing and even recovering files using a pcap artifact |
Memory Analysis – Ransomware | 7 | 2+ | Volatility, Windows, OSINT | Mostly entry level volatility analysis of memory image |
Paranoid | 7 | 2 | Linux | Analysis of linux logs to answer incident questions |
Secure Shell | 7 | 2 | Linux, text editor, OSINT | Analysis of an SSH log |
The Package | 7 | CTF | OSINT, CTF, Math/Python | Don’t recommend. Clever CTF-Like math riddle. |
Reverse Engineering – Another Injection | 7 | 3 | IDA (Disassembler), Sysinternals, API Monitor | PE analysis and debugging, not entry level, but close to it for malware analysis anyway |
Barcode World | 8 | CTF | Linux, Python | Decode flag from 9000+ image files; don’t recommend |
Browser Forensics – Cryptominer | 8 | 2+ | Linux, FTK Imager, Javascript, Windows | Analyzing image file for browser artifacts |
Reverse Engineering – A Classic Injection | 8 | 3 | IDA, Sysinternals, Windows | Static and dynamic analysis of a PE file |
Injection Series – Part 3 | 8 | 3 | IDA, Sysinternals, Windows | Static and dynamic analysis of a PE file |
Squid Game | 8 | CTF | Steghide, image editor | CTF-like image stego; don’t recommend |
Injection Series Part 4 | 8 | 3 | IDA, Ghidra | PE analysis using debugger |
Secrets | 8 | Red | Python, JWT, Linux probably | Red team web app attack against weak jwt |
Veriarty | 8 | CTF | Hashcat, Veracrypt, Linux, Thunderbird, gpg | Recovery and decoding of files; don’t recommend |
D-Crypt | 9 | CTF | Browserlings | Decoding a string several times with minimal guidance |
P2SEC – Minigame | 9 | Red | Web App attacking, OSINT, exiftool, PE analysis | Unguided multi-stage mostly red team basics; long |
Classical City | 10 | CTF | Sanity | Decoding ciphers – don’t recommend |