Search
My eCTHPv2 Experiences
8 min read

My eCTHPv2 Experiences

Malware Guy's Picture
Malware Guy in eCTHPv2 Threat Hunting Course Reviews

I taken eCTHPv2 back in April, and eventually decided I wanted to write my personal thoughts and overall experience around the course!

https://elearnsecurity.com/product/ecthpv2-certification/

Background & Endeavours

I initially started brushing through eCTHPv2 out of pure curiosity while I was nearing the end of my level 4 apprenticeship, then fully committed to it after I passed eCPPTv2. Around that time, I already had two years of SOC experience. I knew how to use a SIEM and had a strong idea what stood out as a swollen thumb.

This course places you in the shoes of a threat hunter, setting out with or without data and the assumption (and near paranoia) that you had already been breached. While that could sound a little dramatic, all you had to do is then gain the evidence to support the theory that the organisation you’re ferociously hunting through has a very stealthy threat actor on the loose!

I decided to take the course for this exact reason - to build my hunting capabilities, and be able to act at a time an embedded or sophisticated cyber attack was missed by the SOC and existing security infrastructure. Not all attacks involved deploying malware or running exploits as threat actors and red teamers tended to mimic legitimate admin activity inside an environment to evade detection, so gaining the knowledge and skills from eCTHPv2 was crucial to my growth.

In my case, it was my first exposure to the Windows API, featuring code injection techniques (which helped me to identify process hollowing, see my hunt on Redline Stealer!) and other evasion methods used by threat actors. The course presented tools such as Captain, Sysmon and SilkETW which were supposed to nearly emulate the functionality of simplified EDRs and other detection tools and grant an understanding of what to search for when triaging a suspicious endpoint. What I also learned from this section was, the same defensive tools use code injections and hooking techniques themselves.

It also allowed me to work more intimately with the MITRE ATT&CK framework. ELK Stack and Splunk were both core topics within eCTHPv2, and I remembered doing at least 15 labs based on them. Because I already understood how to use a SIEM (particularly Splunk), they were able to easily fit on my hand like a glove, and it was only a matter of understanding TTPs then using the MITRE ATT&CK framework as a guidance and adapt whenever I ran into trouble. Because of this, it also made it much easier to understand red teams a lot better especially in adversary simulation scenarios where both sides needed to speak a global language.

Some of the modules additionally expected you to perform network traffic analysis on PCAPs using Wireshark and Network Miner. WIthin corporate environments, every device within the network generates a high amount of traffic, so security teams generally preferred using NetFlows or logs from IDS and AVs/EDRs to investigate suspicious network activity as they lacked a budget for storing any long-term PCAP data. After gaining exposure through investigating PCAPs in the exercises, it bridged the gap in my knowledge and I had a better idea of how to carve out forensic data from network captures, which can be super helpful for real-life hunting or incident response engagements where an endpoint or several of them exhibit anomalous activity.

One of the other key highlights was learning memory forensics with Volatility and Mandiant Redline. Around the time I was taking the course, I found memory forensics with Volatility to be slightly challenging in some of the labs as I did not know how to read Assembly language. However, with some labs from TryHackMe and MemLabs and the Assembly Crash Course from the Practical Malware Analysis book, I was able to build a methodology for times I needed to hunt for malware and misused legitimate Windows processes inside memory captures.

My first interactions with assembly and debuggers (especially WinDBG) was pretty much summed up:

Featuring Dante from the Devil May Cry series™

Last but not least, the course taught the fundamentals of YARA rule writing and using tools such as Loki which I found interesting. While I would find that the usage of YARA for threat hunters may not be as common as in security research and malware analysis (and real threat hunters are free to tell me I’m wrong about this), detection engineering does rely on writing and tuning effective rules to eliminate false positives, so this was a great exercise. Just like the law, YARA rules (and any other for that matter) can only be good as the people that written them.

The learning experience helped a lot with nailing down the core concepts of hunting and several areas of blue team operations. It exaggerated several common attacks by threat actors to spot, and provided fundamental knowledge on research tools. In the next section, I will talk about my approach to the exam.

Exam

The exam lasted 48 hours - during that time, I was expected to hunt through multiple scenarios, with and without TTPs and IOCs from threat intelligence, to gather every evidence possible and meet the objectives. For each threat that was discovered, you gained points whenever they were documented with provided steps to reproduce them.

To make effective use of my time, I used the pomodoro technique (50 minutes of work and a 10 minute break) and took extra care to stay hydrated and eat meals. Every time I gotten stuck, I took a 5-10 minute break away from the screen, which resulted in several eureka moments and running back to the keyboard to test out the ideas! Having a normal sleep schedule was also paramount to keeping my mind in order and staying focused. While 48 hours may have seemed short to me on my first impression, I was able to complete it with time to spare and double-check all my findings were correct.

Follow what the frog says!

I would recommend this approach to anyone else taking the exam. As long as you’ve completed most of the course modules and had some time to practise alone, you would be more than ready to ace it and know what to do when situations do not go according to plan. Despite the challenges, 2 days is more than enough to defeat the challenges brought by the eCTHPv2 exam.

Possible Improvements

My overall experience from the delivery of eCTHPv2 was satisfying. If there were any improvements I would’ve suggested to make the lives of learners easier during their experience within the course though, it would be based on the following issues I faced:

  • Some of the labs did not work due to a bug - in this case, some labs needed VNC credentials to open a remote desktop session, and for some reason they did not work. This partially slowed down my studies and increased my preparation time for the exam.
  • There was also a catastrophic outage at some point which massively delayed my ability to take the exam. From what I can understand, INE (who had acquired eLearnSecurity back in 2020) was moving across their infrastructure to provide browser-based labs and retire VPNs. Their plans may have changed by now, as many people who used their platform heavily disapproved of their decision!
  • Long results wait times - I waited 35 days (24 business days) - while I understand that the reports were manually marked, waiting that long for my results somewhat dampened my hype! I heard people receiving results within hours after submitting their reports for other exams, so it wasn’t great at all feeling my efforts were not rewarded the same way!

Despite those mildly frustrating experiences, I look back now and remember how helpful the support team was (as usual), and the original course instructor was very friendly too! eCTHPv2 truly complemented other courses and interests I had, such as malware analysis, and ZeroPoint and Sektor7’s red team operations suites. The course may or may not have potential updates during the future depending on INE, but for someone taking it in the future I would recommend it. I would like to thank Slavi Parpulev for providing this awesome course!

Thank you for reading my post, and I hope it was helpful for anyone who is taking is soon. If you have any questions about the course, feel free to reach out to me on any of my handles. During November I will be attempting the eCMAP exam as well, so keep an eye out for any study streams or new posts!

You may also like

Latest Posts

Zero2Automated - January 2023 Challenge
8 min read

Zero2Automated - January 2023 Challenge

Malware Guy's Picture
Malware Guy
Pointers (&memes explained)
7 min read

Pointers (&memes explained)

Malware Guy's Picture
Malware Guy

Explore Tags

Jekyll::Drops::SiteDrop