eLearnSecurity Certified Threat Hunting Professional (eCTHPv2) review

Context

Since I took the eLearnSecurity Certified Incident Responder (eCIR) a good while ago and, according to eLearn, the Certified Threat Hunting Professional (eCTHPv2) is the next stepping stone, I decided to give it a go. The course material was written by one of my former colleagues, Slavi Parpulev, and the fact that we joked internally about me getting certified by him gave me one more good reason to study for it.

Keep that in mind, as you may find my opinion in this article biased, even though I am trying to keep an objective mind.

As for all eLearnSecurity content, the certification itself costs $400. On top of that you need an INE subscription, which gives unlimited yearly access to all eLearnSecurity courses for $749 a year. There is also a more expensive $899 plan that adds access to Pentester Academy content (INE acquired that company), but it is not needed for this course. As I said in previous articles, the more certifications you take with them, the better you amortize that cost.

Course

First things first, I do not think this course is the next level after eCIR, nor that it is easier: there is overlap between the two, but they do not teach the same skills. For instance, both cover reading data from SIEMs such as ELK or Splunk, Microsoft Windows event IDs, etc.

The course is a mix of slides, videos and practical labs, the classic INE scheme. Practical labs are accessed over a VPN connection, and some of them can even be done completely offline since they do not require an active connection, e.g. memory dump analysis.

It is divided into three parts:

  • Introduction to Threat Hunting
  • Threat Hunting: Hunting the Network & Network Analysis
  • Threat Hunting: Hunting the Endpoint & Endpoint Analysis

Introduction to Threat Hunting

The first part gives a general presentation of the threat hunting activity, defines notions such as Indicator of Compromise (IOC) and gets you familiar with tools such as Yara and Redline. I found that part quite interesting: it gives a good overview of how and why to perform the activity and presents two relevant tools to help you organize your hunts. I had a few issues with the first Redline lab, mostly because of long response times on the RDP connection.

I used the following template for my Yara rules. Note that the Block, Log and Quarantine entries are plain meta fields: Yara itself never blocks, logs or quarantines anything, they only document what the tooling consuming the rule is expected to do.

rule signature_name {
    meta:
        description = ""
        md5 = ""
        sha1 = ""
        filename = ""
        author = ""
        // informational only, not evaluated by yara
        Block = true
        Log = true
        Quarantine = false

    strings:
        $x1 = ""    // replace with the indicator (text, hex or regex); yara rejects an empty string

    condition:
        1 of ($x*)
}

I replace the $x* strings with the indicators I want to match, adding $x2, $x3, etc. as needed; the condition then fires as soon as one of them is found.

Hunting the Network & Network Analysis

The second part talks about subjects such as:

  • network capture (tcpdump)
  • network capture analysis (Wireshark, Tshark, Netminer)
  • Zeek (formerly Bro) and RITA
  • hunting webshells

I found it good but too short; the third and last part about endpoints is much more developed, and that imbalance is a downside to me. The network capture analysis section covers several protocols such as ARP, DHCP, DNS, HTTP, etc., with good examples of how attackers use these protocols to evade detection or exfiltrate data. I feel a lot is missing on hunting custom protocols and detecting anomalies on the network, but this is not a reverse-engineering course either. I did not know the Netminer tool before and found it handy, as it presents information in a more synthetic view than Wireshark. RITA is also a very good tool for analyzing Zeek's output and was a good surprise in that part of the course.
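
As an added illustration of the kind of network hunt this part of the course is about, here is a small Python script (my own example, not course material) that reads Zeek's dns.log and flags hosts querying many distinct, high-entropy subdomains of a single domain, the classic shape of DNS tunnelling or exfiltration. The log lines are constructed for the example, the thresholds are assumptions to tune per environment, and the "registered domain" is approximated by the last two labels, so plug in a public suffix list before trusting it on real traffic:

```python
"""Flag possible DNS tunnelling/exfiltration in Zeek dns.log output."""
import math
from collections import defaultdict
from typing import Dict, List

# Constructed sample, not real traffic: a subset of Zeek's dns.log columns in Zeek's TSV format.
# Column names come from the #fields header, so the same parser reads a full dns.log unchanged.
SAMPLE_DNS_LOG = """#separator \\x09
#set_separator\t,
#path\tdns
#fields\tts\tid.orig_h\tid.resp_h\tquery\tqtype_name\trcode_name
#types\ttime\taddr\taddr\tstring\tstring\tstring
1617000000.10\t10.0.0.5\t10.0.0.2\twww.example.com\tA\tNOERROR
1617000001.20\t10.0.0.5\t10.0.0.2\tcdn.example.com\tA\tNOERROR
1617000002.30\t10.0.0.5\t10.0.0.2\tmail.example.com\tA\tNOERROR
1617000003.40\t10.0.0.5\t10.0.0.2\tapi.example.com\tA\tNOERROR
1617000004.50\t10.0.0.5\t10.0.0.2\tlogin.microsoftonline.com\tA\tNOERROR
1617000005.60\t10.0.0.9\t10.0.0.2\t4f9a2c7e1b3d8a6e5c0f2b7d9e1a3c5b.upd-cdn.net\tTXT\tNOERROR
1617000006.70\t10.0.0.9\t10.0.0.2\t9c1e7b3a5d2f8e4c6a0b1d3f5e7a9c2b.upd-cdn.net\tTXT\tNOERROR
1617000007.80\t10.0.0.9\t10.0.0.2\t2b8d4f6a0c1e3a5c7e9b1d3f5a7c9e0b.upd-cdn.net\tTXT\tNOERROR
1617000008.90\t10.0.0.9\t10.0.0.2\t7e3a9c5b1d0f2e4a6c8b0d2f4a6c8e1d.upd-cdn.net\tTXT\tNOERROR
1617000009.95\t10.0.0.9\t10.0.0.2\t0d6f2b8a4c1e3a5c7e9b1d3f5a7c9e2f.upd-cdn.net\tTXT\tNOERROR
#close\t2021-03-29-08-00-10
"""


def parse_zeek_log(text: str) -> List[Dict[str, str]]:
    """Parse Zeek TSV output into dicts keyed by the names in the #fields header."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):  # other header/footer lines (#separator, #types, #close, ...)
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def shannon_entropy(s: str) -> float:
    """Bits per character; random hex labels sit near 4.0, words and hostnames far lower."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def hunt_dns_exfil(rows: List[Dict[str, str]], min_subdomains: int = 4,
                   entropy_threshold: float = 3.0, long_label: int = 40) -> List[Dict]:
    """Group queries per (source host, registered domain) and score the leftmost labels.

    Thresholds are assumptions for the example, not course values. The registered domain is
    approximated by the last two labels; use a public suffix list for co.uk-style domains.
    """
    groups = defaultdict(list)
    for r in rows:
        labels = r["query"].rstrip(".").split(".")
        if len(labels) < 3:  # nothing in front of the registered domain, nothing to encode in
            continue
        groups[(r["id.orig_h"], ".".join(labels[-2:]))].append((labels[0], r.get("qtype_name", "")))

    findings = []
    for (src, domain), items in groups.items():
        subs = {label for label, _ in items}
        if len(subs) < min_subdomains:
            continue
        mean_entropy = sum(shannon_entropy(s) for s in subs) / len(subs)
        max_len = max(len(s) for s in subs)
        txt_ratio = sum(1 for _, qt in items if qt in ("TXT", "NULL")) / len(items)
        if mean_entropy >= entropy_threshold or max_len >= long_label:
            findings.append({"source": src, "domain": domain, "unique_subdomains": len(subs),
                             "mean_label_entropy": round(mean_entropy, 2),
                             "max_label_length": max_len, "txt_ratio": round(txt_ratio, 2)})
    return findings


if __name__ == "__main__":
    for f in hunt_dns_exfil(parse_zeek_log(SAMPLE_DNS_LOG)):
        print(f)
```

RITA does this kind of DNS and beaconing analysis at scale over Zeek output; a script like this is mostly useful to understand what the tool is looking at, or when you only have a handful of logs and no RITA install at hand.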

Here are some cheatsheets I found for this part:

The last section, about hunting webshells, is a bit of an odd one out, as it focuses on a single type of attack within hunting the network. I feel it could have been replaced with more in-depth network subjects.

Hunting the Endpoint & Endpoint Analysis

This is the biggest and best part of the course. There are something like twenty practical labs, all relevant. It covers notions such as:

  • Memory analysis with Redline and Volatility
  • Microsoft logs analysis (event viewer etc.)
  • Log analysis in a SIEM with both ELK and Splunk (I count at least ten practice labs with these in the course)
  • AD threat hunting
  • Detection of specific tools such as PsExec, Empire, etc.

It is organized so that you learn to hunt for the different steps of an attack: initial compromise, post-exploitation, lateral movement, etc.
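
To make concrete what hunting for one of the lateral movement tools listed above looks like, here is an added Python example (mine, not from the course) that works on Windows event records flattened the way ELK or Splunk index them. It catches stock PsExec through the PSEXESVC service name, and renamed PsExec (the -r option) by correlating a service install (System 7045) with an executable written to ADMIN$ shortly before (Security 5145) and launched by services.exe shortly after (Security 4688). The events are constructed, the field names follow the Windows Security and System log schema, and the correlation window is an assumption:

```python
"""Hunt PsExec-style lateral movement in Windows event records, as a SIEM would present them."""
from collections import defaultdict
from typing import Dict, List

# Constructed events, not from a real incident, flattened the way ELK/Splunk expose them:
# Security 5145 (network share object accessed), System 7045 (service installed),
# Security 4688 (process creation). ts is epoch seconds.
SAMPLE_EVENTS: List[Dict] = [
    # ws01: stock PsExec run from 10.0.0.50
    {"ts": 1617000100.0, "host": "ws01", "event_id": 5145, "ShareName": r"\\*\ADMIN$",
     "RelativeTargetName": "PSEXESVC.exe", "IpAddress": "10.0.0.50", "SubjectUserName": "jdoe"},
    {"ts": 1617000101.0, "host": "ws01", "event_id": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe", "StartType": "demand start"},
    {"ts": 1617000102.0, "host": "ws01", "event_id": 4688, "NewProcessName": r"C:\Windows\PSEXESVC.exe",
     "ParentProcessName": r"C:\Windows\System32\services.exe"},
    # srv02: PsExec -r svcupd, service name and binary renamed, same operator
    {"ts": 1617000200.0, "host": "srv02", "event_id": 5145, "ShareName": r"\\*\ADMIN$",
     "RelativeTargetName": "svcupd.exe", "IpAddress": "10.0.0.50", "SubjectUserName": "jdoe"},
    {"ts": 1617000203.0, "host": "srv02", "event_id": 7045, "ServiceName": "svcupd",
     "ImagePath": r"%SystemRoot%\svcupd.exe", "StartType": "demand start"},
    # srv03: Sysmon installed interactively, no preceding ADMIN$ drop -> must not fire
    {"ts": 1617000300.0, "host": "srv03", "event_id": 7045, "ServiceName": "Sysmon64",
     "ImagePath": r"C:\Windows\Sysmon64.exe", "StartType": "auto start"},
]


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows path, tolerating quotes and %SystemRoot% prefixes."""
    return path.strip().strip('"').replace("/", "\\").split("\\")[-1].lower()


def hunt_psexec(events: List[Dict], window_seconds: float = 120.0) -> List[Dict]:
    """Return one finding per suspicious 7045 service install, with the reasons it was flagged."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    findings = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        # executables written to the admin share (how PsExec stages its service binary)
        drops = [e for e in evs if e["event_id"] == 5145
                 and e.get("ShareName", "").upper().endswith("ADMIN$")
                 and e.get("RelativeTargetName", "").lower().endswith(".exe")]
        # processes spawned by the service control manager
        launches = [e for e in evs if e["event_id"] == 4688
                    and _basename(e.get("ParentProcessName", "")) == "services.exe"]

        for svc in (e for e in evs if e["event_id"] == 7045):
            name, image = svc.get("ServiceName", ""), svc.get("ImagePath", "")
            binary = _basename(image)
            reasons = []
            if "psexesvc" in (name + image).lower():
                reasons.append("default PsExec service name or image path")
            for d in drops:  # renamed PsExec: dropped file name == installed service binary
                age = svc["ts"] - d["ts"]
                if 0 <= age <= window_seconds and _basename(d["RelativeTargetName"]) == binary:
                    reasons.append(f"{d['RelativeTargetName']} written to ADMIN$ from "
                                   f"{d.get('IpAddress', '?')} {age:.0f}s before the install")
            for p in launches:
                age = p["ts"] - svc["ts"]
                if 0 <= age <= window_seconds and _basename(p.get("NewProcessName", "")) == binary:
                    reasons.append(f"{binary} started by services.exe {age:.0f}s after the install")
            if reasons:
                findings.append({"host": host, "service": name, "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt_psexec(SAMPLE_EVENTS):
        print(f["host"], f["service"], *f["reasons"], sep="\n  ")
```

Event 5145 is only recorded when Detailed File Share auditing is enabled, and 4688 carries the parent process name only on Windows 8.1/Server 2012 R2 and later, so check what your estate actually logs before relying on either correlation; the 7045 service install alone is the one signal you will almost always have.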

That part has definitely been updated recently, as it features malware techniques I have seen on real incidents:

  • AMSI bypass
  • Cobalt Strike .NET loads via execute-assembly
  • Reflective DLL loading

It also features a hunting with PowerShell section, useful when you cannot install specific hunting tools on the host.

This is definitely the part of the course I liked the most; you can feel the author has deep knowledge of endpoints, especially Microsoft Windows ones.

Here are some cheatsheets and resources I found for this part:

Now some cons I found while going through the course:

  • RDP was lagging on some labs
  • Splunk labs were awfully slow
  • Some labs were simply unavailable (maintenance), which is a recurring thing with eLearnSecurity these days

Exam

The exam consists of several hunts testing multiple skills from the course. Each hunt is worth a number of points and you need 75/100 to pass.

Access to the exam lab lasts 48 hours; once that time has elapsed, you have 48 more hours to write and hand in a report of your findings.

I think the exam time is reasonable, but you must not wander too much: 48 hours sometimes feels like ten minutes. I definitely recommend switching tasks if you are stuck and coming back later to the one you were blocked on.

I also recommend reporting as you go, that is, writing down every finding with a timestamp next to it while hunting; it will ease the report writing process.

The course covers almost everything needed to pass the exam; I recommend going through all the links in the course references to be well prepared.

It is a very realistic exam and, in my opinion, prepares you for threat hunting or incident response much better than theory-based multiple-choice exams.

Conclusion

I think this course is great if you are new to threat hunting, and I would recommend it. It features quality content, but some sections (e.g. the network one) should be deepened in my opinion. There are not many courses on this particular subject on the market, which makes this one quite interesting to learn from and to put on your CV. There is overlap between this course and eCIR, so be warned.

Overall, a good learning experience.

Kudos to Slavi Parpulev!
