
ECIR

eCIR - Certified Incident Responder

Overview

This repository contains our complete walkthrough and solutions for the eCIR (Certified Incident Responder) certification exam. We recently achieved this certification and are sharing our methodology, analysis techniques, and investigation approaches used to successfully complete the incident response scenario.

The eCIR certification validates advanced skills in enterprise incident response, including:

  • SIEM-based threat detection and log analysis (Wazuh)
  • Windows digital forensics and artifact analysis
  • Network forensics and PCAP analysis
  • Endpoint telemetry investigation
  • Threat intelligence and MITRE ATT&CK mapping
  • Incident timeline reconstruction
  • IOC extraction and documentation

Authors

Official Documentation

Exam Structure

The eCIR certification is a question-based practical exam investigating a targeted intrusion at AetherGen Biotech. The incident spans a 7-hour window from July 13, 2025 20:00 UTC to July 14, 2025 03:00 UTC.

Investigation Areas

Initial Access

  • Brute force analysis
  • Web exploitation
  • Phishing compromise

Execution

  • PowerShell analysis
  • Malicious document investigation
  • Process creation tracking

Persistence

  • Registry artifact analysis
  • Scheduled task examination
  • Service creation detection

Privilege Escalation

  • Credential dumping
  • Token manipulation
  • UAC bypass techniques

Credential Access

  • LSASS memory access
  • SAM database extraction
  • Credential theft tools

Lateral Movement

  • Network authentication analysis
  • Remote execution tracking
  • Pass-the-Hash detection

Exfiltration

  • Data collection evidence
  • Network transfer analysis
  • C2 communications

Systems in Scope

AetherGen Biotech Environment:
├── WEB-APP01 - Public web server (Initial Access)
├── WKS-RSCH01 - Research workstation (Phishing)
├── FILE-SRV01 - Internal file server (Lateral Movement)
└── DC01 - Domain controller (Privilege Escalation)

Repository Structure

eCIR-Writeup/
│
├── 01_Initial_Access/
│   └── README.md
│
├── 02_Execution/
│   └── README.md
│
├── 03_Persistence/
│   └── README.md
│
├── 04_Privilege_Escalation/
│   └── README.md
│
├── 05_Credential_Access/
│   └── README.md
│
├── 06_Lateral_Movement/
│   └── README.md
│
├── 07_Exfiltration/
│   └── README.md
│
├── 08_Network_Analysis/
│   └── README.md
│
├── 09_IOCs/
│   └── README.md
│
├── 10_Timeline/
│   └── README.md
│
└── README.md

What You'll Find

Each investigation area contains a detailed walkthrough with step-by-step methodology, Wazuh SIEM queries with explanations, forensic artifact analysis techniques, PCAP investigation findings, answers to exam questions with supporting evidence, and timeline reconstruction with timestamps.

Tools and Technologies

  • Wazuh SIEM for centralized log analysis and correlation
  • Wireshark for network protocol and PCAP analysis
  • Registry Explorer for Windows registry artifact examination
  • Timeline Explorer for forensic timeline analysis
  • Event Viewer for Windows event log investigation
  • OLEVBA for malicious macro analysis
  • CyberChef for data encoding/decoding
  • PEStudio for portable executable analysis
  • KAPE for forensic artifact collection
  • MITRE ATT&CK for threat modeling and TTP mapping

Key Learnings

Throughout this certification, we gained deep expertise in Wazuh SIEM operations for enterprise-scale log correlation, Windows forensic artifact analysis including registry, prefetch, and scheduled tasks, PCAP analysis for detecting lateral movement and C2 communications, phishing investigation and malicious document analysis, credential dumping detection through LSASS and SAM access patterns, MITRE ATT&CK mapping for standardizing observed adversary behaviors, and incident timeline reconstruction across multiple data sources.

Attack Chain Identified

During the exam, we successfully identified and documented a complete attack chain including initial access through web brute force and phishing compromise, execution via PowerShell and malicious documents, persistence using registry modifications and scheduled tasks, privilege escalation through credential dumping and token manipulation, credential access using LSASS memory scraping, lateral movement via SMB and authentication abuse, collection of sensitive research data, command and control using custom C2 infrastructure, and exfiltration of intellectual property.

How to Use This Repository

Study the methodology by reviewing each phase's README for investigative approaches. Practice queries by adapting Wazuh and forensic searches to your lab. Understand the logic behind artifact analysis and evidence correlation. Adapt these techniques in your incident response activities.

This is a learning resource based on our exam experience. Actual exam scenarios may vary.

Disclaimer

This repository is created for educational purposes only. The techniques and tools described should only be used in authorized environments. We are not responsible for any misuse of this information.

Contributing

Found an error or have a suggestion? Feel free to:

  • Open an issue
  • Submit a pull request
  • Reach out to us directly

Additional Resources

Contact

Qays Sarayra Website
Osama Ismailll LinkedIn

Acknowledgments

Special thanks to INE Security for creating this practical and challenging certification, the incident response community for sharing knowledge and methodologies, and everyone who supported us during our certification journey.

Made with dedication by Qays Sarayra and Osama Ismailll
