eCTHP - Certified Threat Hunting Professional

Overview

This repository contains our complete walkthrough and solutions for the eCTHP (Certified Threat Hunting Professional) certification exam. We recently achieved this certification and are sharing our methodology, commands, and analysis techniques used to successfully complete all three phases of the exam.

The eCTHP certification validates advanced skills in proactive threat hunting, including:

  • Network traffic analysis (PCAP)
  • Log analysis and correlation (Splunk)
  • TTP (Tactics, Techniques, and Procedures) identification (ELK Stack)
  • Threat intelligence integration
  • Incident response and forensics

Authors

  • Qays Sarayra
  • Osama Ismailll

Official Documentation

Exam Structure

The eCTHP certification consists of three distinct phases:

Phase 1: PCAP Analysis (Wireshark)

Analysis of network packet captures to identify malicious traffic patterns and C2 communications and to extract IOCs. Key focus areas:

  • Decoding XOR-encoded traffic (XOR is obfuscation, not encryption: the key is recoverable from the traffic itself)
  • C2 beacon identification
  • Network protocol analysis
  • Traffic pattern recognition
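The XOR part of this phase is easier to picture with code. The block below is an added example, not code from the writeup or from the exam: it recovers a single-byte key by scoring decoded output, and a repeating multi-byte key with a known-plaintext crib, against a constructed check-in body. The key b"k3y", the single byte 0x5A and the sample JSON are invented; in practice the input is the HTTP body you export from Wireshark (Follow TCP Stream) or with tshark -T fields -e http.file_data.

```python
"""Recovering the key from XOR-encoded C2 traffic.

Two approaches a hunter uses on an extracted HTTP body: brute-forcing a
single-byte key and scoring the output, and a known-plaintext (crib) attack
that recovers a repeating multi-byte key. Everything here is constructed for
illustration; it is not the exam's traffic or key.
"""
import string

PRINTABLE = set(string.printable.encode())


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; a cheap 'does this look decoded' score."""
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def single_byte_candidates(data: bytes, min_ratio: float = 0.95) -> list[tuple[int, bytes]]:
    """Try all 256 single-byte keys and keep those whose output is (almost) all printable.

    Keys that differ from the real one only in low bits often pass this filter
    too, so treat the result as a shortlist to confirm with a crib, not an answer.
    """
    hits = []
    for k in range(256):
        decoded = xor_bytes(data, bytes([k]))
        if printable_ratio(decoded) >= min_ratio:
            hits.append((k, decoded))
    return sorted(hits, key=lambda kv: printable_ratio(kv[1]), reverse=True)


def key_from_crib(data: bytes, crib: bytes, offset: int = 0) -> bytes:
    """Known-plaintext attack for a repeating key.

    XORing the ciphertext with plaintext you can predict (a JSON prefix, a
    hostname, a User-Agent) exposes the key stream at that offset. The crib must
    be longer than the key so the repetition period is visible; the recovered
    key is rotated so that key[0] lines up with data[0].
    """
    fragment = xor_bytes(data[offset:offset + len(crib)], crib)
    for period in range(1, len(fragment) + 1):
        if all(fragment[i] == fragment[i % period] for i in range(len(fragment))):
            return bytes(fragment[(m - offset) % period] for m in range(period))
    return fragment  # no repetition seen: crib too short, or key not repeating


# Constructed sample: a toy check-in body as a custom HTTP C2 might send it,
# encoded with the 3-byte key b"k3y" and, separately, with the single byte 0x5A.
PLAINTEXT = b'{"host":"WS01","user":"corp\\jdoe","task":"whoami"}'
ENCODED_MULTI = xor_bytes(PLAINTEXT, b"k3y")
ENCODED_SINGLE = xor_bytes(PLAINTEXT, b"\x5a")


def recover_with_crib(data: bytes, crib: bytes, offset: int = 0) -> tuple[bytes, bytes]:
    """Convenience wrapper: returns (key, decoded_payload)."""
    key = key_from_crib(data, crib, offset)
    return key, xor_bytes(data, key)


if __name__ == "__main__":
    key, body = recover_with_crib(ENCODED_MULTI, b'{"host"')
    print(f"multi-byte key {key!r}: {body!r}")
    shortlist = single_byte_candidates(ENCODED_SINGLE)
    print(f"{len(shortlist)} single-byte candidates; first: {shortlist[0]}")
```

The crib attack is the one that scales: once you know what one decoded beacon looks like, every later payload from the same implant falls to the same key, and a key that does not repeat within the crib length tells you the encoding is something other than a short repeating XOR.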

Phase 2: Threat Hunting (Splunk)

Log analysis using Splunk to correlate events and identify attacker TTPs based on threat intelligence. Includes:

  • SPL query crafting
  • Temporal analysis
  • Behavioral analytics
  • IOC correlation
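Temporal analysis in Splunk usually means computing the gap between successive connections per source/destination pair and flagging flows whose gaps are suspiciously regular. The block below is an added example, not from the writeup, that runs that logic offline in Python over constructed proxy log lines. The 203.0.113.10:8000 destination stands in for the custom HTTP C2 on port 8000 this README mentions in the kill chain; all addresses, timestamps and byte counts are invented.

```python
"""Beacon detection from connection-log inter-arrival times.

Offline Python version of the temporal analysis one would do in Splunk with
streamstats/stats. All log lines below are constructed for illustration.
"""
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed proxy/firewall log lines. 203.0.113.10:8000 plays the role of a
# custom HTTP C2 on port 8000; 10.0.0.7's traffic to 198.51.100.20 is ordinary
# bursty browsing. All addresses are documentation ranges, not real IOCs.
LOG_LINES = [
    "2024-03-01T10:00:00Z src=10.0.0.5 dst=203.0.113.10 dport=8000 bytes=412",
    "2024-03-01T10:00:05Z src=10.0.0.7 dst=198.51.100.20 dport=443 bytes=9031",
    "2024-03-01T10:00:06Z src=10.0.0.7 dst=198.51.100.20 dport=443 bytes=1200",
    "2024-03-01T10:01:01Z src=10.0.0.5 dst=203.0.113.10 dport=8000 bytes=415",
    "2024-03-01T10:01:59Z src=10.0.0.5 dst=203.0.113.10 dport=8000 bytes=410",
    "2024-03-01T10:02:40Z src=10.0.0.7 dst=198.51.100.20 dport=443 bytes=77210",
    "2024-03-01T10:03:02Z src=10.0.0.5 dst=203.0.113.10 dport=8000 bytes=412",
    "2024-03-01T10:04:00Z src=10.0.0.5 dst=203.0.113.10 dport=8000 bytes=2380",
    "2024-03-01T10:04:58Z src=10.0.0.5 dst=203.0.113.10 dport=8000 bytes=411",
    "2024-03-01T10:06:01Z src=10.0.0.5 dst=203.0.113.10 dport=8000 bytes=413",
    "2024-03-01T10:07:00Z src=10.0.0.5 dst=203.0.113.10 dport=8000 bytes=409",
    "2024-03-01T10:09:15Z src=10.0.0.7 dst=198.51.100.20 dport=443 bytes=5120",
    "2024-03-01T10:09:16Z src=10.0.0.7 dst=198.51.100.20 dport=443 bytes=300",
    "2024-03-01T10:09:20Z src=10.0.0.5 dst=198.51.100.20 dport=443 bytes=640",
    "2024-03-01T10:09:21Z src=10.0.0.5 dst=198.51.100.20 dport=443 bytes=640",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def parse_line(line: str):
    """Return (timestamp, src, dst, dport, bytes) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["src"], m["dst"], int(m["dport"]), int(m["bytes"])


@dataclass
class Beacon:
    src: str
    dst: str
    dport: int
    count: int
    mean_interval: float  # seconds between connections
    jitter_cv: float      # stdev / mean of the intervals; near 0 means clockwork


def find_beacons(lines, min_events: int = 5, max_cv: float = 0.2) -> list[Beacon]:
    """Group connections per (src, dst, dport), then flag flows whose gaps are regular.

    Human browsing is bursty (coefficient of variation well above 1); a timer-driven
    implant with a few seconds of jitter sits far below max_cv. min_events keeps
    two-connection flows from producing meaningless statistics.
    """
    flows = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, dport, _ = rec
        flows[(src, dst, dport)].append(ts)

    beacons = []
    for (src, dst, dport), stamps in flows.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(deltas)
        if mean <= 0:
            continue
        cv = statistics.pstdev(deltas) / mean
        if cv <= max_cv:
            beacons.append(Beacon(src, dst, dport, len(stamps), mean, cv))
    return sorted(beacons, key=lambda b: b.jitter_cv)


if __name__ == "__main__":
    for b in find_beacons(LOG_LINES):
        print(f"{b.src} -> {b.dst}:{b.dport}  n={b.count}  every {b.mean_interval:.0f}s  cv={b.jitter_cv:.3f}")
```

The SPL shape of the same hunt is: sort by _time, streamstats current=f last(_time) as prev by src dest dest_port, eval delta=_time-prev, then stats count avg(delta) stdev(delta) by the same three fields and filter on stdev/avg. Adding a sleep-jitter of 10 to 20 percent is common in implants, so keep max_cv generous and rank rather than hard-filter.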

Phase 3: TTP Identification (ELK Stack)

Mapping observed activities to the MITRE ATT&CK framework using the Elastic Stack. Covers:

  • MITRE ATT&CK technique identification
  • Query construction in Kibana (KQL, the Kibana Query Language)
  • Timeline reconstruction
  • Attack chain analysis
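Mapping endpoint events to ATT&CK is rule logic over event fields: which event ID, which process, which access mask or logon type. The block below is an added example, not from the writeup or from Elastic, that encodes four such rules over constructed Sysmon and Windows Security events and orders the hits into a timeline. Field names are simplified rather than ECS, the hosts, users, paths and the encoded command are invented, and the indicators themselves (encoded PowerShell, LSASS opened with PROCESS_VM_READ, a NewCredentials logon through seclogo, a 4662 carrying the replication GUIDs) are the standard public ones for these techniques.

```python
"""Rule-based ATT&CK mapping over endpoint events, with timeline reconstruction.

Event dicts mimic Sysmon and Windows Security records as they land in Elastic,
with simplified field names. All events are constructed for illustration.
"""
import re

# 4662 property GUIDs for directory replication rights. A non-machine account
# being granted these is the classic DCSync indicator.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
PROCESS_VM_READ = 0x0010  # present in the 0x1010 / 0x1410 masks credential dumpers request
# -e, -ec, -enc, -encodedcommand: PowerShell accepts any unambiguous prefix
ENCODED_FLAG = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?(?:\s|$)")


def rule_encoded_powershell(ev):
    if ev["source"] == "sysmon" and ev["event_id"] == 1:
        if "powershell" in ev.get("image", "").lower() and ENCODED_FLAG.search(ev.get("command_line", "").lower()):
            return "T1059.001", "Execution", "PowerShell launched with an encoded command"
    return None


def rule_lsass_access(ev):
    if ev["source"] == "sysmon" and ev["event_id"] == 10:
        target = ev.get("target_image", "").lower()
        granted = int(ev.get("granted_access", "0x0"), 16)
        if target.endswith("\\lsass.exe") and granted & PROCESS_VM_READ:
            return "T1003.001", "Credential Access", f"{ev.get('source_image', '?')} opened LSASS with {ev['granted_access']}"
    return None


def rule_pass_the_hash(ev):
    if ev["source"] == "security" and ev["event_id"] == 4624:
        if ev.get("logon_type") == 9 and ev.get("logon_process", "").lower() == "seclogo":
            return "T1550.002", "Lateral Movement", f"NewCredentials logon via seclogo for {ev.get('target_user', '?')}"
    return None


def rule_dcsync(ev):
    if ev["source"] == "security" and ev["event_id"] == 4662:
        props = {p.strip("{}").lower() for p in ev.get("properties", [])}
        subject = ev.get("subject_user", "")
        if props & REPLICATION_GUIDS and not subject.endswith("$"):
            return "T1003.006", "Credential Access", f"{subject} requested directory replication rights"
    return None


RULES = [rule_encoded_powershell, rule_lsass_access, rule_pass_the_hash, rule_dcsync]


def build_timeline(events):
    """Run every rule over every event, oldest first, and return the matches in order."""
    hits = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):  # ISO-8601 UTC strings sort correctly
        for rule in RULES:
            match = rule(ev)
            if match:
                technique, tactic, detail = match
                hits.append({"time": ev["@timestamp"], "host": ev["host"], "technique": technique,
                             "tactic": tactic, "detail": detail})
    return hits


# Constructed events, deliberately out of order. Hosts, users and paths are invented.
EVENTS = [
    {"@timestamp": "2024-03-01T10:20:00Z", "host": "DC01", "source": "security", "event_id": 4662,
     "subject_user": "CORP\\jdoe",
     "properties": ["{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}", "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"]},
    {"@timestamp": "2024-03-01T10:00:00Z", "host": "WS01", "source": "sysmon", "event_id": 1,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"@timestamp": "2024-03-01T10:12:00Z", "host": "WS01", "source": "security", "event_id": 4624,
     "logon_type": 9, "logon_process": "seclogo", "target_user": "jdoe"},
    {"@timestamp": "2024-03-01T10:05:00Z", "host": "WS01", "source": "sysmon", "event_id": 10,
     "source_image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\svc.exe",
     "target_image": "C:\\Windows\\system32\\lsass.exe", "granted_access": "0x1010"},
    # Benign noise: an interactive logon and a DC replicating with its own machine account.
    {"@timestamp": "2024-03-01T09:58:00Z", "host": "WS01", "source": "security", "event_id": 4624,
     "logon_type": 2, "logon_process": "User32", "target_user": "jdoe"},
    {"@timestamp": "2024-03-01T10:01:00Z", "host": "DC01", "source": "security", "event_id": 4662,
     "subject_user": "DC01$", "properties": ["{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"]},
]

if __name__ == "__main__":
    for hit in build_timeline(EVENTS):
        print(f"{hit['time']}  {hit['host']:<5} {hit['technique']:<10} {hit['tactic']:<18} {hit['detail']}")
```

Each rule is the same condition you would type into the Kibana search bar (for instance event.code:4662 and the replication GUID with the machine-account subjects excluded); writing it as code makes the timeline reproducible and lets you add the next technique as one more function.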

Repository Structure

eCTHP-Writeup/
│
├── Phase 1 - Network/
│   └── README.md
│
├── Phase 2 - Splunk/
│   └── README.md
│
├── Phase 3 - ELK/
│   └── README.md
│
├── ELK.md
└── README.md

What You'll Find

Each phase folder contains:

  • A detailed walkthrough with step-by-step methodology
  • The complete list of commands used, with explanations
  • Key observations and pivot points
  • Answers to the exam questions with supporting evidence
  • Custom tools and automation scripts developed during the exam

Tools and Technologies

  • Wireshark/tshark for network protocol analysis
  • Splunk for log analysis and SIEM
  • ELK Stack (Elasticsearch, Logstash, Kibana) for search and analytics
  • Python for custom scripting and automation
  • CyberChef for data encoding/decoding
  • MITRE ATT&CK for threat modeling framework

Key Learnings

Throughout this certification we built practical skills in:

  • XOR encoding analysis: identifying and decoding obfuscated C2 traffic
  • Threat intelligence integration: turning IOCs and TTPs into proactive hunts
  • Cross-platform correlation: connecting events across PCAP, logs, and endpoint data
  • MITRE ATT&CK mapping: translating observed behaviour into standardized techniques
  • Query techniques: crafting efficient searches in SPL and KQL (Kibana Query Language)
  • Incident timeline reconstruction: building a complete attack narrative

Attack Kill Chain Identified

During the exam we identified and documented a complete attack chain. Where the mapping is unambiguous the ATT&CK technique ID is given:

  • Initial access through phishing/exploitation
  • Execution via PowerShell-based malware (T1059.001)
  • Persistence using a Golden Ticket, a forged Kerberos TGT (T1558.001)
  • Privilege escalation through LSASS credential dumping (T1003.001; ATT&CK files this under Credential Access, but here the dumped credentials were what enabled the escalation)
  • Defense evasion by XOR-encoding the C2 traffic (T1027)
  • Credential access using Mimikatz and DCSync (T1003.006)
  • Discovery through domain enumeration
  • Lateral movement via Pass-the-Hash (T1550.002) and Kerberos ticket attacks
  • Collection of harvested credentials
  • Command and control over a custom HTTP C2 on port 8000
  • Impact: domain compromise and backdoor creation

How to Use This Repository

  • Study the methodology: review each phase's README for the approach and techniques.
  • Practice the commands: run them in your own lab environment.
  • Understand the logic: focus on the reasoning behind each step.
  • Adapt and apply: use these techniques in your own threat hunting activities.

This is a learning resource based on our exam experience. Actual exam scenarios may vary.

Disclaimer

This repository is created for educational purposes only. The techniques and tools described should only be used in authorized environments (labs, CTFs, authorized penetration tests). We are not responsible for any misuse of this information.

Contributing

Found an error or have a suggestion? Feel free to:

  • Open an issue
  • Submit a pull request
  • Reach out to us directly

Additional Resources

Contact

  • Qays Sarayra: Website
  • Osama Ismailll: LinkedIn

Acknowledgments

Special thanks to INE Security for creating this challenging and practical certification, the cybersecurity community for sharing knowledge and tools, and everyone who supported us during our certification journey.

If you found this helpful, please give it a star!

Made with dedication by Qays Sarayra and Osama Ismailll
