Please read this entire document carefully before beginning your exam!
In this article, you will find relevant information on:
- OSTH Introduction
- Section 1: Exam Requirements
- Section 2: Exam Information
- Section 3: Submission and Results
OSTH Exam Introduction
This guide explains the objectives of the OffSec Threat Hunter (OSTH) exam certification. Section 1 describes the requirements for the exam, Section 2 provides important information and suggestions, and Section 3 specifies instructions for after the exam is complete.
You will have eight (8) hours to complete the exam. Once your exam has started, you will see a timer at the bottom of your screen.
Once the exam is finished, you will have another 24 hours to send your documentation to the OffSec Challenges Department. Details on how to submit your files are provided below.
All OSTH exams are proctored.
Please make sure to read the proctoring tool learner manual and the proctoring FAQ at the following URL: https://help.offsec.com/hc/en-us/sections/360008126631-Proctored-Exams
SECTION 1: EXAM REQUIREMENTS
Objectives
The exam simulates a real-world, eight (8) hour threat hunting sprint within an enterprise infrastructure.
You are tasked with reviewing a threat intelligence report and conducting a threat hunting sprint aimed at identifying indicators of compromise by a threat actor. If you detect this attacker's activity within the organization's infrastructure, you must identify the potentially compromised systems and the Indicators of Compromise (IoCs) needed to meet the required objectives. This includes assessing the impact of the attacker's actions, such as determining whether data has been exfiltrated or encrypted.
Documentation Requirements
You are required to write a professional report that includes evidence of the threat actor’s activities. In the Hunt Narrative section, you must document your findings with all relevant screenshots from the SIEM and the queries you used to determine the attacker’s actions. This documentation should be detailed enough for a technically competent reader to replicate your analysis step-by-step. Additionally, you must include each detected attacker activity in a timeline in the Findings section.
The documentation requirements are very strict and failure to provide sufficient documentation will result in reduced or zero points being awarded. Please note that once your exam report is submitted, your submission is final. If any screenshot or other information is missing, you will not be allowed to send them and we will not request them.
Exam Restrictions
AI chatbots such as ChatGPT, YouChat, and similar are not allowed.
NOTE: While you may use Discord as a resource for searching for information during the exam, under no circumstances are you permitted to seek or receive assistance from others on the platform.
Downloading any applications, files, or source code from the exam environment to your local machine is strictly forbidden. For more information, please refer to https://www.offsec.com/legal-docs/
SECTION 2: EXAM INFORMATION
Exam Connection
Your connection to the exam is to be done primarily via the OffSec Portal. Target machines can be accessed via a local Kali machine and VPN pack, or via the OffSec Portal by using the in-browser options: Windows in-browser (WiB) or Kali in-browser (KiB). We are unable to provide any technical connectivity support if you choose to use another setup. Your exam connection pack and details will be sent by email at the exact start time of your exam and not in advance.
1. Exam Connection using VPN
- Download the Universal VPN file from your Learning Portal exam page.
- Initiate a connection to the exam lab with OpenVPN:
┌──(kali㉿kali)-[~]
└─$ sudo openvpn universal.ovpn
[sudo] password for kali:
2024-10-11 04:15:50 Note: Treating option '--ncp-ciphers' as '--data-ciphers' (renamed in OpenVPN 2.5).
2024-10-11 04:15:50 OpenVPN 2.5.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct 28 2020
2024-10-11 04:15:50 library versions: OpenSSL 1.1.1g 21 Apr 2020, LZO 2.10
2024-10-11 04:16:01 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
2024-10-11 04:16:01 UDP link local (bound): [AF_INET][undef]:1194
2024-10-11 04:16:01 UDP link remote: [AF_INET]x.x.x.x:1194
2024-10-11 04:16:01 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2024-10-11 04:16:02 [offensive-security.com] Peer Connection Initiated with [AF_INET]x.x.x.x:1194
2024-10-11 04:16:03 TUN/TAP device tun0 opened
2024-10-11 04:16:03 net_iface_mtu_set: mtu 1500 for tun0
2024-10-11 04:16:03 net_iface_up: set tun0 up
2024-10-11 04:16:03 net_addr_v4_add: 192.168.xx.xx/24 dev tun0
2024-10-11 04:16:03 Initialization Sequence Completed
The "may cache passwords in memory" line is an informational OpenVPN warning and does not indicate a problem. The connection is established once "Initialization Sequence Completed" appears; leave this terminal open for the duration of the exam, as closing it ends the VPN session.
2. Exam Connection using KiB / WiB (No VPN Required)
The Kali in Browser (KiB) / Windows in Browser (WiB) option offers an alternative, allowing you to access the exam lab machines directly through your web browser, without needing to connect to a VPN. You cannot use both: choose either the Kali or the Windows operating system, which then runs in your web browser.
KiB can be started without connecting to the downloaded exam VPN, and WiB can be started the same way. However, they cannot be run at the same time.
Both options (VPN / KiB or WiB) provide the same level of lab access, so you can choose the one that best suits your current environment or technical capabilities.
Point Allocation
The exam consists of seven exercise questions that must be answered by performing a threat hunting sprint and discovering information or artifacts related to the attacker’s activities.
Each exercise question awards up to 10 points, with a total maximum score of 70 points.
You must achieve a minimum score of 50 points to pass the exam and receive the OffSec Threat Hunter (OSTH) certification. Partial or full points can be awarded for each exercise question based on submitting the correct answer and the completeness of your findings in the exam report, including adherence to the Documentation Requirements.
Suggested Documentation Templates
Ideally, one of the following templates should be used for the exam report:
You may use your own template as long as the information is presented in a structured, professional manner and follows all other requirements outlined above.
Guidelines for Handling Unforeseen Factors During the Exam
This subsection of the exam guide documents what you should do in case you are unable to complete your exam due to severe external factors.
Please make sure to read and understand it carefully.
The exam lab is a dedicated environment with no learners connected other than yourself. The total allotted time of eight (8) hours does take life and its situations into consideration:
- You are welcome to take rest breaks, eat and drink
- You are also expected to have a contingency plan in the event that there is an issue outside your control. (e.g. ensure you have access to a backup Internet connection, power etc.)
If you have a legitimate issue, please send an email with your OSID to "challenges AT offsec DOT com" immediately. Make sure to include all of the necessary details and supporting information - such as a letter from your power company, ISP, or any other relevant documentation.
Please note that we are only able to extend the exam time if the issue is on our side and the exam subnet is not immediately in use by another learner following your exam. If the issue is on our side and the exam subnet is scheduled for another learner immediately after your exam, we will provide a free exam retake attempt instead. We work diligently to ensure that our environments are highly available and issues are very rare.
Contact Protocol
If you encounter any connectivity problems with Kali in-browser, Windows in-browser, the VPN or target machines, inform us immediately, directly in the proctoring chat.
Should you not be able to access the proctoring tool, please contact us via the live chat available at https://chat.offsec.com/ or via email to "help AT offsec DOT com"
Please note that we will not be able to assist with, or give hints on, any exam objectives and will only be available for technical problems during the exam.
SECTION 3: SUBMISSION AND RESULTS
Submission
The exam report upload menu is built directly into the learning portal, so there's no need to visit any external websites. Once you click to end the exam or when your exam time runs out, a pop-up will appear for submitting your exam report. Simply click the 'Submit Exam Files' button at the bottom right. Please note that after submission, you will not be able to make any changes to your report. This step is final, so be sure to review your exam thoroughly before submitting.
Learners must submit their report within 24 hours of completing the exam. Failure to meet this deadline will result in an automatic exam failure.
Submission Checklist:
- Your exam report is in PDF format
- You have used the following format for the PDF file name: "OSTH-OS-XXXXX-Exam-Report.pdf", where "OS-XXXXX" is your OSID
- Your PDF has been archived into a .7z file (Please DO NOT archive it with a password)
- You have used the following format for the .7z file name: "OSTH-OS-XXXXX-Exam-Report.7z", where "OS-XXXXX" is your OSID
- You have made sure that your archive is not more than 100MB
Submission Format and Name
Your exam report must be submitted in PDF format, archived into a .7z file. Please make sure to include all your queries as text inside the exam report PDF itself. No file format other than PDF will be accepted inside the .7z file.
If you submit your report in any other file format, we will not request or remind you to send a PDF report archived into a .7z file and your exam report will not be scored.
Before submitting your exam report, please review the PDF document to ensure that the format and content appear as they did in your original editable document and that there are no formatting errors.
After uploading your exam file to upload.offsec.com, the site will provide you with the MD5 hash of your uploaded file.
Please make sure to verify that you have uploaded your report correctly by checking and comparing the MD5 hashes of your uploaded exam file and the file you have locally.
If the values do not match, that means your file did not upload successfully. Click on "Select a new file" and upload your archive again.
┌──(kali㉿kali)-[~]
└─$ md5sum OSTH-OS-XXXXX-Exam-Report.7z
f7feecea01ac1eca9ee522906b087d5e  OSTH-OS-XXXXX-Exam-Report.7z
Archive File
Please do not archive your .7z and PDF file(s) with a password. Our system will not accept a password-protected upload.
You must submit your documentation in a .7z file. Please use your Kali machine to create your .7z file.
┌──(kali㉿kali)-[~]
└─$ 7z a OSTH-OS-XXXXX-Exam-Report.7z OSTH-OS-XXXXX-Exam-Report.pdf
7-Zip 9.20 Copyright (c) 1999-2010 Igor Pavlov 2010-11-18 p7zip Version 9.20
(locale=en_US.UTF-8,Utf16=on,HugeFiles=on,2 CPUs)
Scanning
Updating archive OSTH-OS-XXXXX-Exam-Report.7z
Everything is Ok
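As an added example (not part of the OffSec exam guide), the following script wraps the steps from the Submission Checklist, the Archive File section and the MD5 verification above into pre-upload checks you can run on the exam Kali machine: it validates the file names, builds the .7z, confirms the archive is under 100MB, is not password protected and contains only PDFs, and prints the MD5 to compare against the hash the portal displays. It assumes p7zip (7z) and GNU coreutils (md5sum, wc) are installed, that the OSID after "OS-" is numeric (the guide only shows "OS-XXXXX"), and the OSID "OS-12345" in the usage comment is a placeholder.

```shell
#!/usr/bin/env bash
# Added example, not OffSec's own tooling: pre-upload checks for an OSTH
# exam report archive, intended for the Kali machine used during the exam.
# Assumptions: OSIDs are numeric after "OS-" (the guide shows only "OS-XXXXX"),
# and p7zip (7z) plus GNU coreutils (md5sum, wc, cut) are installed.

MAX_ARCHIVE_BYTES=$((100 * 1024 * 1024))   # 100MB limit from the checklist

# check_report_name NAME EXT
# Succeeds only for names of the form OSTH-OS-<digits>-Exam-Report.<EXT>.
check_report_name() {
    name=$1; ext=$2
    case "$name" in
        OSTH-OS-*-Exam-Report."$ext") ;;
        *) return 1 ;;
    esac
    osid=${name#OSTH-OS-}
    osid=${osid%-Exam-Report."$ext"}
    [ -n "$osid" ] || return 1
    case "$osid" in
        *[!0-9]*) return 1 ;;   # assumption: the OSID body is digits only
    esac
    return 0
}

# check_size FILE: fail if the file is over the 100MB upload limit.
check_size() {
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -le "$MAX_ARCHIVE_BYTES" ]
}

# verify_hash FILE EXPECTED_MD5: compare the local MD5 with the hash the
# portal shows after upload; a mismatch means the upload did not complete.
verify_hash() {
    local_md5=$(md5sum "$1" | cut -d ' ' -f 1)
    [ "$local_md5" = "$2" ]
}

# check_archive ARCHIVE: no password protection, and only PDFs inside.
# "7z l -slt" prints one "Encrypted = +" line per encrypted entry; "-p" with
# an empty password stops 7z from prompting if the headers are encrypted.
# The first "Path = " line in -slt output is the archive itself, so skip it.
check_archive() {
    listing=$(7z l -slt -p "$1" 2>/dev/null) || return 1
    printf '%s\n' "$listing" | grep -q '^Encrypted = +' && return 1
    printf '%s\n' "$listing" | grep '^Path = ' | sed 1d | grep -qv '\.pdf$' && return 1
    return 0
}

# package_report PDF: build the .7z next to the PDF, run all checks,
# then print the MD5 to compare with the value shown by the portal.
package_report() {
    pdf=$1
    archive=${pdf%.pdf}.7z
    check_report_name "$pdf" pdf || { echo "bad PDF name: $pdf" >&2; return 1; }
    rm -f "$archive"
    7z a "$archive" "$pdf" >/dev/null || return 1
    check_size "$archive" || { echo "archive over 100MB" >&2; return 1; }
    check_archive "$archive" || { echo "archive encrypted or contains non-PDF files" >&2; return 1; }
    md5sum "$archive"
}

# Usage on the exam Kali box (OS-12345 is a placeholder OSID):
#   package_report OSTH-OS-12345-Exam-Report.pdf
#   verify_hash OSTH-OS-12345-Exam-Report.7z <hash shown by the portal>
```

After uploading, paste the hash the portal displays into verify_hash; if it fails, re-upload with "Select a new file" as the guide describes.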
Additional Required Information
In the unlikely event that we require additional clarification on your exam report, we will get in contact with you via email. You must submit the requested information within 24 hours from the time we have requested it.
Results
You will receive your certification exam results (pass/fail) within ten (10) business days after submitting your documentation.
You can then access your digital credentials via the OSTH tile on your Achievements Page.
In the event of a failing result, you can schedule another attempt if you still have a valid OSTH exam attempt on your account. If you do not have a valid attempt left, you will need to purchase a new exam attempt. For further guidance or questions, please refer to the OSTH Exam FAQ page.