Please read this entire document carefully before beginning your exam!
This guide explains the objectives of the OffSec Defense Analyst (OSDA) certification exam.
You have 23 hours and 45 minutes to complete the exam.
This means that if your exam begins at 09:00 GMT, your exam will end at 08:45 GMT the next day.
Once the exam is finished, you will have another 24 hours to send your documentation to the OffSec Challenges Department. Details on how to submit your files are provided below.
All OSDA exams are proctored.
Please make sure to read the proctoring tool learner manual and the proctoring FAQ at the following URL: https://help.offensive-security.com/hc/en-us/sections/360008126631-Proctored-Exams
SECTION 1: EXAM REQUIREMENTS
The exam network consists of a simulated corporate environment, including a SIEM with endpoint integration. The exam is divided into 10 phases, and each phase contains a number of attacker actions that must be detected, understood, and documented.
As an example, an attacker's action can be an enumeration attempt, a brute force attempt, lateral movement, privilege escalation, or persistence.
You are required to write a professional report including any evidence you collected, conclusions on attacker techniques, and compromises for each phase. You must document all of your findings, including all screenshots from the SIEM and any queries you used to determine an attacker's action. Additionally, you must describe the type of access the attacker has obtained in the network for each phase. Your documentation should be thorough enough that your analysis can be replicated step-by-step by a technically competent reader.
The documentation requirements are very strict and failure to provide sufficient documentation will result in reduced or zero points being awarded. Please note that once your exam and lab report is submitted, your submission is final. If any screenshots or other information is missing, you will not be allowed to send them and we will not request them.
You cannot log into or exploit any of the machines in the simulated corporate network. The only intended access is through the provided ELK SIEM and its provided logs and events, together with OSQuery.
You may create or import any detection rules in ELK.
Downloading any applications, files, or source code from the exam environment to your local machine is strictly forbidden. For more information, please refer to the https://www.offsec.com/legal-docs/
SECTION 2: EXAM INFORMATION
Your connection to the exam is to be done with Kali Linux using OpenVPN. We are unable to provide any VPN connectivity support if you choose to use another setup. Your exam connection pack and details will be sent by email at the exact start time of your exam and not in advance.
1) Download the exam-connection.tar.bz2 file from the link provided in the exam email to your Kali machine.
2) Extract the file:
└─$ tar xvfj exam-connection.tar.bz2
3) Initiate a connection to the exam lab with OpenVPN:
└─$ sudo openvpn OS-XXXXXX-OSDA.ovpn
4) Enter the username and password provided in the exam email to authenticate to the VPN:
└─$ sudo openvpn OS-XXXXXX-OSDA.ovpn 1 ⨯
[sudo] password for kali:
2022-01-11 04:15:50 Note: Treating option '--ncp-ciphers' as '--data-ciphers' (renamed in OpenVPN 2.5).
2022-01-11 04:15:50 OpenVPN 2.5.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct 28 2020
2022-01-11 04:15:50 library versions: OpenSSL 1.1.1g 21 Apr 2020, LZO 2.10
🔐 Enter Auth Username: OS-XXXXXX
🔐 Enter Auth Password: ***********
2022-01-11 04:16:01 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
2022-01-11 04:16:01 UDP link local (bound): [AF_INET][undef]:1194
2022-01-11 04:16:01 UDP link remote: [AF_INET]x.x.x.x:1194
2022-01-11 04:16:01 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2022-01-11 04:16:02 [offensive-security.com] Peer Connection Initiated with [AF_INET]x.x.x.x:1194
2022-01-11 04:16:03 TUN/TAP device tun0 opened
2022-01-11 04:16:03 net_iface_mtu_set: mtu 1500 for tun0
2022-01-11 04:16:03 net_iface_up: set tun0 up
2022-01-11 04:16:03 net_addr_v4_add: 192.168.xx.xx/24 dev tun0
2022-01-11 04:16:03 Initialization Sequence Completed
Exam Control Panel
The exam control panel is available via a link provided in your exam email. Through the exam control panel you will be able to:
- Revert target machines
- Start and change phases
You have a limit of 24 reverts. This limit can be reset once during the exam. All of the machines have been freshly reverted at the start of your exam so you will not be required to revert the machines when you begin. Please wait patiently for the machine to revert and only click the button once per attempt. Note that reverting a target machine will cause it to return to its original state and any changes you have made to the machine will be lost.
Points will be awarded for partial and full completion of the exam objectives. The exam is split into 10 phases. Each phase awards up to 10 points for a total maximum possible of 100 points. Each phase can award partial or full points depending on the level of completion.
You must achieve a minimum score of 75 points to pass the exam. There is a maximum of 100 points available on the exam.
Suggested Documentation Templates
Ideally, one of the following templates should be used for the exam report:
You may use your own template as long as the information is presented in a structured, professional manner and follows all other requirements outlined above.
Guidelines for Handling Unforeseen Factors during the Exam
This subsection of the exam guide documents what you should do in case you are unable to complete your exam due to severe external factors. Please make sure to read and understand it carefully.
The exam lab is a dedicated environment with no learners connected other than yourself. The total allotted time of 23:45 hours does take life and its situations into consideration:
- You are expected to take rest breaks, eat, drink and sleep
- You are also expected to have a contingency plan in the event that there is an issue outside your control. (e.g. ensure you have access to a backup Internet connection, Kali Virtual Machine, power etc)
If you have a legitimate issue, please send an email with your OSID to "challenges AT offsec DOT com" immediately. Make sure to include all the necessary details and supporting information such as a letter from your power company, ISP or any other relevant documentation.
Please note we are only able to extend the lab time if the issues were present on our side and only when the exam subnet is not immediately in use by another learner following your exam. In the event of an issue on our side and the exam subnet is scheduled immediately following your exam we will provide a free exam retake attempt. We work very hard to ensure our environments are highly available and issues are very rare.
If you encounter any connectivity problems with the VPN or target machines, inform us immediately, directly in the proctoring chat. Should you not be able to access the proctoring tool, please contact us via the live chat available at https://chat.offensive-security.com or via email to "help AT offsec DOT com".
Please note that we will not be able to assist with, or give hints on, any exam objectives and will only be available for technical problems during the exam.
SECTION 3: SUBMISSION INSTRUCTIONS
- Your exam report is in PDF format
- You have used the following format for the PDF file name "OSDA-OS-XXXXX-Exam-Report.pdf", where "OS-XXXXX" is your OSID
- Your PDF has been archived into a .7z file (Please do NOT archive it with a password)
- You have used the following format for the .7z file name "OSDA-OS-XXXXX-Exam-Report.7z", where "OS-XXXXX" is your OSID
- You have made sure that your archive is not more than 200MB
- You have uploaded your .7z file to https://upload.offsec.com
Note that the filename is case sensitive. Learners must submit their exam file following the exact filename format structure above. If your file does not follow the exact filename format and structure, the application will not accept it.
The following subsections provide details on each of these requirements.
Submission Format and Name
Your exam report must be submitted in PDF format archived into a .7z file. Please make sure to include all your queries as text inside the exam report PDF file itself. No other file formats will be accepted within the .7z file other than PDF file format.
If you submit your report in any other file format, we will not request or remind you to send a PDF report archived into a .7z file and your exam report will not be scored.
Before submitting your exam report, please review the PDF document to ensure the format and content appear as it did in your original edition document and that there are no formatting errors.
After uploading your exam file to upload.offsec.com, the site will provide you with the MD5 hash of your uploaded file.
Please make sure to verify that you have uploaded your report correctly by checking and comparing the MD5 hashes of your uploaded exam file and the file you have locally.
If the values do not match, that means your file did not upload successfully. Click on "Select a new file" and upload your archive again.
└─$ sudo md5sum OSDA-OS-XXXXX-Exam-Report.7z
Please do not archive your .7z and PDF(s) files with a password. Our system will not accept should you upload a password-protected files.
You must submit your documentation in a .7z file. Please use your Kali machine to create your .7z file.
└─$ sudo 7z a OSDA-OS-XXXXX-Exam-Report.7z OSDA-OS-XXXXX-Exam-Report.pdf
7-Zip 9.20 Copyright (c) 1999-2010 Igor Pavlov 2010-11-18 p7zip Version 9.20 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,2 CPUs)
Updating archive OSDA-OS-XXXXX-Exam-Report.7z
Everything is Ok
Please submit your .7z file via https://upload.offsec.com within 24 hours of completion of the exam and follow the provided instructions in order to upload your archived exam report.
The maximum allowable size for uploading your archive file is 200MB. If the size constraints are not met, you would not be able to upload your archive. If you are unable to meet the size constraints, we suggest looking at ways to reduce your file size using techniques such as image compression.
After the file has been uploaded, you will be presented with a "Submit File" button where a MD5 hash of your exam report will be displayed. Make sure to click the "Submit File" button after verifying your MD5 hash to submit your files successfully.
If you do not upload your exam-report via https://upload.offsec.com , it will not be graded.
Acknowledgement of Receipt
Once the report is uploaded successfully, a confirmation email will be sent immediately acknowledging the receipt. If you have not received the email, please ensure that you uploaded your report and clicked the Submit File button on the final page of https://upload.offsec.com after verifying your MD5 hash. We also recommend you to check your email spam and junk folders in case the confirmation email has been flagged as spam.
Additional Required Information
In the unlikely event that we require additional clarification on your exam report, we will get in contact with you via email. You must submit the requested information within 24 hours from the time we have requested it.
You will receive an email with your certification exam results (pass/fail) within ten (10) business days after submitting your documentation. Please note that we do not provide the exam score or solutions to the exam targets.