Offensive Security Experienced Penetration Tester (OSEP) Study Notes & Guide
What is OSEP?
The Offensive Security Experienced Penetration Tester (OSEP) is an advanced penetration testing certification offered by Offensive Security (OffSec). It is part of the Offensive Security Certified Expert (OSCE) certification path and builds on the Offensive Security Certified Professional (OSCP). The OSEP focuses on advanced penetration testing techniques, evasion, and post-exploitation tactics against hardened environments.
OSEP is earned after completing the “Evasion Techniques and Breaching Defenses (PEN-300)” course and passing the 48-hour hands-on exam.
Overview of the OSEP Exam
Duration: 48 hours (plus 24 hours for reporting).
Format: Hands-on penetration testing exam against a hardened network.
Goal: Compromise high-value targets while bypassing security defenses.
Passing Criteria: Points-based system; typically, one domain controller compromise is required.
Who Should Take the OSEP?
OSEP is ideal for:
- OSCP holders who want to level up their skills.
- Red teamers and penetration testers looking to improve their evasion techniques.
- Security professionals seeking expertise in bypassing security mechanisms.
- Threat hunters and blue teamers who want to understand attacker tactics.
OSEP Study Resources
Official OSEP Course: PEN-300
The PEN-300 course is the primary resource for the exam and includes:
- 14 modules covering advanced penetration testing and evasion techniques.
- Over 800 pages of course material and 70+ lab exercises.
- Exam-focused challenges to test your skills.
OSEP Study Notes & Guide
Table of Contents:
- About OSEP & The Official Course
- Preparation & Exam Tips
- Operating System and Programming Theory
- Client Side Code Execution With Office
- Client Side Code Execution With Windows Script Host
- Process Injection
- AV Evasion
- C# Injection into Trusted Processes
- Application Whitelisting & Credentials
- Advanced AppLocker and PowerShell Security Bypass Techniques
- Bypassing Network Filters
- Linux Post-Exploitation Techniques and Persistence
- Kiosk Breakouts
- Lateral Movement
- Ansible
- Artifactory
- Kerberos on Linux
- Microsoft SQL Attacks
- Active Directory Hacking
Page Count: 243
Format: PDF & Markup
Other OSEP Learning Materials
📚 Books
- The Hacker Playbook 3 — Covers advanced evasion techniques.
- Red Team Development and Operations — Focuses on red teaming tactics.
- Windows Internals, Part 1 & 2 — Essential for understanding Windows security.
🎥 Video Courses
- TCM Academy Red Teaming — Covers enumeration and attack techniques.
- Pentester Academy — Offers advanced Windows security and bypass courses.
- Sektor7 Malware Development Essentials — Teaches shellcode execution, AV evasion, and process injection.
💻 Online Labs
- Hack The Box (HTB) Pro Labs (Rastalabs, APTLabs)
- TryHackMe Advanced Windows Modules
- CyberSecLabs & Pentester Academy Labs
OSEP Study Plan
To pass the OSEP, you need to master several advanced penetration testing techniques. Below is a structured study plan.
📌 Week 1–2: Offensive Development & Payload Execution
- Learn C# & PowerShell scripting for red teaming.
- Understand Payload Encoding & Packing.
- Study Process Injection (DLL injection, Thread Hijacking, APC/Suspended Injection).
- Explore Windows API for custom offensive tools.
🛠️ Practice:
- Write custom C# loaders.
- Develop obfuscated payloads to bypass security products.
📌 Week 3–4: Evasion Techniques
- Master Antivirus (AV) & EDR evasion (AMSI bypass, Sysmon evasion).
- Learn Userland & Kernel-land Evasion.
- Understand sandbox evasion & execution techniques.
🛠️ Practice:
- Modify existing malware techniques to evade detection.
- Implement hooking/unhooking for stealth execution.
📌 Week 5–6: Active Directory & Lateral Movement
- Study Active Directory enumeration (BloodHound, LDAP queries).
- Learn Kerberos attacks (Pass-the-Ticket, Kerberoasting, AS-REP Roasting).
- Explore Token Manipulation for lateral movement.
- Understand DC Shadow, DCSync, Golden & Silver Tickets.
🛠️ Practice:
- Use Mimikatz and Rubeus for credential dumping.
- Perform DC persistence & AD backdoors.
📌 Week 7–8: Persistence & Post-Exploitation
- Learn Windows persistence mechanisms (scheduled tasks, services, registry run keys).
- Study Backdoor creation & hiding techniques.
- Master C2 Frameworks (Covenant, Cobalt Strike, Sliver).
🛠️ Practice:
- Build custom persistence tools.
- Implement custom C2 channels.
📌 Week 9–10: Exam Simulation
- Set up a test Active Directory lab to simulate OSEP challenges.
- Perform full-scope penetration tests (initial access → AD exploitation).
- Write detailed reports following OffSec standards.
Tools & Scripts to Master for OSEP
✅ Cobalt Strike / Covenant / Sliver — C2 frameworks.
✅ PowerShell & C# Offensive Toolkit — For scripting payloads.
✅ Mimikatz & Rubeus — Credential dumping & Kerberos attacks.
✅ Process Hacker & API Monitor — Debugging & evasion research.
✅ Sysinternals Suite — Process Explorer, Autoruns, ProcMon.
✅ BloodHound & SharpHound — Active Directory enumeration.
✅ Metasploit, CrackMapExec, Impacket — General exploitation tools.
OSEP Exam Strategy & Tips
1. Lab Time Utilization
- Focus on hands-on exercises (don’t just read the course).
- Spend time in OSEP labs mastering evasive techniques.
- Take detailed notes (commands, scripts, techniques).
2. Exam Mindset
- Enumerate everything — firewalls, defenses, security tools.
- Try multiple evasion methods (e.g., API unhooking, AMSI bypass).
- Think like a real attacker, not just a pentester.
- Stay organized — document findings while attacking.
3. During the Exam
- Time management: First 24 hours → compromise initial foothold; Second 24 hours → privilege escalation and lateral movement.
- Check logs & defenses: Modify attacks based on security tools present.
- Take breaks: The exam is long; pace yourself.
- Report writing: Start as soon as you achieve access to critical systems.
OSEP Success Checklist
✅ Completed PEN-300 labs & exercises
✅ Built a custom AD lab for practice
✅ Mastered Windows post-exploitation & AD attacks
✅ Written custom payloads & bypasses
✅ Simulated OSEP-style scenarios & challenges
Conclusion
OSEP is one of the most challenging yet rewarding certifications in offensive security. It takes discipline, hands-on practice, and strategic thinking to pass. The best preparation strategy is to focus on real-world attack scenarios, build a personal Active Directory lab, and develop custom offensive tools.