Cyber Threat Hunting Training Course

Threat Hunting Training Course

This training course was recorded live on 10/24/2020

If you would like to take this training live and receive a certificate, Register Here for the next session of this training!

Welcome to our Threat Hunt Training Course!

Here you will find everything you need to complete this training. The information for the course is broken down into different sections…

  • Course slides
  • Course video recordings (with timeline breakdowns)
  • Hands-on Lab (info)
  • Lab downloads
  • Download notes

Active Countermeasures is passionate about providing quality, educational content for the Infosec and Threat Hunting community. We hope you enjoyed this Threat Hunt Training and plan to join us for future webcasts!

Interested in taking an “Advanced Threat Hunting” Class? Chris Brenton does one quarterly with WWHF! Check it out Here!

Happy Hunting!

Slide Deck

Download PDF

Threat Hunt Training Course Recording

Timeline Breakdown

  • 0:00:00 – PreShow Banter™ — Tales of Great Ambitions
  • 0:16:47 – Chris Crowley Plugs His UpComing SOC Class (
  • 0:21:32 – Meet the ACM Teams
  • 0:26:45 – This is the Way : The Path to Threat Hunting Carriers
  • 0:29:34 – FEATURE PRESENTATION: Network Cyber Threat Hunter Training
  • 0:34:43 – How We Try To Catch Bad Guys
  • 0:38:12 – Limitations of Logging
  • 0:50:52 – Threat Intel Feeds?
  • 0:55:50 – What Should Threat Hunting Be?
  • 1:01:04 – Starting With the Network
  • 1:14:40 – What to Look For
  • 1:18:51 – Keeping Score
  • 1:21:57 – Blind Spots to C2 Targeting
  • 1:24:13C2 Detection
  • 1:28:36 – Bad Guys V Red Teams
  • 1:31:00 – Long Connections
  • 1:39:53 – Bro V Zeek?
  • 1:43:31 – Zeek Has a Timeout Problem
  • 1:49:49 – Anyway, Here’s Firewalls
  • 1:50:45Beacons!
  • 1:59:06 – False Positives? Unexpected Results?
  • 2:17:15 – Destination IP Address
  • 2:19:55 – Internal Systems
  • 2:21:27 – Event ID Type 3
  • 2:23:07 – Passer
  • 2:25:44C2 Detection Tools
  • 2:43:31C2 Labs
  • 2:46:17 – LAB: Find Long Connections
  • 3:02:50 – LAB: Investigate Long-Talkers
  • 3:10:36 – LAB: Beacons By Session Size
  • 3:31:25 – LAB: C2 Over DNS
  • 3:39:11 – LABS Again, But With RITA
  • 3:49:46 – AI Hunter
  • 3:53:55 – That’s All, Folks


The end of the class includes hands-on labs. The labs are designed to help reinforce the content we have learned. We’ve all sat through instructions that seem easy until we try to apply them in practice. So by going hands on during the class, you can verify the processes and ask questions if anything unexpected comes up. With that said, the labs are totally optional. You can still get a lot of useful nuggets out of the class by simply listening in on the lecture.

The virtual machine file needed to perform the labs can be downloaded below. You only need to download one of them!  They are the same virtual machine except that one is for VMWare and the other is for VirtualBox. Each is about 7 GB in size.

The VM includes all of the files needed to complete each of the labs. Simply open the zip file and execute them with your VM manager of choice. You can login to the VM using the following credentials:
Login: thunt
Pass: aybab2u

and verify that you can see the lab files:

[email protected]:~$ pwd
[email protected]:~$ ls lab1/
conn.log files.log pe.log thunt-lab.pcapng
dns.log http.log reporter.log weird.log
dpd.log packet_filter.log ssl.log x509.log
[email protected]:~$

All of the labs will be performed from the command line, so if you can see the files you are set to go! If you run into trouble, please reach out to us on our Threat Hunter Community Discord Server in the #acm-general channel.

or, email us: [email protected] 

Lab Downloads

Lab VM for VMWare

MD5 Checksum: 1a0581d0d1f72d8f8b67d0495c53d4f6

Lab VM for VirtualBox-V2

MD5 Checksum: 5d4bad8c04806036a160af0c54e5ee35

Download Notes

  • To verify that the download finished successfully, run:

which should return the correct MD5 hash for the file.


  • On Mac OS, the zip file cannot be opened by unzip supplied with Mac OS. To open, create a lab directory and use “ditto” (included with Mac OS) to open:
mkdir thuntclass
cd thuntclass
ditto -x -k /path/to/ ./
Active Countermeasures Posts Related to Threat Hunting:

Sign up for email notifications of our new blog posts, threat hunting training, webcasts and other relevant information.

We are not spammy and you can unsubscribe at any time :)

* indicates required