Cyber Threat Hunting Training Course

Threat Hunting Training Course

If you would like to take this course live and receive a certificate for the next session of this training:


Welcome to our Threat Hunt Training Course!

Here you will find everything you need to complete this training. The information for the course is broken down into different sections:

  • Course Slides
  • Course Video Recordings
  • Hands-on Labs Info
  • Lab Downloads
  • Frequently Asked Questions
  • Notes for the Lab Download


Active Countermeasures is passionate about providing quality, educational content for the Infosec and Threat Hunting community. We hope you enjoyed this Threat Hunt Training and plan to join us for future webcasts!

Interested in taking an Advanced Threat Hunting class? Chris Brenton holds one quarterly with Wild West Hackin’ Fest. Check out all the WWHF training.

Happy Hunting!

Course Video Recording

Timeline Breakdown

Training Begins – 00:21:44

Start of Labs – 03:21:45

Hands-on Labs Info

Our labs are designed to run on Ubuntu 18 and CentOS 7.

We’ve updated the options for performing the labs, so if you are returning to the class as a refresher please read this section carefully!

The end of the class is all hands-on labs. You will be working with traces of real command and control (C2) traffic in order to reinforce what you have learned. The labs are optional, but they are the best way to really learn the threat hunting process.

You have two options for performing the labs:

1) Download a copy of the VMware virtual machine
2) Start your own Linux system and run the class install script

With Option #1, you get a self-contained virtual machine that is configured and ready to go. It’s 2 GB in size and requires VMware Player-compatible software to run, but this is usually the easiest option to get running.

With Option #2, you avoid downloading a single large file, and you have the option of performing the labs within a public cloud environment. This option can be useful if you have very slow internet access speeds or don’t have the resources on your local system to run the VM. However, this option is more likely to be buggy, as we’ve only tested it on Ubuntu 18 and CentOS 7 (we still consider the install to be beta).

All of the labs will be performed from the command line, so if you can see the files you are set to go! If you run into trouble, please reach out to us on our Threat Hunter Community Discord Server in the ‘#acm-general’ channel.


Lab Downloads

Option 1 – Downloading the VM

Extract the ZIP file with your favorite compression utility, then open the virtual machine with VMware Player-compatible VM software. When the login screen appears, use the following credentials:

Login: thunt

Pass: aybab2u


Option 2 – Downloading the Install Script

Log in via SSH to the Linux system on which you will be performing the labs. Your account needs to have “sudo” access so that you can run commands as root. From your home directory, run the following command:


This will download the install script. You now need to make the script executable by running the following command:

chmod +x

You can now run the install script:


You will be prompted for your password so that sudo commands can be run. Answer “yes” to all prompts during the install. Once the install script finishes, you will need to log out and log back in to the system. You should then see three new directories in your home directory named “lab1”, “lab2” and “lab3”.

Notes for the Lab Download

  • – File Data –

Size: 2193726370 bytes (2092 MiB)
CRC32: C8E75210
SHA1: EB38C2CC4E5074A11DE231945A2447A8179E108B
SHA256: 50A1A2CFC431777B7EDF25553072BE15D9E7359861A2D3C8EBB071C9CA553DC4


  • – File Data –

Size: 7943 bytes (7 KiB)
CRC32: 40246E46
CRC64: 9ED640DA78F8681A
SHA1: 8EBFC7573B42AD793E84116F35C0575BA5F16098
SHA256: 00A1CC67013E0ABD4DC116E2AB5389061701796CDA93AD81F8DCF0D1D1FEB0C9
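
Before opening the VM archive or running the install script with sudo, the download can be checked against the size and SHA256 values listed above. The script below is an added example, not part of the original course material. Which file each block of values belongs to is an assumption inferred from the sizes (the 2 GB VM archive and the 7 KiB install script), and the file path is whatever you pass on the command line.

```shell
# Added example: verify a lab download against the published size and SHA256.
# Assumption: the first "File Data" block is the VM ZIP, the second the script.

# verify_download FILE EXPECTED_SIZE_BYTES EXPECTED_SHA256 -> 0 only on a match
verify_download() {
    local file="$1" want_size="$2" want_sha got_size got_sha
    # The page lists digests in uppercase; sha256sum prints lowercase.
    want_sha=$(printf '%s' "$3" | tr 'A-F' 'a-f')

    if [ ! -f "$file" ]; then
        echo "FAIL: $file not found" >&2
        return 2
    fi

    # Cheap check first: a truncated download fails here without hashing 2 GB.
    got_size=$(wc -c < "$file" | tr -d ' ')
    if [ "$got_size" != "$want_size" ]; then
        echo "FAIL: $file is $got_size bytes, expected $want_size" >&2
        return 1
    fi

    if command -v sha256sum >/dev/null 2>&1; then
        got_sha=$(sha256sum "$file" | cut -d ' ' -f 1)
    else
        got_sha=$(shasum -a 256 "$file" | cut -d ' ' -f 1)
    fi
    if [ "$got_sha" != "$want_sha" ]; then
        echo "FAIL: SHA256 mismatch for $file" >&2
        return 1
    fi
    echo "OK: $file matches the published size and SHA256"
}

# Published values copied from the "File Data" blocks on this page.
# The file names were not preserved on the page, so the path is an argument.
VM_SIZE=2193726370
VM_SHA256=50A1A2CFC431777B7EDF25553072BE15D9E7359861A2D3C8EBB071C9CA553DC4
SCRIPT_SIZE=7943
SCRIPT_SHA256=00A1CC67013E0ABD4DC116E2AB5389061701796CDA93AD81F8DCF0D1D1FEB0C9

# Usage: sh verify.sh vm <path-to-zip>   or   sh verify.sh script <path-to-script>
case "${1:-}" in
    vm)     verify_download "$2" "$VM_SIZE" "$VM_SHA256" ;;
    script) verify_download "$2" "$SCRIPT_SIZE" "$SCRIPT_SHA256" ;;
esac
```

A match only shows that the file is the one these values describe; the values are as trustworthy as the page they were read from.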
