Cyber Threat Hunting Training Course

Threat Hunting Training Course

If you would like to take this course live and receive a certificate for the next session of this training:


Welcome to our Threat Hunting Training Course!

Here you will find everything you need to complete this training. The information for the course is broken down into different sections:

  • Course Slides
  • Course Video Recordings
  • Hands-on Labs Info
  • Lab Downloads
  • Frequently Asked Questions
  • Notes for the Lab Download


Active Countermeasures is passionate about providing quality, educational content for the Infosec and Threat Hunting community. We hope you enjoyed this Threat Hunting Training and plan to join us for future webcasts!

Interested in taking an Advanced Threat Hunting class? Chris Brenton holds one quarterly with Antisyphon InfoSec Training.

Happy Hunting!

Course Slides


Last Updated 10/12/21

Course Video Recording

Basic Timeline:

Training Begins – 00:33:51

Hands-on Labs – 03:18:20

Hands-on Labs Info

Our labs are designed to run on Ubuntu 18.04 LTS and CentOS 7.

We’ve updated these instructions as of August 25th, 2021, so please read this section carefully!

The end of the class is all hands-on labs. You will be working with traces of real Command and Control (C2) traffic in order to reinforce what you have learned. The labs are optional, but they are the best way to really learn the threat hunting process.

You have three options for performing the labs (links for each are in the next section below):

  1. Download the install script and run it on an Ubuntu 18.04 LTS or CentOS 7 system of your choosing. This can be bare metal, a local VM or a cloud instance. Make sure you have a minimum of 3 GB of free space (5 GB preferred).
  2. Download the class virtual machine. There are two versions, one for VirtualBox and one for VMware. Each download is about 2.5 GB in size.
  3. Launch the class VM through DigitalOcean and receive enough credits to run the lab VM free for 60 days.


All of the labs will be performed from the command line, so if you can log in and see the “lab1”, “lab2” and “lab3” directories, you are set to go!

If you run into trouble, please see the FAQ:


If that does not answer your question, please reach out to us on our Threat Hunter Community Discord Server in the “#acm-general” channel.

Lab Downloads

Option 1 – Download the Install Script

Log in via SSH to the Linux system on which you will be performing the labs. Your account needs to have “sudo” access so that you can run commands as root. From your home directory, run the following command:


This will download the install script. You now need to make the script executable by running the following command (note: the “ii” in huntiing is not a typo):

chmod +x

You can now run the install script:


You will be prompted for your password so that sudo commands can be run. Answer “yes” to all prompts during the install. Once the install script finishes, you will need to log out and log back in to the system. You should see three new directories in your home directory named “lab1”, “lab2” and “lab3”.

Option 2 – Download the Virtual Machine for This Course

Download the appropriate virtual machine depending on which VM software you are running.

Download VM for VirtualBox
Download VM for VMware

Open the ZIP file with your favorite compression utility. Launch the VM with your VM software. At the login prompt, use the following credentials:

Login: thunt
Password: aybab2u

Option 3 – Launch the Class VM in DigitalOcean

Follow the instructions detailed in the Create Your Own Lab VM in DigitalOcean document:



Notes for the Lab Download

– File Data –
Size: 10958 bytes (10 KiB)
CRC32: C8DC8F18
SHA1: 8A1978D32E7E05756F0EE91CA5388B029032924D
SHA256: 7926BA51500D7EDB1BC3451F397B56D4CE558E72D0D7248E6CB9AE70E46E0FA1

– File Data –
Size: 2551355632 bytes (2433 MiB)
CRC32: 1BADA356
CRC64: 8BE02D1A6874C80C
SHA1: A85937BA27B743B71F0C4E01C9085A961A606230
SHA256: CF3072EF905C7F3A3BF036A228B4598A19E845668713B04AB40469C47D12E6CD

– File Data –
Size: 2545104167 bytes (2427 MiB)
CRC32: 22DC703D
CRC64: F1518AC0B37DE654
SHA1: 9A1476084F1C778904E0FA7525584904D99DF0D7
SHA256: DB2287FACE7DD9C2EE2417C5151EA60F9FC9CEB61A246D81170607CF6BB57B34
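
One way to check a download against the File Data above before running it with sudo or importing it as a VM. This is an added example, not a script from Active Countermeasures; the function names are hypothetical, and because the page does not name the file each record belongs to, records are matched by size rather than by filename.

```shell
#!/bin/sh
# Published "File Data" records from this page: "<size in bytes> <SHA256>".
# Assumption: each record is identified by its size, since no filenames are given.
PUBLISHED='10958 7926BA51500D7EDB1BC3451F397B56D4CE558E72D0D7248E6CB9AE70E46E0FA1
2551355632 CF3072EF905C7F3A3BF036A228B4598A19E845668713B04AB40469C47D12E6CD
2545104167 DB2287FACE7DD9C2EE2417C5151EA60F9FC9CEB61A246D81170607CF6BB57B34'

# sha256_of FILE: print the hex SHA256 of FILE (sha256sum, or shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# match_record SIZE HASH: return 0 if (SIZE, HASH) equals a published record,
# 1 if the size is published but the hash differs, 2 if the size is unknown.
match_record() {
    want=$(printf '%s\n' "$PUBLISHED" | awk -v s="$1" '$1 == s { print $2 }')
    [ -n "$want" ] || return 2
    # Hashing tools print lowercase hex; the page lists uppercase.
    got=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    [ "$got" = "$want" ] && return 0
    return 1
}

# verify_lab_download FILE: compare FILE's size and SHA256 with the records.
verify_lab_download() {
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 3; }
    size=$(wc -c < "$1" | tr -d ' ')
    rc=0
    match_record "$size" "$(sha256_of "$1")" || rc=$?
    case $rc in
        0) echo "OK: $1 matches a published size and SHA256" ;;
        1) echo "MISMATCH: $1 has a published size but a different SHA256" >&2 ;;
        2) echo "UNKNOWN: $1 ($size bytes) matches no published size" >&2 ;;
    esac
    return $rc
}

# Usage as a script: sh verify.sh <downloaded file>
if [ $# -gt 0 ]; then verify_lab_download "$1"; fi
```

A MISMATCH result on a file of the right size is the case to stop on: the download is truncated-and-padded, corrupted, or not the file that was published.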

Active Countermeasures Posts Related to Threat Hunting: