Threat Hunting Training Course
This training course was recorded live on 10/24/2020
Welcome to our Threat Hunt Training Course!
Here you will find everything you need to complete this training. The information for the course is broken down into different sections…
- Course slides
- Course video recordings (with timeline breakdowns)
- Hands-on Lab (info)
- Lab downloads
- Download notes
Active Countermeasures is passionate about providing quality, educational content for the Infosec and Threat Hunting community. We hope you enjoyed this Threat Hunt Training and plan to join us for future webcasts!
Interested in taking an “Advanced Threat Hunting” Class? Chris Brenton does one quarterly with WWHF! Check it out Here!
Threat Hunt Training Course Recording
- 0:00:00 – PreShow Banter™ — Tales of Great Ambitions
- 0:16:47 – Chris Crowley Plugs His UpComing SOC Class (https://soc-class.com/)
- 0:21:32 – Meet the ACM Teams
- 0:26:45 – This is the Way: The Path to Threat Hunting Careers
- 0:29:34 – FEATURE PRESENTATION: Network Cyber Threat Hunter Training
- 0:34:43 – How We Try To Catch Bad Guys
- 0:38:12 – Limitations of Logging
- 0:50:52 – Threat Intel Feeds?
- 0:55:50 – What Should Threat Hunting Be?
- 1:01:04 – Starting With the Network
- 1:14:40 – What to Look For
- 1:18:51 – Keeping Score
- 1:21:57 – Blind Spots to C2 Targeting
- 1:24:13 – C2 Detection
- 1:28:36 – Bad Guys V Red Teams
- 1:31:00 – Long Connections
- 1:39:53 – Bro V Zeek?
- 1:43:31 – Zeek Has a Timeout Problem
- 1:49:49 – Anyway, Here’s Firewalls
- 1:50:45 – Beacons!
- 1:59:06 – False Positives? Unexpected Results?
- 2:17:15 – Destination IP Address
- 2:19:55 – Internal Systems
- 2:21:27 – Event ID Type 3
- 2:23:07 – Passer
- 2:25:44 – C2 Detection Tools
- 2:43:31 – C2 Labs
- 2:46:17 – LAB: Find Long Connections
- 3:02:50 – LAB: Investigate Long-Talkers
- 3:10:36 – LAB: Beacons By Session Size
- 3:31:25 – LAB: C2 Over DNS
- 3:39:11 – LABS Again, But With RITA
- 3:49:46 – AI Hunter
- 3:53:55 – That’s All, Folks
The end of the class includes hands-on labs. The labs are designed to help reinforce the content we have learned. We’ve all sat through instructions that seem easy until we try to apply them in practice. So by going hands-on during the class, you can verify the processes and ask questions if anything unexpected comes up. With that said, the labs are totally optional. You can still get a lot of useful nuggets out of the class by simply listening in on the lecture.
The virtual machine file needed to perform the labs can be downloaded below. You only need to download one of them! They are the same virtual machine, except that one is for VMware and the other is for VirtualBox. Each is about 7 GB in size.
The VM includes all of the files needed to complete each of the labs. Simply unzip the file and open the VM in your VM manager of choice. You can log in to the VM using the following credentials:
and verify that you can see the lab files:
[email protected]:~$ pwd
/home/thunt
[email protected]:~$ ls lab1/
conn.log  files.log          pe.log        thunt-lab.pcapng
dns.log   http.log           reporter.log  weird.log
dpd.log   packet_filter.log  ssl.log       x509.log
[email protected]:~$
All of the labs will be performed from the command line, so if you can see the files you are set to go! If you run into trouble, please reach out to us on our Threat Hunter Community Discord Server in the #acm-general channel,
or email us: [email protected]
- To verify that the download finished successfully, run:
which should return the correct MD5 hash for the file.
- On Mac OS, the unzip utility supplied with Mac OS cannot open the zip file. To open it, create a lab directory and extract the archive with “ditto” (also included with Mac OS):
    mkdir thuntclass
    cd thuntclass
    ditto -x -k /path/to/filename.zip ./
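As an added example (this is not code from the course page or from Active Countermeasures), here is a small POSIX shell helper that performs the download check from the first step above on either a Linux host (md5sum) or a Mac (md5), so the same script works for whichever VM image you pulled down. A mismatch returns a non-zero status, so it can gate the unzip step in a script. The archive path and the expected hash in the usage comment are placeholders; the real hash is the one published alongside the download link.

```shell
#!/bin/sh
# Added example, not from the course page: verify a downloaded lab archive
# against an expected MD5 before unpacking it. Handles GNU coreutils (md5sum)
# and the BSD/macOS md5 tool.

# Print the MD5 hex digest of the file given as $1 using whichever tool exists.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        echo "no md5 tool found on this host" >&2
        return 2
    fi
}

# verify_md5 FILE EXPECTED_HEX
# Returns 0 when the digest matches (compared case-insensitively),
# 1 when the file is missing or the digest differs, 2 when no hash tool exists.
verify_md5() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
    actual=$(file_md5 "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file $actual"
        return 0
    fi
    echo "MISMATCH: $file expected $expected got $actual" >&2
    return 1
}

# Usage against the course VM (placeholders, not real values):
#   verify_md5 /path/to/filename.zip EXPECTED_MD5_FROM_COURSE_PAGE && ditto -x -k /path/to/filename.zip ./
```

Chaining the extraction behind `&&` means a truncated or tampered download is never unpacked; on Linux the same pattern works with `unzip` in place of `ditto`.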