Cyber Threat Hunting Training Course

Threat Hunting Training Course

If you would like to take this training live and receive a certificate, Register Here for the next session of this training!

Welcome to our Threat Hunt Training Course!

Here you will find everything you need to complete this training. The information for the course is broken down into different sections…

  • Course slides
  • Course video recordings (with timeline breakdowns)
  • Hands-on Lab info
  • Lab downloads
  • FAQ document
  • Download notes


Active Countermeasures is passionate about providing quality, educational content for the Infosec and Threat Hunting community. We hope you enjoyed this Threat Hunt Training and plan to join us for future webcasts!

Interested in taking an “Advanced Threat Hunting” Class? Chris Brenton does one quarterly with WWHF! Check it out Here!

Happy Hunting!

Slide Deck

Download PDF

Threat Hunt Training Course Recording

Timeline Breakdown

Training Begins – 00:29:20

Start of Labs – 03:35:40


We’ve updated the options for performing the labs, so if you are returning to the class as a refresher please read this section carefully!

The end of the class is all hands-on labs. You will be working with traces of real command and control (C2) traffic in order to reinforce what you have learned. The labs are optional, but they are the best way to really learn the threat hunting process.

You have two options for performing the labs…
1) Download a copy of the VMware virtual machine
2) Start your own Linux system and run the class install script

With option #1 you get a self-contained virtual machine that is all configured and ready to go. It’s 2 GB in size and requires VMware Player compatible software to run it, but this is usually the easiest option to get running.

With option #2, you avoid downloading a single large file and it gives you the option of performing the labs within a public cloud environment. This option can be useful if you have very slow Internet access speeds or don’t have the resources on your local system to run the VM. However, this option is more likely to be buggy, as we’ve only tested it on Ubuntu 18 and CentOS 7 (we still consider the install to be beta).

All of the labs will be performed from the command line, so if you can see the files you are set to go! If you run into trouble, please reach out to us on our Threat Hunter Community Discord Server in the #acm-general channel.

or, email us: [email protected] 

Lab Download Options

Option 1 – Downloading the VM

Extract the ZIP file with your favorite compression utility and open the virtual machine with VM software that is compatible with VMware Player. When the login screen appears, use the following credentials:
Login: thunt
Pass: aybab2u
Download Lab VM

Option 2 – Downloading the Install Script

Log in via SSH to the Linux system on which you will be performing the labs. Your account needs to have “sudo” access so that you can run commands as root. From your home directory, run the following command:


This will download the install script. You now need to make the script executable by running the following command:

chmod +x

You can now run the install script:


You will be prompted for your password so that sudo commands can be run. Answer “yes” to all prompts during the install. Once the install script finishes, you will need to log out and log back in to the system. You should then see three new directories in your home directory named “lab1”, “lab2” and “lab3”.

Frequently Asked Questions 


Notes for the Lab Download 

Size: 2193726370 bytes (2092 MiB)
CRC32: C8E75210
SHA1: EB38C2CC4E5074A11DE231945A2447A8179E108B
SHA256: 50A1A2CFC431777B7EDF25553072BE15D9E7359861A2D3C8EBB071C9CA553DC4

Size: 7943 bytes (7 KiB)
CRC32: 40246E46
CRC64: 9ED640DA78F8681A
SHA1: 8EBFC7573B42AD793E84116F35C0575BA5F16098
SHA256: 00A1CC67013E0ABD4DC116E2AB5389061701796CDA93AD81F8DCF0D1D1FEB0C9
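
One way to check a download against the size and SHA256 values listed above before opening the VM or running the install script with sudo. This is an added example, not part of the original course material; the function name `verify_download` and the file name in the usage comment are placeholders, and pairing the first block of values with the VM archive is an assumption based on its 2 GB size.

```shell
#!/bin/sh
# verify_download FILE EXPECTED_SIZE_BYTES EXPECTED_SHA256
# Return codes: 0 = match, 1 = size mismatch, 2 = hash mismatch, 3 = unreadable file.
verify_download() {
    file=$1
    want_size=$2
    # The notes above list hashes in upper case, while sha256sum prints
    # lower case, so normalise both sides before comparing.
    want_hash=$(printf '%s' "$3" | tr 'A-F' 'a-f')

    [ -r "$file" ] || { echo "cannot read $file" >&2; return 3; }

    # Cheap check first: a truncated download fails here without hashing 2 GB.
    have_size=$(wc -c < "$file" | tr -d ' ')
    if [ "$have_size" != "$want_size" ]; then
        echo "size mismatch: got $have_size, expected $want_size" >&2
        return 1
    fi

    have_hash=$(sha256sum "$file" | cut -d' ' -f1 | tr 'A-F' 'a-f')
    if [ "$have_hash" != "$want_hash" ]; then
        echo "SHA256 mismatch: got $have_hash" >&2
        return 2
    fi
    echo "OK: $file"
}

# Usage with the first set of values above (file name is a placeholder):
#   verify_download ./lab-vm.zip 2193726370 \
#     50A1A2CFC431777B7EDF25553072BE15D9E7359861A2D3C8EBB071C9CA553DC4
```

A non-zero return means the file should be downloaded again rather than opened or executed.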
