Hunt Training

Threat Hunting Training Course

The date of the next live Threat Hunting Training Course is not scheduled yet.

As soon as registration is open, this text will be replaced by a registration button.

Subscribe to us to get notified.

Over 20,000 students have attended our training live! 

Welcome to our Threat Hunting Training Course!

Here you will find everything you need to complete this training. The information for the course is broken down into different sections:

Active Countermeasures is passionate about providing quality, educational content for the Infosec and Threat Hunting community. We hope you enjoy this Threat Hunting Training and plan to join us for future webcasts!

Are you interested in taking an Advanced Threat Hunting class? Chris Brenton holds one quarterly with Antisyphon InfoSec Training.

Happy Hunting!

Course Slides


Updated 10/04/2022

Hands-on Labs Info

Our labs are designed to run only on Ubuntu 18.04 LTS or CentOS 7.


The latter portion of this course consists of hands-on labs that you will perform yourself with live instruction and guidance. You will be working with traces of real Command and Control (C2) traffic to reinforce what you have learned. The hands-on labs are not required, but they are the best way to learn the threat hunting process in a way you will remember: by actually doing it yourself!

All labs are included in our supplied virtual machines and will be performed using the Linux command line, so having a basic understanding of the CLI is a plus.

You have three unique options for obtaining the pre-configured lab virtual machines. Links for each are in the next section.

Lab Downloads

Labs Updated 09/29/22


Our supplied lab virtual machines are pre-configured on Ubuntu 18.04 and include all the tools, directories, and files you will need to perform the hands-on portions of this course.

Our virtual machine labs do not require network access. All labs will be done within the VM itself.

We provide three unique options for downloading the VM. Please choose the ONE option that works best for you.

Option #1 – Download the Virtual Machine for This Course

1: Download the appropriate virtual machine depending on which VM software you are running:

Download VM for VirtualBox
Download VM for VMware

2: Open the ZIP file with your preferred compression utility.

3: Launch/import the VM with your VM software.

4: At the login prompt, use the following credentials:

Login: thunt
Password: aybab2u

5: You should see three directories in your VM home directory named “lab1”, “lab2” and “lab3”.

Option #2 – Download the Install Script Using Your Own System

1: Log in (via SSH) to the Ubuntu 18.04 LTS or CentOS 7 system on which you wish to perform the labs.

2: Make sure you have a minimum of 3 GB of free disk space (5 GB preferred).

3: Your user account must have “sudo” access so that you can run commands as root.

4: From your home directory, run the following command to download the install script (note: the “ii” in huntiing is not a typo):


5: You will need to make the script executable by running the following command:

chmod +x

6: You can now run the install script:


7: You will be prompted for your password so that sudo commands can be run.

8: Answer “yes” to all prompts during the install.

9: Once the install script finishes you will need to log out and log back into the system.

10: You should see three new directories in your home directory named “lab1”, “lab2” and “lab3”.

Option #3 – Launch the Class VM in DigitalOcean

Follow the instructions detailed in the Setting up a Cloud Lab VM in DigitalOcean PDF document below.

Updated 09/29/22


Threat Hunting Class FAQ

If you run into trouble, please see the FAQ:

FAQ Updated 10/04/22


If you still have questions or need help, please reach out to us on our Threat Hunter Community Discord Server in the “#acm-general” channel.

Notes for the Lab Downloads

Updated 08/28/21

File Data

Size: 10958 bytes (10 KiB)
CRC32: C8DC8F18
SHA1: 8A1978D32E7E05756F0EE91CA5388B029032924D
SHA256: 7926BA51500D7EDB1BC3451F397B56D4CE558E72D0D7248E6CB9AE70E46E0FA1

Size: 2551355632 bytes (2433 MiB)
CRC32: 1BADA356
CRC64: 8BE02D1A6874C80C
SHA1: A85937BA27B743B71F0C4E01C9085A961A606230
SHA256: CF3072EF905C7F3A3BF036A228B4598A19E845668713B04AB40469C47D12E6CD

Size: 2545104167 bytes (2427 MiB)
CRC32: 22DC703D
CRC64: F1518AC0B37DE654
SHA1: 9A1476084F1C778904E0FA7525584904D99DF0D7
SHA256: DB2287FACE7DD9C2EE2417C5151EA60F9FC9CEB61A246D81170607CF6BB57B34

Previous Course Video Recording

Recorded October 4th, 2022

Basic Timeline:

Training Begins – 0:00:00
Hands-on Labs – 2:23:50
