Threat Hunting




In today’s cybersecurity landscape, it isn’t possible to prevent every attack. Threat hunting is a proactive technique that focuses on pursuing attacks and the evidence that attackers leave behind when they conduct an attack using malware or expose sensitive data.

The process is important. It starts from the assumption that the attacker has already managed to infiltrate, and tests everything possible to detect the intrusion earlier, so that intruders can be stopped before they carry out their attacks and exploit them illegally.

How to make the most of this course?

In order to succeed in the course, the following requirements must be met:

  • Participation in all practical laboratories,
  • Self-work at home between lessons,
  • Repetition of materials, self-learning, performing tasks, etc.

In addition to regular classroom studies, the participant is required to practice at least 10 hours a week in order to gain practical experience in the field.
  • A personal computer suitable for running virtual machines, with an Internet connection
  • Transition of the scenarios in the Cyberium system

Target audience

This course targets people with networking knowledge who want to acquire the threat hunting capabilities to protect their organization better. Primarily:

  • Security Testers
  • Cybersecurity consultants
  • Red Team specialists
  • White hat hackers (Ethical Hackers)


  • Identify and create intelligence requirements through practices
  • Generate threat intelligence to detect and respond
  • Learn the different sources to collect adversary data
  • Create Indicators of Compromise (IOCs)


  • Linux
  • Networking



In this module, students will learn about techniques and procedures necessary to effectively hunt, detect, and contain various adversaries and minimize incidents.

Technical content

  • Intrusion Analysis
    Phases of Threat Intelligence
    Phases of the Intrusion Kill Chain
    Understanding MITRE ATT&CK
    Identifying Intrusions in Logs
    Creating Automation for Notification of Malicious Activity
    Analyzing Network-Based Tools Logs
    Analyzing Host-Based Tools Logs
    Linking Intrusions
  • Memory Forensics
    Process Injection
    Thread Injection
    Malware Analysis
    Malicious Document Analysis


Students will use practical tools to collect data throughout this module. Students will deepen their understanding of various information sources.

Technical content

  • Hunting
    Parsing Relevant Data Techniques
    Dynamic Indicators
    Tracking Network Traffic
    Passive DNS
    Ransomware Traffic
  • Sources
    Malware Analysis Databases
    Intrusion Key Indicators
    Domain Data Collection
    Open-Source Intelligence Tools
    C2 Samples


During this module, students will be creating tool automation to take threat intelligence to a higher level. Students will understand how to use their knowledge and maximize the use of different filtering and customization options for searching.

Technical content

  • Automation
    YARA Examples
    Working with YARA
    Automating Malware Analysis
    Configuring Honeypots
    Extracting and Analyzing Honeypot Logs
  • Domain Automation
    Running Campaigns
    Checking Key Indicators Inside Domains
    Creating Your Indicators
    Tactical Intelligence Tools
    Operational Intelligence Tools
  • Darknet
    Relevant Leaks
    Hacking Forums


The following labs are part of the actual BT208 course:
  • Lab 1 Security Procedures
  • Lab 2 Setting your Domain
  • Lab 3 Identifying Attacks
  • Lab 4 Analyzing C&C Communications
  • Lab 5 Reversing Malware Network Behavior
  • Lab 6 Analyzing Network Attacks
  • Lab 7 Working with CVE
  • Lab 8 Working with Firewalls
  • Lab 9 IPv6 Security
  • Lab 10 IDS Configurations
  • Lab 11 Honeypots
  • Lab 12 Securing Linux
  • Lab 13 Securing Windows

Real Case Studies

Case Study #1 (NS001)
Just before last Christmas and the year-end holidays, Citrix announced that its Citrix Application Delivery Controller (ADC) and Citrix Gateway are vulnerable. The vulnerability allows the attacker to execute arbitrary code on the servers. As the network security expert, you have been put in charge of this case by your company. Use your networking abilities to find the vulnerability and mitigate it.
Case Study #2 (NS002)
Kaspersky Lab reports that a massive DNS cache poisoning attack attempting to infect users trying to access websites is currently underway in Brazil. Several large ISPs in the highly connected country have been affected by the attack. You have been tasked to identify details related to the attack to remediate any damage discovered in the identification phase.
BT223 - Threat Hunting

 Course type

This course is delivered in the following ways:

  • Virtual classroom with proctored labs and scenarios executed in our Cyberarena
  • In situ classroom with proctored labs and scenarios executed in our Cyberarena

All sessions are recorded and attendees can replay them for 30 days. All course material is made available to the participant electronically.

 Course Group:


 Hands-on / Theory Mix

This course incorporates a high level of hands-on lab exercises, as well as real-life case studies.


This course prepares the participant for the following certifications:

  • CySA+ (CompTIA)
  • Security+ (CompTIA)

Required Equipment

Network connection

As this course extensively uses a cloud-based Learning Management System, including a lab arena, attendees need a stable broadband connection to the Internet.

BYOD – Bring Your Own Device

As it is a very practical course, and in order for the participants to make the most of the course, they need a laptop with the following capabilities:

  • Audio and Video
  • 8 GB RAM
  • 200 GB Disk Space
  • Virtualization capabilities (supporting the latest version of VirtualBox or a similar virtual machine application)

And also a good headset with a microphone