---
layout: default
title: Sherlocks
nav_order: 5
description: 70+ HTB Sherlock DFIR investigation writeups
permalink: /sherlocks/
---
# HackTheBox Sherlocks - Comprehensive Index

Complete index of all known HackTheBox Sherlock DFIR investigation labs with writeup links, difficulty ratings, categories, and key techniques.

Sherlocks are defensive security labs that simulate real-world security incidents. You investigate evidence, analyze artifacts, and answer forensic questions to solve the case.
## Difficulty Overview

| Difficulty | Path | Count | Focus |
|---|---|---|---|
| Easy | Easy | 25+ | Log Analysis, Basic DFIR, Simple Malware Triage |
| Medium | Medium | 30+ | Memory Forensics, AD Attacks, Cloud IR, Complex Malware |
| Hard | Hard | 15+ | APT Investigation, Complex IR, Multi-Source Correlation |
| Insane | - | 5+ | Full-Scale Incident Response, Advanced Threat Actor Attribution |
## Easy

| # | Sherlock | Category | Key Techniques | Writeup |
|---|---|---|---|---|
| 1 | Meerkat | SOC | Suricata alerts, PCAP, credential stuffing, CVE-2022-25237 (Bonitasoft) | 0xdf |
| 2 | Brutus | DFIR | SSH brute force, auth.log analysis, failed login detection | 0xdf |
| 3 | BFT | DFIR | Master File Table (MFT) analysis, Zimmerman tools, ZoneID | 0xdf |
| 4 | Unit42 | Malware Analysis | Sysmon logs, UltraVNC backdoor, Palo Alto Unit42 campaign | 0xdf |
| 5 | Noted | DFIR | Notepad++ artifacts, AppData analysis, data extortion | 0xdf |
| 6 | Bumblebee | DFIR | phpBB SQLite database, access logs, web shell analysis | 0xdf |
| 7 | Knock Knock | Network Forensics | PCAP, password spray, FTP, port knocking, SSH, GonnaCry ransomware | 0xdf |
| 8 | i-like-to | DFIR | MOVEit Transfer compromise, CVE investigation | 0xdf |
| 9 | Recollection | DFIR | Memory forensics, Volatility, process analysis | jon-brandy GitHub |
| 10 | Logjammer | Log Analysis | Windows Event Logs (Security, System, Defender, Firewall, PowerShell), scheduled tasks | Medium - Chicken0248 |
| 11 | Pikaptcha | DFIR | Registry Explorer, NetworkMiner, PowerShell run dialog abuse, fake CAPTCHA | 0xdf |
| 12 | Campfire-1 | Active Directory | Kerberoasting detection, PowerView, Rubeus, Event ID 4769 | 0xdf |
| 13 | Campfire-2 | Active Directory | AS-REP Roasting, event log analysis, compromised accounts | 0xdf |
| 14 | Safecracker | DFIR | Malicious file forensic analysis | adeadfed |
| 15 | Litter | SOC | Network forensics, data exfiltration indicators | Medium - jniket |
| 16 | Heartbreaker-Continuum | Malware Analysis | PEStudio, Ghidra code analysis, VirusTotal, MITRE ATT&CK mapping | Medium - Mattv0 |
| 17 | Lockpick | Malware Analysis | Ransomware analysis, encryption key recovery | Thamizhiniyan GitBook |
| 18 | Lockpick 2.0 | Malware Analysis | Advanced ransomware, key recovery techniques | Thamizhiniyan GitBook |
| 19 | SmartyPants | DFIR | Windows RDP event logs, SmartScreen debug logs | jon-brandy GitHub |
| 20 | JingleBell | DFIR | Holiday-themed forensics investigation | abubakar-shahid GitHub |
| 21 | JenkreadD | DFIR | Jenkins CVE-2024-23897 arbitrary file read | HTB Blog |
| 22 | Packet Puzzle | Network Forensics | PCAP analysis, Japanese crypto firm cyberattack | Medium - Deven |
## Medium

| # | Sherlock | Category | Key Techniques | Writeup |
|---|---|---|---|---|
| 1 | Crown Jewel-1 | Active Directory | NTDS.dit dump, Volume Shadow Copy Service, AD enumeration | Medium - Drew |
| 2 | Crown Jewel-2 | Active Directory | Lateral movement detection, Pass-the-Hash | SystemWeakness |
| 3 | Noxious | Active Directory | LLMNR poisoning, rogue device detection, AD network recon | 0xdf |
| 4 | Reaper | Active Directory | NTLM relay attack, LLMNR response poisoning, Security Log | 0xdf |
| 5 | Subatomic | Malware Analysis | Electron app malware, fake game installer, Discord hijacking | 0xdf |
| 6 | Constellation | DFIR | Insider threat, URL forensics, Discord/Google timeline | 0xdf |
| 7 | TickTock | DFIR | Spear-phishing investigation, email forensics | Medium - jniket |
| 8 | Tracer | Threat Hunting | PsExec detection, SOC alert investigation, lateral movement | Medium - Ahmad |
| 9 | Hyperfiletable | DFIR | MFT parsing, analyzeMFT, MFTExplorer, ZoneID, file sizes | Medium - L0rd$ud0 |
| 10 | Nubilum-1 | Cloud Forensics | AWS CloudTrail logs, compromised EC2, PoshC2 C2 server | 0xdf |
| 11 | Nubilum-2 | Cloud Forensics | AWS cloud forensics, advanced cloud investigation | Medium - Chicken0248 |
| 12 | Jugglin | DFIR | Windows Subsystem for Linux (WSL) abuse, threat actor leveraging WSL | Medium - Chicken0248 |
| 13 | Ultimatum | DFIR | WordPress compromise, threat actor investigation | SystemWeakness |
| 14 | Ore | DFIR | Grafana artifacts, XMRig cryptominer, CatScale, UNIX log analysis | jon-brandy GitHub |
| 15 | RogueOne | Network Forensics | C2 traffic detection, network-based threat hunting | jon-brandy GitHub |
| 16 | Lockpick 3.0 | Malware Analysis | Advanced ransomware variant, increased threat actor skillset | Roy |
| 17 | Lockpick 4.0 | Malware Analysis | Latest ransomware evolution, key recovery | Roy |
| 18 | MisCloud | Cloud Forensics | GCP breach, Gitea vulnerability, cloud misconfiguration | Medium - Praj |
| 19 | Heartbreaker-Denouement | Cloud Forensics | CloudTrail log parsing, ELK stack analysis | GitHub |
| 20 | ProcNet | Network Forensics | Network traffic analysis, malware investigation, API data capture | Medium - d3lt4labs |
| 21 | Nuts | DFIR | File forensics, forensic image analysis | itsrad.io |
| 22 | Fragility | DFIR | Exfiltrated file analysis, secret message decoding | HTB Forum |
| 23 | Exitiabilis | DFIR | HELK analysis, Cisco AnyConnect VPN compromise | HTB Blog |
| 24 | Jinkies | DFIR | Investigation and forensics analysis | warlocksmurf |
| 25 | LATUS | DFIR | Multi-artifact forensic investigation | HTB Forum |
| 26 | Loggy | Log Analysis | Log aggregation and analysis, timeline construction | jon-brandy GitHub |
## Hard

| # | Sherlock | Category | Key Techniques | Writeup |
|---|---|---|---|---|
| 1 | OpTinselTrace-1 | APT Investigation | Christmas-themed APT, initial access analysis | warlocksmurf |
| 2 | OpTinselTrace-2 | APT Investigation | Lateral movement, persistence mechanisms | Miranda-Bai GitHub |
| 3 | OpTinselTrace-3 | APT Investigation | Volatility3, Chainsaw, memory + event log correlation | Medium - Ari |
| 4 | OpTinselTrace-4 | APT Investigation | Data exfiltration, C2 communication analysis | jon-brandy GitHub |
| 5 | OpTinselTrace-5 | APT Investigation | Full APT chain reconstruction, reporting | warlocksmurf |
| 6 | APTNightmare | APT Investigation | Advanced persistent threat investigation | jon-brandy GitHub |
| 7 | APTNightmare2 | APT Investigation | Continued APT investigation, advanced TTPs | Medium - Jake |
| 8 | BOughT | DFIR | Complex forensic investigation | warlocksmurf |
| 9 | Zenith | DFIR | Advanced incident response | jon-brandy GitHub |
| 10 | Payload | Malware Analysis | Advanced malware analysis, payload extraction | jon-brandy GitHub |
| 11 | CrashDump | DFIR | Crash dump analysis, kernel-level forensics | jon-brandy GitHub |
| 12 | Lupin | DFIR | Advanced theft/exfiltration investigation | jon-brandy GitHub |
| 13 | Secret Pictures | DFIR | Hidden data, steganographic forensics | jon-brandy GitHub |
| 14 | Malevolent Modmaker | Malware Analysis | Custom malware module analysis | jon-brandy GitHub |
| 15 | SalineBreeze-2 | DFIR | Advanced breach investigation | jon-brandy GitHub |
## Insane

| # | Sherlock | Category | Key Techniques | Writeup |
|---|---|---|---|---|
| 1 | Hunter | Threat Hunting | Full-scale threat hunting operation | warlocksmurf |
| 2 | Einlansen | DFIR | Complex multi-vector investigation | HTB Forum |
## Sherlock Series

### OpTinselTrace (Christmas 2023 - 5 Parts)

Christmas-themed APT investigation following the compromise of Father Christmas's operations by The Grinch. Five interconnected Sherlocks covering the full attack lifecycle.

| Part | Focus | Difficulty | Key Tools |
|---|---|---|---|
| OpTinselTrace-1 | Initial Access | Hard | Email analysis, URL investigation |
| OpTinselTrace-2 | Execution & Persistence | Hard | Registry, scheduled tasks |
| OpTinselTrace-3 | Lateral Movement | Hard | Volatility3, Chainsaw |
| OpTinselTrace-4 | Data Collection | Hard | Network forensics, C2 |
| OpTinselTrace-5 | Exfiltration & Reporting | Hard | Full chain reconstruction |

| Sherlock | Focus | Difficulty |
|---|---|---|
| Phantom Check | Initial investigation | Medium |
| Smoke & Mirrors | Advanced deception detection | Medium |
### Lockpick Series (Ransomware Evolution)

| Version | Difficulty | Focus |
|---|---|---|
| Lockpick | Easy | Basic ransomware analysis |
| Lockpick 2.0 | Easy | Ransomware recovery |
| Lockpick 3.0 | Medium | Advanced ransomware variant |
| Lockpick 4.0 | Medium | Latest ransomware evolution |

### Crown Jewel Series (Active Directory)

| Version | Difficulty | Focus |
|---|---|---|
| Crown Jewel-1 | Medium | NTDS.dit dump, VSS analysis |
| Crown Jewel-2 | Medium | Lateral movement detection |

### Campfire Series (AD Attacks)

| Version | Difficulty | Focus |
|---|---|---|
| Campfire-1 | Easy | Kerberoasting detection |
| Campfire-2 | Easy | AS-REP Roasting detection |

### Heartbreaker Series

| Version | Difficulty | Focus |
|---|---|---|
| Heartbreaker-Continuum | Easy | Malware static analysis |
| Heartbreaker-Denouement | Medium | CloudTrail log investigation |

### Nubilum Series (Cloud Forensics)

| Version | Difficulty | Focus |
|---|---|---|
| Nubilum-1 | Medium | AWS CloudTrail, EC2, PoshC2 |
| Nubilum-2 | Medium | Advanced AWS investigation |

### APTNightmare Series

| Version | Difficulty | Focus |
|---|---|---|
| APTNightmare | Hard | APT investigation |
| APTNightmare2 | Hard | Advanced APT TTPs |
## Sherlocks by Category

### DFIR (Digital Forensics & Incident Response)

Noted, BFT, Recollection, Logjammer, Pikaptcha, SmartyPants, JingleBell, Safecracker, Constellation, TickTock, Hyperfiletable, Ultimatum, Ore, Nuts, Fragility, Exitiabilis, Jinkies, LATUS, BOughT, Zenith, CrashDump, Lupin, Secret Pictures, SalineBreeze-2

### Malware Analysis

Unit42, Heartbreaker-Continuum, Lockpick (1.0-4.0), Subatomic, Heartbreaker-Denouement, Payload, Malevolent Modmaker

### Active Directory

Campfire-1, Campfire-2, Crown Jewel-1, Crown Jewel-2, Noxious, Reaper

### Network Forensics

Meerkat, Knock Knock, Litter, RogueOne, ProcNet, Packet Puzzle

### Cloud Forensics

Nubilum-1, Nubilum-2, MisCloud, Heartbreaker-Denouement

### SOC / Threat Hunting

Meerkat, Litter, Tracer, Hunter

### Log Analysis

Brutus, Logjammer, Loggy

### APT Investigation

OpTinselTrace (1-5), APTNightmare, APTNightmare2
## Writeup Sources

| Source | URL | Coverage |
|---|---|---|
| 0xdf | 0xdf.gitlab.io | 15+ Sherlocks with deep analysis |
| jon-brandy | GitHub | 35+ Sherlocks across all difficulties |
| abubakar-shahid | GitHub | DFIR-focused writeups |
| h0ny | GitHub | Multi-category Sherlocks |
| warlocksmurf | GitHub | OpTinselTrace + various |
| Chicken0248 | Medium | Nubilum, Logjammer, Pikaptcha, Jugglin, Noxious, Knock Knock, Reaper, Ultimatum |
| CyberKatalyst | GitHub | Sherlock writeup collection |
| Miranda-Bai | GitHub | Nubilum, OpTinselTrace, Recollection, RogueOne, Noted |
| Thamizhiniyan CS | GitBook | DFIR, SOC, Malware Analysis |
| Roy | Blog | Lockpick 3.0, Lockpick 4.0 |
## Investigation Methodology

### Phase 1: Initial Assessment

- Identify the type of incident (malware, intrusion, data breach, etc.)
- Determine the scope (affected systems, users, timeframe)
- Preserve evidence integrity

### Phase 2: Evidence Collection

- Collect logs (Windows Event, syslog, application)
- Collect memory dumps if available
- Collect disk images or filesystem artifacts
- Collect network captures

### Phase 3: Analysis

- Build a timeline of events
- Identify IOCs (IPs, domains, hashes, filenames)
- Trace the attack chain (initial access -> execution -> persistence -> lateral movement -> exfiltration)
- Map to MITRE ATT&CK framework

### Phase 4: Reporting

- Document findings with evidence
- Provide timeline
- Recommend containment and remediation
## Tools

| Tool | Purpose |
|---|---|
| Volatility 3 | Memory forensics |
| Chainsaw | Windows event log analysis |
| Hayabusa | Windows event log fast forensics |
| KAPE | Evidence collection |
| Eric Zimmerman Tools | Windows artifact parsing (MFTECmd, Registry Explorer, etc.) |
| Autopsy | Disk forensics |
| Wireshark/tshark | Network capture analysis |
| NetworkMiner | Network forensic analysis |
| Velociraptor | Endpoint detection & forensics |
| YARA | Pattern matching for malware |
| CyberChef | Data transformation |
| PEStudio | PE file static analysis |
| Ghidra | Binary reverse engineering |
| analyzeMFT | MFT parsing |
| Event Log Explorer | Windows EVTX analysis |