HackTheBox Sherlocks - Comprehensive Index

Complete index of all known HackTheBox Sherlock DFIR investigation labs with writeup links, difficulty ratings, categories, and key techniques.
Sherlocks are defensive security labs that simulate real-world security incidents. You investigate evidence, analyze artifacts, and answer forensic questions to solve the case.
Summary

| Difficulty | Path | Count | Focus |
|---|---|---|---|
| Easy | Easy | 25+ | Log Analysis, Basic DFIR, Simple Malware Triage |
| Medium | Medium | 30+ | Memory Forensics, AD Attacks, Cloud IR, Complex Malware |
| Hard | Hard | 15+ | APT Investigation, Complex IR, Multi-Source Correlation |
| Insane | - | 5+ | Full-Scale Incident Response, Advanced Threat Actor Attribution |
Easy Sherlocks

| # | Sherlock | Category | Key Techniques | Writeup |
|---|---|---|---|---|
| 1 | Meerkat | SOC | Suricata alerts, PCAP, credential stuffing, CVE-2022-25237 (Bonitasoft) | 0xdf |
| 2 | Brutus | DFIR | SSH brute force, auth.log analysis, failed login detection | 0xdf |
| 3 | BFT | DFIR | Master File Table (MFT) analysis, Zimmerman tools, ZoneID | 0xdf |
| 4 | Unit42 | Malware Analysis | Sysmon logs, UltraVNC backdoor, Palo Alto Unit42 campaign | 0xdf |
| 5 | Noted | DFIR | Notepad++ artifacts, AppData analysis, data extortion | 0xdf |
| 6 | Bumblebee | DFIR | phpBB SQLite database, access logs, web shell analysis | 0xdf |
| 7 | Knock Knock | Network Forensics | PCAP, password spray, FTP, port knocking, SSH, GonnaCry ransomware | 0xdf |
| 8 | i-like-to | DFIR | MOVEit Transfer compromise, CVE investigation | 0xdf |
| 9 | Recollection | DFIR | Memory forensics, Volatility, process analysis | jon-brandy GitHub |
| 10 | Logjammer | Log Analysis | Windows Event Logs (Security, System, Defender, Firewall, PowerShell), scheduled tasks | Medium - Chicken0248 |
| 11 | Pikaptcha | DFIR | Registry Explorer, NetworkMiner, PowerShell run dialog abuse, fake CAPTCHA | 0xdf |
| 12 | Campfire-1 | Active Directory | Kerberoasting detection, PowerView, Rubeus, Event ID 4769 | 0xdf |
| 13 | Campfire-2 | Active Directory | AS-REP Roasting, event log analysis, compromised accounts | 0xdf |
| 14 | Safecracker | DFIR | Malicious file forensic analysis | adeadfed |
| 15 | Litter | SOC | Network forensics, data exfiltration indicators | Medium - jniket |
| 16 | Heartbreaker-Continuum | Malware Analysis | PEStudio, Ghidra code analysis, VirusTotal, MITRE ATT&CK mapping | Medium - Mattv0 |
| 17 | Lockpick | Malware Analysis | Ransomware analysis, encryption key recovery | Thamizhiniyan GitBook |
| 18 | Lockpick 2.0 | Malware Analysis | Advanced ransomware, key recovery techniques | Thamizhiniyan GitBook |
| 19 | SmartyPants | DFIR | Windows RDP event logs, Smart Screen debug logs | jon-brandy GitHub |
| 20 | JingleBell | DFIR | Holiday-themed forensics investigation | abubakar-shahid GitHub |
| 21 | JenkreadD | DFIR | Jenkins CVE-2024-23897 arbitrary file read | HTB Blog |
| 22 | Packet Puzzle | Network Forensics | PCAP analysis, Japanese crypto firm cyberattack | Medium - Deven |
Medium Sherlocks

| # | Sherlock | Category | Key Techniques | Writeup |
|---|---|---|---|---|
| 1 | Crown Jewel-1 | Active Directory | NTDS.dit dump, Volume Shadow Copy Service, AD enumeration | Medium - Drew |
| 2 | Crown Jewel-2 | Active Directory | Lateral movement detection, Pass-the-Hash | SystemWeakness |
| 3 | Noxious | Active Directory | LLMNR poisoning, rogue device detection, AD network recon | 0xdf |
| 4 | Reaper | Active Directory | NTLM relay attack, LLMNR response poisoning, Security Log | 0xdf |
| 5 | Subatomic | Malware Analysis | Electron app malware, fake game installer, Discord hijacking | 0xdf |
| 6 | Constellation | DFIR | Insider threat, URL forensics, Discord/Google timeline | 0xdf |
| 7 | TickTock | DFIR | Spear-phishing investigation, email forensics | Medium - jniket |
| 8 | Tracer | Threat Hunting | PsExec detection, SOC alert investigation, lateral movement | Medium - Ahmad |
| 9 | Hyperfiletable | DFIR | MFT parsing, analyzeMFT, MFTExplorer, ZoneID, file sizes | Medium - L0rd$ud0 |
| 10 | Nubilum-1 | Cloud Forensics | AWS CloudTrail logs, compromised EC2, PoshC2 C2 server | 0xdf |
| 11 | Nubilum-2 | Cloud Forensics | AWS cloud forensics, advanced cloud investigation | Medium - Chicken0248 |
| 12 | Jugglin | DFIR | Windows Subsystem for Linux (WSL) abuse, threat actor leveraging WSL | Medium - Chicken0248 |
| 13 | Ultimatum | DFIR | WordPress compromise, threat actor investigation | SystemWeakness |
| 14 | Ore | DFIR | Grafana artifacts, XMRIG cryptominer, CatScale, UNIX log analysis | jon-brandy GitHub |
| 15 | RogueOne | Network Forensics | C2 traffic detection, network-based threat hunting | jon-brandy GitHub |
| 16 | Lockpick 3.0 | Malware Analysis | Advanced ransomware variant, increased threat actor skillset | Roy |
| 17 | Lockpick 4.0 | Malware Analysis | Latest ransomware evolution, key recovery | Roy |
| 18 | MisCloud | Cloud Forensics | GCP breach, Gitea vulnerability, cloud misconfiguration | Medium - Praj |
| 19 | Heartbreaker-Denouement | Cloud Forensics | CloudTrail log parsing, ELK stack analysis | GitHub |
| 20 | ProcNet | Network Forensics | Network traffic analysis, malware investigation, API data capture | Medium - d3lt4labs |
| 21 | Nuts | DFIR | File forensics, forensic image analysis | itsrad.io |
| 22 | Fragility | DFIR | Exfiltrated file analysis, secret message decoding | HTB Forum |
| 23 | Exitiabilis | DFIR | HELK analysis, Cisco AnyConnect VPN compromise | HTB Blog |
| 24 | Jinkies | DFIR | Investigation and forensics analysis | warlocksmurf |
| 25 | LATUS | DFIR | Multi-artifact forensic investigation | HTB Forum |
| 26 | Loggy | Log Analysis | Log aggregation and analysis, timeline construction | jon-brandy GitHub |
Hard Sherlocks

| # | Sherlock | Category | Key Techniques | Writeup |
|---|---|---|---|---|
| 1 | OpTinselTrace-1 | APT Investigation | Christmas-themed APT, initial access analysis | warlocksmurf |
| 2 | OpTinselTrace-2 | APT Investigation | Lateral movement, persistence mechanisms | Miranda-Bai GitHub |
| 3 | OpTinselTrace-3 | APT Investigation | Volatility3, Chainsaw, memory + event log correlation | Medium - Ari |
| 4 | OpTinselTrace-4 | APT Investigation | Data exfiltration, C2 communication analysis | jon-brandy GitHub |
| 5 | OpTinselTrace-5 | APT Investigation | Full APT chain reconstruction, reporting | warlocksmurf |
| 6 | APTNightmare | APT Investigation | Advanced persistent threat investigation | jon-brandy GitHub |
| 7 | APTNightmare2 | APT Investigation | Continued APT investigation, advanced TTPs | Medium - Jake |
| 8 | BOughT | DFIR | Complex forensic investigation | warlocksmurf |
| 9 | Zenith | DFIR | Advanced incident response | jon-brandy GitHub |
| 10 | Payload | Malware Analysis | Advanced malware analysis, payload extraction | jon-brandy GitHub |
| 11 | CrashDump | DFIR | Crash dump analysis, kernel-level forensics | jon-brandy GitHub |
| 12 | Lupin | DFIR | Advanced theft/exfiltration investigation | jon-brandy GitHub |
| 13 | Secret Pictures | DFIR | Hidden data, steganographic forensics | jon-brandy GitHub |
| 14 | Malevolent Modmaker | Malware Analysis | Custom malware module analysis | jon-brandy GitHub |
| 15 | SalineBreeze-2 | DFIR | Advanced breach investigation | jon-brandy GitHub |
Insane Sherlocks

| # | Sherlock | Category | Key Techniques | Writeup |
|---|---|---|---|---|
| 1 | Hunter | Threat Hunting | Full-scale threat hunting operation | warlocksmurf |
| 2 | Einlansen | DFIR | Complex multi-vector investigation | HTB Forum |
Operation Series

OpTinselTrace (Christmas 2023 - 5 Parts)

Christmas-themed APT investigation following the compromise of Father Christmas's operations by The Grinch. Five interconnected Sherlocks covering the full attack lifecycle.

| Part | Focus | Difficulty | Key Tools |
|---|---|---|---|
| OpTinselTrace-1 | Initial Access | Hard | Email analysis, URL investigation |
| OpTinselTrace-2 | Execution & Persistence | Hard | Registry, scheduled tasks |
| OpTinselTrace-3 | Lateral Movement | Hard | Volatility3, Chainsaw |
| OpTinselTrace-4 | Data Collection | Hard | Network forensics, C2 |
| OpTinselTrace-5 | Exfiltration & Reporting | Hard | Full chain reconstruction |
Operation Blackout 2025

| Sherlock | Focus | Difficulty |
|---|---|---|
| Phantom Check | Initial investigation | Medium |
| Smoke & Mirrors | Advanced deception detection | Medium |

Lockpick Series (Ransomware Evolution)

| Version | Difficulty | Focus |
|---|---|---|
| Lockpick | Easy | Basic ransomware analysis |
| Lockpick 2.0 | Easy | Ransomware recovery |
| Lockpick 3.0 | Medium | Advanced ransomware variant |
| Lockpick 4.0 | Medium | Latest ransomware evolution |

Crown Jewel Series (Active Directory)

| Version | Difficulty | Focus |
|---|---|---|
| Crown Jewel-1 | Medium | NTDS.dit dump, VSS analysis |
| Crown Jewel-2 | Medium | Lateral movement detection |

Campfire Series (AD Attacks)

| Version | Difficulty | Focus |
|---|---|---|
| Campfire-1 | Easy | Kerberoasting detection |
| Campfire-2 | Easy | AS-REP Roasting detection |

Heartbreaker Series

| Version | Difficulty | Focus |
|---|---|---|
| Heartbreaker-Continuum | Easy | Malware static analysis |
| Heartbreaker-Denouement | Medium | CloudTrail log investigation |

Nubilum Series (Cloud Forensics)

| Version | Difficulty | Focus |
|---|---|---|
| Nubilum-1 | Medium | AWS CloudTrail, EC2, PoshC2 |
| Nubilum-2 | Medium | Advanced AWS investigation |

APTNightmare Series

| Version | Difficulty | Focus |
|---|---|---|
| APTNightmare | Hard | APT investigation |
| APTNightmare2 | Hard | Advanced APT TTPs |
By Category

DFIR (Digital Forensics & Incident Response): Noted, BFT, Recollection, Logjammer, Pikaptcha, SmartyPants, JingleBell, Safecracker, Constellation, TickTock, Hyperfiletable, Ultimatum, Ore, Nuts, Fragility, Exitiabilis, Jinkies, LATUS, BOughT, Zenith, CrashDump, Lupin, Secret Pictures, SalineBreeze-2
Malware Analysis: Unit42, Heartbreaker-Continuum, Lockpick (1.0-4.0), Subatomic, Heartbreaker-Denouement, Payload, Malevolent Modmaker

Active Directory: Campfire-1, Campfire-2, Crown Jewel-1, Crown Jewel-2, Noxious, Reaper

Network Forensics: Meerkat, Knock Knock, Litter, RogueOne, ProcNet, Packet Puzzle

Cloud Forensics: Nubilum-1, Nubilum-2, MisCloud, Heartbreaker-Denouement

SOC / Threat Hunting: Meerkat, Litter, Tracer, Hunter

Log Analysis: Brutus, Logjammer, Loggy

APT Investigation: OpTinselTrace (1-5), APTNightmare, APTNightmare2
Key Writeup Repositories

| Source | URL | Coverage |
|---|---|---|
| 0xdf | 0xdf.gitlab.io | 15+ Sherlocks with deep analysis |
| jon-brandy | GitHub | 35+ Sherlocks across all difficulties |
| abubakar-shahid | GitHub | DFIR-focused writeups |
| h0ny | GitHub | Multi-category Sherlocks |
| warlocksmurf | GitHub | OpTinselTrace + various |
| Chicken0248 | Medium | Nubilum, Logjammer, Pikaptcha, Jugglin, Noxious, Knock Knock, Reaper, Ultimatum |
| CyberKatalyst | GitHub | Sherlock writeup collection |
| Miranda-Bai | GitHub | Nubilum, OpTinselTrace, Recollection, RogueOne, Noted |
| Thamizhiniyan CS | GitBook | DFIR, SOC, Malware Analysis |
| Roy | Blog | Lockpick 3.0, Lockpick 4.0 |
Investigation Methodology

Phase 1: Triage
- Identify the type of incident (malware, intrusion, data breach, etc.)
- Determine the scope (affected systems, users, timeframe)
- Preserve evidence integrity

Phase 2: Evidence Collection
- Collect logs (Windows Event, syslog, application)
- Collect memory dumps if available
- Collect disk images or filesystem artifacts
- Collect network captures

Phase 3: Analysis
- Build a timeline of events
- Identify IOCs (IPs, domains, hashes, filenames)
- Trace the attack chain (initial access -> execution -> persistence -> lateral movement -> exfiltration)
- Map to the MITRE ATT&CK framework

Phase 4: Reporting
- Document findings with evidence
- Provide a timeline
- Recommend containment and remediation

Common Tools

| Tool | Purpose |
|---|---|
| Volatility 3 | Memory forensics |
| Chainsaw | Windows event log analysis |
| Hayabusa | Windows event log fast forensics |
| KAPE | Evidence collection |
| Eric Zimmerman Tools | Windows artifact parsing (MFTECmd, Registry Explorer, etc.) |
| Autopsy | Disk forensics |
| Wireshark/tshark | Network capture analysis |
| NetworkMiner | Network forensic analysis |
| Velociraptor | Endpoint detection & forensics |
| YARA | Pattern matching for malware |
| CyberChef | Data transformation |
| PEStudio | PE file static analysis |
| Ghidra | Binary reverse engineering |
| analyzeMFT | MFT parsing |
| Event Log Explorer | Windows EVTX analysis |