astronaut
Logbook
Web Security • Research • CTF
Jul 02, 2026

My 10-Week HTB Sherlocks Blue Team Roadmap

A practical 10-week HTB Sherlocks roadmap for SOC, DFIR, Blue Team, Purple Team, malware triage, cloud IR, threat intel, and interview prep.

research

Roadmap

This is my current HTB Sherlocks roadmap for building a practical SOC / Blue Team foundation.

The point is not to collect solves. The point is to get better at reading evidence, building timelines, explaining attacker actions, and writing notes that can survive an interview.

Duration: 10 weeks
Target: SOC / Blue Team
Labs: 40 Sherlocks (4 per week)
How I use each lab

For every Sherlock, I write a short case summary, initial access, affected host/user, first suspicious timestamp, evidence, attacker actions, IoCs, MITRE ATT&CK mapping, containment, one detection idea, and a 90-second interview answer.

Week 1 - Core Investigation Foundation

| Lab | Area | Level | Practice |
|---|---|---|---|
| Brutus | DFIR | Very Easy | Linux auth.log, wtmp, SSH brute force, successful login, persistence, sudo activity. |
| Unit42 | DFIR | Very Easy | Sysmon Event IDs, process tree, DNS queries, network connections, timestomping. |
| BFT | DFIR | Very Easy | $MFT, MFTECmd, Timeline Explorer, Zone.Identifier, malicious file recovery. |
| Telly | SOC | Very Easy | Basic SOC alert triage and case handling. |
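As an added worked example (my code, not code from the page or from the Brutus lab), here is the detection the Week 1 Linux lab practises: parse sshd and sudo lines from a Linux auth.log, flag a source that fails repeatedly and then succeeds, and stitch the follow-on sudo activity into a timeline. The log lines, hostname, users and IPs are constructed for the demo; the year is an assumption passed in explicitly because classic syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log excerpt for the demo; not evidence from the Brutus lab.
SAMPLE_AUTH_LOG = """\
Mar  6 06:31:31 ip-10-0-0-15 sshd[2325]: Invalid user admin from 203.0.113.7 port 46392
Mar  6 06:31:31 ip-10-0-0-15 sshd[2325]: Failed password for invalid user admin from 203.0.113.7 port 46392 ssh2
Mar  6 06:31:33 ip-10-0-0-15 sshd[2327]: Failed password for backup from 203.0.113.7 port 46400 ssh2
Mar  6 06:31:34 ip-10-0-0-15 sshd[2329]: Failed password for backup from 203.0.113.7 port 46412 ssh2
Mar  6 06:31:36 ip-10-0-0-15 sshd[2331]: Failed password for backup from 203.0.113.7 port 46420 ssh2
Mar  6 06:31:40 ip-10-0-0-15 sshd[2491]: Accepted password for backup from 203.0.113.7 port 53184 ssh2
Mar  6 06:31:40 ip-10-0-0-15 sshd[2491]: pam_unix(sshd:session): session opened for user backup by (uid=0)
Mar  6 06:45:12 ip-10-0-0-15 sshd[2611]: Accepted publickey for ubuntu from 198.51.100.20 port 50210 ssh2
Mar  6 06:47:02 ip-10-0-0-15 sudo:   backup : TTY=pts/1 ; PWD=/home/backup ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
"""

AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)
SUDO_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sudo:\s+(?P<user>\S+) : .*COMMAND=(?P<cmd>.+)$"
)


def parse_timestamp(ts, year):
    # Syslog has no year, so the caller supplies one (an assumption in this demo).
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def parse_auth_log(text, year):
    """Return (ssh_events, sudo_events), each sorted by time."""
    ssh, sudo = [], []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ssh.append({"time": parse_timestamp(m["ts"], year), "outcome": m["outcome"],
                        "method": m["method"], "user": m["user"], "ip": m["ip"]})
            continue
        m = SUDO_RE.match(line)
        if m:
            sudo.append({"time": parse_timestamp(m["ts"], year), "user": m["user"], "command": m["cmd"]})
    return sorted(ssh, key=lambda e: e["time"]), sorted(sudo, key=lambda e: e["time"])


def find_brute_force(ssh_events, threshold=3, window_seconds=300):
    """Flag a source IP whose >= threshold failures are followed by a success inside the window."""
    failures = defaultdict(list)
    findings = []
    for ev in ssh_events:
        if ev["outcome"] == "Failed":
            failures[ev["ip"]].append(ev)
            continue
        recent = [f for f in failures[ev["ip"]]
                  if (ev["time"] - f["time"]).total_seconds() <= window_seconds]
        if len(recent) >= threshold:
            findings.append({
                "source_ip": ev["ip"],
                "first_failure": recent[0]["time"],
                "success_time": ev["time"],
                "failed_attempts": len(recent),
                "targeted_users": sorted({f["user"] for f in recent}),
                "compromised_user": ev["user"],
                "method": ev["method"],
            })
            failures[ev["ip"]].clear()
    return findings


def post_login_sudo(finding, sudo_events, window_seconds=1800):
    """Sudo commands run by the compromised user within the window after the successful login."""
    start = finding["success_time"]
    return [s for s in sudo_events
            if s["user"] == finding["compromised_user"]
            and 0 <= (s["time"] - start).total_seconds() <= window_seconds]


def build_timeline(ssh_events, sudo_events):
    """Merge both event types into one time-ordered list of (time, description)."""
    rows = [(e["time"], f"ssh {e['outcome'].lower()} {e['method']} user={e['user']} src={e['ip']}")
            for e in ssh_events]
    rows += [(s["time"], f"sudo user={s['user']} cmd={s['command']}") for s in sudo_events]
    return sorted(rows)


if __name__ == "__main__":
    ssh_events, sudo_events = parse_auth_log(SAMPLE_AUTH_LOG, year=2024)
    for finding in find_brute_force(ssh_events):
        print(f"[!] {finding['source_ip']}: {finding['failed_attempts']} failures, then "
              f"{finding['method']} login as {finding['compromised_user']} at {finding['success_time']}")
        for s in post_login_sudo(finding, sudo_events):
            print(f"    sudo by {s['user']} at {s['time']}: {s['command']}")
    for when, what in build_timeline(ssh_events, sudo_events):
        print(when.isoformat(), what)
```

The threshold and window are tuning knobs: on a real host you would also read wtmp/btmp (last, lastb) and the session-opened lines, because auth.log rotation can drop the failures that preceded the success.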

Week 2 - PCAP, AD Intro, Malware, Threat Intel

| Lab | Area | Level | Practice |
|---|---|---|---|
| Meerkat | SOC | Easy | PCAP, Suricata alerts, credential stuffing, CVE exploitation, web app compromise. |
| Campfire-1 | DFIR | Very Easy | Kerberoasting detection, Event ID 4769, Rubeus, PowerView, AD log analysis. |
| Subatomic | Malware Analysis | Medium | Electron malware, fake installer, Discord hijacking, browser data theft, static triage. |
| ElectricBreeze-1 | Threat Intelligence | Very Easy | Threat intel pivoting, campaign context, external indicator enrichment. |

Week 3 - Windows Logs, AD Network Attack, Web Compromise, Cloud

| Lab | Area | Level | Practice |
|---|---|---|---|
| LogJammer | DFIR | Easy | Windows Security, System, Defender, Firewall, PowerShell logs, scheduled tasks. |
| Noxious | SOC | Very Easy | LLMNR poisoning, rogue device detection, AD network recon. |
| Bumblebee | DFIR | Easy | phpBB SQLite database, web logs, web shell and admin compromise analysis. |
| Nubilum-1 | Cloud | Medium | AWS CloudTrail, compromised EC2, exposed S3, cloud IR, PoshC2. |

Week 4 - AS-REP, Fake CAPTCHA, PE Triage, Insider Timeline

| Lab | Area | Level | Practice |
|---|---|---|---|
| Campfire-2 | DFIR | Very Easy | AS-REP roasting, Event ID 4768, vulnerable AD account detection. |
| Pikaptcha | DFIR | Easy | Fake CAPTCHA, PowerShell Run dialog abuse, registry artifacts, PCAP correlation. |
| Heartbreaker-Continuum | Malware Analysis | Easy | PEStudio, Ghidra, VirusTotal, MITRE ATT&CK mapping. |
| Constellation | Threat Intelligence | Medium | Insider threat, URL forensics, Discord and Google timeline reconstruction. |
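One added example that covers both the Week 2 Kerberoasting lab (Campfire-1, Event ID 4769) and the Week 4 AS-REP roasting lab (Campfire-2, Event ID 4768). It is my code, not the labs' or HTB's. The records are constructed, flattened Security log events using the real EventData field names (TargetUserName, ServiceName, TicketEncryptionType, PreAuthType, IpAddress, Status); CORP.LOCAL, the account names and the IPs are made up. The hunt logic is the standard one: RC4 (0x17) service-ticket requests for non-machine SPN accounts arriving in a burst from one requester, and TGTs issued with PreAuthType 0 (pre-authentication not required) under RC4, which is what Rubeus asks for by default.

```python
from collections import defaultdict
from datetime import datetime

RC4_HMAC = "0x17"  # TicketEncryptionType for RC4-HMAC; 0x12 is AES256

# Constructed Security log records (not from the Campfire labs), reduced to the
# EventData fields the hunt needs. Times are ISO 8601, assumed UTC.
EVENTS = [
    # Normal TGT request: pre-auth via encrypted timestamp (PreAuthType 2), AES.
    {"EventID": 4768, "Time": "2024-05-21T08:00:01", "TargetUserName": "m.jones",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "PreAuthType": "2",
     "IpAddress": "::ffff:10.10.1.40", "Status": "0x0"},
    # AS-REP roasting candidate: no pre-auth (PreAuthType 0), RC4, issued successfully.
    {"EventID": 4768, "Time": "2024-05-21T08:14:22", "TargetUserName": "svc_legacy",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "PreAuthType": "0",
     "IpAddress": "::ffff:10.10.1.55", "Status": "0x0"},
    # Normal AES service ticket for an interactive user.
    {"EventID": 4769, "Time": "2024-05-21T08:15:02", "TargetUserName": "m.jones@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x12",
     "IpAddress": "::ffff:10.10.1.40", "Status": "0x0"},
    # Machine-account service with RC4: excluded by the trailing-$ filter.
    {"EventID": 4769, "Time": "2024-05-21T08:15:30", "TargetUserName": "j.smith@CORP.LOCAL",
     "ServiceName": "WS01$", "TicketEncryptionType": "0x17",
     "IpAddress": "::ffff:10.10.1.55", "Status": "0x0"},
    # Kerberoasting burst: one requester, three SPN accounts, RC4, within two seconds.
    {"EventID": 4769, "Time": "2024-05-21T08:16:01", "TargetUserName": "j.smith@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17",
     "IpAddress": "::ffff:10.10.1.55", "Status": "0x0"},
    {"EventID": 4769, "Time": "2024-05-21T08:16:01", "TargetUserName": "j.smith@CORP.LOCAL",
     "ServiceName": "svc_http", "TicketEncryptionType": "0x17",
     "IpAddress": "::ffff:10.10.1.55", "Status": "0x0"},
    {"EventID": 4769, "Time": "2024-05-21T08:16:02", "TargetUserName": "j.smith@CORP.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17",
     "IpAddress": "::ffff:10.10.1.55", "Status": "0x0"},
]


def normalize_ip(ip):
    """Security log writes IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d); strip the prefix."""
    return ip[7:] if ip.startswith("::ffff:") else ip


def hunt_kerberoast(events, min_spns=2, window_seconds=600):
    """4769 with RC4 for non-machine, non-krbtgt services; flag a requester that pulls
    >= min_spns distinct service tickets inside the window."""
    by_requester = defaultdict(list)
    for ev in events:
        if ev["EventID"] != 4769 or ev["Status"] != "0x0":
            continue
        if ev["TicketEncryptionType"].lower() != RC4_HMAC:
            continue
        svc = ev["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        key = (ev["TargetUserName"], normalize_ip(ev["IpAddress"]))
        by_requester[key].append((datetime.fromisoformat(ev["Time"]), svc))
    findings = []
    for (user, ip), reqs in by_requester.items():
        reqs.sort()
        span = (reqs[-1][0] - reqs[0][0]).total_seconds()
        services = sorted({s for _, s in reqs})
        if len(services) >= min_spns and span <= window_seconds:
            findings.append({"requester": user, "source_ip": ip, "services": services,
                             "first_request": reqs[0][0], "span_seconds": span})
    return findings


def hunt_asrep_roast(events):
    """4768 issued without pre-authentication (PreAuthType 0) using RC4: the account has
    'Do not require Kerberos preauthentication' set and anyone can fetch its AS-REP."""
    return [{"account": ev["TargetUserName"], "source_ip": normalize_ip(ev["IpAddress"]),
             "time": datetime.fromisoformat(ev["Time"])}
            for ev in events
            if ev["EventID"] == 4768 and ev["Status"] == "0x0"
            and ev.get("PreAuthType") == "0"
            and ev["TicketEncryptionType"].lower() == RC4_HMAC]


if __name__ == "__main__":
    for f in hunt_kerberoast(EVENTS):
        print(f"[Kerberoast] {f['requester']} from {f['source_ip']} requested "
              f"{len(f['services'])} RC4 service tickets in {f['span_seconds']:.0f}s: {f['services']}")
    for f in hunt_asrep_roast(EVENTS):
        print(f"[AS-REP] {f['account']} TGT issued without pre-auth to {f['source_ip']} at {f['time']}")
```

In the labs the equivalent raw events come out of Security.evtx; the interesting follow-up is the requester's IP, which usually pivots straight to the host where Rubeus or PowerView ran. Domains that have moved to AES will also see legitimate RC4 requests from old service accounts, so the per-requester burst matters more than any single 0x17 ticket.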

Week 5 - NTLM Relay, Endpoint Artifacts, Malware, GCP Cloud

| Lab | Area | Level | Practice |
|---|---|---|---|
| Reaper | DFIR | Very Easy | NTLM relay, LLMNR response poisoning, Windows Security Log correlation. |
| Noted | DFIR | Easy | Notepad++ artifacts, AppData, data extortion trail. |
| SalineBreeze-2 | Malware Analysis | Easy | Malware triage, IoC extraction, breach investigation. |
| MisCloud | Cloud | Medium | GCP breach, Gitea vulnerability, cloud misconfiguration. |

Week 6 - AD Credential Theft, SOC Case, Malware Medium, Email Forensics

| Lab | Area | Level | Practice |
|---|---|---|---|
| CrownJewel-1 | DFIR | Very Easy | NTDS.dit dump, Volume Shadow Copy, AD enumeration. |
| Cuidado | SOC | Easy | SOC alert investigation and correlation. |
| SneakyKeys | Malware Analysis | Medium | Medium-difficulty malware triage: keylogging and persistence reasoning. |
| TickTock | DFIR | Medium | Spear-phishing investigation, email forensics, timeline reconstruction. |

Week 7 - Lateral Movement, Exfiltration, Memory, Cloud Follow-up

| Lab | Area | Level | Practice |
|---|---|---|---|
| CrownJewel-2 | DFIR | Very Easy | Lateral movement detection, Pass-the-Hash. |
| Litter | SOC | Easy | Network forensics, data exfiltration indicators. |
| Recollection | DFIR | Easy | Memory forensics, Volatility, suspicious process analysis. |
| Nubilum2 | Cloud | Easy | Cloud follow-up investigation, identity and resource reasoning. |

Week 8 - Threat Hunting, Active TI, Malware Module, Cloud Campaign

| Lab | Area | Level | Practice |
|---|---|---|---|
| Tracer | DFIR | Easy | PsExec detection, SOC alert investigation, lateral movement. |
| KitsuneHook | Threat Intelligence | Easy | Active threat intel practice; a newer challenge with less writeup dependency. |
| Malevolent ModMaker | Malware Analysis | Medium | Custom malware module analysis. |
| OpTinselTrace24-3: Blizzard Breakdown | Cloud | Medium | Cloud investigation in a campaign-style case. |

Week 9 - APT, Memory/Event Correlation, Hard Network, Hard Malware

| Lab | Area | Level | Practice |
|---|---|---|---|
| APTNightmare | DFIR | Medium | APT-style investigation, multi-stage incident reconstruction. |
| OpTinselTrace-3 | DFIR | Medium | Volatility3, Chainsaw, memory plus event log correlation. |
| ProcNet | DFIR | Hard | Network traffic analysis, malware investigation, API data capture. |
| Lockpick3.0 | Malware Analysis | Hard | Hard ransomware and malware continuation after Lockpick2.0. |

Week 10 - Final Capstone

| Lab | Area | Level | Practice |
|---|---|---|---|
| OpTinselTrace-4 | DFIR | Easy | Data exfiltration, C2 communication analysis. |
| OpTinselTrace-5 | DFIR | Hard | Full APT chain reconstruction and final reporting. |
| Lockpick4.0 | Malware Analysis | Insane | Ransomware/malware capstone, deeper encryption and key recovery reasoning. |
| LogForge | DFIR | Medium | Blind final-exam style practice: log correlation without leaning on public writeups. |

Reading Layer

| Priority | Topic | Read with | Link |
|---|---|---|---|
| Must | C2 communication detection | Meerkat, Litter, ProcNet, OpTinselTrace-4, APTNightmare | HTB |
| Must | LLMNR poisoning detection | Noxious, Reaper, Campfire-1, Campfire-2 | HTB |
| Must | SmartScreen logs for execution evidence | Pikaptcha, Noted, LogJammer | HTB |
| Must | PsExec lateral movement artifacts | Tracer, CrownJewel-2, APTNightmare | HTB |
| Must | AWS CloudTrail log analysis | Nubilum-1, Nubilum2, MisCloud, OpTinselTrace24-3 | HTB |
| Strong | Windows event logs for incident responders | Unit42, LogJammer, Campfire-1, Campfire-2, Reaper | HTB |
| Strong | Incident response report template | All labs, especially Week 4 onward | HTB |
| Strong | Network traffic analysis | Meerkat, Litter, Noxious, Reaper, ProcNet | HTB |
| Strong | Volatility and memory forensics | Recollection, OpTinselTrace-3, APTNightmare | HTB |
| Strong | Anti-forensics techniques | BFT, Unit42, Noted, APTNightmare, OpTinselTrace | HTB |

Optional career and vocabulary reads

| Topic | When I read it | Link |
|---|---|---|
| SOC onboarding plan | Before applying or interviewing | HTB |
| SOC analyst interview questions | After Weeks 2, 4, 8, and 10 | HTB |
| SOC analyst skill map | Week 1 or before CV work | HTB |
| Blue team job direction | Before role mapping | HTB |
| Weekly SOC team habits | When thinking about real SOC workflow | HTB |
| Cloud weakness context | Before cloud weeks | HTB |
| USB attack detection | Optional endpoint add-on | HTB |
| Red team tool context | Optional attacker-tool vocabulary | CrackTheLab |

Terminology Reference

The glossary is intentionally grouped so I can review only the terms related to the lab I am working on.

Investigation workflow terms

| Term | Short explanation |
|---|---|
| SOC | Security Operations Center. The team that watches alerts, investigates suspicious events, classifies true positives and false positives, and escalates when needed. |
| DFIR | Digital Forensics and Incident Response. The discipline focused on collecting evidence, analysing artifacts, building timelines, and handling incidents. |
| Purple Team | A way of learning or operating that combines Red Team and Blue Team: understand what the attacker does in order to write better detections and responses. |
| IoC | Indicator of Compromise. A sign of compromise such as an IP, domain, hash, file path, username, process, or registry key. |
| MITRE ATT&CK | Knowledge base for mapping attacker behaviour to tactics and techniques, e.g. credential access, lateral movement, exfiltration. |
| Containment | The step that stops an incident from spreading: isolate the host, disable the account, revoke keys, block IoCs, preserve evidence. |
| Timeline | An ordered sequence of timestamps that answers: what happened first, which user or host was affected, what did the attacker do next. |
| Evidence stacking | Never rely on a single artifact. For example, to prove execution, cross-check Sysmon, Prefetch, LNK, SmartScreen, and ShimCache (on Windows 10 and later, ShimCache only shows the file was present, not that it ran). |
| SIEM | Log aggregation and alerting platform such as Splunk, Sentinel, or Elastic. Used to search, correlate, detect, and triage. |
| EDR | Endpoint Detection and Response. An agent on the endpoint that gives visibility into processes, files, network, and command lines, plus response actions such as isolating the host. |
Windows forensic artifacts

| Term | Short explanation |
|---|---|
| Sysmon | Windows telemetry tool that records process creation, network connections, DNS queries, file creation, and registry events. Very important in DFIR. |
| Event ID | Identifier of a Windows event. For example, 4769 relates to Kerberos service ticket requests, and 4768 to AS-REQ/AS-REP (TGT requests). |
| PowerShell 4104 | Event ID that records PowerShell Script Block Logging. Very useful when an attacker runs obfuscated scripts or commands, because each block is logged as it executes. |
| Prefetch | Windows artifact showing that a program ran, its most recent run times, and the files it touched. Used to prove execution (off by default on Windows Server). |
| ShimCache / AppCompatCache | Windows artifact that stores application-compatibility data. Can support that a file existed or was handled by the system; on Windows 10 and later it does not prove execution on its own. |
| LNK / Jump List / RecentDocs | User activity artifacts. Show which files the user opened, which shortcuts were created, and which files appeared recently. |
| SmartScreen logs | Windows SmartScreen logs can support that an app or file was opened, or that the user interacted with a suspicious file. |
| $MFT | NTFS Master File Table. Holds file and folder metadata such as timestamps, path, size, and record number. Very powerful for file-system timelines. |
| USN Journal | NTFS change journal. Records file changes such as create, delete, rename, and overwrite. Often used to trace lateral movement or tool execution. |
| Zone.Identifier | Alternate Data Stream marking a file as coming from the Internet zone (ZoneId=3; newer versions also record ReferrerUrl and HostUrl). Useful when investigating downloaded files or phishing attachments. |
Network, C2, and Active Directory terms

| Term | Short explanation |
|---|---|
| PCAP | Packet capture. A file of recorded network packets used to analyse traffic, protocols, request/response pairs, beaconing, C2, or exfiltration. |
| Suricata | IDS/IPS engine that generates alerts from network traffic. In SOC labs, a Suricata alert is usually the starting point for pivoting into the PCAP. |
| C2 | Command and Control. The channel an attacker uses to send commands, receive output, deploy payloads, maintain access, or exfiltrate data. |
| Beaconing | A pattern of repeated connections at a regular interval. Commonly used to detect C2 when a host calls out at steady intervals. |
| DNS tunneling | Technique of packing data or commands into DNS queries and responses to evade traditional detection. |
| DGA | Domain Generation Algorithm. Malware generates many domains to find its C2 server, which makes blocklisting harder. |
| LLMNR | Link-Local Multicast Name Resolution. Windows protocol for asking the LAN for a hostname when DNS cannot resolve it; runs on UDP 5355. |
| NBT-NS | NetBIOS Name Service. Older protocol for resolving NetBIOS names on the LAN; runs on UDP 137 and is commonly abused alongside LLMNR. |
| NetNTLMv2 | Challenge-response hash Windows sends during NTLM authentication. An attacker can capture it and crack it offline, or relay it. |
| NTLM relay | The attacker forwards a victim's NTLM authentication to another service to log in as the victim, usually involving SMB or LDAP. |
| SMB signing | Mechanism that signs SMB messages to reduce relay risk. If it is not enforced, NTLM relay to SMB is easier. |
| Kerberoasting | Attack that requests Kerberos service tickets for SPN accounts and cracks them offline to recover the service account password. |
| AS-REP roasting | Attack targeting users with Kerberos pre-authentication disabled: obtain the AS-REP and crack it offline. |
| Rubeus | Popular tool for Kerberos abuse such as Kerberoasting, AS-REP roasting, and ticket manipulation. |
| PowerView | PowerShell tool for enumerating Active Directory: users, groups, sessions, ACLs, SPNs, trusts. |
| NTDS.dit | The Active Directory database, containing domain data and password hashes. A dump of it is a serious incident. |
| Volume Shadow Copy | Windows snapshot mechanism. Attackers abuse it to copy locked files such as NTDS.dit. |
| Pass-the-Hash | Lateral movement technique that uses an NTLM hash to authenticate without the plaintext password. |
| PsExec | Sysinternals tool for remote execution via SMB and service creation. A legitimate admin tool, but often abused for lateral movement; on the target it installs the PSEXESVC service (System log Event ID 7045). |
| Named pipe | IPC mechanism on Windows. Some remote execution, C2, and lateral movement tools leave named pipe artifacts. |
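An added example of the beaconing check the glossary describes (my code, not from the page or any lab): group connections by source, destination and port, compute the intervals between consecutive connections, and flag pairs whose intervals barely vary. The connection log is constructed: one workstation calling back about every 60 seconds with light jitter, the same workstation browsing a second site at irregular intervals, and one host with too few connections to judge. The thresholds are assumptions to tune per environment; the approach is the same one RITA-style beacon analysis uses.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_connections():
    """Constructed connection log (not from any lab): (time, src, dst, dst_port).
    In practice these rows come from Zeek conn.log, firewall logs, or a PCAP."""
    start = datetime(2024, 9, 3, 14, 0, 0)
    rows = []
    # Beacon: 12 callbacks to one host, roughly every 60 s with a little jitter.
    t = start
    for delta in [0, 60, 61, 59, 60, 62, 58, 60, 61, 60, 59, 60]:
        t += timedelta(seconds=delta)
        rows.append((t, "10.0.0.23", "203.0.113.45", 443))
    # Normal browsing: same workstation, irregular intervals to a second host.
    t = start
    for delta in [0, 5, 400, 12, 900, 3, 250, 40, 700, 9]:
        t += timedelta(seconds=delta)
        rows.append((t, "10.0.0.23", "198.51.100.9", 443))
    # A single connection: too few samples to judge regularity.
    rows.append((start + timedelta(seconds=30), "10.0.0.24", "203.0.113.45", 443))
    return rows


def detect_beacons(connections, min_connections=8, max_jitter=0.15):
    """Flag (src, dst, port) pairs whose inter-connection intervals are unusually regular.
    Regularity is measured as the coefficient of variation of the intervals
    (population stdev / mean): a perfect timer scores 0, human traffic scores far above 1."""
    by_pair = defaultdict(list)
    for when, src, dst, port in connections:
        by_pair[(src, dst, port)].append(when)
    findings = []
    for (src, dst, port), times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:  # duplicate timestamps only; nothing to measure
            continue
        jitter = statistics.pstdev(intervals) / mean
        if jitter <= max_jitter:
            findings.append({"src": src, "dst": dst, "port": port,
                             "connections": len(times),
                             "interval_seconds": statistics.median(intervals),
                             "jitter": round(jitter, 3),
                             "first_seen": times[0], "last_seen": times[-1]})
    return sorted(findings, key=lambda f: f["jitter"])


if __name__ == "__main__":
    for f in detect_beacons(build_sample_connections()):
        print(f"[beacon?] {f['src']} -> {f['dst']}:{f['port']} every ~{f['interval_seconds']:.0f}s "
              f"({f['connections']} connections, jitter {f['jitter']}) "
              f"from {f['first_seen']} to {f['last_seen']}")
```

Implants that add deliberate jitter push the coefficient up, so in a real hunt you would also look at the number of connections per hour, bytes per connection (beacons are small and uniform), and the destination's reputation, rather than relying on interval regularity alone.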
Cloud, web, malware, and memory terms

| Term | Short explanation |
|---|---|
| CloudTrail | AWS audit log of API activity from the console, CLI, and SDKs. Used to investigate IAM abuse, EC2, S3, and access key activity. |
| EC2 / S3 | EC2 is AWS compute (instances); S3 is object storage. Both show up constantly in cloud IR cases. |
| Web shell | A file or script on a web server that lets an attacker run commands or manage the server remotely. |
| SQLite | Lightweight file-based database. Common in app and web artifacts, browser data, or web compromise labs. |
| PE file | Windows executable format such as .exe or .dll. Malware triage usually starts with PE metadata, strings, and imports. |
| PEStudio | Static triage tool for PE files: imports, strings, indicators, entropy, suspicious metadata. |
| Ghidra | Reverse engineering tool for reading decompiled code, functions, string references, and malware logic. |
| VirusTotal | Service for looking up hashes, files, domains, and IPs to see detections, relations, community notes, and threat context. |
| Volatility | Memory forensics framework for analysing RAM dumps: processes, network connections, command lines, injected code. |
| Chainsaw | Tool for hunting Windows Event Logs with Sigma rules or keyword logic, often used to filter suspicious events quickly. |
| Exfiltration | Moving data out of the victim environment. Evidence can live in network traffic, cloud logs, archive files, and upload events. |
| Threat Intelligence | External context about IPs, domains, hashes, campaigns, TTPs, malware families, or actors, used to enrich an investigation. |

By the end, I want clean notes, real evidence, detection ideas, containment steps, and short interview-ready explanations.