This is my collection of CTF writeups focused on blue team and DFIR disciplines, including memory and disk forensics, network traffic analysis, threat hunting, cloud forensics, and more. All challenges are sourced from platforms such as CyberDefenders, HackTheBox Sherlocks, and TryHackMe. My goal is to provide a clear record of the investigation techniques, tools, and reasoning used during each challenge.

Each writeup in this repository provides a step-by-step breakdown of the approach taken to answer each challenge question. The writeups explain the investigation process, including the tools, commands, and reasoning behind the analysis. Challenges are grouped by general category, such as endpoint forensics, network forensics, and threat hunting. The difficulty labels used in the writeups follow the ratings provided by the original platform, so whatever HackTheBox or TryHackMe labeled as Easy or Hard is what I used.
| Difficulty | Rating |
|---|---|
| Very Easy | ⭐ |
| Easy | ⭐⭐ |
| Medium | ⭐⭐⭐ |
| Hard | ⭐⭐⭐⭐ |
| Insane | ⭐⭐⭐⭐⭐ |
- Endpoint Forensics
- Network Forensics
- Threat Hunting
- Cloud Forensics
- DFIR
- Cyber Threat Intelligence (CTI)
- Open-Source Intelligence (OSINT)
- Phishing Analysis
- Tools
## Endpoint Forensics

| Name | Writeup | Challenge | Difficulty | Rating | Tags |
|---|---|---|---|---|---|
| Rhadamanthys Lab | HIDDEN (Active Lab) | CyberDefenders | Medium | ⭐⭐⭐ | Event Log Explorer, CyberChef, Timeline Explorer |
| Spooler - APT28 Lab | Link | CyberDefenders | Hard | ⭐⭐⭐⭐ | Registry Explorer, Timeline Explorer, DB Browser for SQLite, MFTECmd, PECmd, MITRE ATT&CK, Event Log Explorer, VirusTotal |
| KioskExpo7 Lab | HIDDEN (Active Lab) | CyberDefenders | Medium | ⭐⭐⭐ | DB Browser for SQLite, Registry Explorer |
| CursorJack Lab | HIDDEN (Active Lab) | CyberDefenders | Easy | ⭐⭐ | DB Browser for SQLite, Notepad++, Event Log Explorer, Sysmon, TrailInspector |
| T1598.002 - Dragonfly Lab | Link | CyberDefenders | Easy | ⭐⭐ | oledump |
| Fork Bomb - TeamPCP Lab | HIDDEN (Active Lab) | CyberDefenders | Easy | ⭐⭐ | Notepad++, Sysmon |
| ContainerBreak - Rootkit Trail Lab | HIDDEN (Active Lab) | CyberDefenders | Easy | ⭐⭐ | Linux command line |
| MeteorHit - Indra Lab | Link | CyberDefenders | Medium | ⭐⭐⭐ | Registry Explorer, Event Log Explorer |
| Andromeda Bot - UNC4210 Lab | Link | CyberDefenders | Medium | ⭐⭐⭐ | MemProcFS, EvtxECmd, Timeline Explorer, VirusTotal, ANY.RUN |
| XMRig Lab | Link | CyberDefenders | Medium | ⭐⭐⭐ | PhotoRec, losetup, strings, mount, ANY.RUN |
| Volatility Traces Lab | Link | CyberDefenders | Easy | ⭐⭐ | Volatility3 |
| AndroidBreach Lab | Link | CyberDefenders | Medium | ⭐⭐⭐ | ALEAPP, jadx, CyberChef, DB Browser for SQLite |
| Reveal Lab | Link | CyberDefenders | Easy | ⭐⭐ | Volatility3 |
| Redline Lab | Link | CyberDefenders | Easy | ⭐⭐ | Volatility3, strings, awk |
| Ramnit Lab | Link | CyberDefenders | Easy | ⭐⭐ | Volatility3, VirusTotal |
| Insider Lab | Link | CyberDefenders | Easy | ⭐⭐ | FTK Imager, LogViewer2 |
| Amadey - APT-C-36 Lab | Link | CyberDefenders | Easy | ⭐⭐ | Volatility3, grep, strings |
| The Crime Lab | Link | CyberDefenders | Easy | ⭐⭐ | ALEAPP |
## Network Forensics

| Name | Writeup | Challenge | Difficulty | Rating | Tags |
|---|---|---|---|---|---|
| RCEMiner Lab | Link | CyberDefenders | Medium | ⭐⭐⭐ | Wireshark |
| CallMeOnTheChain - EtherRAT Lab | HIDDEN (Active Lab) | CyberDefenders | Medium | ⭐⭐⭐ | Wireshark |
| RediShell - Kinsing Lab | HIDDEN (Active Lab) | CyberDefenders | Easy | ⭐⭐ | Wireshark |
| XXE Infiltration Lab | Link | CyberDefenders | Easy | ⭐⭐ | Wireshark |
| RetailBreach Lab | Link | CyberDefenders | Easy | ⭐⭐ | Wireshark |
| JetBrains Lab | Link | CyberDefenders | Easy | ⭐⭐ | Wireshark |
| Lockdown Lab | HIDDEN (Active Lab) | CyberDefenders | Easy | ⭐⭐ | Wireshark, Volatility3, VirusTotal, MalwareBazaar |
| XLMRat Lab | HIDDEN (Active Lab) | CyberDefenders | Easy | ⭐⭐ | Wireshark, CyberChef, VirusTotal |
| Web Investigation Lab | Link | CyberDefenders | Easy | ⭐⭐ | Wireshark, CyberChef |
| Tomcat Takeover Lab | Link | CyberDefenders | Easy | ⭐⭐ | Wireshark |
| PacketDetective Lab | Link | CyberDefenders | Easy | ⭐⭐ | Wireshark |
| DanaBot Lab | Link | CyberDefenders | Easy | ⭐⭐ | Wireshark, VirusTotal |
| PsExec Hunt Lab | Link | CyberDefenders | Easy | ⭐⭐ | Wireshark |
| Poisoned Credentials Lab | Link | CyberDefenders | Easy | ⭐⭐ | Wireshark |
## Threat Hunting

| Name | Writeup | Challenge | Difficulty | Rating | Tags |
|---|---|---|---|---|---|
| FalconEye Lab | Link | CyberDefenders | Medium | ⭐⭐⭐ | Splunk |
| Kerberoasted Lab | Link | CyberDefenders | Medium | ⭐⭐⭐ | Splunk |
| T1197 Lab | Link | CyberDefenders | Medium | ⭐⭐⭐ | Splunk |
| T1110-003 Lab | Link | CyberDefenders | Easy | ⭐⭐ | Splunk |
| Boss Of The SOC v1 Lab | Link | CyberDefenders | Medium | ⭐⭐⭐ | Splunk |
| ShadowRoast Lab | Link | CyberDefenders | Medium | ⭐⭐⭐ | Splunk |
| GoldenSpray Lab | Link | CyberDefenders | Medium | ⭐⭐⭐ | Splunk, IPinfo |
| REvil - GOLD SOUTHFIELD Lab | Link | CyberDefenders | Easy | ⭐⭐ | Splunk, ANY.RUN |
| NerisBot Lab | Link | CyberDefenders | Easy | ⭐⭐ | Splunk, VirusTotal |
## Cloud Forensics

| Name | Writeup | Challenge | Difficulty | Rating | Tags |
|---|---|---|---|---|---|
| AbuSESer - Trufflenet Lab | HIDDEN (Active Lab) | CyberDefenders | Easy | ⭐⭐ | CloudWatch |
| Rogue Azure Lab | HIDDEN (Active Lab) | CyberDefenders | Easy | ⭐⭐ | Microsoft Sentinel |
| DynamicEscalate Lab | HIDDEN (Active Lab) | CyberDefenders | Easy | ⭐⭐ | Microsoft Sentinel |
| S3CredentialsHunt Lab | Link | CyberDefenders | Medium | ⭐⭐⭐ | jq |
| IMDSv1 Lab | Link | CyberDefenders | Medium | ⭐⭐⭐ | Wireshark, jq |
| AWSWatcher Lab | Link | CyberDefenders | Easy | ⭐⭐ | CloudTrail, CloudWatch, jq |
| AzureHunt Lab | Link | CyberDefenders | Easy | ⭐⭐ | ELK |
| AWSRaid Lab | Link | CyberDefenders | Easy | ⭐⭐ | Splunk |
## DFIR

| Name | Writeup | Challenge | Difficulty | Rating | Tags |
|---|---|---|---|---|---|
| Summit | Link | TryHackMe | Easy | ⭐⭐ | MITRE ATT&CK, Pyramid of Pain |
| Campfire-2 | Link | HackTheBox | Very Easy | ⭐ | Event Viewer |
| Brutus | Link | HackTheBox | Very Easy | ⭐ | grep, cat, MITRE ATT&CK |
## Cyber Threat Intelligence (CTI)

| Name | Writeup | Challenge | Difficulty | Rating | Tags |
|---|---|---|---|---|---|
| IceID Lab | Link | CyberDefenders | Easy | ⭐⭐ | VirusTotal, MITRE ATT&CK |
| GrabThePhisher Lab | Link | CyberDefenders | Easy | ⭐⭐ | VSCode |
| 3CX Supply Chain Lab | Link | CyberDefenders | Easy | ⭐⭐ | VirusTotal, MITRE ATT&CK |
| Red Stealer Lab | Link | CyberDefenders | Easy | ⭐⭐ | VirusTotal, MalwareBazaar, ThreatFox |
| Yellow RAT Lab | Link | CyberDefenders | Easy | ⭐⭐ | VirusTotal |
| Oski Lab | Link | CyberDefenders | Easy | ⭐⭐ | MITRE ATT&CK, VirusTotal, Any.Run |
| Eviction | Link | TryHackMe | Easy | ⭐⭐ | MITRE ATT&CK |
| Dream Job-1 | Link | HackTheBox | Easy | ⭐⭐ | MITRE ATT&CK, VirusTotal |
## Open-Source Intelligence (OSINT)

| Name | Writeup | Challenge | Difficulty | Rating | Tags |
|---|---|---|---|---|---|
| MBuchus Lab | HIDDEN (Active Lab) | CyberDefenders | Medium | ⭐⭐⭐ | AlienVault OTX, VirusTotal, IPinfo, WhoisFreaks, OSINT |
| Tusk Infostealer Lab | Link | CyberDefenders | Easy | ⭐⭐ | VirusTotal, Threat Intelligence Reports |
| RaaS Unfold - RansomHub Lab | HIDDEN (Active Lab) | CyberDefenders | Medium | ⭐⭐⭐ | Threat Intelligence Reports |
| Lespion Lab | Link | CyberDefenders | Easy | ⭐⭐ | Google Images search, CyberChef |
| Dev Diaries | Link | TryHackMe | Easy | ⭐⭐ | pentesting-tools, GitHub |
| Missing Person | Link | TryHackMe | Easy | ⭐⭐ | Google Images search, exifmeta |
## Phishing Analysis

| Name | Writeup | Challenge | Difficulty | Rating | Tags |
|---|---|---|---|---|---|
| Snapped Phish-ing Line | Link | TryHackMe | Easy | ⭐⭐ | VirusTotal, CyberChef, whois, grep |
| The Greenholt Phish | Link | TryHackMe | Easy | ⭐⭐ | whois, VirusTotal |
| Phishing Analysis Tools | Link | TryHackMe | Easy | ⭐⭐ | CyberChef, Any.Run |
## Tools

| Tool | Category | Link |
|---|---|---|
| Splunk | Threat Hunting | https://www.splunk.com/ |
| LogViewer2 | Endpoint Forensics | https://github.com/woanware/LogViewer2 |
| FTK Imager | Endpoint Forensics | https://www.exterro.com/digital-forensics-software/ftk-imager |
| Volatility3 | Endpoint Forensics | https://github.com/volatilityfoundation/volatility3 |
| ALEAPP | Endpoint Forensics | https://github.com/abrignoni/ALEAPP |
| Wireshark | Network Forensics | https://www.wireshark.org/ |
| MITRE ATT&CK | CTI | https://attack.mitre.org/ |
| VirusTotal | CTI | https://www.virustotal.com/ |
| WhoIs | CTI | https://www.whois.com/whois/ |
| Any.Run | Malware Analysis | https://any.run/ |
| CyberChef | DFIR | https://gchq.github.io/CyberChef/ |
| ExifMeta | OSINT | https://exifmeta.com/ |