Sherlocks Submission Requirements
Written by Diablo
Updated over a week ago

Investigation Requirements:

  • A list of questions to be solved by HTB users throughout the investigation process.

  • Investigation evidence is appropriately handled and hashed before delivery to HTB.

  • Full disk images have been pre-processed in Autopsy, and the Autopsy case file has been provided to HTB.

  • Memory dump maximum size of 8 GB.

  • The artifacts must not contain only malicious data; they must also include realistic, user-created background data.

  • Any malware delivered as part of the investigation is zipped and password protected with the password hacktheblue.

  • Do not provide nested JSON logs.
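Several of the requirements above (hashed evidence, password-protected malware archives, the 8 GB memory-dump cap, flat rather than nested JSON logs) can be checked mechanically before a bundle is sent. The script below is an added example written for this page, not HTB's own tooling. The bundle layout (an `artifacts/` and a `malware/` directory), the `SHA256SUMS` manifest name, the set of memory-dump file extensions, and the sample log lines are all assumptions constructed for the demo.

```python
"""Pre-submission check for a Sherlocks artifact bundle (added example, not HTB tooling).
Assumed layout: bundle/artifacts/ (logs, images, dumps) and bundle/malware/ (zipped samples)."""
import hashlib
import json
import tempfile
import zipfile
from pathlib import Path

MEMORY_DUMP_LIMIT = 8 * 1024 ** 3                                   # page rule: dumps <= 8 GB
MEMORY_DUMP_SUFFIXES = {".raw", ".mem", ".vmem", ".dmp", ".lime"}   # assumed naming convention
MANIFEST = "SHA256SUMS"                                             # assumed manifest name

def sha256_file(path):
    """Stream the file through SHA-256 so multi-GB images are never loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1024 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()

def _files(root):
    return sorted(p for p in Path(root).rglob("*") if p.is_file())

def write_manifest(root):
    """Write 'digest  relative/path' lines (sha256sum format) for every file under root."""
    root = Path(root)
    lines = [f"{sha256_file(p)}  {p.relative_to(root).as_posix()}"
             for p in _files(root) if p.name != MANIFEST]
    (root / MANIFEST).write_text("\n".join(lines) + "\n")
    return lines

def verify_manifest(root):
    """Return relative paths that are missing or whose current hash differs from the manifest."""
    root = Path(root)
    bad = []
    for line in (root / MANIFEST).read_text().splitlines():
        if line.strip():
            digest, rel = line.split("  ", 1)
            target = root / rel
            if not target.is_file() or sha256_file(target) != digest:
                bad.append(rel)
    return bad

def is_encrypted_zip(path):
    """True if path is a zip and every entry carries the encryption flag (general-purpose bit 0)."""
    if not zipfile.is_zipfile(path):
        return False
    with zipfile.ZipFile(path) as zf:
        infos = zf.infolist()
    return bool(infos) and all(info.flag_bits & 0x1 for info in infos)

def _flat(record):
    return isinstance(record, dict) and not any(isinstance(v, (dict, list)) for v in record.values())

def has_nested_json(path):
    """True unless every record is a flat object; accepts a JSON array or newline-delimited JSON."""
    text = Path(path).read_text()
    try:
        data = json.loads(text)
        records = data if isinstance(data, list) else [data]
    except json.JSONDecodeError:
        records = [json.loads(line) for line in text.splitlines() if line.strip()]
    return not all(_flat(r) for r in records)

def check_requirements(root):
    """Return (relative path, problem) pairs for files that break the submission rules."""
    root = Path(root)
    problems = []
    for p in _files(root):
        rel = p.relative_to(root).as_posix()
        if p.suffix.lower() in MEMORY_DUMP_SUFFIXES and p.stat().st_size > MEMORY_DUMP_LIMIT:
            problems.append((rel, "memory dump larger than 8 GB"))
        if rel.startswith("malware/") and not is_encrypted_zip(p):
            problems.append((rel, "malware sample is not a password-protected zip"))
        if p.suffix.lower() == ".json" and has_nested_json(p):
            problems.append((rel, "nested JSON log"))
    return problems

def build_demo_bundle(root):
    """Constructed sample bundle with tiny fake logs; none of this is real evidence."""
    root = Path(root)
    (root / "artifacts").mkdir(parents=True)
    (root / "malware").mkdir()
    (root / "artifacts" / "auth.log").write_text(
        "Jan 10 09:14:02 ws01 sshd[812]: Accepted password for alice from 10.0.0.5 port 50212 ssh2\n")
    (root / "artifacts" / "flat.json").write_text(
        '{"ts": "2024-01-10T09:14:02Z", "host": "ws01", "event": "logon", "user": "alice"}\n')
    (root / "artifacts" / "nested.json").write_text(
        '{"ts": "2024-01-10T09:14:02Z", "event": {"type": "logon", "user": "alice"}}\n')
    # Deliberately unencrypted zip so the check flags it (zipfile cannot write encrypted archives).
    with zipfile.ZipFile(root / "malware" / "sample.zip", "w") as zf:
        zf.writestr("sample.bin", b"constructed placeholder bytes, not malware")

def demo():
    """Build the bundle, hash it, verify, tamper with one file, verify again, then run the checks."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_bundle(tmp)
        write_manifest(tmp)
        clean = verify_manifest(tmp)                      # expected: []
        (Path(tmp) / "artifacts" / "auth.log").write_text("edited after hashing\n")
        tampered = verify_manifest(tmp)                   # expected: ["artifacts/auth.log"]
        problems = check_requirements(tmp)                # nested.json and the plain zip
    return {"clean": clean, "tampered": tampered, "problems": problems}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest uses the same two-space `digest  path` layout as `sha256sum`, so the recipient can verify it with `sha256sum -c SHA256SUMS` without this script. Python's `zipfile` can read the encryption flag but cannot create password-protected archives, so the malware zip itself still has to be produced with a tool such as 7-Zip or Info-ZIP's `zip`; the script only confirms that every entry in it is marked encrypted.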


Documentation:

  • Full writeup showing the intended path for the investigation. Due to the nature of investigation-based labs, there can be numerous investigation paths, but your intended path is necessary for submission.

    • The write-up must include screenshots showing how each question can be answered.

  • Produce a detailed “scenario” write-up to fully immerse HTB users in the investigation. A sample scenario can be provided to assist in this process if necessary.

  • Description of important processes running on each machine involved in the challenge and any important application services installed.

  • Description of any CVEs utilized to generate the investigation artifacts.

  • Network/Architecture diagram if more than one host is included in the investigation.

  • Description of user accounts important to the “scenario”.

  • Description of how any “PII” or “PCI” data was generated.


Best Practices:

  • We recommend you perform the investigation yourself and then produce questions for each stage of the investigation. Try to consider questions that would be important to answer in an investigation.

  • Try to keep the investigation realistic where possible.

  • Nothing inappropriate, trolly, offensive, political, sexual or insulting.

  • The investigation should present a coherent path containing worthwhile elements.

  • Don’t use commercial (paid) software (including trials).

  • Do not include copyrighted material in any form.


Level Definitions & Payments

Very Easy

An extremely beginner-friendly & bite-size investigation. Typically, the attack life cycle is clear & the tools used are fairly loud. Endpoint log granularity would typically be high. No complex reverse engineering would be expected on any easy challenge. A very easy investigation should typically take no longer than 1 hour, though this depends heavily on experience.

Difficulty | Earn (up to) | Complexity / Realism (up to) | Quality Bonus (up to)
Very Easy  | $100         | $25                          | $25

Easy

A beginner-friendly & entry-level investigation. Typically, the attack life cycle is clear & the tools used are fairly loud. Endpoint log granularity would typically be high. No complex reverse engineering would be expected on any easy challenge. An easy investigation should typically take no longer than 2-4 hours to investigate, though this depends heavily on experience.

Difficulty | Earn (up to) | Complexity / Realism (up to) | Quality Bonus (up to)
Easy       | $200         | $50                          | $50

Medium

An investigation that requires intermediate knowledge of at least one subject within the realm of defensive security. The attack life cycle is complex and usually involves multiple steps, with detection mechanisms being harder to find. Endpoint log granularity varies depending on the attack vector and is at the discretion of the creator. A medium investigation should typically take no longer than 4-8 hours to complete. However, it is heavily dependent on experience.

Difficulty | Earn (up to) | Complexity / Realism (up to) | Quality Bonus (up to)
Medium     | $400         | $100                         | $100

Hard

An investigation that requires advanced knowledge of at least one subject within the realm of defensive security. The attack life cycle is extremely complex and involves multiple steps and simulated activity often used by advanced or nation-state actors. The investigation presents varying types of data, often from a variety of OSs and applications. Endpoint log granularity varies depending on the attack vector and is at the creator's discretion. A hard investigation should typically take no longer than 2 days to complete. However, it is heavily dependent on experience.

Difficulty | Earn (up to) | Complexity / Realism (up to) | Quality Bonus (up to)
Hard       | $650         | $150                         | $150

Insane

A multi-faceted investigation that requires expert knowledge of at least one subject within the realm of defensive security. The attack life cycle is as complex as you can make it & the attacker activity is extremely hard to detect/find. If malware is used, it should not already exist on VirusTotal (or a similar platform) and should be reverse-engineered as part of the investigation. An insane investigation should typically take no longer than 5 days to complete. However, it is heavily dependent on experience.

Difficulty | Earn (up to) | Complexity / Realism (up to) | Quality Bonus (up to)
Insane     | $1000        | $250                         | $250
