Scoreboard : DFIR CTF Challenge - The dangers of daydreaming in O365 - Mellivora, the CTF engine

#	Team	Country	Points
1	SiCk-Boy		1,975
2	h4cK_3nD-B3Er5		900
3	adriandlhc		875
4	bomoca		200
5	Rioja		0
6	it was DNS's team		0
7	bL4Ck p4nTh3r		0
8	xaquin		0
9	loxza		0
10	FMA		0
11	The North is Cumming		0
12	AloneART		0
13	bluehawk		0

Level 1: MINAF-PC7	Points	Solved by	First solvers
1.1 At which time did María José Feliz create the document "World_Happiness_Plan.docx" on her computer?	50	75%	SiCk-Boy adriandlhc bomoca
1.2 Which file generated the most recent AV alert?	50	100%	h4cK_3nD-B3Er5 SiCk-Boy adriandlhc
1.3 If you look carefully in the folder where the previous file were, you'll see some suspicious compressed files. What extension is the most used?	50	100%	h4cK_3nD-B3Er5 SiCk-Boy adriandlhc
1.4 Which payload do these files have?	75	75%	h4cK_3nD-B3Er5 SiCk-Boy adriandlhc
1.5 In that folder there is DEFINITELY another file that Windows Defender strongly dislikes. Which one?	50	75%	h4cK_3nD-B3Er5 adriandlhc bomoca
1.6 Where did all these malware was downloaded from?	75	75%	h4cK_3nD-B3Er5 SiCk-Boy adriandlhc
1.7 Which user advises Maria Jose Files to "install" everything?	125	75%	h4cK_3nD-B3Er5 SiCk-Boy adriandlhc
1.8 How many times have been the compressed payload successfully executed?	100	50%	SiCk-Boy adriandlhc
1.9 María José Feliz shared this document with other user. Which one?	75	75%	h4cK_3nD-B3Er5 SiCk-Boy adriandlhc

Level 2: Alert! Emergency!	Points	Solved by	First solvers
2.1 María José Feliz shared this file with an user ... who reshared it with a third user. Who?	75	75%	h4cK_3nD-B3Er5 SiCk-Boy adriandlhc
2.2. When did the attackers got the World_Happiness_Plan.docx?	100	75%	h4cK_3nD-B3Er5 SiCk-Boy adriandlhc
2.3 ... and from which IP address?	50	75%	h4cK_3nD-B3Er5 SiCk-Boy adriandlhc
2.4 The attackes have given themselves permissions over two Sharepoint sites. Who are their owners?	75	25%	SiCk-Boy
2.5 Attackers also created an email rule that filtered out some keywords. Which ones?	75	25%	SiCk-Boy
2.6 To expand their activities, the attackers have obtained full access to some mailboxes. Which ones?	75	25%	SiCk-Boy
2.7 Attackers have left a privileged backdoor to MINAF's O365. Which form does it take?	125	25%	SiCk-Boy
2.8 When the attackers did first successfully use the stolen account ?	75	25%	SiCk-Boy
2.9 Which in the "innocent" password of the compromised account ?	100	50%	h4cK_3nD-B3Er5 SiCk-Boy

Level 3: We're not happy	Points	Solved by	First solvers
3.1 Attackers have tricked someone to consent the installation of something. What is its name?	125	25%	SiCk-Boy
3.2 Who fooled this user to install the "thingy" ?	75	50%	h4cK_3nD-B3Er5 SiCk-Boy
3.3 This kind of attack is EXACTLY called ...	100	25%	SiCk-Boy
3.4 The compromised user have connecting from another countries ... Which one is the most frequent?	50	25%	SiCk-Boy
3.5 The attackers are nice tricksters because they also fooled this user. Which URL did they make him/her click?	100	25%	SiCk-Boy
3.6 Before this successful attack, they tried another one, more sneaky but unsucessful. Could you tell the "code" they used?	100	0%	Unsolved
3.7 From which REAL domain was this last attack launched?	75	25%	SiCk-Boy
3.8 In what time the attackers first set foot on MINAF's O365 infrastructure?	100	25%	SiCk-Boy