User details : DFIR CTF - The dangers of daydreaming in the clouds - O365 training scenario

Level 1: MINAF-PC7, 350 / 650 (54%)

Level 2: Alert! Emergency!, 650 / 750 (87%)

Level 3: We're not happy, 625 / 725 (86%)

Total: 1,625 / 2,125 (76.5%)

Challenge	Solved	Points
3.8 In what time the attackers first set foot on MINAF's O365 infrastructure? (Level 3: We're not happy)	#30, 3 years, 7 months after release (2025-07-09 16:54:48)	100
3.7 From which REAL domain was this last attack launched? (Level 3: We're not happy)	#30, 3 years, 7 months after release (2025-07-09 16:38:52)	75
3.6 Before this successful attack, they tried another one, more sneaky but unsucessful. Could you tell the "code" they used? (Level 3: We're not happy)	#19, 3 years, 7 months after release (2025-07-09 16:36:47)	100
3.4 The compromised user have connecting from another countries ... Which one is the most frequent? (Level 3: We're not happy)	#38, 3 years, 7 months after release (2025-07-09 16:29:31)	50
3.3 This kind of attack is EXACTLY called ... (Level 3: We're not happy)	#36, 3 years, 7 months after release (2025-07-09 16:28:36)	100
3.2 Who fooled this user to install the "thingy" ? (Level 3: We're not happy)	#41, 3 years, 7 months after release (2025-07-09 16:27:09)	75
3.1 Attackers have tricked someone to consent the installation of something. What is its name? (Level 3: We're not happy)	#41, 3 years, 7 months after release (2025-07-09 16:26:42)	125
2.8 When the attackers did first successfully use the stolen account ? (Level 2: Alert! Emergency!)	#37, 3 years, 7 months after release (2025-07-09 16:09:54)	75
2.7 Attackers have left a privileged backdoor to MINAF's O365. Which form does it take? (Level 2: Alert! Emergency!)	#34, 3 years, 7 months after release (2025-07-09 16:03:11)	125
2.6 To expand their activities, the attackers have obtained full access to some mailboxes. Which ones? (Level 2: Alert! Emergency!)	#35, 3 years, 7 months after release (2025-07-09 15:44:24)	75
2.5 Attackers also created an email rule that filtered out some keywords. Which ones? (Level 2: Alert! Emergency!)	#36, 3 years, 7 months after release (2025-07-09 15:32:54)	75
2.4 The attackes have given themselves permissions over two Sharepoint sites. Who are their owners? (Level 2: Alert! Emergency!)	#38, 3 years, 7 months after release (2025-07-09 15:12:57)	75
2.3 ... and from which IP address? (Level 2: Alert! Emergency!)	#37, 3 years, 7 months after release (2025-07-09 15:00:55)	50
2.2. When did the attackers got the World_Happiness_Plan.docx? (Level 2: Alert! Emergency!)	#39, 3 years, 7 months after release (2025-07-09 14:57:53)	100
2.1 María José Feliz shared this file with an user ... who reshared it with a third user. Who? (Level 2: Alert! Emergency!)	#43, 3 years, 7 months after release (2025-07-09 14:31:32)	75
1.7 Which user advises Maria Jose Files to "install" everything? (Level 1: MINAF-PC7)	#57, 3 years, 7 months after release (2025-07-09 14:21:27)	125
1.4 Which payload do these files have? (Level 1: MINAF-PC7)	#54, 3 years, 7 months after release (2025-07-09 11:59:14)	75
1.3 If you look carefully in the user folder, you'll see some suspicious compressed files. What final (real) extension is the most used? (Level 1: MINAF-PC7)	#70, 3 years, 7 months after release (2025-07-09 11:46:44)	50
1.2 Which file generated the most recent AV alert? (Level 1: MINAF-PC7)	#69, 3 years, 7 months after release (2025-07-09 11:21:32)	50
1.1 At which time did María José Feliz create the document "World_Happiness_Plan.docx" on her computer? (Level 1: MINAF-PC7)	#59, 3 years, 7 months after release (2025-07-09 11:16:58)	50

A por ello

Solved challenges