User details : DFIR CTF Challenge - The dangers of daydreaming in O365

Level 1: MINAF-PC7, 500 / 650 (77%)

Level 2: Alert! Emergency!, 750 / 750 (100%)

Level 3: We're not happy, 525 / 725 (72%)

Total: 1,775 / 2,125 (83.5%)

Challenge	Solved	Points
3.7 From which REAL domain was this last attack launched? (Level 3: We're not happy)	#10, 2 years, 3 months after release (2024-03-06 17:25:35)	75
3.6 Before this successful attack, they tried another one, more sneaky but unsucessful. Could you tell the "code" they used? (Level 3: We're not happy)	#4, 2 years, 3 months after release (2024-03-06 17:16:53)	100
3.5 The attackers are nice tricksters because they also fooled this user. Which URL did they make him/her click? (Level 3: We're not happy)	#4, 2 years, 3 months after release (2024-03-06 17:11:41)	100
3.4 The compromised user have connecting from another countries ... Which one is the most frequent? (Level 3: We're not happy)	#8, 2 years, 3 months after release (2024-03-06 16:58:39)	50
3.1 Attackers have tricked someone to consent the installation of something. What is its name? (Level 3: We're not happy)	#11, 2 years, 3 months after release (2024-03-06 16:40:58)	125
3.2 Who fooled this user to install the "thingy" ? (Level 3: We're not happy)	#6, 2 years, 3 months after release (2024-03-06 16:33:09)	75
2.9 Which in the "innocent" password of the compromised account ? (Level 2: Alert! Emergency!)	#9, 2 years, 3 months after release (2024-03-06 16:23:43)	100
2.8 When the attackers did first successfully use the stolen account ? (Level 2: Alert! Emergency!)	#9, 2 years, 3 months after release (2024-03-06 16:22:08)	75
2.7 Attackers have left a privileged backdoor to MINAF's O365. Which form does it take? (Level 2: Alert! Emergency!)	#8, 2 years, 3 months after release (2024-03-06 16:14:54)	125
2.5 Attackers also created an email rule that filtered out some keywords. Which ones? (Level 2: Alert! Emergency!)	#10, 2 years, 3 months after release (2024-03-06 16:10:18)	75
2.6 To expand their activities, the attackers have obtained full access to some mailboxes. Which ones? (Level 2: Alert! Emergency!)	#7, 2 years, 3 months after release (2024-03-06 16:03:25)	75
2.4 The attackes have given themselves permissions over two Sharepoint sites. Who are their owners? (Level 2: Alert! Emergency!)	#8, 2 years, 3 months after release (2024-03-06 15:57:09)	75
2.3 ... and from which IP address? (Level 2: Alert! Emergency!)	#9, 2 years, 3 months after release (2024-03-06 15:29:30)	50
2.2. When did the attackers got the World_Happiness_Plan.docx? (Level 2: Alert! Emergency!)	#9, 2 years, 3 months after release (2024-03-06 15:26:29)	100
1.6 Where did all these malware was downloaded from? (Level 1: MINAF-PC7)	#23, 2 years, 3 months after release (2024-03-06 15:18:53)	75
2.1 María José Feliz shared this file with an user ... who reshared it with a third user. Who? (Level 2: Alert! Emergency!)	#11, 2 years, 3 months after release (2024-03-06 15:13:56)	75
1.9 María José Feliz shared this document with other user. Which one? (Level 1: MINAF-PC7)	#15, 2 years, 3 months after release (2024-03-06 13:26:23)	75
1.7 Which user advises Maria Jose Files to "install" everything? (Level 1: MINAF-PC7)	#15, 2 years, 3 months after release (2024-03-06 13:21:47)	125
1.4 Which payload do these files have? (Level 1: MINAF-PC7)	#21, 2 years, 3 months after release (2024-03-06 12:40:57)	75
1.5 In that folder there is DEFINITELY another file that Windows Defender strongly dislikes. Which one? (Level 1: MINAF-PC7)	#17, 2 years, 3 months after release (2024-03-06 12:18:39)	50
1.2 Which file generated the most recent AV alert? (Level 1: MINAF-PC7)	#22, 2 years, 3 months after release (2024-03-06 12:15:46)	50
1.3 If you look carefully in the user folder, you'll see some suspicious compressed files. What final extension is the most used? (Level 1: MINAF-PC7)	#21, 2 years, 3 months after release (2024-03-06 12:15:20)	50

Ellendar

Solved challenges