Scoreboard : DFIR CTF - Ransomware ate my network!

#	Team	Points
1	GabberBro	3,050
2	elsa__	3,050
3	kuko__	3,050
4	imnotarobot	2,650
5	+q (Forgot Password)	2,500
6	Secun	2,425
7	SierraX	2,400
8	FerrisRS	2,100
9	Toni	2,025
10	carlos	1,900
11	Hattori Hanzo	1,900
12	Chicharo95	1,900
13	Fran C	1,825
14	c0qu1n4$$	1,725
15	Redes LAN	1,725
16	lauper	1,700
17	Scrach	1,700
18	Andres Y	1,675
19	Jonos	1,475
20	JavierAlbiac	1,425
21	Gonzalo	1,300
22	wh1tedrvg0n	1,150
23	Tania	1,050
24	Murugan	975
25	S2 Grupo - II Forensication	950
26	Brian	175
27	W4nn4Die	0
28	manolorastaman	0
29	forense	0
30	+q	0
31	MySOChasHoles	0
32	WmanuW	0
33	AlvaroOrtiz	0
34	mariotol	0
35	BlueOscuro	0
36	Raf	0
37	hugo sanz	0
38	S2 Grupo - II Forensicaton	0
39	carpese	0
40	Elena_Moreno	0
41	DG	0
42	NoNamedX	0
43	jmartinez	0
44	fbarrachina	0
45	ces23	0
46	S2-AGS	0
47	Gorane	0
48	mario.munoz	0

#	Team	Points
1	DFIR Oscense	2,625
2	Lucky	2,550
3	Gwynble1dd	2,525
4	Alde	2,425
5	nes_us	2,250
6	NutcrackerOwO	2,100
7	Bridge 4	2,075
8	unizar2023	950
9	RotoGG	550
10	alone	500
11	freelen	275
12	miqnavcho	100
13	héctor	0
14	Miquel Navarro	0
15	cewibe7983@mcuma.com	0
16	miquel	0
17	Testing	0
18	Exemplo1	0

#	Team	Points
1	PhineasFisher	3,050
2	RootedCon24	2,450
3	mer	2,450
4	Ellendar	2,450
5	JonDoe	2,025
6	Ps	1,775
7	Xeyuin	1,700
8	aillusion	1,525
9	yosek26480	1,425
10	Rivery	1,275
11	Defender	1,000
12	hecutresc	750
13	Exemplo0	350
14	franlx_14_	0
15	catarata	0

#	Team	Points
1	Luisalb	650
2	ocaroline	650
3	crisix	550
4	atila	550
5	joseluis	550
6	mary4	550
7	JuanXXIII	550
8	bikthor	525
9	cpou	525
10	JXXIII	500
11	rosams	350
12	fgf	325
13	yyyttt+++	325
14	jluis	0
15	Garbanzos Torraos	0
16	BXVI	0
17	martafg	0

#	Team	Points
1	Alvaro :P	3,050
2	Salmón Segura	3,050
3	Termindiego25	3,050
4	EchoPing	2,875
5	Clau	2,850
6	Jabato Dongo	2,750
7	Perro Daniel	2,750
8	Celia Rosell	2,750
9	BUENASSSSS	2,650
10	Eli	2,575
11	Alejandro Chirivella	2,525
12	Elba	2,175
13	Enigmático	2,100
14	Huguillo	2,075
15	Alberto	2,075
16	brTT	1,225
17	HugoGB	0
18	PingKing	0
19	Test	0

#	Team	Points
1	IesTeis	1,925
2	Pablo	1,925
3	IES de Teis 2	1,925
4	Cora	1,850
5	David	1,825
6	Nozi	1,825
7	Puffito	1,750
8	ies dex teis	1,750
9	Ies de Teis	1,575
10	Danii	1,375
11	iesdeteis	1,150
12	cuernomax2	1,075
13	cristinac	775
14	JoseManuelDelaVega	775
15	IES TEIS	525
16	Boyomo	325
17	Josito22	175
18	IESTeisJesusir	75
19	Joselrp	75
20	Iago	0
21	cuernomax4	0
22	cuernomax3	0

#	Team	Points
1	mrobot	2,625
2	prr	2,625
3	Jteam	2,425
4	BOTS	2,425
5	L	2,425
6	NotFound	2,250
7	Team Kakamora	2,175
8	Zapper	2,150
9	J3SuS	2,050
10	Road Runner	1,875
11	Vega	1,825
12	Worldsleaks	1,750
13	CMG	1,675
14	Peritus	1,000
15	Zimanes	975
16	Pandrades	850
17	CTL	275
18	usuario	0
19	pr	0
20	PabloAndrades	0

#	Team	Country	Points

Level 1: Domain controller	Points	Solved by	First solvers
09. What is the IP used by the attackers to connect to the domain controller ?	25	79%	adriandlhc LosChunguitos Ximo
03. At what time can you see a logon type 10 user login on the domain controller?	50	88%	adriandlhc bob Asere Jévere
05. The antivirus detected a malicious file around this time. Which name does it have?	50	89%	adriandlhc Asere Jévere LosChunguitos
04. A foul-mouthed named script was executed a little after this user login. What is its name?	50	86%	adriandlhc LosChunguitos Ximo
07. Which ransomware family are the attackers planning to deploy?	50	79%	adriandlhc LosChunguitos Ximo
01- What is the name of the first anomalous GPO?	75	83%	Secun GabberBro imnotarobot
08. The GPO establish a fixed time for ransomware execution. Which time are the scheduled tasks of doom timed to start?	75	77%	LosChunguitos Ximo adriandlhc
06. Which specific threat is launched by the AV detection?	75	67%	Gonzalo GabberBro Toni
02. At which time can the second malicious GPO be considered as loaded and ready to be applied?	100	86%	adriandlhc LosChunguitos Ximo
09_Extra. Which kind of authentication used the attacker to log into the system?	100	50%	adriandlhc Ximo LosChunguitos
08_Extra: There is a GPO in the disk that sets a value for the Group Policy Refresh. What is the time between cheks?	100	36%	adriandlhc LosChunguitos Ximo
04_Extra: How this file arrived to the domain controller?	100	31%	adriandlhc LosChunguitos Ximo

Level 2: W10-PC3	Points	Solved by	First solvers
01. Which execution pinpoints the first lateral movement on this machine?	50	64%	Asere Jévere LosChunguitos adriandlhc
06. Which privileged account has been used by the attackers ?	50	62%	Secun GabberBro imnotarobot
04. This machine is listening in a really odd port for an endpoint. Which one?	50	69%	adriandlhc Ximo LosChunguitos
03. What is the external IP used by the attackers?	50	68%	adriandlhc Ximo LosChunguitos
02. This malicious execution is used to launch another known threat. At what UTC time?	75	61%	LosChunguitos Asere Jévere adriandlhc
07. How many different users did login on this computer on November 9 ?	75	61%	Asere Jévere adriandlhc Deckcard23
09. The first question refers to a malicious code execution. What IP addresses did this attack likely came from?	75	48%	Asere Jévere adriandlhc Deckcard23
05. The attackers are quite sassy ... but sloppy too. Can you locate the password for one of this accounts?	100	63%	adriandlhc LosChunguitos Asere Jévere
06_extra. How many times did the attackers login on the DC from a user of this computer ?	125	19%	Asere Jévere adriandlhc Fran C
08. What EXACT authentication data from dom.adm account has been compromised ?	200	37%	Asere Jévere adriandlhc GabberBro
08_extra. The attackers surely have left some persistence on this computer. Find it and give us the name/key/filename/whatever used.	200	12%	Asere Jévere adriandlhc Cyberscope

Level 3: W10-PC5	Points	Solved by	First solvers
01. What "disguise" has used the executable used to run code on W10-PC3?	50	59%	adriandlhc Deckcard23 teamrocket
08. This machine is plagued with evil. Name the file who drops the first malicious payload	75	48%	adriandlhc Asere Jévere Deckcard23
04. Attackers have used two Active Directory recon tools. When was the latest one first launched ?	75	45%	adriandlhc Cyberscope teamrocket
03. There are two different C2 used by the attackers. What are their IP?	75	50%	Asere Jévere adriandlhc Cyberscope
06. There is more than one malicious payloads running wild on this machine. When did the second one was deployed?	75	31%	adriandlhc Asere Jévere Deckcard23
07. What is the first recon command made by the attackers ?	75	40%	adriandlhc Asere Jévere Deckcard23
10. Which REAL domain/filename/underwear was used to spoof MINAF? Use the file attached	75	41%	imnotarobot Toni GabberBro
02. Which script/command/thingy is used by the attackers to disable the antivirus?	100	54%	adriandlhc Deckcard23 Cyberscope
05. Which file has an exploit used by the attackers to elevate privileges?	100	38%	imnotarobot Secun kuko__
09. Here you have the malicious file from the previous question. What payload drops?	100	35%	GabberBro +q (Forgot Password) SierraX
10_extra. With all the evidence you have collected, and having to make a wild guess (attribution is hard, we know it) ... Which country did the attackers came from?	150	30%	adriandlhc Cyberscope teamrocket
05_extra. What CVE have exploited the attackers to gain elevated privileges on the system?	200	34%	adriandlhc Deckcard23 Cyberscope

S2 Grupo Scoreboard

DFIR Unizar 2023 Scoreboard

BootCamp DFIR Rooted 2024 Scoreboard

Xunta CTF Scoreboard

ENIGMA 11 Scoreboard

IES TEIS Scoreboard

BootCamp DFIR Rooted 2025 Scoreboard

DFIR Marine Institute Scoreboard

Challenges