# Team Country Points
1 GabberBro es 3,050
2 elsa__ es 3,050
3 kuko__ es 3,050
4 imnotarobot es 2,650
5 +q (Forgot Password) im 2,500
6 Secun es 2,425
7 SierraX gw 2,400
8 FerrisRS es 2,100
9 Toni es 2,025
10 carlos es 1,900
11 Hattori Hanzo es 1,900
12 Chicharo95 es 1,900
13 Fran C es 1,825
14 c0qu1n4$$ es 1,725
15 Redes LAN es 1,725
16 lauper es 1,700
17 Andres Y es 1,675
18 JavierAlbiac es 1,425
19 Gonzalo es 1,300
20 wh1tedrvg0n es 1,150
21 Tania es 1,050
22 Murugan ru 975
23 S2 Grupo - II Forensication es 950
24 Brian es 175
25 MySOChasHoles us 0
26 WmanuW es 0
27 AlvaroOrtiz es 0
28 mariotol co 0
29 BlueOscuro es 0
30 Raf il 0
31 hugo sanz es 0
32 S2 Grupo - II Forensicaton co 0
33 carpese es 0
34 Elena_Moreno es 0
35 DG es 0
36 NoNamedX co 0
37 jmartinez es 0
38 fbarrachina es 0
39 ces23 es 0
40 S2-AGS es 0
41 Gorane es 0
42 mario.munoz es 0
43 W4nn4Die es 0
44 manolorastaman td 0
45 forense es 0
46 +q im 0
# Team Country Points
1 DFIR Oscense es 2,625
2 Lucky es 2,550
3 Gwynble1dd es 2,525
4 Alde es 2,425
5 nes_us es 2,250
6 NutcrackerOwO es 2,100
7 Bridge 4 es 2,075
8 unizar2023 es 950
9 RotoGG es 550
10 alone es 500
11 freelen jp 275
12 miqnavcho es 100
13 Miquel Navarro es 0
14 cewibe7983@mcuma.com ad 0
15 miquel es 0
16 Testing af 0
17 Exemplo1 ag 0
18 héctor es 0
# Team Country Points
1 PhineasFisher kp 3,050
2 RootedCon24 es 2,450
3 mer es 2,450
4 Ellendar es 2,450
5 JonDoe es 2,025
6 Ps es 1,775
7 Xeyuin es 1,700
8 aillusion es 1,525
9 yosek26480 es 1,425
10 Rivery es 1,275
11 Defender es 1,000
12 hecutresc es 750
13 Exemplo0 al 350
14 franlx_14_ es 0
15 catarata es 0
# Team Country Points
1 Luisalb es 650
2 ocaroline es 650
3 crisix ga 550
4 atila fo 550
5 joseluis es 550
6 mary4 es 550
7 JuanXXIII es 550
8 bikthor es 525
9 cpou es 525
10 JXXIII es 500
11 rosams es 350
12 fgf es 325
13 yyyttt+++ al 325
14 jluis es 0
15 BXVI es 0
16 martafg es 0
Level 1: Domain controller Points Solved by First solvers
01. What is the name of the first anomalous GPO? 75 76% 1st: Secun, 2nd: GabberBro, 3rd: imnotarobot
02. At which time can the second malicious GPO be considered as loaded and ready to be applied? 100 85% 1st: adriandlhc, 2nd: LosChunguitos, 3rd: Ximo
03. At what time can you see a logon type 10 user login on the domain controller? 50 92% 1st: adriandlhc, 2nd: bob, 3rd: Asere Jévere
04. A script with a foul-mouthed name was executed a little after this user login. What is its name? 50 87% 1st: adriandlhc, 2nd: LosChunguitos, 3rd: Ximo
04_Extra: How did this file arrive at the domain controller? 100 26% 1st: adriandlhc, 2nd: LosChunguitos, 3rd: Ximo
05. The antivirus detected a malicious file around this time. Which name does it have? 50 89% 1st: adriandlhc, 2nd: Asere Jévere, 3rd: LosChunguitos
06. Which specific threat is launched by the AV detection? 75 60% 1st: Gonzalo, 2nd: GabberBro, 3rd: Toni
07. Which ransomware family are the attackers planning to deploy? 50 75% 1st: adriandlhc, 2nd: LosChunguitos, 3rd: Ximo
08. The GPO establishes a fixed time for ransomware execution. Which time are the scheduled tasks of doom timed to start? 75 73% 1st: LosChunguitos, 2nd: Ximo, 3rd: adriandlhc
08_Extra: There is a GPO on the disk that sets a value for the Group Policy Refresh. What is the time between checks? 100 46% 1st: adriandlhc, 2nd: LosChunguitos, 3rd: Ximo
09. What is the IP used by the attackers to connect to the domain controller? 25 77% 1st: adriandlhc, 2nd: LosChunguitos, 3rd: Ximo
09_Extra. Which kind of authentication did the attacker use to log into the system? 100 51% 1st: adriandlhc, 2nd: Ximo, 3rd: LosChunguitos
Level 2: W10-PC3 Points Solved by First solvers
01. Which execution pinpoints the first lateral movement on this machine? 50 55% 1st: Asere Jévere, 2nd: LosChunguitos, 3rd: adriandlhc
02. This malicious execution is used to launch another known threat. At what UTC time? 75 49% 1st: LosChunguitos, 2nd: Asere Jévere, 3rd: adriandlhc
03. What is the external IP used by the attackers? 50 60% 1st: adriandlhc, 2nd: Ximo, 3rd: LosChunguitos
04. This machine is listening on a really odd port for an endpoint. Which one? 50 61% 1st: adriandlhc, 2nd: Ximo, 3rd: LosChunguitos
05. The attackers are quite sassy ... but sloppy too. Can you locate the password for one of these accounts? 100 54% 1st: adriandlhc, 2nd: LosChunguitos, 3rd: Asere Jévere
06. Which privileged account has been used by the attackers? 50 48% 1st: Secun, 2nd: GabberBro, 3rd: imnotarobot
06_extra. How many times did the attackers log in on the DC from a user of this computer? 125 19% 1st: Asere Jévere, 2nd: adriandlhc, 3rd: Fran C
07. How many different users logged in on this computer on November 9? 75 54% 1st: Asere Jévere, 2nd: adriandlhc, 3rd: Deckcard23
08. What EXACT authentication data from the dom.adm account has been compromised? 200 30% 1st: Asere Jévere, 2nd: adriandlhc, 3rd: GabberBro
08_extra. The attackers surely have left some persistence on this computer. Find it and give us the name/key/filename/whatever used. 200 17% 1st: Asere Jévere, 2nd: adriandlhc, 3rd: Cyberscope
09. The first question refers to a malicious code execution. What IP addresses did this attack likely come from? 75 38% 1st: Asere Jévere, 2nd: adriandlhc, 3rd: Deckcard23
Level 3: W10-PC5 Points Solved by First solvers
01. What "disguise" was used by the executable used to run code on W10-PC3? 50 43% 1st: adriandlhc, 2nd: Deckcard23, 3rd: teamrocket
02. Which script/command/thingy is used by the attackers to disable the antivirus? 100 40% 1st: adriandlhc, 2nd: Deckcard23, 3rd: Cyberscope
03. There are two different C2 used by the attackers. What are their IPs? 75 38% 1st: Asere Jévere, 2nd: adriandlhc, 3rd: Cyberscope
04. Attackers have used two Active Directory recon tools. When was the latest one first launched? 75 31% 1st: adriandlhc, 2nd: Cyberscope, 3rd: teamrocket
05. Which file has an exploit used by the attackers to elevate privileges? 100 32% 1st: imnotarobot, 2nd: Secun, 3rd: kuko__
05_extra. What CVE have the attackers exploited to gain elevated privileges on the system? 200 33% 1st: adriandlhc, 2nd: Deckcard23, 3rd: Cyberscope
06. There is more than one malicious payload running wild on this machine. When was the second one deployed? 75 26% 1st: adriandlhc, 2nd: Asere Jévere, 3rd: Deckcard23
07. What is the first recon command made by the attackers? 75 36% 1st: adriandlhc, 2nd: Asere Jévere, 3rd: Deckcard23
08. This machine is plagued with evil. Name the file that drops the first malicious payload. 75 37% 1st: adriandlhc, 2nd: Asere Jévere, 3rd: Deckcard23
09. Here you have the malicious file from the previous question. What payload does it drop? 100 27% 1st: GabberBro, 2nd: +q (Forgot Password), 3rd: SierraX
10. Which REAL domain/filename/underwear was used to spoof MINAF? Use the file attached. 75 31% 1st: imnotarobot, 2nd: Toni, 3rd: GabberBro
10_extra. With all the evidence you have collected, and having to make a wild guess (attribution is hard, we know it) ... Which country did the attackers come from? 150 27% 1st: adriandlhc, 2nd: Cyberscope, 3rd: teamrocket