Akira Ransomware Kill Chain Reconstruction — Perimeter and Endpoint Log Analysis
A SANS diary reconstructs an Akira ransomware intrusion from start to encryption using only firewall syslog and Windows EVTX, demonstrating how joined log sources reveal the full kill chain.
Summary
Manuel Humberto Santander Pelaez published a SANS diary detailing the forensic reconstruction of an Akira ransomware intrusion at a mid-sized organization, using only firewall syslog and Windows EVTX exports — no EDR, no PCAP, no proxy logs. The reconstruction demonstrates how joining perimeter and endpoint log sources can recover a complete kill chain.
Initial Access (Stage 1): The attacker brute-forced a local SSLVPN account over six hours from a single hosting-provider IP. The account had been disabled in Active Directory but remained provisioned in the firewall with no MFA. The successful authentication fell within the brute-force ramp itself, with no pause to test the credential before using it, which is consistent with credential stuffing.
Discovery and Credential Access (Stages 2–3): From the VPN, the attacker pivoted to a jump host and executed textbook discovery: nltest /dclist:, net group "Domain Admins" /domain, whoami /all, and an AdFind-equivalent binary. Approximately 24 hours later, a cluster of RC4-encrypted EID 4769 events from the jump host against three service accounts in a 90-second window confirmed Kerberoasting.
Lateral Movement (Stage 4): Over two days, the attacker moved via RDP (EID 4624 Logon Type 10) from the jump host to the file server, domain controllers, and backup server. A new account was created in a non-default OU and added to a built-in group via Well-Known SID — an indicator of scripted, portable operations. PowerShell -EncodedCommand sessions targeted backup infrastructure and shadow-copy state.
Defense Evasion and Impact (Stages 5–6): In the final 12 hours, the attacker cleared the Security event log (EID 1102), stopped endpoint protection services via sc.exe and net stop, ran vssadmin delete shadows /all /quiet across all reachable hosts, and deployed encryption.
The critical insight: the encryption event represented only ~5% of total dwell time. The other 95% was visible in logs the organization already had — just not joined. The firewall alone caught the brute force and login. EVTX alone caught the anomalous internal activity. Only the joined view provided the full kill chain.
Why It Matters
This reconstruction is a master class in log-source joining for organizations that cannot afford EDR across every endpoint. Many mid-sized organizations leave their firewall and Windows event logs at default retention, and the two sources are often managed by separate teams. The Akira case proves that the joined signal — source IP as pivot, normalized time as axis — is the most cost-effective detection improvement most organizations can make. For SOC analysts, the message is clear: fix your time sync and log retention before buying another tool.
Defender Takeaways
- Reconcile deprovisioned AD accounts against local firewall accounts — this was the initial access vector.
- Enforce MFA on all VPN accounts, especially SSLVPN.
- Monitor for EID 4769 clusters from a single source against multiple service accounts (Kerberoasting signature).
- Join firewall authentication logs with Windows Security channel using source IP and normalized time.
- Extend Windows event log retention — default sizes are insufficient for post-incident reconstruction.
- Alert on EID 1102 (Security log clear) combined with service stop events as a precursor to ransomware impact.
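The Kerberoasting signature above (a cluster of RC4 EID 4769 requests from one source against several service accounts inside a short window) can be checked with a small sliding-window detector. This is an added example, not code from the SANS diary: it assumes the 4769 events have already been parsed into the fields shown, the sample events are constructed, and the exclusion of computer accounts and krbtgt is a tuning choice of mine rather than something the diary states.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of already-parsed EID 4769 fields (not real log data).
# Field names follow the event's XML data names; timestamps are UTC.
SAMPLE_4769 = [
    {"ts": "2024-01-01T09:15:00", "client": "10.0.7.33", "service": "svc_web", "etype": "0x17"},
    {"ts": "2024-01-01T10:00:12", "client": "10.0.5.20", "service": "svc_sql", "etype": "0x17"},
    {"ts": "2024-01-01T10:00:40", "client": "10.0.5.20", "service": "svc_backup", "etype": "0x17"},
    {"ts": "2024-01-01T10:00:50", "client": "10.0.5.20", "service": "WS01$", "etype": "0x17"},
    {"ts": "2024-01-01T10:00:55", "client": "10.0.7.33", "service": "svc_sql", "etype": "0x12"},
    {"ts": "2024-01-01T10:01:30", "client": "10.0.5.20", "service": "svc_web", "etype": "0x17"},
    {"ts": "2024-01-01T10:03:00", "client": "10.0.5.20", "service": "svc_sql", "etype": "0x17"},
]

def find_kerberoast_bursts(events, window_s=90, min_services=3):
    """Return one (client, first_ts, services) tuple per client that requested
    RC4 (etype 0x17) service tickets for >= min_services distinct service
    accounts within any window_s-second window."""
    by_client = defaultdict(list)
    for e in events:
        if e["etype"] != "0x17":          # AES requests are normal traffic
            continue
        name = e["service"]
        # Tuning assumption: computer accounts and krbtgt are not Kerberoast
        # targets, so they are dropped before clustering.
        if name.endswith("$") or name.lower() == "krbtgt":
            continue
        by_client[e["client"]].append((datetime.fromisoformat(e["ts"]), name))

    findings = []
    for client, reqs in by_client.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):   # slide the window start over each request
            seen = set()
            for t, name in reqs[i:]:
                if t - t0 > timedelta(seconds=window_s):
                    break
                seen.add(name)
            if len(seen) >= min_services:
                findings.append((client, t0.isoformat(), sorted(seen)))
                break                        # one finding per client is enough
    return findings

if __name__ == "__main__":
    for client, ts, services in find_kerberoast_bursts(SAMPLE_4769):
        print(f"Kerberoast burst from {client} at {ts}: {', '.join(services)}")
```

On the sample, only 10.0.5.20 trips the rule: three distinct service accounts within 78 seconds, while the single RC4 request from 10.0.7.33 and the AES request are ignored.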
Source
Title: Reconstructing an Akira Ransomware Kill Chain from Perimeter and Endpoint Logs — SANS ISC
URL: https://isc.sans.edu/diary/rss/33024
Related
- Ransomware — detection and response for T1486 techniques
- Kerberos Attacks — detection and response for T1558 techniques
- SIEM & Log Management — detection and response for TA0040 techniques
