Reconstructing an Akira Ransomware Kill Chain from Perimeter and Endpoint Logs (Wed, May 27th)
ID: 6ae463eb-0552-506d-b446-3257adcfd664
STIX ID: report--6ae463eb-0552-506d-b446-3257adcfd664
Feed Name: SANS ISC Diary
This SANS ISC diary reconstructs an Akira ransomware intrusion using only SSLVPN and Windows EVTX logs: attackers used credential stuffing against a deprovisioned local VPN account, performed discovery (nltest/net), Kerberoasted service accounts, RDP’d laterally to domain controllers, cleared logs and deleted shadow copies, then encrypted files; the report emphasizes the importance of joining perimeter and endpoint logs, provides concrete detection/hunting recommendations (SSLVPN MFA, EID 4688/4769/1102 monitoring, vssadmin auditing, time sync), and maps observed TTPs to MITRE ATT&CK.
