SANS Diary Reconstructs Full Akira Ransomware Kill Chain Using Only Firewall and Windows Logs
A SANS diary demonstrates how defenders can reconstruct an Akira ransomware intrusion from initial access to encryption using only SSLVPN syslog and Windows EVTX logs, without EDR or memory captures.

A detailed diary published by the SANS Internet Storm Center reconstructs a complete Akira ransomware intrusion using only two log sources: perimeter firewall syslog and Windows EVTX exports. The analysis, covering a mid-sized organization with a single-site Active Directory forest, shows that the entire kill chain—from credential stuffing to file encryption—was visible in logs the organization already retained. No EDR, no memory captures, and no PCAP were needed.
The initial access vector was credential stuffing against a local SSLVPN account. Firewall authentication logs showed a six-hour run of failed logons from a single source IP in a hosting-provider range. The targeted account had been disabled in Active Directory but remained provisioned as a local user on the firewall itself, with no MFA, so the AD disablement never reached the VPN. Once a credential matched, the attacker walked straight into the internal network without pausing to test it, a behavioral fingerprint consistent with credential stuffing against a known target.
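The firewall side of that detection, as an added example (not code from the SANS diary): a small Python parser for SSLVPN auth syslog that alerts when a successful logon from a source IP follows a burst of failures from the same IP, plus the hygiene check that would have caught the root cause, local firewall users whose AD account is disabled or missing. The syslog line format, host names, user names and addresses are constructed for the example; adjust the regex to your firewall's actual format.

```python
"""Detect a brute-force/credential-stuffing burst against SSLVPN local accounts
in firewall syslog, and flag VPN users that are disabled or absent in AD.

Added example, not code from the SANS diary. The syslog line format and the
hostnames, users and addresses are constructed; adjust LINE_RE to match your
firewall's actual auth log format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog (not real data). One source IP hammers two
# accounts for six hours and then succeeds; a second user logs in cleanly.
SAMPLE_SYSLOG = """\
2024-05-01T02:00:05Z fw01 sslvpn: auth failed user="svc_backup" src=203.0.113.7 reason="invalid credentials"
2024-05-01T02:47:31Z fw01 sslvpn: auth failed user="svc_backup" src=203.0.113.7 reason="invalid credentials"
2024-05-01T03:30:14Z fw01 sslvpn: auth failed user="jsmith" src=203.0.113.7 reason="invalid credentials"
2024-05-01T05:12:41Z fw01 sslvpn: auth failed user="jsmith" src=203.0.113.7 reason="invalid credentials"
2024-05-01T06:40:09Z fw01 sslvpn: auth failed user="jsmith" src=203.0.113.7 reason="invalid credentials"
2024-05-01T07:58:02Z fw01 sslvpn: auth failed user="jsmith" src=203.0.113.7 reason="invalid credentials"
2024-05-01T08:01:17Z fw01 sslvpn: auth success user="jsmith" src=203.0.113.7 assigned_ip=10.200.0.15
2024-05-01T08:05:44Z fw01 sslvpn: auth success user="admin2" src=198.51.100.9 assigned_ip=10.200.0.16
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) \S+ sslvpn: auth (?P<result>failed|success) '
    r'user="(?P<user>[^"]+)" src=(?P<src>\d+\.\d+\.\d+\.\d+)'
)


def parse_vpn_auth(text):
    """Parse auth lines into dicts sorted by time; other syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                "result": m["result"], "user": m["user"], "src": m["src"],
            })
    return sorted(events, key=lambda e: e["ts"])


def bruteforce_then_success(events, min_failures=5, window=timedelta(hours=8)):
    """One alert per successful logon that was preceded, from the same source
    IP and within `window`, by at least `min_failures` failed logons.
    The threshold is small to fit the sample; tune it to your own baseline."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        failures = []
        for e in evs:
            if e["result"] == "failed":
                failures.append(e)
                continue
            recent = [f for f in failures if e["ts"] - f["ts"] <= window]
            if len(recent) >= min_failures:
                alerts.append({
                    "src": src, "user": e["user"], "success_at": e["ts"],
                    "failures": len(recent),
                    "users_tried": sorted({f["user"] for f in recent}),
                    "span": e["ts"] - recent[0]["ts"],
                })
    return alerts


def orphaned_vpn_accounts(vpn_local_users, ad_accounts):
    """Hygiene check for the diary's root cause: local firewall users whose
    AD account is disabled, or which have no AD account at all."""
    return sorted(u for u in vpn_local_users
                  if not ad_accounts.get(u, {}).get("enabled", False))


# Constructed AD export: jsmith is disabled in AD but still exists on the VPN.
AD_ACCOUNTS = {"jsmith": {"enabled": False}, "admin2": {"enabled": True}}
VPN_LOCAL_USERS = ["jsmith", "admin2", "svc_backup"]

if __name__ == "__main__":
    for a in bruteforce_then_success(parse_vpn_auth(SAMPLE_SYSLOG)):
        print(f"{a['src']} -> {a['user']} after {a['failures']} failures over {a['span']}")
    print("orphaned VPN accounts:", orphaned_vpn_accounts(VPN_LOCAL_USERS, AD_ACCOUNTS))
```

The alert keeps the list of user names tried and the total span, because a long slow run against one or two named accounts (the diary's case) reads differently from a spray across hundreds of accounts, and the hygiene check is what turns a one-off finding into a recurring control: run it against the firewall's local user list every time an AD account is disabled.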
Once on the VPN, the attacker pivoted to a jump host used by legitimate remote administrators. Windows Security logs captured the full discovery phase: EID 4688 process creation events (which only record arguments when command-line auditing is enabled) showed the attacker running nltest for domain controller discovery, net group for privilege enumeration, whoami for identity checks, and a renamed AdFind executable for Active Directory reconnaissance. Approximately 24 hours later, a cluster of EID 4769 (Kerberos service ticket requested) events on the domain controller, all for RC4-HMAC tickets (encryption type 0x17), all with the jump host as the client address, all within a 90-second window, revealed Kerberoasting against three service accounts.
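The Kerberoasting pattern described above, as an added example (not the diary's code): detection logic over 4769 records exported from a domain controller's Security log, keyed by the standard EventData field names. It alerts when one client address obtains RC4-HMAC (0x17) service tickets for several distinct user SPNs inside a 90-second window, and ignores machine accounts, krbtgt and failed requests, none of which yield a crackable ticket. All records, names and addresses are constructed.

```python
"""Flag Kerberoasting in Security EID 4769 (Kerberos service ticket requested):
several distinct service accounts' tickets requested with RC4-HMAC
(TicketEncryptionType 0x17) from one client address in a short window.

Added example, not the diary's code. Records are dicts keyed by the 4769
EventData field names as exported from EVTX; all values are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def _client_ip(addr):
    """4769 logs IPv4 clients as IPv4-mapped IPv6, e.g. '::ffff:10.10.20.5'."""
    return addr[7:] if addr.startswith("::ffff:") else addr


# Constructed 4769 records from a DC's Security log (times in UTC).
SAMPLE_4769 = [
    # three RC4 service tickets for user SPNs from the jump host inside 60 s
    {"TimeCreated": _t("2024-05-02T09:15:02"), "TargetUserName": "jsmith@CORP.LOCAL",
     "ServiceName": "svc_sql", "IpAddress": "::ffff:10.10.20.5",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TimeCreated": _t("2024-05-02T09:15:31"), "TargetUserName": "jsmith@CORP.LOCAL",
     "ServiceName": "svc_web", "IpAddress": "::ffff:10.10.20.5",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TimeCreated": _t("2024-05-02T09:16:00"), "TargetUserName": "jsmith@CORP.LOCAL",
     "ServiceName": "svc_backup", "IpAddress": "::ffff:10.10.20.5",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    # AES (0x12) ticket for a machine account: normal traffic
    {"TimeCreated": _t("2024-05-02T09:15:10"), "TargetUserName": "jsmith@CORP.LOCAL",
     "ServiceName": "FS01$", "IpAddress": "::ffff:10.10.20.5",
     "TicketEncryptionType": "0x12", "Status": "0x0"},
    # one RC4 ticket for a legacy SPN from a workstation: below threshold
    {"TimeCreated": _t("2024-05-02T09:15:20"), "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "svc_legacy", "IpAddress": "::ffff:10.10.50.77",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    # non-zero Status: the KDC issued no ticket, so nothing to crack
    {"TimeCreated": _t("2024-05-02T09:15:25"), "TargetUserName": "jsmith@CORP.LOCAL",
     "ServiceName": "svc_hr", "IpAddress": "::ffff:10.10.20.5",
     "TicketEncryptionType": "0x17", "Status": "0x7"},
]


def detect_kerberoasting(events, min_spns=3, window=timedelta(seconds=90)):
    """Return one alert per client address that obtained RC4 tickets for at
    least `min_spns` distinct non-machine, non-krbtgt SPNs inside `window`."""
    by_client = defaultdict(list)
    for e in events:
        svc = e["ServiceName"]
        if (e["TicketEncryptionType"].lower() != "0x17" or e["Status"] != "0x0"
                or svc.endswith("$") or svc.lower() == "krbtgt"):
            continue
        by_client[_client_ip(e["IpAddress"])].append(e)

    alerts = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        start = 0
        for end in range(len(evs)):                      # sliding window
            while evs[end]["TimeCreated"] - evs[start]["TimeCreated"] > window:
                start += 1
            spns = {e["ServiceName"] for e in evs[start:end + 1]}
            if len(spns) >= min_spns:
                alerts.append({
                    "client": client,
                    "requester": evs[end]["TargetUserName"],
                    "spns": sorted(spns),
                    "first": evs[start]["TimeCreated"],
                    "last": evs[end]["TimeCreated"],
                })
                break                                     # one alert per client
    return alerts


if __name__ == "__main__":
    for a in detect_kerberoasting(SAMPLE_4769):
        print(f"{a['client']} ({a['requester']}) roasted {a['spns']} "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

The RC4 filter is what keeps this rule quiet in an AES-only domain; in an environment that still has legacy RC4 SPNs, raise `min_spns` or baseline the handful of clients that legitimately request them.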
Lateral movement unfolded over two days, relying almost exclusively on RDP. EID 4624 Logon Type 10 (RemoteInteractive) events traced the attacker from the jump host to the file server, both domain controllers, and the backup server. Each domain controller logon was followed by EID 4672 (special privileges assigned to new logon), confirming domain-level privilege escalation. Notably, the attacker created a new account in a non-default OU and added it to a built-in group by its well-known SID rather than the localized group name, a small but reliable sign of tooling scripted for portability across environments. PowerShell invocations using the -EncodedCommand flag, once decoded, showed reconnaissance against backup infrastructure and shadow-copy state.
The final 12 hours collapsed into a rapid sequence: the Security event log on the jump host was cleared (EID 1102), endpoint protection services were stopped via sc.exe and net stop (System log EID 7036, service entered the stopped state), and vssadmin delete shadows /all /quiet ran on every reachable host. Encryption followed within minutes. The diary emphasizes that the encryption event accounts for only about five percent of total dwell time; the other 95 percent is where the defensive opportunity sits, and almost all of it was visible in logs the organization already had.
The SANS diary underscores a critical lesson for defenders: perimeter logs and endpoint event logs are typically handled by separate teams, but joining them reveals the full intrusion narrative. An analyst working only the firewall syslog would have caught the brute force and successful login but missed the internal discovery and lateral movement. An analyst working only Windows event logs would have seen the Kerberoasting and lateral movement but missed the initial access vector. The join between the two sources provides the complete picture, enabling defenders to detect and disrupt intrusions long before encryption occurs.
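The join itself, as an added example (not the diary's code): the VPN-assigned address from the firewall log is matched against the IpAddress of 4624 LogonType 10 events on the first internal host, each compromised host's own address then chains further RDP logons host to host, a 4672 whose SubjectLogonId equals the 4624 TargetLogonId marks a privileged hop, and 1102, 7036 (service stopped) and a 4688 vssadmin command line mark the run-up to encryption. Host names, addresses, logon IDs, the host-to-address map and every event are constructed; that a host's outbound RDP logons appear with its mapped address is an assumption of the example, not something the diary states.

```python
"""Join firewall SSLVPN syslog with Windows event logs into one timeline.
VPN-assigned IP -> 4624/LogonType 10 IpAddress gives the first hop; each
compromised host's IP chains later RDP logons; 4672 whose SubjectLogonId
matches the 4624 TargetLogonId marks a privileged hop; 1102 / 7036 / 4688
vssadmin mark the final phase. Added example, not the diary's code; all
hosts, addresses and events are constructed. Field names follow EVTX EventData."""
import re
from collections import deque
from datetime import datetime


def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def _ip(addr):
    """4624 may log IPv4 clients as IPv4-mapped IPv6 ('::ffff:a.b.c.d')."""
    return addr[7:] if addr.startswith("::ffff:") else addr


def ev(computer, eid, ts, **fields):
    return {"Computer": computer, "EventID": eid, "TimeCreated": _t(ts), **fields}


# Constructed: the successful VPN logon, already parsed from firewall syslog.
VPN_LOGON = {"ts": _t("2024-05-01T08:01:17"), "user": "jsmith",
             "src": "203.0.113.7", "assigned_ip": "10.200.0.15"}
# Constructed: internal address of each host (e.g. from DHCP/DNS exports).
HOST_IP = {"JUMP01": "10.10.20.5", "FS01": "10.10.30.11",
           "DC01": "10.10.10.1", "BKP01": "10.10.40.3"}
# Constructed events merged from several hosts' Security and System logs.
WIN_EVENTS = [
    ev("JUMP01", 4624, "2024-05-01T08:01:40", LogonType="10", IpAddress="10.200.0.15",
       TargetUserName="jsmith", TargetLogonId="0x3a1f2"),
    ev("FS01", 4624, "2024-05-03T09:00:00", LogonType="10", IpAddress="10.10.50.77",
       TargetUserName="helpdesk", TargetLogonId="0x5555"),   # unrelated admin RDP
    ev("FS01", 4624, "2024-05-03T10:30:00", LogonType="10", IpAddress="::ffff:10.10.20.5",
       TargetUserName="svc_sql", TargetLogonId="0x7001"),
    ev("DC01", 4624, "2024-05-03T11:05:12", LogonType="10", IpAddress="10.10.20.5",
       TargetUserName="svc_sql", TargetLogonId="0x9c44e"),
    ev("DC01", 4672, "2024-05-03T11:05:12", SubjectLogonId="0x9c44e"),
    ev("BKP01", 4624, "2024-05-03T15:40:00", LogonType="10", IpAddress="10.10.10.1",
       TargetUserName="svc_sql", TargetLogonId="0x2222"),
    ev("JUMP01", 1102, "2024-05-04T02:10:03"),
    ev("BKP01", 7036, "2024-05-04T02:15:30",
       param1="Windows Defender Antivirus Service", param2="stopped"),
    ev("FS01", 4688, "2024-05-04T02:16:02", CommandLine="vssadmin delete shadows /all /quiet"),
]
AV_SERVICE_RE = re.compile(r"defender|antivirus|endpoint|sense", re.I)
VSS_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)


def build_timeline(vpn, events, host_ip):
    """Return (timeline sorted by time, {compromised host: time first reached})."""
    ip_host = {ip: h for h, ip in host_ip.items()}
    privileged = {(e["Computer"], e["SubjectLogonId"]) for e in events if e["EventID"] == 4672}
    rdp = sorted((e for e in events if e["EventID"] == 4624 and e["LogonType"] == "10"),
                 key=lambda e: e["TimeCreated"])
    timeline = [{"ts": vpn["ts"], "phase": "initial_access", "host": "VPN",
                 "detail": f"{vpn['user']} from {vpn['src']}, assigned {vpn['assigned_ip']}"}]
    compromised, seen = {}, set()
    queue = deque([(vpn["assigned_ip"], vpn["ts"])])
    while queue:                          # breadth-first walk over RDP source addresses
        src_ip, since = queue.popleft()
        if src_ip in seen:
            continue
        seen.add(src_ip)
        for e in rdp:
            if _ip(e["IpAddress"]) != src_ip or e["TimeCreated"] < since:
                continue
            host = e["Computer"]
            priv = " [4672: privileged]" if (host, e["TargetLogonId"]) in privileged else ""
            timeline.append({"ts": e["TimeCreated"], "phase": "lateral_movement", "host": host,
                             "detail": f"RDP from {ip_host.get(src_ip, src_ip)} as {e['TargetUserName']}{priv}"})
            if host not in compromised:
                compromised[host] = e["TimeCreated"]
                if host in host_ip:
                    queue.append((host_ip[host], e["TimeCreated"]))
    for e in events:                      # pre-encryption indicators
        if e["EventID"] == 1102:
            phase, detail = "defense_evasion", "Security log cleared (1102)"
        elif (e["EventID"] == 7036 and e.get("param2") == "stopped"
                and AV_SERVICE_RE.search(e.get("param1", ""))):
            phase, detail = "defense_evasion", f"{e['param1']} stopped (7036)"
        elif e["EventID"] == 4688 and VSS_RE.search(e.get("CommandLine", "")):
            phase, detail = "impact_prep", f"shadow copies deleted (4688): {e['CommandLine']}"
        else:
            continue
        timeline.append({"ts": e["TimeCreated"], "phase": phase, "host": e["Computer"], "detail": detail})
    timeline.sort(key=lambda x: x["ts"])
    return timeline, compromised


if __name__ == "__main__":
    tl, hosts = build_timeline(VPN_LOGON, WIN_EVENTS, HOST_IP)
    for x in tl:
        print(f"{x['ts']:%m-%d %H:%M:%S}  {x['phase']:<16} {x['host']:<7} {x['detail']}")
```

The unrelated helpdesk RDP session never enters the timeline because no compromised host owns its source address, which is the point of seeding the walk from the VPN-assigned address instead of alerting on every Type 10 logon; the `since` bound on each hop keeps older RDP history from the same hosts out as well.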