
Akira Ransomware: Full Kill Chain IR
The intrusion began with a search-engine advertisement and ended with the deployment of Akira ransomware. This scenario reflects the 2025 threat landscape: identity-based compromise, MFA bypass via adversary-in-the-middle (AiTM) phishing kits, and rapid lateral movement toward Active Directory. Analysts work across Windows workstations, Domain Controllers, and Cisco VPN infrastructure to reconstruct the timeline from initial access through data exfiltration to final encryption.
Investigation Tasks
Complete each task by investigating alerts and submitting your findings.
Identify the Ransomware Payload (10 points)
CORP-FS-01 went dark overnight: files across the share were renamed with an unfamiliar extension and a ransom note appeared. The host that drove the encryption is corp-wks-102. Working backward from the impact, identify the executable that carried out the mass-encryption stage on that host.
Recover the Encryption Key Argument (10 points)
In this scenario the encryptor takes its per-victim encryption key as a command-line argument. Having identified the payload on corp-wks-102, examine how it was invoked and recover the key value the operator supplied at runtime.
Trace the Pre-Encryption Data Staging (10 points)
Before detonating the ransomware, the actor staged data for theft: a 14 GB transfer left CORP-FS-01 for an external host the night before encryption. On corp-wks-102, a burst of process activity preceded that transfer. Determine which legitimate-looking third-party utility the actor used to compress and bundle the data for exfiltration.
Identify the Command-and-Control Channel (10 points)
The operator needed an interactive channel to drive corp-wks-102 between initial access and impact. Shortly after the loader executed on the host, it began beaconing outbound to an external server. Identify the command-and-control destination the host was contacting.
Uncover the Lateral Movement Mechanism (10 points)
From corp-wks-102 the actor pivoted toward the Domain Controller, installing a service on the remote host to run commands as SYSTEM. Identify the service binary that carried out this remote-execution lateral movement.
Identify the Attacker-Created Privileged Account (10 points)
To move freely and reach the Domain Controller, the actor needed privileges beyond those of the compromised user benjamin.smith. Investigate the net.exe activity on corp-wks-102 and the related account-management events to identify the high-privilege account the actor created and later reused to run the encryptor.
Determine the Targeted Active Directory Artifact (10 points)
With a privileged account in hand, the actor went after Active Directory's credential store wholesale. Review the file-system activity in XDR for corp-wks-102 and identify the Active Directory database file the actor accessed to harvest every domain credential at once.
Reconstruct the Credential Harvesting Technique (10 points)
The privileged account did not appear from nowhere: earlier in the intrusion the actor harvested credentials directly from memory on corp-wks-102. Examine the process-execution chain and credential-access behavior in XDR to determine which signed system DLL was invoked through rundll32.exe to dump LSASS memory.
Identify the Alternate Execution Interpreter (10 points)
Tracing further back toward the foothold: after the malicious installer ran on corp-wks-102, the actor sidestepped PowerShell controls by running their logic through a different scripting interpreter. Review the execution events that follow the msiexec.exe activity and identify the interpreter the actor used.
Pinpoint the Initial Access Foothold (10 points)
Closing the loop on root cause: the intrusion began with user benjamin.smith on corp-wks-102, where a file was written to a user temp directory after slipping past standard filtering. Analyze the XDR file-system artifacts for that user and identify the document written to disk as the initial-access foothold.
10 tasks · 100 points total
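Most of the tasks above reduce to a handful of telemetry checks: a rundll32.exe command line that names comsvcs.dll and MiniDump, a `net user ... /add` followed by a group-membership add for the same account, a service installed on a remote host from an admin share, a script host whose parent is msiexec.exe, and outbound connections at a near-constant interval. The script below is an added example, not part of the platform's scenario data or answer key. It assumes telemetry already normalized into a simple record (rather than any particular SIEM or XDR schema) and runs those checks over a handful of constructed events. Apart from corp-wks-102, CORP-FS-01 and benjamin.smith, every name in the sample data (the DC hostname corp-dc-01, the account svc_backup, the file names, the TEST-NET-3 address) is an invented placeholder, not a scenario answer.

```python
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Event:
    """One normalized telemetry record. All records below are constructed for this example."""
    ts: int            # epoch seconds
    host: str
    user: str
    kind: str          # "proc" process creation, "svc" service install (System 7045), "net" outbound connection
    image: str = ""    # proc/svc: executable path
    cmdline: str = ""  # proc: full command line
    parent: str = ""   # proc: parent image path
    dest: str = ""     # net: destination host:port

WKS = "corp-wks-102"
DC = "corp-dc-01"  # hypothetical DC hostname; the page does not name the Domain Controller
# Constructed sample events: every file name, IP, account name and DC name is a placeholder, not a scenario answer.
EVENTS = [
    # Foothold: installer from the user temp dir, then a script host spawned by msiexec instead of PowerShell
    Event(1000, WKS, "benjamin.smith", "proc", r"C:\Windows\System32\msiexec.exe",
          r"msiexec.exe /i C:\Users\benjamin.smith\AppData\Local\Temp\setup.msi /qn", r"C:\Windows\explorer.exe"),
    Event(1004, WKS, "benjamin.smith", "proc", r"C:\Windows\System32\wscript.exe",
          r"wscript.exe //B C:\Users\benjamin.smith\AppData\Local\Temp\stage.js", r"C:\Windows\System32\msiexec.exe"),
    # C2: outbound connections at a near-constant interval (TEST-NET-3 address as placeholder)
    *[Event(t, WKS, "benjamin.smith", "net", dest="203.0.113.10:443") for t in (2000, 2060, 2121, 2179, 2240)],
    # Credential access: LSASS dumped through the MiniDump export of comsvcs.dll
    Event(3000, WKS, "benjamin.smith", "proc", r"C:\Windows\System32\rundll32.exe",
          r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 C:\Windows\Temp\l.dmp full",
          r"C:\Windows\System32\cmd.exe"),
    # Account creation followed by elevation (hypothetical account name)
    Event(3100, WKS, "benjamin.smith", "proc", r"C:\Windows\System32\net.exe",
          r"net user svc_backup P@ssw0rd! /add", r"C:\Windows\System32\cmd.exe"),
    Event(3102, WKS, "benjamin.smith", "proc", r"C:\Windows\System32\net.exe",
          r"net localgroup administrators svc_backup /add", r"C:\Windows\System32\cmd.exe"),
    # Lateral movement: service installed on the DC with a binary pushed over the ADMIN$ share
    Event(3500, DC, "CORP\\svc_backup", "svc", r"\\corp-dc-01\ADMIN$\svc_helper.exe"),
    # Benign noise the net.exe rule must not flag
    Event(3600, WKS, "benjamin.smith", "proc", r"C:\Windows\System32\net.exe",
          r"net use Z: \\CORP-FS-01\share", r"C:\Windows\System32\cmd.exe"),
]

def lsass_dump_via_comsvcs(events):
    """T1003.001: rundll32.exe invoking the MiniDump export of comsvcs.dll."""
    return [(e.host, e.cmdline) for e in events
            if e.kind == "proc" and e.image.lower().endswith(r"\rundll32.exe")
            and "comsvcs" in e.cmdline.lower() and "minidump" in e.cmdline.lower()]

NET_ADD_USER = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(\S+)\s+\S+\s+/add\b", re.I)
NET_ADD_GROUP = re.compile(r'\bnet1?(?:\.exe)?\s+(?:localgroup|group)\s+(?:"[^"]+"|\S+)\s+(\S+)\s+/add\b', re.I)

def attacker_privileged_accounts(events):
    """Accounts both created with `net user ... /add` and added to a group with `net localgroup|group ... /add`."""
    created, elevated = set(), set()
    for e in (e for e in events if e.kind == "proc"):
        if m := NET_ADD_USER.search(e.cmdline):
            created.add(m.group(1).lower())
        if m := NET_ADD_GROUP.search(e.cmdline):
            elevated.add(m.group(1).lower())
    return created & elevated

REMOTE_ADMIN_SHARE = re.compile(r"\\\\[^\\]+\\(?:admin|c)\$\\", re.I)

def remote_service_installs(events):
    """Service binaries whose image path points at a remote ADMIN$/C$ share (PsExec-style remote execution)."""
    return [(e.host, e.image) for e in events if e.kind == "svc" and REMOTE_ADMIN_SHARE.search(e.image)]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

def interpreters_spawned_by_msiexec(events):
    """Script hosts whose parent is msiexec.exe: execution that never touches PowerShell."""
    return [(e.host, e.image, e.cmdline) for e in events
            if e.kind == "proc" and e.parent.lower().endswith(r"\msiexec.exe")
            and e.image.lower().rsplit("\\", 1)[-1] in SCRIPT_HOSTS]

def beacon_candidates(events, min_conns=4, max_cv=0.25):
    """Destinations contacted at near-constant intervals: low coefficient of variation of the inter-connection gaps."""
    times = defaultdict(list)
    for e in events:
        if e.kind == "net":
            times[(e.host, e.dest)].append(e.ts)
    hits = []
    for (host, dest), ts in times.items():
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            hits.append((host, dest, round(mean, 1), round(cv, 3)))
    return hits

if __name__ == "__main__":
    for fn in (lsass_dump_via_comsvcs, attacker_privileged_accounts, remote_service_installs,
               interpreters_spawned_by_msiexec, beacon_candidates):
        print(f"{fn.__name__}: {fn(EVENTS)}")
```

Each check is deliberately narrow so that it explains one task rather than one alert: the account rule requires both the creation and the group add before it fires, which keeps the benign `net use` mapping out of the result, and the beacon rule keys on regularity rather than volume, which is what distinguishes a loader's check-ins from ordinary browsing. The same functions run unchanged over real Sysmon or XDR process-creation and network events once they are mapped into the `Event` fields.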
Skills You'll Build
Complex multi-stage investigations with realistic noise, ambiguous indicators, and lateral movement.
Prerequisites
- Basic understanding of security alerts
- Experience with log analysis tools
- Familiarity with SIEM concepts
- Familiarity with XDR concepts
- Familiarity with Firewall concepts
More Operations
Credential Harvesting: The Lookalike Login
Investigate an adversary-in-the-middle (AiTM) credential phishing campaign that lured an employee to a lookalike Microsoft 365 login page. Working entirely from SIEM logs, you will identify the lookalike domain, reconstruct the multi-hop redirect chain through a compromised legitimate site, uncover a secondary phishing wave against another employee, and confirm account takeover in Azure AD sign-in logs via impossible travel and session-token replay. You finish by choosing the containment action that actually evicts an attacker holding a valid session token. Foundational skills for SOC analysts in lookalike-domain analysis and identity-centric incident response.
Malicious npm Package: Postinstall Infostealer
A developer at a software company installs a typosquatted npm package. The package's postinstall hook silently reads environment variables, SSH keys, and cloud credentials from the user profile and POSTs them to an attacker endpoint before the terminal even finishes. Trace the process tree, the file reads, and the exfiltration traffic to reconstruct the full chain.
QR Code Phishing: Scan to Compromise
In this scenario, you will investigate a modern 'Quishing' (QR phishing) attack that bypassed traditional email filters by hiding its payload inside an image. You will trace the full chain: a spoofed MFA-enrollment lure sent from purpose-built infrastructure, a redirect server that conceals the final destination, and an Evilginx-style adversary-in-the-middle page that stole an authenticated session cookie despite MFA. You will then follow the attacker's post-compromise moves — Graph API mailbox enumeration, SharePoint exfiltration, and a hidden inbox forwarding rule — and choose the containment action that actually evicts them.