Advanced · SIEM · XDR · Firewall · Pro

Akira Ransomware: Full Kill Chain IR

The intrusion began with a search engine advertisement and ended with the deployment of Akira ransomware. This scenario reflects the 2025 threat landscape, emphasizing identity-based compromise, MFA bypass via AiTM kits, and rapid lateral movement toward Active Directory. Analysts must navigate a complex environment of Windows workstations, Domain Controllers, and Cisco VPN infrastructure to reconstruct the timeline from initial access through data exfiltration to final encryption.

2h · 10 tasks · 150 points · Pro


Investigation Tasks

Complete each task by investigating alerts and submitting your findings.

Task 1: Identify the Ransomware Payload (10 points)

CORP-FS-01 went dark overnight: files across the share were renamed to an unfamiliar extension and a ransom note appeared. The host that drove the encryption is corp-wks-102. Working from the impact backward, identify the executable that carried out the mass-encryption stage on that host.

Task 2: Recover the Encryption Key Argument (10 points)

Akira's operators pass their per-victim encryption key on the command line when they launch the encryptor. Having identified the payload on corp-wks-102, examine how it was invoked and recover the key value the operator supplied at runtime.

Task 3: Trace the Pre-Encryption Data Staging (10 points)

Before detonating the ransomware, the actor staged data for theft — a 14 GB transfer left CORP-FS-01 for an external host the night before encryption. On corp-wks-102 a burst of process activity preceded that transfer. Determine which legitimate-looking third-party utility the actor used to compress and bundle the data for exfiltration.

Task 4: Identify the Command-and-Control Channel (10 points)

The operator needed an interactive channel to drive corp-wks-102 between initial access and impact. Shortly after the loader executed on the host, it began beaconing outbound to an external server. Identify the command-and-control destination the host was reaching out to.

Task 5: Uncover the Lateral Movement Mechanism (10 points)

From corp-wks-102 the actor pivoted toward the Domain Controller, installing a service on the remote host to run commands with SYSTEM privileges. Identify the service binary that carried out this remote-execution-based lateral movement.

Task 6: Identify the Attacker-Created Privileged Account (10 points)

To move freely and reach the Domain Controller, the actor needed privileges beyond the compromised user benjamin.smith. Investigate the net.exe activity on corp-wks-102 and the related account-management events to identify the high-privilege account the actor created and then reused to run the encryptor.

Task 7: Determine the Targeted Active Directory Artifact (10 points)

With a privileged account in hand, the actor went after Active Directory's credential store wholesale. Review the file-system activity in XDR on corp-wks-102 and identify the critical Active Directory database file the actor accessed to harvest every domain credential at once.

Task 8: Reconstruct the Credential Harvesting Technique (10 points)

The privileged account did not appear from nowhere — earlier in the intrusion the actor harvested credentials directly from memory on corp-wks-102. Examine the process-execution chain and credential-access behavior in XDR to determine which signed system DLL was abused, alongside rundll32.exe, to dump LSASS memory.

Task 9: Identify the Alternate Execution Interpreter (10 points)

Tracing further back toward the foothold: after the malicious installer ran on corp-wks-102, the actor sidestepped PowerShell controls by running their logic through a different scripting interpreter. Review the execution events that follow the msiexec.exe activity and identify the interpreter the actor used.

Task 10: Pinpoint the Initial Access Foothold (10 points)

Closing the loop on root cause: the entire intrusion began with user benjamin.smith on corp-wks-102, where a file was dropped into a user temp directory after slipping past standard filtering. Analyze the XDR file-system artifacts for that user and identify the document written to disk as the initial-access foothold.


10 tasks · 100 points total

Skills You'll Build

Investigate realistic security alerts
SIEM log analysis
XDR log analysis
Firewall log analysis
MITRE ATT&CK® technique identification
Triage decisions: escalate, investigate, or close
Evidence collection and documentation
Job-ready incident response methodology
Advanced

Complex multi-stage investigations. Realistic noise, ambiguous indicators, lateral movement.

Prerequisites

  • Basic understanding of security alerts
  • Experience with log analysis tools
  • Familiarity with SIEM concepts
  • Familiarity with XDR concepts
  • Familiarity with Firewall concepts

More Operations

Beginner · SIEM

Credential Harvesting: The Lookalike Login

Investigate an adversary-in-the-middle (AiTM) credential phishing campaign that lured an employee to a lookalike Microsoft 365 login page. Working entirely from SIEM logs, you will identify the lookalike domain, reconstruct the multi-hop redirect chain through a compromised legitimate site, uncover a secondary phishing wave against another employee, and confirm account takeover in Azure AD sign-in logs via impossible travel and session-token replay. You finish by choosing the containment action that actually evicts an attacker holding a valid session token. Foundational skills for SOC analysts in lookalike-domain analysis and identity-centric incident response.

40m · 25 pts

Beginner · XDR · SIEM

Malicious npm Package: Postinstall Infostealer

A developer at a software company installs a typosquatted npm package. The package's postinstall hook silently reads environment variables, SSH keys, and cloud credentials from the user profile and POSTs them to an attacker endpoint before the terminal even finishes. Trace the process tree, the file reads, and the exfiltration traffic to reconstruct the full chain.

25m · 25 pts

Beginner · SIEM

QR Code Phishing: Scan to Compromise

In this scenario, you will investigate a modern 'Quishing' (QR phishing) attack that bypassed traditional email filters by hiding its payload inside an image. You will trace the full chain: a spoofed MFA-enrollment lure sent from purpose-built infrastructure, a redirect server that conceals the final destination, and an Evilginx-style adversary-in-the-middle page that stole an authenticated session cookie despite MFA. You will then follow the attacker's post-compromise moves — Graph API mailbox enumeration, SharePoint exfiltration, and a hidden inbox forwarding rule — and choose the containment action that actually evicts them.

30m · 25 pts