Akira Ransomware: Full Kill Chain IR

After gaining access to the svc_backup account, the adversary executed a series of commands on the domain controller. Analyze the XDR behaviors and file events to determine which critical Active Directory database was accessed or copied during the intrusion.

During the investigation of corp-wks-110, an analyst noted a series of suspicious command executions involving akira.exe and powershell.exe. You must determine which legitimate-looking third-party utility was leveraged by the threat actor to prepare files for exfiltration during the final stages of the breach.

After gaining initial access and pivoting through the network, the adversary executed a series of commands at 2025-05-13T01:30:03.812Z to deploy the final stage of the attack. Investigate the child processes spawned during this window to determine the specific filename of the ransomware artifact used to encrypt the system.

After gaining initial access, the threat actor moved laterally to the file server corp-fs-01. At 2025-05-10T20:13:34.686Z, a suspicious process tree was observed involving msiexec.exe and akira.exe. You must analyze the process tree children to find the SHA256 hash of the binary used during the final stage of this execution chain.

After gaining initial access, the adversary attempted to harvest credentials from memory. Review the process execution chain on corp-wks-110 to determine which specific DLL was leveraged alongside rundll32.exe to facilitate this credential access attempt.

After the execution of a suspicious binary on corp-wks-110, the system initiated an outbound connection to an unauthorized external server. Review the XDR Timeline around 2025-05-06T09:15:07.345Z to pinpoint the destination IP used for data exfiltration and command reception.

During the lateral movement phase on 2025-05-09T14:29:55.983Z, the adversary successfully escalated privileges. Investigate the process execution flow to determine which high-privilege account was used to spawn the suspicious net.exe and akira.exe processes.

An alert triggered on corp-wks-110 indicating a suspicious download that bypassed standard filtering. You need to analyze the telemetry for user alicia.garcia to determine exactly which document was opened before the execution of subsequent discovery commands.

The attacker appears to have bypassed standard PowerShell restrictions by leveraging a secondary interpreter. Investigate the timeline events following the initial msiexec.exe activity to determine which process was used to run the malicious logic.

After gaining access to the environment, the adversary attempted to pivot from corp-wks-110 to the Domain Controller. Review the XDR Timeline to pinpoint the exact binary responsible for the service-based lateral movement used during this phase of the attack.