---
title: Akira Ransomware Kill Chain Reconstructed from Perimeter and Endpoint Logs - Capstone Technologies Group
description: Analyze how Akira ransomware operators use AdFind for reconnaissance. Forensic reconstruction from perimeter and endpoint logs reveals attack progression.
canonical_url: https://captechgroup.com/threat-intelligence-center/akira-ransomware-kill-chain-reconstructed-from-per-291768
language: en-GB
date: 2026-05-28T12:41:46Z
notice: This is a machine-friendly version of the page at https://captechgroup.com/threat-intelligence-center/akira-ransomware-kill-chain-reconstructed-from-per-291768. Schema.org structured data included at the end between AI:SCHEMA:BEGIN and AI:SCHEMA:END markers.
markdown-tokens: 6514
---



The Akira ransomware operators demonstrated a methodical seven-stage attack progression that unfolded over approximately 72 hours before encryption. The initial compromise began with a six-hour brute force attack against a single local SSLVPN account, generating a steady stream of authentication failures from a hosting-provider IP address. The firewall syslog captured the exact moment of successful authentication: the attacker pivoted immediately from failed attempts to an established VPN session, without any pause to test the credential, which is the signature of automated tooling rather than a person at a keyboard. (Source: [SANS ISC](https://isc.sans.edu/diary/33024 "Source: SANS ISC"))

Once inside the network through the VPN tunnel, the attacker gained layer-3 access to the user VLAN and immediately targeted a jump host commonly used by legitimate remote administrators. The Windows Security event logs revealed the first internal foothold through Event ID 4624 logons originating from the VPN-assigned IP address. This jump host became the primary staging point for all subsequent lateral movement activities.

Discovery operations commenced within minutes of establishing the jump host beachhead. Event ID 4688 process creation events exposed a systematic reconnaissance pattern executed through `cmd.exe`. The attacker ran `nltest.exe /dclist:` to enumerate domain controllers, followed by `net.exe group "Domain Admins" /domain` and `net.exe group "Enterprise Admins" /domain` to identify high-value accounts. A `whoami.exe /all` command confirmed the current security context. Most notably, the logs captured execution of a renamed executable that exhibited AdFind.exe behavioral patterns - a known Active Directory reconnaissance tool that maps the entire domain structure including users, computers, and organizational units.

Approximately 24 hours after initial access, the attacker shifted to credential harvesting. A cluster of Event ID 4769 Kerberos service ticket requests appeared in the domain controller logs, all originating from the compromised jump host within a 90-second window. Every ticket was RC4-encrypted (TicketEncryptionType 0x17) and the requests targeted three separate service accounts. This is textbook Kerberoasting: the attacker asks the KDC for service tickets, which are encrypted with a key derived from each service account's password, and cracks them offline. RC4 tickets fall to a GPU many times faster than AES ones, which is why the tooling asks for RC4.
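The 4769 pattern described above, as an added example that is not from the original article: Python that reads exported 4769 XML in the layout `wevtutil qe Security /q:"*[System[EventID=4769]]" /f:xml` produces, keeps only issued RC4 tickets for non-computer service accounts, and reports any requester that pulled three or more distinct service tickets inside a two-minute window. The events, host names, account names and the three-ticket threshold are constructed assumptions. The service-account list it returns is also what the credential-reset step in the response section of this article needs.

```python
"""Kerberoasting burst detection over exported Security Event ID 4769 records.

Added example, not from the original article. Input is the XML layout that
`wevtutil qe Security /q:"*[System[EventID=4769]]" /f:xml` emits; the sample
records below are constructed to mirror it, with invented hosts and accounts.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
RC4_HMAC = "0x17"                    # TicketEncryptionType value for RC4-HMAC
WINDOW = timedelta(seconds=120)      # two-minute window used in the detection section
MIN_DISTINCT_SERVICES = 3            # assumption: tune against your baseline


def make_event(ts, user, service, ip, etype, status="0x0"):
    """Constructed 4769 record in wevtutil's XML layout (sample data only)."""
    return (
        f'<Event xmlns="{NS[1:-1]}"><System><EventID>4769</EventID>'
        f'<TimeCreated SystemTime="{ts}"/><Computer>DC1.corp.example</Computer></System>'
        f'<EventData><Data Name="TargetUserName">{user}</Data>'
        f'<Data Name="ServiceName">{service}</Data>'
        f'<Data Name="IpAddress">::ffff:{ip}</Data>'
        f'<Data Name="TicketEncryptionType">{etype}</Data>'
        f'<Data Name="Status">{status}</Data></EventData></Event>'
    )


SAMPLE_EVENTS = [
    # Three RC4 service tickets pulled from the jump host inside 90 seconds.
    make_event("2026-05-21T10:14:03.120Z", "jsmith@CORP.EXAMPLE", "svc_sql", "10.10.5.20", "0x17"),
    make_event("2026-05-21T10:14:41.500Z", "jsmith@CORP.EXAMPLE", "svc_web", "10.10.5.20", "0x17"),
    make_event("2026-05-21T10:15:22.010Z", "jsmith@CORP.EXAMPLE", "svc_backup", "10.10.5.20", "0x17"),
    # Rejected request (Status != 0x0): no ticket was issued, so nothing to crack.
    make_event("2026-05-21T10:15:30.000Z", "jsmith@CORP.EXAMPLE", "svc_hr", "10.10.5.20", "0x17", "0x1b"),
    # Benign noise: AES ticket for a computer account, and a krbtgt referral.
    make_event("2026-05-21T10:14:10.000Z", "amiller@CORP.EXAMPLE", "FS01$", "10.10.7.33", "0x12"),
    make_event("2026-05-21T10:14:12.000Z", "amiller@CORP.EXAMPLE", "krbtgt", "10.10.7.33", "0x12"),
    # One legacy RC4 ticket from another host: below threshold on its own.
    make_event("2026-05-21T10:16:00.000Z", "bjones@CORP.EXAMPLE", "svc_legacy", "10.10.7.40", "0x17"),
]


def parse_4769(xml_text):
    """Pull the fields the rule needs out of one 4769 record."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): d.text for d in root.iter(f"{NS}Data")}
    when = root.find(f"{NS}System/{NS}TimeCreated").get("SystemTime")
    return {"ts": datetime.strptime(when, "%Y-%m-%dT%H:%M:%S.%fZ"),
            "user": data["TargetUserName"], "service": data["ServiceName"],
            "ip": data["IpAddress"].removeprefix("::ffff:"),
            "etype": data["TicketEncryptionType"], "status": data["Status"]}


def is_roastable(ev):
    """An issued RC4 ticket for a user (not computer) service account."""
    return (ev["etype"] == RC4_HMAC and ev["status"] == "0x0"
            and not ev["service"].endswith("$") and ev["service"].lower() != "krbtgt")


def find_kerberoast_bursts(xml_events):
    """{(requesting_ip, user): [service accounts]} for every requester that pulled
    MIN_DISTINCT_SERVICES or more distinct roastable tickets inside WINDOW."""
    by_requester = defaultdict(list)
    for ev in map(parse_4769, xml_events):
        if is_roastable(ev):
            by_requester[(ev["ip"], ev["user"])].append(ev)
    bursts = {}
    for key, evs in by_requester.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):       # slide the window over each start point
            inside = {e["service"] for e in evs[i:] if e["ts"] - start["ts"] <= WINDOW}
            if len(inside) >= MIN_DISTINCT_SERVICES:
                bursts[key] = sorted(inside)
                break
    return bursts


if __name__ == "__main__":
    for (ip, user), services in find_kerberoast_bursts(SAMPLE_EVENTS).items():
        print(f"Kerberoast burst from {ip} as {user}: reset {', '.join(services)}")
```

Computer accounts (names ending in `$`) and `krbtgt` are excluded because their keys are long and random, so an RC4 ticket for them is not crackable in practice; rejected requests are excluded because no ticket material reached the attacker. Grouping by requesting address and user, rather than by address alone, keeps a shared jump host's legitimate sessions from inflating the count.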

Lateral movement consumed the next 48 hours and relied almost exclusively on Remote Desktop Protocol. Event ID 4624 Logon Type 10 entries tracked the attacker's progression from the jump host to critical infrastructure: the file server, both domain controllers, and the backup server. Each successful domain controller logon triggered Event ID 4672 special privilege assignments, confirming the attacker had achieved domain administrator privileges. The attacker created a new account in a non-default Organizational Unit and added it to a built-in group using its Well-Known SID rather than the localized group name - a scripting technique that ensures portability across different Windows language installations.

Pre-staging for impact began with PowerShell reconnaissance using the `-EncodedCommand` flag to obfuscate discovery of backup infrastructure and shadow copy configurations. The final 12 hours collapsed into rapid defensive evasion and impact delivery. Event ID 1102 captured the clearing of the Security event log on the jump host. System Event ID 7036 documented the systematic stopping of endpoint protection services using `sc.exe` and `net stop` commands. The attacker executed `vssadmin delete shadows /all /quiet` across every reachable host to eliminate recovery options. Encryption followed within minutes of shadow deletion, with the ransomware binary deploying through the established RDP sessions to maximize coverage before detection.

### Akira Ransomware 72-Hour Attack Timeline

1. **Initial Compromise:** 6-hour brute force attack on an SSLVPN account. Successful authentication from a hosting-provider IP, immediate VPN session established.
2. **Network Foothold:** Layer-3 access to the user VLAN obtained. Jump host compromised, with Event ID 4624 logons from the VPN-assigned address marking it as the primary staging point.
3. **Discovery & Recon:** Systematic AD enumeration: nltest for DCs, net.exe for admin groups, renamed AdFind.exe for full domain mapping.
4. **Credential Harvesting:** Kerberoasting detected: 90-second burst of RC4-encrypted service ticket requests targeting 3 service accounts.
5. **Lateral Movement:** 48-hour RDP-based expansion from the jump host to critical infrastructure. Event ID 4624 Type 10 logons tracked the progression.
6. **Pre-Staging & Defensive Evasion:** Encoded PowerShell discovery of backup and shadow copy configuration; Security log cleared (Event ID 1102); endpoint protection services stopped (Event ID 7036).
7. **Impact:** `vssadmin delete shadows /all /quiet` on every reachable host, then the encryptor deployed over the established RDP sessions.

## Business Impact & Operational Disruption

The reconstruction of this Akira ransomware incident reveals a critical business reality: the actual encryption event represented only five percent of the total adversary dwell time. The remaining 95 percent — approximately 68 hours based on the timeline evidence — consisted of reconnaissance, credential harvesting, and systematic preparation that occurred while business operations continued normally.

This extended pre-encryption period fundamentally changes the financial calculus of ransomware response. Organizations experiencing similar Akira intrusions face a dual exposure problem that extends far beyond the encrypted files themselves.

The adversary's focus on backup infrastructure reconnaissance using PowerShell commands against shadow copies indicates deliberate targeting of recovery capabilities. When ransomware operators spend dedicated time mapping backup systems before encryption, they're engineering a scenario where paying the ransom becomes the only viable short-term recovery option. This tactical approach directly correlates with higher ransom demands and longer negotiation periods.

The systematic nature of the lateral movement phase — spanning two full days across file servers, domain controllers, and backup servers — suggests potential data staging activities that weren't fully visible in the available logs. While the Windows event channels captured RDP sessions and process creation, they couldn't definitively rule out data exfiltration during those 48 hours of domain-level access.

This uncertainty creates a secondary business crisis beyond operational recovery. Without conclusive evidence about what data may have been accessed or exfiltrated during the pre-encryption period, organizations face indeterminate regulatory exposure and notification obligations. The cost implications extend to forensic investigations, legal consultations, credit monitoring services, and potential regulatory fines — expenses that persist regardless of whether the ransom gets paid.

The targeting pattern observed here — progression from jump host to domain controllers to backup infrastructure — reflects a business-aware adversary. By establishing domain admin privileges approximately 24 hours before encryption, the attackers positioned themselves to understand the organization's critical dependencies and recovery capabilities. This intelligence gathering directly informs ransom pricing strategies.

Recovery timelines for organizations hit by Akira-style attacks depend heavily on the completeness of the shadow copy deletion. The `vssadmin delete shadows /all /quiet` command execution across every reachable host eliminates the fastest recovery path. Without shadow copies or accessible backups, organizations face three primary recovery scenarios: paying for decryption keys (typically 3-5 days including negotiation), rebuilding from offline backups if they exist (7-14 days), or complete infrastructure rebuild (21-30 days).

The business disruption extends beyond IT systems. When domain controllers get encrypted, authentication fails across the enterprise. Email stops flowing. File shares become inaccessible. Business applications that depend on Active Directory authentication cease functioning. Manufacturing lines that rely on domain-joined systems halt production. Point-of-sale systems lose connectivity. The cascade effect touches every digitally-enabled business process.

The timing of the final encryption — executed within minutes after clearing security logs and disabling endpoint protection — demonstrates calculated risk management by the attackers. By compressing all overtly destructive actions into a narrow window, they minimize the chance of detection during the critical final phase while maximizing the time available for earlier reconnaissance and positioning activities that generate less obvious signals.

## Detection Opportunities Across Your Infrastructure

The forensic reconstruction reveals three distinct detection layers where Akira operators left observable traces. Each layer offers unique visibility into different attack phases, with varying implementation complexity and false positive rates.

**Perimeter Detection: Authentication Anomalies and Protocol Violations**

Your firewall logs contain the earliest warning signals, particularly in authentication patterns that deviate from baseline user behavior. Configure alerting for authentication velocity spikes where a single source generates more than 20 failed attempts within 15 minutes against SSLVPN endpoints. This threshold catches automated credential stuffing while avoiding triggers from legitimate users mistyping passwords.

The transition from failed to successful authentication deserves special scrutiny. Hunt for patterns where successful VPN authentication occurs immediately after multiple failures from the same source IP, particularly when the successful login happens within seconds of the last failure. This behavioral signature indicates automated tooling rather than human interaction.
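The two perimeter patterns above (authentication velocity, and a success that lands within seconds of a failure run), as an added example that is not from the original article. The syslog format is a constructed, vendor-neutral approximation; real SSLVPN logs use vendor field names, so the regex is the part to adapt. The five-failure minimum and ten-second gap in the fail-then-success rule are assumptions.

```python
"""Brute-force and fail-then-success detection over SSLVPN authentication syslog.

Added example (not from the original article). The log format is a constructed,
vendor-neutral approximation of firewall SSLVPN auth events; adapt LINE_RE to
your appliance's field names.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

VELOCITY_THRESHOLD = 20                  # failures per source...
VELOCITY_WINDOW = timedelta(minutes=15)  # ...inside this sliding window (the article's threshold)
PIVOT_MIN_FAILURES = 5                   # assumption: failures needed before a success looks like a pivot
PIVOT_MAX_GAP = timedelta(seconds=10)    # assumption: a success this close to the last failure is tooling

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sslvpn: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>FAIL|SUCCESS)$"
)

# Constructed sample: 22 failures in 10.5 minutes from one hosting-provider
# address, success 3 s after the last failure, plus a user who mistyped once.
SAMPLE_SYSLOG = [
    f"2026-05-20T03:{12 + i // 2:02d}:{(i % 2) * 30:02d}Z fw01 sslvpn: user=jsmith src=203.0.113.45 result=FAIL"
    for i in range(22)
] + [
    "2026-05-20T03:22:33Z fw01 sslvpn: user=jsmith src=203.0.113.45 result=SUCCESS",
    "2026-05-20T03:25:00Z fw01 sslvpn: user=amiller src=198.51.100.7 result=FAIL",
    "2026-05-20T03:25:40Z fw01 sslvpn: user=amiller src=198.51.100.7 result=SUCCESS",
]


def parse(lines):
    """Yield dicts for lines that match LINE_RE; anything else is skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                   "user": m["user"], "src": m["src"], "result": m["result"]}


def detect(lines):
    """Return [(rule, src_ip, detail)] in time order for the two perimeter rules."""
    alerts = []
    recent_fails = defaultdict(deque)   # src -> failure timestamps inside VELOCITY_WINDOW
    velocity_fired = set()              # alert once per source, not once per extra failure
    for ev in sorted(parse(lines), key=lambda e: e["ts"]):
        q = recent_fails[ev["src"]]
        while q and ev["ts"] - q[0] > VELOCITY_WINDOW:   # expire failures that left the window
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
            if len(q) > VELOCITY_THRESHOLD and ev["src"] not in velocity_fired:
                velocity_fired.add(ev["src"])
                alerts.append(("auth_velocity", ev["src"], f"{len(q)} failures inside 15 min"))
        elif len(q) >= PIVOT_MIN_FAILURES and ev["ts"] - q[-1] <= PIVOT_MAX_GAP:
            gap = int((ev["ts"] - q[-1]).total_seconds())
            alerts.append(("fail_then_success", ev["src"],
                           f"{ev['user']} succeeded {gap}s after {len(q)} failures"))
    return alerts


if __name__ == "__main__":
    for rule, src, detail in detect(SAMPLE_SYSLOG):
        print(f"{rule:18} {src:15} {detail}")
```

The velocity rule fires once per source when the 21st failure inside the window arrives, so a six-hour spray produces one alert rather than thousands; the pivot rule only consults the failure run that is still inside the window, which is why a user who mistypes once and then logs in forty seconds later produces nothing.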

Geographic and ASN-based anomalies provide another detection layer. Query your firewall logs for VPN authentications originating from hosting-provider address space, particularly ranges registered to VPS and cloud providers such as DigitalOcean (AS14061), Linode (AS63949) or Amazon (AS16509). Legitimate remote workers rarely connect from these networks, but baseline first: users behind a cloud-hosted proxy or a personal VPS-based VPN will. In pseudo-syntax (the ASN enrichment field and its name vary by SIEM): `source_ip IN (ASN:14061, ASN:63949, ASN:16509) AND event_type="vpn_auth_success"`.

**Endpoint Detection: Process Trees and Command-Line Arguments**

Windows endpoints generate rich telemetry through process creation events when properly configured. Focus detection efforts on command-line patterns that indicate reconnaissance and privilege escalation attempts. The following PowerShell query identifies suspicious discovery commands executed through interactive sessions:

```powershell
# Requires Audit Process Creation plus "Include command line in process creation events";
# without the latter, 4688 carries the image path but no arguments.
# Properties[1] is SubjectUserName and Properties[8] is CommandLine on Windows 10 / Server 2016 and later.
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} |
  Where-Object { $_.Properties[8].Value -match 'nltest|dsquery|whoami|net1? (group|user|localgroup)' } |
  Select-Object TimeCreated,
                @{n='User'; e={ $_.Properties[1].Value }},
                @{n='CommandLine'; e={ $_.Properties[8].Value }}
```

Matching on the `CommandLine` property rather than on `Message` avoids false hits on the "New Process Name" path text and is considerably faster on a large log.

Process parent-child relationships reveal attack tool deployment patterns. Alert when **explorer.exe** spawns **cmd.exe** which then launches reconnaissance binaries. This sequence indicates interactive attacker activity rather than scheduled tasks or legitimate automation. The specific chain of explorer.exe → cmd.exe → \[nltest.exe|net.exe|whoami.exe\] appears across multiple Akira incidents. Note that `net.exe` hands its work to `net1.exe`, so the chain may read cmd.exe → net.exe → net1.exe; match on either.

PowerShell encoded commands warrant immediate investigation when combined with specific flags. Search for executions that carry both `-EncodedCommand` (also accepted as `-e`, `-ec` and `-enc`) and `-WindowStyle Hidden` (also `-w hidden`). Legitimate automation rarely needs to hide its console and encode its script at the same time, so the combination indicates deliberate obfuscation. Your [EDR](https://captechgroup.com/services/cybersecurity-services "Cybersecurity Services | Protect Your Business with Capstone Technologies") query would resemble this pseudo-syntax: `process_commandline:*powershell* AND (process_commandline:*-enc* OR process_commandline:*-e *) AND process_commandline:*hidden*`. Decode the base64 (UTF-16LE) payload before triage; the encoded blob on its own says nothing about intent.
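Added example, not code from the original article: the 4688 rules from this section together with the discovery commands, the well-known-SID group edit, the shadow deletion and the service stops from the reconstruction, applied to constructed process-creation records. It walks creator-PID links to recover the explorer.exe → cmd.exe → tool chain, fingerprints renamed AdFind by its switches rather than its file name, and decodes the `-EncodedCommand` payload so the alert carries the decoded script. Host, user, paths and PIDs are invented for the sample.

```python
"""Event ID 4688 rules for the tradecraft in this reconstruction.

Added example, not from the original article. Records are constructed dicts
carrying the 4688 fields used here (NewProcessId, ProcessId, NewProcessName,
ParentProcessName, CommandLine); host, user, paths and PIDs are invented.
"""
import base64
import re

# AdFind's characteristic switches; the file name is irrelevant.
ADFIND_SWITCHES = re.compile(r'(?i)(?:-f\s+"?\(?objectcategory=|-sc\s+trustdmp\b|-subnets\b|-gcb\b)')
DISCOVERY_IMAGES = re.compile(r'(?i)^(?:nltest|whoami|dsquery|net1?)\.exe$')
NET_ENUM = re.compile(r'(?i)^net1?(?:\.exe)?\s+(?:group|user|localgroup)\b')
ENCODED_PS = re.compile(r'(?i)\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})')
HIDDEN_WINDOW = re.compile(r'(?i)\s-w(?:indowstyle)?\s+hidden\b')
SHADOW_DELETE = re.compile(r'(?i)\bvssadmin(?:\.exe)?\s+delete\s+shadows\b')
SERVICE_STOP = re.compile(r'(?i)^(?:sc|net1?)(?:\.exe)?\s+stop\s+\S+')
WELL_KNOWN_SID = re.compile(r'\bS-1-5-32-\d+\b')


def rec(ts, pid, ppid, image, cmdline, parent_image, user="jsmith", computer="JUMP01"):
    return {"ts": ts, "computer": computer, "user": user, "pid": pid, "ppid": ppid,
            "image": image, "cmd": cmdline, "parent": parent_image}


SYS32 = r"C:\Windows\System32"
PS = SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe"
# Constructed payload so the sample carries a real -EncodedCommand to decode.
ENC = base64.b64encode("Get-WmiObject Win32_ShadowCopy".encode("utf-16-le")).decode()

SAMPLE_4688 = [  # constructed; one interactive cmd.exe (PID 4100) under explorer.exe
    rec("10:02:01", 4100, 1200, SYS32 + r"\cmd.exe", "cmd.exe", r"C:\Windows\explorer.exe"),
    rec("10:02:20", 4312, 4100, SYS32 + r"\nltest.exe", "nltest /dclist:", SYS32 + r"\cmd.exe"),
    rec("10:02:35", 4320, 4100, SYS32 + r"\net.exe", 'net group "Domain Admins" /domain', SYS32 + r"\cmd.exe"),
    rec("10:02:50", 4330, 4100, SYS32 + r"\whoami.exe", "whoami /all", SYS32 + r"\cmd.exe"),
    rec("10:05:10", 4400, 4100, r"C:\Users\jsmith\AppData\Local\Temp\svchost_upd.exe",
        'svchost_upd.exe -f "(objectcategory=person)"', SYS32 + r"\cmd.exe"),
    rec("11:40:00", 5000, 4100, PS, f"powershell.exe -w hidden -enc {ENC}", SYS32 + r"\cmd.exe"),
    rec("21:15:02", 5100, 4100, SYS32 + r"\vssadmin.exe", "vssadmin delete shadows /all /quiet", SYS32 + r"\cmd.exe"),
    rec("21:15:09", 5200, 4100, SYS32 + r"\net.exe", "net stop WinDefend", SYS32 + r"\cmd.exe"),
    rec("21:16:30", 5300, 4100, PS, r"powershell Add-LocalGroupMember -SID S-1-5-32-544 -Member corp\svc_maint",
        SYS32 + r"\cmd.exe"),
    # Benign: scheduled inventory script launched by the service host, not a person.
    rec("10:00:00", 6000, 900, PS, r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1",
        SYS32 + r"\svchost.exe", user="SYSTEM"),
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(record, by_pid):
    """Image names child-first, following ProcessId -> NewProcessId links while the
    creator's own 4688 is available, else falling back to ParentProcessName."""
    chain, cur = [basename(record["image"])], record
    for _ in range(8):                       # bound the walk; PIDs get reused
        parent = by_pid.get(cur["ppid"])
        if parent is None:
            chain.append(basename(cur["parent"]))
            break
        chain.append(basename(parent["image"]))
        cur = parent
    return chain


def decode_encoded(cmdline):
    """Decoded -EncodedCommand payload (base64 of UTF-16LE), or None if absent."""
    m = ENCODED_PS.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


def evaluate(records):
    """Return [(rule, pid, detail)] in record order."""
    by_pid = {r["pid"]: r for r in records}
    hits = []
    for r in records:
        img, cmd, chain = basename(r["image"]), r["cmd"], ancestry(r, by_pid)
        if DISCOVERY_IMAGES.match(img) and (not img.startswith("net") or NET_ENUM.match(cmd)):
            rule = "interactive_recon" if {"explorer.exe", "cmd.exe"} <= set(chain) else "recon"
            hits.append((rule, r["pid"], " <- ".join(chain)))
        if ADFIND_SWITCHES.search(cmd) and img != "adfind.exe":
            hits.append(("renamed_adfind", r["pid"], cmd))
        decoded = decode_encoded(cmd)
        if decoded is not None and HIDDEN_WINDOW.search(cmd):
            hits.append(("encoded_hidden_powershell", r["pid"], decoded))
        if SHADOW_DELETE.search(cmd):
            hits.append(("shadow_copy_deletion", r["pid"], cmd))
        if SERVICE_STOP.match(cmd):
            hits.append(("service_stop", r["pid"], cmd))
        if WELL_KNOWN_SID.search(cmd):
            hits.append(("well_known_sid_group_edit", r["pid"], WELL_KNOWN_SID.search(cmd).group()))
    return hits


if __name__ == "__main__":
    for rule, pid, detail in evaluate(SAMPLE_4688):
        print(f"{rule:26} pid={pid:<5} {detail}")
```

The ancestry walk prefers the creator's own 4688 record over the `ParentProcessName` field because the latter only names the immediate parent, and it is bounded because Windows reuses PIDs. A real deployment would key the PID map on (host, PID, creation time) and run the rules over a stream rather than a list, but the rule bodies are unchanged.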

**Network Detection: Lateral Movement Patterns**

RDP traffic between non-standard source-destination pairs signals lateral movement. Monitor for Remote Desktop connections originating from workstations to domain controllers, backup servers, or file shares. These connections violate typical administrative patterns where management traffic flows from dedicated jump hosts or PAWs.
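One way to turn the Type 10 logons from the reconstruction and the source/destination rule above into evidence, as an added example that is not from the original article: taint propagation over 4624 Type 10 records starting from the VPN-assigned address, with 4672 correlation to show where the attacker arrived holding an administrative token, and a Tier 0 rule for RDP that did not originate from a PAW. The inventory, address plan, host names and events are constructed.

```python
"""RDP chain reconstruction from Security 4624 (Logon Type 10) and 4672 events.

Added example, not from the original article. Records are constructed dicts
holding the fields that matter (Computer, TargetUserName, IpAddress,
LogonType); the inventory and addresses are invented for the sample.
"""
from datetime import datetime, timedelta

# Assumption: your CMDB or DHCP logs supply this host/address mapping.
HOST_IPS = {"JUMP01": "10.10.5.20", "FS01": "10.10.20.5", "DC1": "10.10.1.10",
            "DC2": "10.10.1.11", "BACKUP01": "10.10.30.7", "PAW01": "10.10.9.2",
            "WS-0042": "10.10.7.33"}
IP_HOSTS = {ip: host for host, ip in HOST_IPS.items()}
TIER0 = {"DC1", "DC2", "BACKUP01"}       # hosts that should only ever see RDP from a PAW
PAWS = {"PAW01"}
VPN_POOL_IP = "10.10.250.14"             # assumption: address the firewall gave the attacker's session
PRIV_LAG = timedelta(seconds=60)         # a 4672 follows the 4624 it belongs to almost immediately


def ev(ts, event_id, computer, user, ip=None, logon_type=None):
    return {"ts": datetime.fromisoformat(ts), "id": event_id, "computer": computer,
            "user": user, "ip": ip, "type": logon_type}


SAMPLE_EVENTS = [  # constructed; 4672 rows carry no source address
    ev("2026-05-20T03:40:12", 4624, "JUMP01", "jsmith", VPN_POOL_IP, "10"),
    ev("2026-05-21T09:02:44", 4624, "FS01", "jsmith", "10.10.5.20", "10"),
    ev("2026-05-21T14:17:05", 4624, "DC1", "jsmith", "10.10.5.20", "10"),
    ev("2026-05-21T14:17:06", 4672, "DC1", "jsmith"),
    ev("2026-05-21T16:30:00", 4624, "DC1", "adm_ops", "10.10.9.2", "10"),   # legitimate, from the PAW
    ev("2026-05-21T16:30:01", 4672, "DC1", "adm_ops"),
    ev("2026-05-22T08:05:19", 4624, "DC2", "jsmith", "10.10.5.20", "10"),
    ev("2026-05-22T08:05:21", 4672, "DC2", "jsmith"),
    ev("2026-05-22T11:48:33", 4624, "BACKUP01", "jsmith", "10.10.5.20", "10"),
    ev("2026-05-22T12:00:00", 4624, "FS01", "amiller", "10.10.7.33", "3"),   # SMB logon, not RDP
]


def rdp_logons(events):
    return [e for e in events if e["id"] == 4624 and e["type"] == "10"]


def reconstruct_rdp_chain(events, seed_ip):
    """Taint propagation: every Type-10 logon whose source is already tainted
    taints its destination. Returns ordered (host, user, ts, source_host) hops."""
    tainted = {seed_ip}
    hops = []
    for e in sorted(rdp_logons(events), key=lambda x: x["ts"]):
        if e["ip"] in tainted:
            hops.append((e["computer"], e["user"], e["ts"], IP_HOSTS.get(e["ip"], e["ip"])))
            tainted.add(HOST_IPS.get(e["computer"], e["computer"]))
    return hops


def privileged_hops(events, hops):
    """Hosts where a 4672 for the same user followed the hop within PRIV_LAG:
    the attacker arrived there with an administrative token."""
    admin = [e for e in events if e["id"] == 4672]
    return [host for host, user, ts, _ in hops
            if any(a["computer"] == host and a["user"] == user
                   and timedelta(0) <= a["ts"] - ts <= PRIV_LAG for a in admin)]


def tier0_rdp_violations(events):
    """Type-10 logons into Tier 0 from anything that is not a PAW, whoever the user is."""
    return sorted({(e["computer"], IP_HOSTS.get(e["ip"], e["ip"]), e["user"])
                   for e in rdp_logons(events)
                   if e["computer"] in TIER0 and IP_HOSTS.get(e["ip"]) not in PAWS})


if __name__ == "__main__":
    chain = reconstruct_rdp_chain(SAMPLE_EVENTS, VPN_POOL_IP)
    for host, user, ts, src in chain:
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {src:>12} -> {host:<9} as {user}")
    print("admin token on:", privileged_hops(SAMPLE_EVENTS, chain))
    print("Tier 0 RDP not from a PAW:", tier0_rdp_violations(SAMPLE_EVENTS))
```

The taint set deliberately grows as hosts are reached, so an RDP hop from a domain controller the attacker already held is attributed to the chain even though its source is not the jump host; the legitimate administrator's session from the PAW stays out because its source address was never tainted. The output of `reconstruct_rdp_chain` is also the contamination list the backup-validation step in the response section asks for.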

Kerberos ticket requests reveal credential harvesting attempts through timing and encryption analysis. Configure detection for multiple TGS requests using RC4 encryption from a single workstation within a two-minute window. In Zeek the `krb_tgs_request` event delivers a `KRB::KDC_Request` whose `encryption_types` vector lists the etypes the client offered (23 is RC4-HMAC); a client that offers only RC4 is asking for a roastable ticket, and counting those per source address gives the rule:

```zeek
@load base/frameworks/notice

redef enum Notice::Type += { Kerberoast_RC4_Burst };

# Per-client count of TGS-REQs that offer only RC4-HMAC (etype 23); entries expire after two minutes.
global rc4_tgs: table[addr] of count &default=0 &create_expire=2min;

event krb_tgs_request(c: connection, msg: KRB::KDC_Request)
	{
	if ( |msg$encryption_types| == 1 && msg$encryption_types[0] == 23 &&
	     ++rc4_tgs[c$id$orig_h] > 3 )
		NOTICE([$note=Kerberoast_RC4_Burst, $conn=c,
		        $msg=fmt("RC4-only TGS burst from %s", c$id$orig_h)]);
	}
```

This catches tooling that explicitly requests RC4 only, as common Kerberoasting tools do by default, but not a tool that offers AES and RC4 and receives RC4 merely because the service account supports nothing better. The `TicketEncryptionType` field of the domain controller's Event ID 4769 records what was actually issued and remains the authoritative signal; the network rule is the early warning.

Volume-based anomalies in SMB traffic patterns indicate pre-encryption reconnaissance. Baseline normal file share access patterns, then alert when a single source generates more than 100 SMB directory listing operations per minute. This catches automated enumeration tools scanning for valuable data before encryption begins.

## Immediate Response & Containment Actions

When Akira operators reach the encryption stage, you have minutes, not hours, to prevent total system compromise. The forensic evidence shows they execute `vssadmin delete shadows /all /quiet` immediately before launching their encryptor — this command sequence is your last clear detection point before business operations cease.

**Immediate Actions (0-60 Minutes)**

Disconnect the compromised jump host from network access immediately. Don't shut it down — preserve memory contents for forensic analysis. The attacker used this system as their primary pivot point, and active connections may still exist. Physical disconnection preserves evidence while preventing further lateral movement.

Force-terminate any running processes matching AdFind behavioral patterns. Look for renamed executables launched from `cmd.exe` that query Active Directory structure. The operators consistently rename this tool but maintain its characteristic command-line arguments targeting domain trust relationships.

Reset credentials for the service accounts named in the RC4 (0x17) Event ID 4769 requests. Treat them as compromised: each ticket is encrypted with a key derived from the account's NT hash, so whoever holds the ticket can crack the password offline at leisure, and the log cannot tell you whether the crack has already succeeded. Generate new random passwords of at least 25 characters, or migrate the service to a group Managed Service Account, which rotates a 240-byte password automatically, and distribute credentials through out-of-band channels, not through the compromised infrastructure. Reset the requesting user account as well; it was the attacker's context on the jump host.

Disable the local SSLVPN account that served as the initial entry point. This requires direct firewall configuration access, not Active Directory changes. The disconnect between directory services and firewall user databases enabled this breach — closing one without the other leaves the door open.

**Short-Term Stabilization (1-24 Hours)**

Export Windows event logs from all domain controllers before they roll over. Focus on Security channel events from the past seven days, particularly EID 4624 (logons), 4672 (special privileges), and 4688 (process creation). Use `wevtutil epl Security C:\Evidence\DC1_Security.evtx` to create forensic copies.

Validate backup integrity without connecting to production systems. Akira operators specifically reconnoitre backup infrastructure through encoded PowerShell commands. Mount backup media on isolated systems and verify file accessibility. Any backup server showing Event ID 4624 Type 10 logons from the compromised jump host should be considered contaminated.

Establish alternative communication channels outside the compromised domain. Email servers within the affected Active Directory forest cannot be trusted for incident coordination. Use cellular hotspots and personal devices for initial response team coordination until you verify the extent of domain controller compromise.

**Akira-Specific Response Challenges**

The operators' addition of their new account to a built-in group by its well-known SID rather than its localized name indicates scripting written to run unchanged across Windows language packs. Because Event IDs 4728 and 4732 (member added to a security-enabled global or local group) always record the group's SID, query those events for the group SIDs that matter (S-1-5-32-544 for BUILTIN\Administrators) rather than for display names, and search 4688 command lines and PowerShell script-block logs for literal `S-1-5-32-` strings, which almost never appear in legitimate administrative commands. The account the attackers created is a separate identity: resetting the credentials they stole does nothing to it, so enumerate recent Event ID 4720 (user account created) events and disable or delete anything you cannot attribute.

Monitor for service disruption attempts beyond encryption. The System channel EID 7036 events show deliberate endpoint protection service termination using `sc.exe` and `net stop` commands. Any security service entering a stopped state during the response window likely indicates active operator presence, not automated malware execution.

The 95-percent pre-encryption dwell time creates a data exfiltration window you cannot ignore. While the logs analyzed didn't capture outbound transfer evidence, the extended reconnaissance phase and systematic domain controller access suggest data staging occurred. Assume intellectual property compromise until proven otherwise through comprehensive network traffic analysis.

## Hardening Against Akira's Attack Methods

The forensic reconstruction exposes three critical architectural weaknesses that enabled Akira's progression through the environment. Each weakness corresponds to a specific control failure that organizations can address through targeted hardening measures.

**Network Segmentation for Initial Access Prevention**

The compromised local SSLVPN account provided unrestricted layer-3 access directly into the user VLAN. This flat network architecture meant a single guessed password granted immediate reach to internal jump hosts.

Deploy a dedicated DMZ segment for VPN termination that requires secondary authentication before accessing production networks. Configure your firewall to enforce strict inter-zone policies where VPN users land in an isolated segment with access only to a hardened gateway server. That gateway becomes your authentication checkpoint — users must authenticate again with different credentials before reaching internal resources.

The local account provisioning disconnect between Active Directory and the firewall created a shadow identity problem. Implement a weekly reconciliation process that compares firewall local users against AD disabled accounts. Any mismatch triggers automatic deprovisioning on the firewall. This prevents orphaned accounts from surviving directory cleanup.

Configure conditional access policies that evaluate source reputation during VPN authentication. The hosting-provider IP range used in the brute force would fail a basic ASN or reputation check even where its geolocation looked plausible. Require step-up authentication when connections originate from non-corporate IP blocks or from countries where your organization lacks operations.

**Process Execution Controls Against Discovery Tools**

The renamed AdFind executable ran without restriction from the jump host. Application control that matches on publisher or file hash rather than file name would have refused it whatever it was called.

Deploy AppLocker or Windows Defender Application Control with default-deny rules on all administrative systems. Create publisher rules that permit only signed Microsoft binaries and your approved administrative tools. Unknown executables like renamed discovery tools fail execution before they can enumerate your environment. Run the policy in audit mode first, then enforce; AppLocker writes both audited and blocked executions to the Microsoft-Windows-AppLocker/EXE and DLL channel (Event ID 8003 in audit mode, 8004 when enforced) for investigation.

Configure PowerShell Constrained Language Mode on non-administrative workstations. It does not stop an operator from running `-EncodedCommand`; it limits what the decoded script can do, removing arbitrary .NET method calls, COM objects and Add-Type, which breaks most in-memory tooling while leaving ordinary cmdlet-based automation working. It is only enforced reliably when an AppLocker or WDAC policy is in place, so treat it as a companion to application control, and turn on script block logging (Event ID 4104) so the decoded content of encoded commands lands in the PowerShell Operational log.

Enable command-line process auditing and build detection rules for directory and domain query tools: `nltest.exe`, `dsquery.exe` and `ldifde.exe` executed from anything other than a domain controller. These tools have legitimate uses on DCs and on a few documented administrative hosts, but indicate reconnaissance when run from workstations or member servers; exempt the documented hosts rather than the tools.

**Lateral Movement Barriers Through Privilege Boundaries**

The RDP chain from jump host to domain controllers revealed absent privilege boundaries. Domain admin credentials were active on a system directly accessible from the VPN segment.

Put all domain admin accounts in the Protected Users group. Membership blocks NTLM authentication, disables RC4 and DES for the account's own Kerberos pre-authentication and TGT, prevents delegation, and caps TGT lifetime at four hours. It does not stop Kerberoasting, which targets service accounts with SPNs rather than the admins who log on: the encryption type of a service ticket is determined by the service account's msDS-SupportedEncryptionTypes attribute. Close that gap by setting AES-only encryption on every SPN-bearing account, giving those accounts long random passwords or migrating them to group Managed Service Accounts, and ensuring no SPN is attached to a privileged user account. Protected Users does not block RDP by itself; pair it with "Deny log on through Remote Desktop Services" for Tier 0 accounts on lower-tier systems so that a domain admin credential is useless on a jump host.

Deploy Local Administrator Password Solution (LAPS) or a third-party PAM solution to randomize local admin passwords. Even if attackers compromise one system's local administrator, lateral movement using those credentials stops at that single machine. The jump host compromise cannot escalate to other systems through password reuse.

Configure Windows Firewall rules that restrict RDP sources. Domain controllers should accept RDP only from designated Privileged Access Workstations, not from general jump hosts. Scoping by security group membership uses the "Allow the connection if it is secure" option with an authorized computers or users list, which requires IPsec authentication between the endpoints; where IPsec is not deployed, fall back to remote-address scoping that lists only the PAW addresses. This network-layer enforcement complements the authentication controls.

### Critical Security Weaknesses & Mitigation Strategy

- **Critical:** Deploy a DMZ for VPN termination with secondary authentication; weekly AD-firewall account reconciliation process; conditional access with geolocation checks.
- **Critical:** Deploy AppLocker with default-deny rules; publisher rules for signed binaries only; PowerShell Constrained Language Mode.
- **Critical:** Eliminate the local account provisioning disconnect; step-up authentication for suspicious sources; monitor the AppLocker event channel for violations.


## Log Collection & Forensic Requirements

The forensic reconstruction demonstrates that successful Akira investigations depend on preserving specific Windows event channels and correlating them with perimeter telemetry. Organizations maintaining proper log retention discovered attack evidence spanning 72 hours before encryption, while those with default configurations lost critical discovery-phase artifacts within 24 hours.

**Windows Event Channel Requirements**

Your domain controllers generate the authoritative record of privilege escalation through Event ID 4672 (Special Logon) entries. These events consume approximately 500 bytes each and appear whenever administrative tokens activate. During Akira intrusions, operators trigger bursts of 4672 events when accessing domain controllers via RDP — preserve at least 30 days of Security channel logs at 2GB minimum per DC.

Member servers require expanded Process Creation auditing through Event ID 4688 configuration. The default 20MB Security log rolls within hours on active systems, erasing discovery commands like `nltest.exe /dclist:` and renamed AdFind executions. Configure 1GB minimum retention, enable Audit Process Creation under the Advanced Audit Policy, and turn on "Include command line in process creation events" (Administrative Templates > System > Audit Process Creation), without which 4688 records the image path but not the arguments.

The PowerShell Operational channel (Microsoft-Windows-PowerShell/Operational) complements process auditing: Event ID 4688 shows only the base64 blob passed to `-EncodedCommand`, whereas script block logging (Event ID 4104) records the decoded script. Akira operators consistently use encoded commands for backup reconnaissance; budget 500MB for this channel to keep about seven days of typical activity.

**Perimeter Log Volume Planning**

Firewall authentication logs generate approximately 150 bytes per SSLVPN attempt. The observed brute-force pattern produced 2,000 events over six hours — roughly 300KB of raw syslog. However, legitimate authentication traffic multiplies this baseline by 50-100x daily. Plan for 15-30MB daily for authentication events alone.

NAT translation logs prove essential for correlating VPN-assigned addresses to internal lateral movement. Each connection generates 200-300 bytes including source NAT, destination, and port mappings. A single compromised VPN session typically produces 5,000-10,000 NAT entries during reconnaissance — approximately 2MB per incident day.

**Timeline Reconstruction Challenges**

The gap between perimeter and endpoint timestamps creates forensic blind spots when NTP synchronization fails. Firewall logs showing successful VPN authentication at 14:32:15 UTC might correspond to Windows logons anywhere from 14:31:00 to 14:34:00 local time depending on clock drift. This three-minute uncertainty window compounds across multi-day intrusions.

Missing intermediate hops further complicate timeline assembly. When jump hosts lack adequate Security log retention, the connection between initial VPN access and eventual domain controller compromise becomes circumstantial. The attacker's dwell time on pivot systems disappears, leaving only the entry and exit points visible.

**Critical Preservation Points**

Volume shadow copies on hosts the attacker never reached, and snapshots held on the backup appliance itself, still contain pre-encryption file states after `vssadmin delete shadows` runs on the hosts the attacker did reach. Deleting a shadow copy releases its blocks rather than wiping them, so forensic tools can sometimes recover VSS metadata and data from unallocated space if the volume is imaged before those blocks are reused. These recovered shadows provide file modification timelines that Windows event logs cannot reconstruct.

Memory captures preserve the Kerberos ticket caches that show which service tickets the attacker actually held, but take them from the requesting host, not the domain controller: a DC issues tickets and logs Event ID 4769, it does not cache them. The jump host's LSASS keeps the RC4 service tickets named in 4769 for their lifetime, 10 hours by default, so capturing its memory inside that window (or running `klist` in the attacker's session context) recovers the ticket material that the event log only references by service name and encryption type.

<!-- AI:SCHEMA: Schema.org description of canonical page in JSON-LD format -->
<!-- AI:SCHEMA:BEGIN format=jsonld scope=page -->

```json
{
    "@context": "http://schema.org",
    "@graph": [
        {
            "@type": "Article",
            "author": {
                "@id": "https://captechgroup.com/#brian_0fd5dfcdbc"
            },
            "dateModified": "2026-05-28T12:41:46Z",
            "datePublished": "2026-05-28T12:41:46Z",
            "description": "Analyze how Akira ransomware operators use AdFind for reconnaissance. Forensic reconstruction from perimeter and endpoint logs reveals attack progression.",
            "headline": "Akira Ransomware Kill Chain Reconstructed from Perimeter and Endpoint Logs",
            "image": {
                "@id": "https://captechgroup.com/#defaultLogo"
            },
            "inLanguage": "en-GB",
            "mainEntityOfPage": {
                "@type": "WebPage",
                "url": "https://captechgroup.com/threat-intelligence-center/akira-ransomware-kill-chain-reconstructed-from-per-291768"
            },
            "publisher": {
                "@id": "https://captechgroup.com/#defaultPublisher"
            },
            "url": "https://captechgroup.com/threat-intelligence-center/akira-ransomware-kill-chain-reconstructed-from-per-291768"
        },
        {
            "@type": "Person",
            "name": "Brian",
            "@id": "https://captechgroup.com/#brian_0fd5dfcdbc"
        },
        {
            "@id": "https://captechgroup.com/#defaultLogo",
            "@type": "ImageObject",
            "url": "https://captechgroup.com/images/hotlink-ok/logo-light.jpg",
            "width": 1300,
            "height": 300
        },
        {
            "@id": "https://captechgroup.com/#defaultPublisher",
            "@type": "Organization",
            "url": "https://captechgroup.com/",
            "logo": {
                "@id": "https://captechgroup.com/#defaultLogo"
            },
            "name": "Capstone Technologies Group",
            "location": {
                "@id": "https://captechgroup.com/#defaultPlace"
            }
        },
        {
            "@id": "https://captechgroup.com/#defaultPlace",
            "@type": "Place",
            "address": {
                "@id": "https://captechgroup.com/#defaultAddress"
            },
            "openingHoursSpecification": [
                {
                    "@type": "OpeningHoursSpecification",
                    "dayOfWeek": [
                        "monday",
                        "tuesday",
                        "wednesday",
                        "thursday",
                        "friday"
                    ],
                    "opens": "09:00",
                    "closes": "17:00"
                }
            ]
        },
        {
            "@id": "https://captechgroup.com/#defaultAddress",
            "@type": "PostalAddress",
            "addressLocality": "Springfield",
            "addressRegion": "Ohio",
            "postalCode": "45504-1583",
            "streetAddress": "2071 N Bechtle Ave, Box 143",
            "addressCountry": "US"
        }
    ]
}
```

<!-- AI:SCHEMA:END -->

