This write-up reconstructs an Akira-attributed intrusion by joining SSLVPN syslog with Windows EVTX to show how the attackers gained access, escalated privileges, and prepared for ransomware deployment. It highlights that the most useful defensive evidence appears before encryption, including brute-force login attempts, Kerberoasting, RDP movement, log clearing, and shadow copy deletion. #Akira #Kerberoasting #nltest #vssadmin
Key points
- A forgotten local SSLVPN account was brute-forced and successfully used for initial access.
- Windows logs showed discovery commands such as nltest.exe, net.exe, and whoami.exe on the jump host.
- RC4-based Kerberos ticket requests indicated Kerberoasting against service accounts.
- The attacker used RDP for lateral movement and gained domain-level privileges.
- Defense evasion included clearing logs, stopping protections, and deleting shadow copies before encryption.
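As an added example (not code from the write-up), a small Python triage pass over constructed Windows Security events that flags the pre-encryption indicators listed above: RC4 (0x17) service-ticket requests for several SPNs from one user account, discovery tooling, RDP logons, audit-log clearing and shadow copy deletion. Event IDs 4769, 4688, 4624 and 1102 are standard Windows Security events; the field names and sample values are assumed.

```python
from collections import defaultdict

# Constructed sample events modelled on Windows Security log fields (not from the write-up).
# 4769 = Kerberos service ticket request, 4688 = process creation, 4624 = logon, 1102 = audit log cleared.
EVENTS = [
    {"id": 4769, "account": "jdoe@CORP.LOCAL", "service": "svc_sql", "enc": "0x17", "src": "10.0.5.20"},
    {"id": 4769, "account": "jdoe@CORP.LOCAL", "service": "svc_backup", "enc": "0x17", "src": "10.0.5.20"},
    {"id": 4769, "account": "jdoe@CORP.LOCAL", "service": "svc_web", "enc": "0x17", "src": "10.0.5.20"},
    {"id": 4769, "account": "WS01$@CORP.LOCAL", "service": "krbtgt", "enc": "0x12", "src": "10.0.7.11"},
    {"id": 4688, "host": "JUMP01", "cmdline": r"C:\Windows\System32\nltest.exe /dclist:corp"},
    {"id": 4624, "host": "DC01", "account": "jdoe", "logon_type": 10, "src": "10.0.5.20"},
    {"id": 4688, "host": "JUMP01", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"id": 1102, "host": "JUMP01"},
]

RC4_ETYPES = {"0x17", "0x18"}  # RC4-HMAC and RC4-HMAC-EXP ticket encryption types
DISCOVERY = ("nltest.exe", "net.exe", "whoami.exe")

def detect(events, spn_threshold=3):
    """Return a list of (rule, detail) findings for one batch of event dicts."""
    findings = []
    rc4_spns = defaultdict(set)  # requesting account -> SPNs requested with RC4
    for ev in events:
        if ev["id"] == 4769:
            acct = ev["account"]
            # Machine accounts (name ends in $) request tickets routinely; one user account
            # pulling RC4 tickets for many different SPNs is the Kerberoasting pattern.
            if ev["enc"].lower() in RC4_ETYPES and not acct.split("@")[0].endswith("$"):
                rc4_spns[acct].add(ev["service"])
        elif ev["id"] == 4688:
            cmd = ev["cmdline"].lower()
            exe = cmd.split()[0].rsplit("\\", 1)[-1]  # strip any directory path
            if exe in DISCOVERY:
                findings.append(("discovery_command", ev["cmdline"]))
            if "vssadmin" in cmd and "delete" in cmd and "shadows" in cmd:
                findings.append(("shadow_copy_deletion", ev["cmdline"]))
        elif ev["id"] == 4624 and ev.get("logon_type") == 10:  # type 10 = RemoteInteractive (RDP)
            findings.append(("rdp_logon", f"{ev['account']} -> {ev['host']} from {ev['src']}"))
        elif ev["id"] == 1102:
            findings.append(("log_cleared", ev["host"]))
    for acct, spns in rc4_spns.items():
        if len(spns) >= spn_threshold:
            findings.append(("kerberoasting", f"{acct} requested RC4 tickets for {len(spns)} SPNs"))
    return findings
```

Correlating the Kerberoasting source address with the RDP source and the VPN syslog is what ties the events to one intrusion rather than isolated alerts.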