Kira

Difficulty: Easy
Score: 4000
Completions: 0

NorthLedger have been targeted by Akira and do not have a clear starting point for their investigation. Their logging granularity is limited, and following the attack they had to reinstall Splunk in an attempt to recover visibility over parts of the incident.

You will find two indexes available for analysis:

winevt
winevt-recover

Initial triage suggests the threat actor may have gained access using a compromised VPN account belonging to james.harris, an IT Admin within the NorthLedger environment. Due to his elevated role, this account may have provided the attacker with access to administrative systems, internal tooling, and privileged areas of the network.

Your task is to analyse the available Windows event logs across both indexes, identify the earliest signs of compromise, and reconstruct the attack timeline as far as the available evidence allows. Pay close attention to authentication activity, privilege use, lateral movement, suspicious PowerShell execution, service changes, staging activity, and any actions consistent with ransomware preparation or deployment.
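As an added example that is not part of the lab material: a short Python sketch of the merge-and-sort step the brief calls for, run over constructed events shaped like the two indexes. The event records, hosts, addresses and timestamps are invented, and the field names (EventCode, TargetUserName and so on) are an assumption about Splunk's Windows field naming, not the lab's actual data.

```python
from datetime import datetime

# Constructed sample events standing in for the two Splunk indexes named in
# the brief; every value here is invented for illustration, and the field
# names are assumed to follow the Splunk Windows add-on style.
SAMPLE_INDEXES = {
    "winevt": [
        {"_time": "2026-06-30T23:58:10", "EventCode": 4624, "TargetUserName": "james.harris",
         "LogonType": 3, "IpAddress": "10.0.0.12", "host": "FS01"},
        {"_time": "2026-07-01T00:03:40", "EventCode": 4104, "TargetUserName": "james.harris",
         "ScriptBlockText": "Get-Service", "host": "FS01"},
    ],
    "winevt-recover": [
        {"_time": "2026-06-30T23:41:05", "EventCode": 4624, "TargetUserName": "james.harris",
         "LogonType": 10, "IpAddress": "10.8.0.5", "host": "JUMP01"},
        {"_time": "2026-06-30T23:41:06", "EventCode": 4672, "TargetUserName": "james.harris",
         "host": "JUMP01"},
        {"_time": "2026-07-01T00:10:00", "EventCode": 7045, "TargetUserName": "SYSTEM",
         "ServiceName": "updater", "host": "FS01"},
    ],
}

# Event IDs mapped to the investigation phases the brief lists.
PHASES = {4624: "authentication", 4672: "privilege use",
          4104: "powershell execution", 7045: "service change"}


def build_timeline(indexes, account):
    """Merge events from every index, keep those tied to the account (plus service
    installs, which log as SYSTEM), and sort oldest-first across both indexes."""
    timeline = []
    for index_name, events in indexes.items():
        for ev in events:
            phase = PHASES.get(ev.get("EventCode"))
            if phase is None:
                continue
            if phase != "service change" and ev.get("TargetUserName") != account:
                continue
            detail = ev.get("IpAddress") or ev.get("ServiceName") or ev.get("ScriptBlockText") or ""
            timeline.append({"time": datetime.fromisoformat(ev["_time"]), "index": index_name,
                             "host": ev.get("host"), "phase": phase,
                             "event_code": ev["EventCode"], "detail": detail})
    timeline.sort(key=lambda e: e["time"])
    return timeline


def earliest_sign(indexes, account):
    """Return the oldest matching event across all indexes, or None if there are none."""
    timeline = build_timeline(indexes, account)
    return timeline[0] if timeline else None
```

With these sample records the earliest event sits in the recovered index, which is the point: searching only winevt would miss the first logon and the privilege-assignment event that follows it.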

Defensive

Activity

Lab Released 2026-07-01 12:30:00