NorthLedger have been targeted by Akira and do not have a clear starting point for their investigation. Their logging granularity is limited, and following the attack they had to reinstall Splunk in an attempt to recover visibility over parts of the incident.
You will find two indexes available for analysis:
winevt
winevt-recover
Initial triage suggests the threat actor may have gained access using a compromised VPN account belonging to james.harris, an IT Admin within the NorthLedger environment. Due to his elevated role, this account may have provided the attacker with access to administrative systems, internal tooling, and privileged areas of the network.
Your task is to analyse the available Windows event logs across both indexes, identify the earliest signs of compromise, and reconstruct the attack timeline as far as the available evidence allows. Pay close attention to authentication activity, privilege use, lateral movement, suspicious PowerShell execution, service changes, staging activity, and any actions consistent with ransomware preparation or deployment.
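A starting search for the triage described above, added here as an example rather than part of the scenario materials. It assumes the logs are indexed with the Splunk Add-on for Windows field names (EventCode, Account_Name, Logon_Type, Service_Name, ScriptBlockText); the event IDs are standard Windows Security, System and PowerShell Operational IDs, and the union of both indexes is deduplicated because the Splunk reinstall may have re-ingested overlapping data.

```spl
(index=winevt OR index=winevt-recover)
    EventCode IN (4624, 4625, 4672, 4688, 4698, 4720, 4732, 7045, 4104, 1102)
| eval user=coalesce(Account_Name, user)
| dedup _time host EventCode user
| eval phase=case(
    EventCode IN (4624, 4625), "authentication",
    EventCode=4672,            "privilege use",
    EventCode IN (4720, 4732), "account or group change",
    EventCode IN (4688, 4104), "process or PowerShell execution",
    EventCode IN (7045, 4698), "service or scheduled task change",
    EventCode=1102,            "security log cleared",
    true(),                    "other")
| search user="james.harris"
    OR EventCode IN (7045, 4698, 4104, 1102)
| table _time index host EventCode phase user Logon_Type Service_Name ScriptBlockText
| sort 0 _time
```

The first rows give the earliest candidate for initial access; Logon_Type 10 (RDP) or 3 (network) against hosts james.harris does not normally touch, followed by 4672 and 7045 on the same host, marks where lateral movement and staging should be examined next.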
