Role alignment
Threat Hunter / SecOps Analyst
Executive summary
Cyber-range Akira ransomware hunt using Microsoft Defender telemetry to reconstruct remote access, staging, lateral movement, defense evasion, data staging, and impact artifacts.
Hiring relevance
The ransomware hunt demonstrates the ability to reconstruct ransomware activity from telemetry, preserve a defensible timeline, and turn observed behavior into detection opportunities.
Full technical write-up available
This portfolio page summarizes the project for hiring review. Use the Evidence Links section to read the full technical write-up and review the supporting project artifacts.
2
Affected Hosts
40
Flag Analyses
Jan 27, 2026
First Known IOC
Jan 28, 2026
Last Known IOC
Problem
The investigation needed to determine how a ransomware event unfolded across AS-PC2 and AS-SRV, identify supporting evidence, map observed behavior to ATT&CK, and document detection gaps.
Environment / Tools
Approach
- 1Scoped the hunt to Microsoft Defender Advanced Hunting tables covering process, file, network, registry, logon, and device events.
- 2Used Akira ransom-note and .akira file artifacts to anchor the impact phase.
- 3Pivoted from AnyDesk relay traffic to suspicious execution path, external IP, and user context.
- 4Correlated wsync.exe, suspicious domains, hashes, and follow-on tooling.
- 5Investigated Defender registry tampering, LSASS-related telemetry, internal enumeration, SMB traffic, PowerShell downloads, data staging, shadow copy deletion, and cleanup behavior.
- 6Mapped the observed activity to MITRE ATT&CK and documented detection opportunities.
Evidence
- The repository README contains an executive summary, scope, ATT&CK mapping, 40 flag analyses, KQL queries, screenshots, detection gaps, and final assessment.
- Documented ransomware indicators include an Akira ransom note, .akira marker, updater.exe, and SHA256 e609d070ee9f76934d73353be4ef7ff34b3ecc3a2d1e5d052140ed4cb9e4752b.
- Remote access evidence includes AnyDesk activity from C:\Users\Public, relay-0b975d23.net.anydesk.com, external IP 88.97.164.155, and user David.Mitchell.
- Defense evasion and impact evidence includes kill.bat, DisableAntiSpyware, reg.exe, wmic shadowcopy delete, vssadmin delete shadows /all /quiet, and clean.bat.
- The report supports data staging through exfil_data.zip but does not claim confirmed successful exfiltration.
Ransomware Hunt Pivots
- 1.Anchor investigation on Akira ransom-note and .akira artifacts
- 2.Pivot to AnyDesk remote access activity and user context
- 3.Correlate staged tools, suspicious domains, and file hashes
- 4.Investigate Defender tampering and LSASS-related telemetry
- 5.Trace enumeration, SMB activity, downloads, and data staging
- 6.Confirm shadow copy deletion and cleanup commands
- 7.Convert observed activity into ATT&CK mapping and detection recommendations
Result
The report confirmed AS-PC2 and AS-SRV as affected hosts, documented a timeline from first known IOC on January 27, 2026 at 19:13:11 UTC through last known IOC on January 28, 2026 at 04:43:30 UTC, and identified detection recommendations for remote access misuse, Defender tampering, tool transfer, archive creation, shadow copy deletion, and privileged activity correlation.
What I learned
- Ransomware investigations require correlating impact artifacts with earlier remote access, staging, discovery, and defense evasion activity.
- MDE telemetry can support a timeline across process, file, registry, network, and logon evidence.
- Detection recommendations are stronger when tied to specific observed commands, hashes, paths, accounts, and ATT&CK techniques.