Unknown Scope of Credential Compromise
One or more accounts are confirmed compromised, but it is unclear how many additional credentials the attacker has obtained. Resetting only known-compromised accounts may be insufficient, while a mass reset disrupts operations.
Signals
- Attacker demonstrated access to multiple accounts with no clear common phishing vector
- Credential dumping tools (Mimikatz, secretsdump) detected on a compromised host
- Pass-the-hash or pass-the-ticket activity observed in authentication logs
- LSASS memory access alerts from EDR on one or more systems
Pivot Actions
1. Audit LSASS access and credential-dumping indicators across all endpoints via EDR sweep
2. Query Active Directory for accounts with recent password changes, new SPNs, or modified attributes that indicate attacker manipulation
3. Review Kerberos ticket-granting logs (Event ID 4768/4769) for anomalous TGT/TGS requests
4. Scope the blast radius by mapping every host the confirmed-compromised accounts touched and treating those hosts as potentially compromised
5. Implement tiered credential reset: immediate reset for confirmed-compromised and high-privilege accounts, monitored reset for the remaining population
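Added example (not part of the original playbook) showing how the blast-radius and tiered-reset steps above can be scripted over domain controller logon events (4624/4648). The events, account names, hostnames and the simplified field names are constructed assumptions for illustration, not real event XML fields.

```python
# Added example (not from the page): scope a credential compromise from
# constructed Security-log events. Events are minimal dicts modelled on
# Event ID 4624 (logon) and 4648 (explicit credentials); the field names
# are simplified assumptions, not the real event XML names.

# Constructed sample: jdoe is confirmed compromised; the rest is activity
# around the hosts jdoe touched.
EVENTS = [
    {"id": 4624, "user": "jdoe", "host": "WS01", "type": 2, "pkg": "Kerberos"},
    {"id": 4624, "user": "jdoe", "host": "FS01", "type": 3, "pkg": "Kerberos"},
    {"id": 4624, "user": "da_admin", "host": "FS01", "type": 10, "pkg": "Kerberos"},
    {"id": 4624, "user": "da_admin", "host": "WS01", "type": 9, "pkg": "NTLM"},
    {"id": 4648, "user": "jdoe", "host": "WS01", "target": "svc_backup"},
    {"id": 4624, "user": "svc_backup", "host": "FS01", "type": 3, "pkg": "NTLM"},
    {"id": 4624, "user": "asmith", "host": "WS07", "type": 2, "pkg": "Kerberos"},
]
ALL_ACCOUNTS = {"jdoe", "da_admin", "svc_backup", "asmith"}
CONFIRMED = {"jdoe"}        # known compromised
PRIVILEGED = {"da_admin"}   # high-privilege tier
# Logon types that leave reusable secrets (password, hash or ticket) in LSASS.
CACHING_LOGON_TYPES = {2, 4, 5, 10, 11}

def blast_radius(events, confirmed):
    """Pivot action 4: every host a confirmed-compromised account logged on to."""
    return {e["host"] for e in events if e["id"] == 4624 and e["user"] in confirmed}

def exposed_accounts(events, hosts):
    """Accounts whose secrets were likely dumpable from a host in the blast radius."""
    return {e["user"] for e in events
            if e["id"] == 4624 and e["host"] in hosts and e["type"] in CACHING_LOGON_TYPES}

def credential_reuse_suspects(events):
    """Accounts seen in patterns consistent with stolen-credential use:
    NTLM logon type 9 (NewCredentials) or a 4648 using another account's creds."""
    suspects = set()
    for e in events:
        if e["id"] == 4624 and e["type"] == 9 and e["pkg"] == "NTLM":
            suspects.add(e["user"])
        elif e["id"] == 4648 and e["target"] != e["user"]:
            suspects.add(e["target"])
    return suspects

def reset_tiers(accounts, confirmed, privileged, suspects):
    """Pivot action 5: immediate reset for confirmed, privileged and suspect
    accounts; monitored reset for the remaining population."""
    immediate = (confirmed | privileged | suspects) & accounts
    return {"immediate": immediate, "monitored": accounts - immediate}
```

On the constructed sample the blast radius is WS01 and FS01, da_admin and svc_backup surface as credential-reuse suspects, and only asmith remains in the monitored tier.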
Alternate Evidence Sources
- Domain controller Security Event Logs (4624, 4625, 4648, 4768, 4769, 4776) for authentication anomalies
- EDR credential-access telemetry (LSASS reads, SAM hive access, DPAPI abuse)
- Azure AD Identity Protection risk detections and sign-in risk reports