🔑 Credential Theft

Identify Patient Zero (First Compromised System)

Patient Zero

Phishing Email Triage and Indicator Extraction

Phishing Triage

Validate the Initial Access Vector

Access Validation

Containment

(3 procedures)

Credential and Account Lockdown

Account Lockdown

Revoke Cloud Sessions and Tokens

Revoke Cloud Sessions

Phishing Containment: Block, Quarantine, Purge

Phishing Quarantine

Preservation

(3 procedures)

Volatile Memory Capture

Memory Capture

Log Preservation and Snapshot

Log Snapshot

Document Chain of Custody for All Collected Evidence

Chain of Custody

Collection

(6 procedures)

Phishing Artifact Collection: Headers, URLs, Attachments

Phishing Artifact Collection

EDR Telemetry Collection

EDR Collection

M365 Unified Audit Log Collection

M365 UAL Collection

Azure AD Sign-In and Audit Log Collection

Azure AD Logs

Identify Alternative Evidence When Primary Logs Are Missing

Missing Log Fallback

Coordinate Log Collection from Third-Party Vendors

Third-Party Logs

Analysis

(3 procedures)

Lateral Movement Analysis and Mapping

Lateral Movement

Analyze Evidence of Credential Dumping Techniques

Credential Dumping

Phishing Campaign Scope and Credential Exposure

Phishing Campaign Analysis

Eradication

(7 procedures)

Remove Malware, Backdoors, and Persistence Mechanisms

Malware Removal

Mass Credential Reset and Session Invalidation

Credential Reset

Comprehensive Persistence Mechanism Sweep

Persistence Hunt

Eradication Verification Checklist

Eradication Verification

Phishing Remediation: Purge, Reset, Revoke

Phishing Remediation

Patch Exploited Vulnerabilities to Prevent Re-Compromise

Patch Vulnerability

Post-Incident Configuration Hardening

Config Hardening

180min

Recovery

(2 procedures)

Rebuild Compromised Systems from Known-Good Images

System Rebuild

240min

Phased Service Restoration with Enhanced Monitoring

Service Restoration

Post-Incident Review

(3 procedures)

Create New Detection Rules Based on Incident Findings

Detection Improvement

Generate Comprehensive Incident Report

Incident Report

180min

Conduct Lessons Learned Review Session

Lessons Learned