🔑 Credential Theft
Theft of authentication credentials through brute force, credential stuffing, keylogging, LSASS dumping, or password database compromise.
31 procedures, 8 lifecycle stages

Triage (4 procedures)
  Bound the Investigation Timeframe [Timeframe Bounding], 30 min
  Identify Patient Zero (First Compromised System) [Patient Zero], 60 min
  Phishing Email Triage and Indicator Extraction [Phishing Triage], 30 min
  Validate the Initial Access Vector [Access Validation], 45 min
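
Added example, not one of this playbook's procedures: a small Python triage helper that works the first two Triage steps above against Entra ID (Azure AD) sign-in records. It flags attacker source IPs by the failure pattern typical of credential theft (many failures across many accounts for credential stuffing, many failures against one account for brute force), takes patient zero as the earliest successful sign-in from a flagged IP, and bounds the investigation window from the first attacker activity (minus a lookback margin) to the last. The records are constructed; the field names (createdDateTime, userPrincipalName, ipAddress, status.errorCode), the meaning of error code 50126 as an invalid-password failure, and the thresholds are assumptions made for this example.

```python
"""Credential-theft triage: flag attacker IPs, pick patient zero, bound the
investigation window from Entra ID (Azure AD) sign-in records."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SUCCESS = 0            # status.errorCode of a successful sign-in (assumed)
INVALID_CREDS = 50126  # status.errorCode "invalid username or password" (assumed)


def rec(ts, upn, ip, code):
    """Build one record in the (assumed) shape of a Graph signIn export."""
    return {"createdDateTime": ts, "userPrincipalName": upn,
            "ipAddress": ip, "status": {"errorCode": code}}


# Constructed sample data for this example, not real logs.
SAMPLE_SIGNINS = [
    rec("2024-03-10T01:00:00Z", "alice@example.com", "198.51.100.10", SUCCESS),
    rec("2024-03-10T01:30:00Z", "bob@example.com", "198.51.100.11", INVALID_CREDS),  # typo
    rec("2024-03-10T01:30:20Z", "bob@example.com", "198.51.100.11", SUCCESS),
    # one IP walks a list of accounts with leaked passwords, one try each
    rec("2024-03-10T02:14:05Z", "alice@example.com", "203.0.113.7", INVALID_CREDS),
    rec("2024-03-10T02:14:09Z", "bob@example.com", "203.0.113.7", INVALID_CREDS),
    rec("2024-03-10T02:14:13Z", "carol@example.com", "203.0.113.7", INVALID_CREDS),
    rec("2024-03-10T02:14:18Z", "dave@example.com", "203.0.113.7", INVALID_CREDS),
    rec("2024-03-10T02:14:22Z", "erin@example.com", "203.0.113.7", INVALID_CREDS),
    rec("2024-03-10T02:20:00Z", "erin@example.com", "203.0.113.7", SUCCESS),
    rec("2024-03-10T02:31:00Z", "erin@example.com", "203.0.113.7", SUCCESS),
] + [
    # a second IP hammers a single account and never gets in
    rec(f"2024-03-10T03:0{i}:00Z", "bob@example.com", "192.0.2.5", INVALID_CREDS)
    for i in range(6)
]


def parse_ts(value):
    """Parse the UTC 'Z' timestamps used in the export."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify_source_ips(records, min_failures=5, min_users=3):
    """Return {ip: label} for IPs whose failed sign-ins look like credential
    stuffing (many failures spread over many accounts) or brute force (many
    failures against one account). A user's couple of typos stays below threshold."""
    failures = defaultdict(lambda: defaultdict(int))  # ip -> upn -> failure count
    for r in records:
        if r["status"]["errorCode"] == INVALID_CREDS:
            failures[r["ipAddress"]][r["userPrincipalName"].lower()] += 1
    labels = {}
    for ip, per_user in failures.items():
        total = sum(per_user.values())
        if total >= min_failures and len(per_user) >= min_users:
            labels[ip] = "credential_stuffing"
        elif max(per_user.values()) >= min_failures:
            labels[ip] = "brute_force"
    return labels


def patient_zero(records, attacker_ips):
    """Earliest successful sign-in from a flagged IP: the first account the
    attacker actually got into. Returns (upn, timestamp, ip) or None."""
    hits = [(parse_ts(r["createdDateTime"]), r["userPrincipalName"], r["ipAddress"])
            for r in records
            if r["ipAddress"] in attacker_ips and r["status"]["errorCode"] == SUCCESS]
    if not hits:
        return None
    ts, upn, ip = min(hits)
    return upn, ts, ip


def bound_timeframe(records, attacker_ips, lookback=timedelta(hours=24)):
    """Investigation window: first attacker-IP activity minus a lookback (to
    catch earlier low-and-slow attempts the thresholds missed) through the
    last attacker-IP activity seen. Returns (start, end) or None."""
    stamps = [parse_ts(r["createdDateTime"])
              for r in records if r["ipAddress"] in attacker_ips]
    if not stamps:
        return None
    return min(stamps) - lookback, max(stamps)


def triage(records):
    """Run all three steps and return the triage summary."""
    ips = classify_source_ips(records)
    return {"attacker_ips": ips,
            "patient_zero": patient_zero(records, ips),
            "timeframe": bound_timeframe(records, ips)}


if __name__ == "__main__":
    import pprint
    pprint.pprint(triage(SAMPLE_SIGNINS))
```

Two caveats when running this against real exports: a password spray (one password tried across many accounts at a low rate) can sit below the per-IP thresholds, and attackers rotating through proxy pools defeat grouping by IP entirely, so pivot on user agent, ASN, or the Graph correlation fields as well before declaring the window closed.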

Containment (3 procedures)
  Credential and Account Lockdown [Account Lockdown], 45 min
  Revoke Cloud Sessions and Tokens [Revoke Cloud Sessions], 30 min
  Phishing Containment: Block, Quarantine, Purge [Phishing Quarantine], 45 min

Preservation (3 procedures)

Collection (6 procedures)
  Phishing Artifact Collection: Headers, URLs, Attachments [Phishing Artifact Collection], 60 min
  EDR Telemetry Collection [EDR Collection], 120 min
  M365 Unified Audit Log Collection [M365 UAL Collection], 90 min
  Azure AD Sign-In and Audit Log Collection [Azure AD Logs], 60 min
  Identify Alternative Evidence When Primary Logs Are Missing [Missing Log Fallback], 60 min
  Coordinate Log Collection from Third-Party Vendors [Third-Party Logs], 120 min

Analysis (3 procedures)

Eradication (7 procedures)
  Remove Malware, Backdoors, and Persistence Mechanisms [Malware Removal], 120 min
  Mass Credential Reset and Session Invalidation [Credential Reset], 90 min
  Comprehensive Persistence Mechanism Sweep [Persistence Hunt], 120 min
  Eradication Verification Checklist [Eradication Verification], 90 min
  Phishing Remediation: Purge, Reset, Revoke [Phishing Remediation], 60 min
  Patch Exploited Vulnerabilities to Prevent Re-Compromise [Patch Vulnerability], 60 min
  Post-Incident Configuration Hardening [Config Hardening], 180 min