Credential Theft Response Quickstart
Time-boxed response path for credential theft incidents including credential dumping, pass-the-hash, Kerberoasting, and credential harvesting attacks. Focuses on rapid account lockdown, volatile-evidence capture, credential-dumping technique analysis, and comprehensive credential reset across the environment.
First 15 Minutes
Validate the credential-theft alert by reviewing the triggering detection. Common indicators include LSASS process access (Sysmon Event ID 10), suspicious Mimikatz or Rubeus tool signatures in EDR, Kerberoasting activity (Event ID 4769 with RC4 encryption), DCSync operations (Event ID 4662 with DS-Replication-Get-Changes), or credential-dumping tool artifacts in memory. Confirm the alert is a true positive before escalating to full incident response.
Determine which accounts have been compromised by analyzing the credential-theft technique. For LSASS dumps, all accounts with active sessions on the affected host are compromised. For Kerberoasting, all service accounts with SPNs are at risk. For DCSync, the entire domain credential database may be compromised. Cross-reference with Azure AD sign-in logs to check whether stolen credentials have already been used for unauthorized access to cloud resources.
Immediately disable or reset passwords for all accounts identified as compromised or at risk. For domain accounts, reset passwords and disable the account in Active Directory. For cloud accounts, revoke sessions and refresh tokens in Azure AD. Prioritize domain-admin accounts, service accounts with elevated privileges, and any accounts that authenticate to critical infrastructure. Consider whether a KRBTGT password reset is necessary if a DCSync attack is confirmed.
Network-isolate the hosts where credential theft occurred to prevent the attacker from using stolen credentials for lateral movement. Use EDR network-isolation features, firewall rules, or VLAN changes to cut off the affected systems while maintaining forensic access. If the attacker has already moved laterally, identify and isolate those systems as well. Do not power off the systems, as memory evidence is critical for understanding the credential-theft technique.
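The alert-validation step above names three log-based indicators (Sysmon Event ID 10 against LSASS, Event ID 4769 with RC4, Event ID 4662 with a replication right). The following is an added example, not DFIR Assist tooling, that encodes those indicators as triage rules and runs them over constructed event records; the replication-right GUIDs and the 0x17 (RC4-HMAC) encryption-type value are the standard Windows values and are not taken from the page, and field names assume a Windows/Sysmon-schema export.

```python
# Triage rules for the credential-theft indicators the checklist names. Constructed
# example, not DFIR Assist tooling; a real SIEM export needs its own field mapping.
DS_REPLICATION_GUIDS = (
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
)
RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC in Event ID 4769

def classify(ev):
    """Return the indicator labels one event matches (empty list if none)."""
    hits = []
    eid = ev.get("EventID")
    # Sysmon Event ID 10: some process opened a handle to lsass.exe
    if eid == 10 and ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        hits.append("lsass-access")
    # 4769 with RC4 for a user-owned SPN; computer accounts and krbtgt are noise
    if eid == 4769 and ev.get("TicketEncryptionType") == RC4_HMAC:
        svc = ev.get("ServiceName", "").lower()
        if not svc.endswith("$") and svc != "krbtgt":
            hits.append("kerberoast-candidate")
    # 4662 carrying a replication control-access right: DCSync-style pull
    props = ev.get("Properties", "").lower()
    if eid == 4662 and any(g in props for g in DS_REPLICATION_GUIDS):
        hits.append("dcsync-replication")
    return hits

def triage(events):
    """Group matching events by indicator: {label: [(host, actor), ...]}."""
    findings = {}
    for ev in events:
        for label in classify(ev):
            actor = (ev.get("SubjectUserName") or ev.get("TargetUserName")
                     or ev.get("SourceImage") or "?")
            findings.setdefault(label, []).append((ev.get("Computer", "?"), actor))
    return findings

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"EventID": 10, "Computer": "WS17", "SourceImage": "C:\\Temp\\dbg.exe",
     "TargetImage": "C:\\Windows\\system32\\lsass.exe"},
    {"EventID": 10, "Computer": "WS17", "SourceImage": "C:\\Windows\\system32\\csrss.exe",
     "TargetImage": "C:\\Windows\\system32\\svchost.exe"},
    {"EventID": 4769, "Computer": "DC01", "TargetUserName": "jdoe",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "Computer": "DC01", "TargetUserName": "jdoe",
     "ServiceName": "WS17$", "TicketEncryptionType": "0x12"},
    {"EventID": 4662, "Computer": "DC01", "SubjectUserName": "jdoe",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
]
```

Only the first, third and fifth sample records match; the AES-encrypted ticket for a computer account and the handle to svchost.exe are filtered out, which is the true-positive check the step asks for.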
First 60 Minutes
Acquire full memory dumps from all systems where credential theft was detected. Memory analysis is essential for credential-theft investigations because it reveals the exact tool used (Mimikatz, Rubeus, ProcDump, comsvcs.dll), the technique employed (LSASS dump, SAM extraction, DCSync), and the credentials that were extracted. Memory may also contain the attacker's command history, injected code, and network connections to C2 infrastructure. Use WinPMEM and hash all acquisitions.
Preserve Windows Security event logs and Sysmon logs from all affected hosts and domain controllers covering at least 7 days before the credential-theft event. Key events include logon events (4624, 4625, 4648), Kerberos ticket operations (4768, 4769), directory-service access (4662), and Sysmon process-access events targeting LSASS (Event ID 10). These logs reconstruct the attack timeline and reveal whether the stolen credentials were already used for lateral movement.
Pull EDR telemetry from affected systems focusing on process-creation events, process-access events (especially targeting LSASS), file writes to sensitive locations, and PowerShell/command-line activity. EDR data helps identify the full credential-theft kill chain from initial tool deployment through credential extraction and subsequent use. Look for defense-evasion techniques such as unhooking NTDLL, disabling Event Tracing for Windows, or using direct syscalls to avoid detection.
First 4 Hours
Perform detailed analysis of the credential-theft technique to determine the exact scope of compromise. For LSASS memory dumps, analyze the dump to enumerate all extracted credentials. For Kerberoasting, identify which service-account tickets were requested and assess password strength. For DCSync, determine whether the full ntds.dit database was replicated. Examine Prefetch files for evidence of credential-theft tool execution and correlate timestamps with Security event logs.
Search for persistence mechanisms the attacker may have established to maintain access after credential resets. Common persistence methods in credential-theft scenarios include Golden Ticket attacks (requires KRBTGT hash), Silver Ticket attacks (service-account hashes), skeleton-key installations on domain controllers, DCShadow modifications, and backdoor accounts. Examine Amcache and ShimCache for evidence of attacker tool execution and check for newly created or modified accounts in Active Directory.
Map the full extent of lateral movement using stolen credentials by correlating logon events across all domain-joined systems. Look for Type 3 (network) and Type 10 (RDP) logons from the compromised accounts, remote service creation, scheduled-task creation on remote systems, and WMI/PowerShell remoting activity. Each system accessed with stolen credentials must be treated as potentially compromised and added to the investigation scope for persistence hunting and evidence collection.
Execute a comprehensive credential reset based on the scope of compromise determined during analysis. For LSASS dumps, reset all accounts with sessions on affected hosts. For Kerberoasting, reset all service-account passwords to long, complex values and convert to managed service accounts where possible. For DCSync, reset the KRBTGT password twice (with a 12-hour interval), reset all domain-admin passwords, and consider resetting all domain-user passwords. Coordinate the reset timing to minimize business disruption while ensuring all attacker access is revoked.
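The lateral-movement step above asks for Type 3 (network) and Type 10 (RDP) logons by compromised accounts to be correlated across hosts so that every system reached is added to scope. The following is an added example, not DFIR Assist tooling, that does that correlation over constructed 4624/4625 records: it keeps only successful logons, de-duplicates each (account, source, target, type) hop to its first-seen time, and returns the hosts to scope.

```python
# Added example for the lateral-movement step; constructed, not DFIR Assist tooling.
# Input records mirror the Windows 4624/4625 event schema (field names assumed).
LATERAL_LOGON_TYPES = {3: "network", 10: "rdp"}  # the logon types the step calls out

def map_lateral_movement(events, compromised_accounts):
    """Return (hops, hosts). hops is a time-ordered list of first-seen
    (time, account, source_ip, target_host, logon_kind) tuples for successful
    network/RDP logons by compromised accounts; hosts is the set of target
    hosts that must be added to the investigation scope."""
    first_seen = {}
    wanted = {a.lower() for a in compromised_accounts}
    for ev in events:
        if ev.get("EventID") != 4624:
            continue  # only a successful logon establishes a hop; 4625 is a failure
        kind = LATERAL_LOGON_TYPES.get(ev.get("LogonType"))
        acct = ev.get("TargetUserName", "").lower()
        if kind is None or acct not in wanted:
            continue
        key = (acct, ev.get("IpAddress", "-"), ev["Computer"], kind)
        t = ev["TimeCreated"]  # ISO-8601 UTC strings sort chronologically
        if key not in first_seen or t < first_seen[key]:
            first_seen[key] = t
    hops = sorted((t,) + key for key, t in first_seen.items())
    return hops, {hop[3] for hop in hops}

SAMPLE_LOGONS = [  # constructed records, not real telemetry
    {"TimeCreated": "2026-03-01T09:01:00Z", "EventID": 4624, "Computer": "FS01",
     "TargetUserName": "svc_backup", "LogonType": 3, "IpAddress": "10.0.5.23"},
    {"TimeCreated": "2026-03-01T09:02:30Z", "EventID": 4624, "Computer": "WS17",
     "TargetUserName": "jdoe", "LogonType": 2, "IpAddress": "-"},
    {"TimeCreated": "2026-03-01T09:04:10Z", "EventID": 4624, "Computer": "DC01",
     "TargetUserName": "svc_backup", "LogonType": 10, "IpAddress": "10.0.5.23"},
    {"TimeCreated": "2026-03-01T08:55:00Z", "EventID": 4624, "Computer": "FS01",
     "TargetUserName": "svc_backup", "LogonType": 3, "IpAddress": "10.0.5.23"},
    {"TimeCreated": "2026-03-01T09:05:00Z", "EventID": 4625, "Computer": "APP02",
     "TargetUserName": "svc_backup", "LogonType": 3, "IpAddress": "10.0.5.23"},
]

if __name__ == "__main__":
    hops, hosts = map_lateral_movement(SAMPLE_LOGONS, {"svc_backup"})
    for hop in hops:
        print(*hop)
    print("add to scope:", sorted(hosts))
```

For the sample data the result is two hops (FS01 over the network at 08:55, then DC01 over RDP at 09:04); the failed logon against APP02 is reported separately rather than treated as a reached host.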
DFIR Assist - Credential Theft Response Quickstart | Printed 3/1/2026