Mimikatz or credential dumping tool signatures fired
SAM or NTDS.dit database access alert
Suspicious process accessing lsass.exe
Multiple failed authentications followed by successful logins
Post-exploitation credential harvesting suspected
[01]
Alert Triage & Tool Identification
You are a SOC analyst investigating a credential dumping alert.
Assume an enterprise Windows environment unless I specify otherwise.
Paste the raw alert, EDR detection, or SIEM log below.
Analyze the following:
1. What tool or technique does this alert suggest?
- Mimikatz / variants (sekurlsa, lsadump)
- ProcDump / Task Manager LSASS dump
- Volume Shadow Copy / NTDS.dit access
- DCSync attack (replication rights abuse)
- Registry SAM/SECURITY/SYSTEM hive access
- LSASS memory injection
2. What process triggered the alert?
- Process name, PID, parent process
- User context (SYSTEM, admin, standard user)
- Execution path (suspicious if in temp, appdata, or unusual location)
3. What is the immediate risk level?
- Is this on a Domain Controller? (CRITICAL)
- Is this on a privileged workstation?
- Is the triggering account a service account or admin?
Output format:
ALERT SUMMARY
- Detection Type: [tool/technique identified]
- Triggering Process: [process name + path]
- User Context: [who ran it]
- Target: [what was accessed - LSASS / SAM / NTDS]
- Initial Risk: Critical / High / Medium / Low
CONFIDENCE
- Confidence this is malicious: High / Medium / Low
- Reason: [one sentence]
Only analyze what is present in the data provided.
Do not guess or assume values not in the alert.
[PASTE CREDENTIAL DUMPING ALERT OR EDR DETECTION HERE]
[02]
Technique Analysis & MITRE Mapping
Based on the credential dumping alert from Step 1, perform a detailed technique analysis.
1. Map the technique to MITRE ATT&CK:
- Primary technique (e.g. T1003.001 — LSASS Memory)
- Sub-techniques if applicable
- Associated tactics (Credential Access, Privilege Escalation, Lateral Movement)
2. Identify what credentials are at risk:
- NTLM hashes (pass-the-hash risk)
- Kerberos tickets (pass-the-ticket / golden ticket risk)
- Plaintext credentials (WDigest enabled?)
- Service account credentials
- Domain Admin credentials
3. Assess post-exploitation risk:
- Can dumped credentials enable lateral movement?
- Can they enable privilege escalation?
- Is Domain Controller compromise possible?
- What systems are reachable with these credentials?
4. List top 3 false positive scenarios for this specific alert.
Output format:
MITRE ATT&CK MAPPING
| Tactic | Technique ID | Technique Name | Confidence |
CREDENTIALS AT RISK
| Credential Type | Risk | Impact if Compromised |
POST-EXPLOITATION RISK
- Lateral Movement: Yes / No / Unknown — [reason]
- Privilege Escalation: Yes / No / Unknown — [reason]
- DC Compromise Risk: Yes / No / Unknown — [reason]
FALSE POSITIVES
1. [scenario]
2. [scenario]
3. [scenario]
Base everything on the actual alert data provided.
[03]
Investigation Checklist & Containment
Generate a targeted investigation and containment checklist for this credential dumping alert.
For each checklist item provide:
- Exact log source to check
- Specific event IDs or field values
- What malicious looks like vs benign
INVESTIGATION CHECKLIST:
1. Process Investigation
- Review full process tree (parent → child)
- Check process execution path for anomalies
- Verify process hash against known-good baseline
- Event IDs: Security 4688 (process creation), Sysmon 1 (process creation with hashes and command line), Sysmon 10 (process access)
2. LSASS Access Verification
- Check which processes opened a handle to lsass.exe
- Sysmon Event ID 10 (ProcessAccess) with TargetImage ending in lsass.exe; inspect GrantedAccess for PROCESS_VM_READ (0x0010) or PROCESS_ALL_ACCESS (0x1FFFFF), the rights needed to read credential material out of the process
- Note the SourceImage and its path: AV/EDR engines read LSASS legitimately and are the usual false positive, while an unknown binary in a temp or user-writable directory is the priority
3. Authentication Log Review
- Check for new logon events after alert time (4624, 4625, 4648)
- Look for lateral movement: remote logons from affected host
- Check for Pass-the-Hash: Security 4624 Logon Type 3 with Authentication Package NTLM (Logon Process NtLmSsp) originating from the affected host where Kerberos is expected
4. Network Activity
- Outbound connections from affected host after alert
- SMB connections to other hosts (lateral movement indicator)
- Any C2 beacon patterns
5. Containment Actions (prioritise these)
HIGH PRIORITY: Should affected host be isolated immediately?
HIGH PRIORITY: Should affected credentials be reset immediately?
- Force password reset for every account that had a logon session on the affected host (each one's secrets sat in LSASS at dump time), not only the triggering user
- Revoke active sessions and Kerberos tickets; klist purge only clears the local ticket cache on that host, and tickets already copied off it remain valid until they expire
- If DC involved: consider a krbtgt password reset, performed twice with AD replication allowed to complete in between, so both stored krbtgt password versions are replaced and any forged golden ticket is invalidated
Also provide 3 SIEM queries to hunt for related credential dumping activity.
If SIEM tool is known, write queries for that tool.
If unknown, write generic logic with clearly labelled placeholders like [field_name].
Base everything on the actual alert data. Do not give generic SOC advice.
[04]
SOC Ticket Summary
Write a professional SOC ticket summary for this credential dumping investigation.
Include:
- What the alert detected (one sentence)
- Whether it appears malicious, suspicious, or benign and why
- The key evidence supporting that conclusion
- Recommended next action and who owns it
- Whether immediate containment is required
Length: 3–5 sentences maximum.
Format: suitable for pasting directly into a SIEM ticket or incident log.
Severity: Critical / High / Medium / Low / Informational
Disposition: True Positive / False Positive / Needs Investigation
MITRE ATT&CK MAPPING
| Tactic | Technique ID | Technique Name | Confidence |
IOCS
| IOC Type | Value | Context |
CREDENTIALS POTENTIALLY COMPROMISED
| Account | Type | Reset Required |
CONTAINMENT STATUS
- Host Isolated: Yes / No / Pending
- Credentials Reset: Yes / No / Pending
- Incident Escalated: Yes / No / Pending
If no IOCs identified, state: "No IOCs identified."
Example Output
Here's what you can expect after completing this workflow:
CREDENTIAL DUMPING INVESTIGATION REPORT
========================================
Report ID: CRED-2024-0089
Analyst: SOC Team
Date: 2024-03-22 11:15:00 UTC
ALERT SUMMARY
=============
Detection Type: LSASS Memory Access (T1003.001) — Mimikatz sekurlsa::logonpasswords
Triggering Process: mimikatz.exe (C:\Users\jsmith\AppData\Local\Temp\mimikatz.exe)
User Context: jsmith (standard user; reading LSASS memory needs administrator rights or SeDebugPrivilege, so either the account is over-privileged or a prior privilege escalation is missing from the timeline)
Target: lsass.exe (PID 648)
Initial Risk: CRITICAL
MITRE ATT&CK MAPPING
====================
| Tactic | Technique ID | Technique Name | Confidence |
| Credential Access | T1003.001 | LSASS Memory | High |
| Defense Evasion | T1036 | Masquerading | Medium |
CREDENTIALS AT RISK
===================
| Credential Type | Risk | Impact if Compromised |
| NTLM Hashes | High | Pass-the-Hash lateral movement |
| Kerberos Tickets | High | Pass-the-Ticket / Golden Ticket |
| Domain Admin creds | High | Full domain compromise |
POST-EXPLOITATION RISK
======================
- Lateral Movement: Yes — NTLM hashes enable pass-the-hash to adjacent hosts
- Privilege Escalation: Yes — Domain Admin credentials potentially exposed
- DC Compromise Risk: Yes — dumped credentials include domain admin account
SOC TICKET
==========
Severity: CRITICAL
Disposition: True Positive
Mimikatz execution detected on WKSTN-042 accessing LSASS memory under
standard user jsmith. Binary executed from user temp directory — consistent
with attacker-dropped tooling. Immediate host isolation and credential
reset recommended. Escalate to Tier 3 and IR team.
CONTAINMENT STATUS
==================
- Host Isolated: Pending
- Credentials Reset: Pending
- Incident Escalated: Yes