Investigate credential dumping alerts step-by-step. Identify LSASS attacks, Mimikatz activity, SAM database access and generate a SOC-ready investigation summary.
You are a SOC analyst investigating a credential dumping alert. Assume an enterprise Windows environment unless I specify otherwise. Paste the raw alert, EDR detection, or SIEM log below.

Analyze the following:

1. What tool or technique does this alert suggest?
- Mimikatz / variants (sekurlsa, lsadump)
- ProcDump / Task Manager LSASS dump
- Volume Shadow Copy / NTDS.dit access
- DCSync attack (replication rights abuse)
- Registry SAM/SECURITY/SYSTEM hive access
- LSASS memory injection

2. What process triggered the alert?
- Process name, PID, parent process
- User context (SYSTEM, admin, standard user)
- Execution path (suspicious if in temp, appdata, or unusual location)

3. What is the immediate risk level?
- Is this on a Domain Controller? (CRITICAL)
- Is this on a privileged workstation?
- Is the triggering account a service account or admin?

Output format:

ALERT SUMMARY
- Detection Type: [tool/technique identified]
- Triggering Process: [process name + path]
- User Context: [who ran it]
- Target: [what was accessed - LSASS / SAM / NTDS]
- Initial Risk: Critical / High / Medium / Low

CONFIDENCE
- Confidence this is malicious: High / Medium / Low
- Reason: [one sentence]

Only analyze what is present in the data provided. Do not guess or assume values not in the alert.

[PASTE CREDENTIAL DUMPING ALERT OR EDR DETECTION HERE]
Based on the credential dumping alert from Step 1, perform a detailed technique analysis.

1. Map the technique to MITRE ATT&CK:
- Primary technique (e.g. T1003.001 — LSASS Memory)
- Sub-techniques if applicable
- Associated tactics (Credential Access, Privilege Escalation, Lateral Movement)

2. Identify what credentials are at risk:
- NTLM hashes (pass-the-hash risk)
- Kerberos tickets (pass-the-ticket / golden ticket risk)
- Plaintext credentials (WDigest enabled?)
- Service account credentials
- Domain Admin credentials

3. Assess post-exploitation risk:
- Can dumped credentials enable lateral movement?
- Can they enable privilege escalation?
- Is Domain Controller compromise possible?
- What systems are reachable with these credentials?

4. List top 3 false positive scenarios for this specific alert.

Output format:

MITRE ATT&CK MAPPING
| Tactic | Technique ID | Technique Name | Confidence |

CREDENTIALS AT RISK
| Credential Type | Risk | Impact if Compromised |

POST-EXPLOITATION RISK
- Lateral Movement: Yes / No / Unknown — [reason]
- Privilege Escalation: Yes / No / Unknown — [reason]
- DC Compromise Risk: Yes / No / Unknown — [reason]

FALSE POSITIVES
1. [scenario]
2. [scenario]
3. [scenario]

Base everything on the actual alert data provided.
Generate a targeted investigation and containment checklist for this credential dumping alert.

For each checklist item provide:
- Exact log source to check
- Specific event IDs or field values
- What malicious looks like vs benign

INVESTIGATION CHECKLIST:

1. Process Investigation
- Review full process tree (parent → child)
- Check process execution path for anomalies
- Verify process hash against known-good baseline
- Event IDs: 4688 (process creation), Sysmon 1, 10 (process access)

2. LSASS Access Verification
- Check which processes accessed lsass.exe
- Look for OpenProcess with PROCESS_VM_READ on LSASS
- Sysmon Event ID 10 — ProcessAccess targeting lsass.exe

3. Authentication Log Review
- Check for new logon events after alert time (4624, 4625, 4648)
- Look for lateral movement: remote logons from affected host
- Check for Pass-the-Hash: NTLMv2 authentication anomalies

4. Network Activity
- Outbound connections from affected host after alert
- SMB connections to other hosts (lateral movement indicator)
- Any C2 beacon patterns

5. Containment Actions (prioritise these)
⚠️ HIGH PRIORITY: Should affected host be isolated immediately?
⚠️ HIGH PRIORITY: Should affected credentials be reset immediately?
- Force password reset for all accounts on affected system
- Revoke active sessions and Kerberos tickets (klist purge)
- If DC involved: consider krbtgt password reset

Also provide 3 SIEM queries to hunt for related credential dumping activity. If SIEM tool is known, write queries for that tool. If unknown, write generic logic with clearly labelled placeholders like [field_name].

Base everything on the actual alert data. Do not give generic SOC advice.
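Checklist item 2 asks which processes opened lsass.exe and whether the handle carried PROCESS_VM_READ. The following is an added example, not part of the original workflow or any vendor's tooling: it runs that triage over Sysmon Event ID 10 (ProcessAccess) records exported as JSON lines with the standard Sysmon field names (SourceImage, TargetImage, GrantedAccess, CallTrace, User). The access-right constants are the documented Win32 values; the allowlist of known-good LSASS readers and the sample events are constructed for this example and must be tuned against the environment's own baseline.

```python
"""Triage Sysmon Event ID 10 records that target lsass.exe (added example)."""
import json
from typing import Optional

# Win32 process access-right bits (documented values).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Assumption: processes that legitimately read LSASS memory in this environment.
# This is a constructed starting point; replace it with the local baseline.
KNOWN_GOOD_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\wbem\wmiprvse.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# User-writable locations flagged by the checklist as suspicious execution paths.
SUSPICIOUS_DIRS = ("\\temp\\", "\\appdata\\", "\\users\\public\\", "\\programdata\\")

SEVERITY_ORDER = {"high": 0, "low": 1, "info": 2}


def triage_lsass_access(record: dict) -> Optional[dict]:
    """Return a finding for one Event ID 10 record, or None if it does not target lsass.exe."""
    if int(record.get("EventID", 0)) != 10:
        return None
    target = str(record.get("TargetImage", "")).lower()
    if not target.endswith("\\lsass.exe"):
        return None

    source = str(record.get("SourceImage", "")).lower()
    access = int(str(record.get("GrantedAccess", "0x0")), 16)
    reasons = []

    reads_memory = bool(access & PROCESS_VM_READ)
    if reads_memory:
        reasons.append(f"GrantedAccess {access:#x} includes PROCESS_VM_READ")
    known_good = source in KNOWN_GOOD_SOURCES
    if not known_good:
        reasons.append("source image not in baseline allowlist")
    if any(d in source for d in SUSPICIOUS_DIRS):
        reasons.append("source image runs from a user-writable directory")
    # Sysmon writes UNKNOWN for call-stack frames not backed by a module on disk.
    unbacked = "unknown" in str(record.get("CallTrace", "")).lower()
    if unbacked:
        reasons.append("call trace contains UNKNOWN (code not backed by a module on disk)")

    if reads_memory and (not known_good or unbacked):
        verdict = "high"      # memory read by an unexpected or unbacked caller
    elif reads_memory:
        verdict = "low"       # allowlisted reader: confirm against baseline, do not escalate
    else:
        verdict = "info"      # query-only access, e.g. PROCESS_QUERY_LIMITED_INFORMATION

    return {
        "verdict": verdict,
        "source": record.get("SourceImage"),
        "user": record.get("User"),
        "granted_access": f"{access:#x}",
        "reasons": reasons,
    }


def hunt(lines) -> list:
    """Parse JSON-lines records, triage each, and return findings ordered by severity."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed export lines rather than abort the hunt
        finding = triage_lsass_access(record)
        if finding is not None:
            findings.append(finding)
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["verdict"]])


# Constructed sample records (not real telemetry); raw string keeps the JSON escapes intact.
SAMPLE_EVENTS = r"""
{"EventID":10,"SourceImage":"C:\\Windows\\System32\\svchost.exe","TargetImage":"C:\\Windows\\System32\\lsass.exe","GrantedAccess":"0x1000","User":"NT AUTHORITY\\SYSTEM","CallTrace":"C:\\Windows\\SYSTEM32\\ntdll.dll+9d4a4"}
{"EventID":10,"SourceImage":"C:\\Program Files\\Windows Defender\\MsMpEng.exe","TargetImage":"C:\\Windows\\System32\\lsass.exe","GrantedAccess":"0x1010","User":"NT AUTHORITY\\SYSTEM","CallTrace":"C:\\Windows\\SYSTEM32\\ntdll.dll+9d4a4"}
{"EventID":10,"SourceImage":"C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.exe","TargetImage":"C:\\Windows\\System32\\lsass.exe","GrantedAccess":"0x1FFFFF","User":"CORP\\jdoe","CallTrace":"C:\\Windows\\SYSTEM32\\ntdll.dll+9d4a4|UNKNOWN(000001F4A2C10000)"}
{"EventID":10,"SourceImage":"C:\\Windows\\System32\\notepad.exe","TargetImage":"C:\\Windows\\explorer.exe","GrantedAccess":"0x1000","User":"CORP\\jdoe","CallTrace":"C:\\Windows\\SYSTEM32\\ntdll.dll+9d4a4"}
not a json line
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS.splitlines()):
        print(f["verdict"].upper(), f["source"], f["user"], f["granted_access"], "; ".join(f["reasons"]))
```

The verdict rule deliberately separates "who" from "what": a PROCESS_VM_READ handle from an allowlisted security product is recorded as low so the baseline stays visible, while the same access right from an unlisted binary in a user-writable path, or from a caller whose call trace includes unbacked memory, is what the checklist's "malicious vs benign" distinction should surface first.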
Write a professional SOC ticket summary for this credential dumping investigation.

Include:
- What the alert detected (one sentence)
- Whether it appears malicious, suspicious, or benign and why
- The key evidence supporting that conclusion
- Recommended next action and who owns it
- Whether immediate containment is required

Length: 3–5 sentences maximum.
Format: suitable for pasting directly into a SIEM ticket or incident log.

Severity: Critical / High / Medium / Low / Informational
Disposition: True Positive / False Positive / Needs Investigation

MITRE ATT&CK MAPPING
| Tactic | Technique ID | Technique Name | Confidence |

IOCS
| IOC Type | Value | Context |

CREDENTIALS POTENTIALLY COMPROMISED
| Account | Type | Reset Required |

CONTAINMENT STATUS
- Host Isolated: Yes / No / Pending
- Credentials Reset: Yes / No / Pending
- Incident Escalated: Yes / No / Pending

If no IOCs identified, state: "No IOCs identified."
Here's what you can expect after completing this workflow:
Populate a ready-to-paste investigation report for your ticket or incident log.