Credential Theft Incident Response (T1558.001, T1003.001, T1134)
A step-by-step playbook for responding to confirmed credential theft — Kerberos ticket abuse (golden/silver), LSASS dumping, token manipulation, and stolen credential lateral movement. Includes detection Event IDs, containment steps, and recovery procedures.
What This Playbook Covers
- This playbook handles incidents where credential theft has been confirmed — not suspected, but confirmed by detection signals (e.g., LSASS handle opened by a suspicious process, forged Kerberos ticket indicators, or token manipulation events).
- It covers the three most common credential theft scenarios: Kerberos ticket theft (golden/silver tickets), LSASS credential dumping, and token manipulation/abuse.
- MITRE ATT&CK references: T1558.001 (Golden Ticket), T1558.002 (Silver Ticket), T1003.001 (LSASS Memory), T1134 (Access Token Manipulation).
- Parallel playbooks: Suspicious Authentication (for initial triage of credential-based alerts), Privilege Escalation Investigation (for privilege abuse after credential theft).
Phase 1: Confirm Credential Theft (0-10 minutes)
Before executing containment, determine which credential theft scenario you are dealing with:
Scenario A — Kerberos Ticket Abuse (Golden/Silver Ticket)
| Signal | Where to Check | What Confirms It |
|---|---|---|
| Anomalous TGT lifetime | Windows Event ID 4768 — Ticket Lifetime > 10 hours | Forged TGT — normal Kerberos TGT lifetime is 10 hours |
| Anomalous service ticket | Windows Event ID 4769 — ticket request for service account + same user from different IPs | Kerberoasting or silver ticket forgery |
| KRBTGT hash dump | Event ID 4663 (file access) on ntds.dit or LSASS process access | DCSync or LSASS dump — the KRBTGT hash is now compromised |
| DCSync indicators | Event ID 4662 (Directory Service Access) with DS-Replication-Get-Changes | Domain replication initiated by non-DC account |
SPL query — anomalous TGT lifetime (Event ID 4768):

```spl
index=windows sourcetype="WinEventLog:Security" EventCode=4768
| rex field=Message "Ticket Lifetime: (?<lifetime>\d+)h"
| where lifetime > 10
| eval alert = "CRITICAL — TGT lifetime of " . lifetime . " hours from " . ClientAddress . " — possible golden ticket"
| table _time, ClientAddress, TargetUserName, lifetime, alert
```
Scenario B — LSASS Credential Dumping
| Signal | Where to Check | What Confirms It |
|---|---|---|
| LSASS process access | Sysmon Event ID 10 — lsass.exe accessed by non-LSASS process | Credential dumping — Mimikatz, Procdump, or custom tool |
| LSASS minidump file | Sysmon Event ID 11 — file creation matching *lsass*.dmp | Dump file — attacker exported LSASS memory |
| Mimikatz process execution | Event ID 4688 or Sysmon Event ID 1 — mimikatz.exe, procdump.exe, outflank-dumpert.exe | Direct tool usage |
| Suspicious DLL loaded into LSASS | Sysmon Event ID 7 — DLL loaded into lsass.exe from non-standard path | Injected credential dumper |
SPL query — LSASS process access (Sysmon Event ID 10) — run in Splunk:

```spl
index=windows sourcetype="WinEventLog:Sysmon" EventCode=10
| search TargetImage="*lsass.exe"
| where SourceImage NOT IN ("C:\\Windows\\System32\\wininit.exe", "C:\\Windows\\System32\\lsass.exe")
| eval alert = "CRITICAL — " . SourceImage . " accessed lsass.exe — possible credential dumping"
| table _time, Computer, SourceImage, TargetImage, GrantedAccess, alert
```
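As an added example (not code from this playbook), the following Python triages constructed Sysmon Event ID 10 records the way the SPL above does, but also decodes the GrantedAccess mask so the responder can see whether the handle actually permits reading LSASS memory. The access-right constants are the documented Win32 values; the allowlist, severity labels and sample records are assumptions made for this illustration.

```python
# Win32 process access rights (documented values).
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
PROCESS_ALL_ACCESS = 0x1FFFFF

ACCESS_NAMES = {
    PROCESS_VM_READ: "VM_READ",
    PROCESS_VM_WRITE: "VM_WRITE",
    PROCESS_QUERY_INFORMATION: "QUERY_INFORMATION",
    PROCESS_QUERY_LIMITED_INFORMATION: "QUERY_LIMITED_INFORMATION",
}

# Legitimate LSASS openers; the playbook's SPL excludes the same two images (assumed allowlist).
ALLOWLIST = {r"c:\windows\system32\wininit.exe", r"c:\windows\system32\lsass.exe"}


def decode_access(mask: int) -> list:
    """Name the rights set in a Sysmon GrantedAccess mask."""
    if mask == PROCESS_ALL_ACCESS:
        return ["ALL_ACCESS"]
    return [name for bit, name in ACCESS_NAMES.items() if mask & bit]


def triage_lsass_access(events: list) -> list:
    """Return non-allowlisted lsass.exe access events with decoded rights.
    VM_READ (or ALL_ACCESS) is what reading credentials needs, so those are CRITICAL."""
    findings = []
    for ev in events:
        if not ev["TargetImage"].lower().endswith("\\lsass.exe"):
            continue
        if ev["SourceImage"].lower() in ALLOWLIST:
            continue
        mask = int(ev["GrantedAccess"], 16)
        can_read = mask == PROCESS_ALL_ACCESS or bool(mask & PROCESS_VM_READ)
        findings.append({**ev, "rights": decode_access(mask),
                         "severity": "CRITICAL" if can_read else "MEDIUM"})
    return findings


# Constructed sample records (not real telemetry).
LSASS = r"C:\Windows\System32\lsass.exe"
SAMPLE_EVENTS = [
    {"Computer": "WS01", "SourceImage": r"C:\Windows\System32\wininit.exe", "TargetImage": LSASS, "GrantedAccess": "0x1FFFFF"},
    {"Computer": "WS01", "SourceImage": r"C:\Users\Public\unknown.exe", "TargetImage": LSASS, "GrantedAccess": "0x1010"},
    {"Computer": "WS02", "SourceImage": r"C:\Program Files\Agent\agent.exe", "TargetImage": LSASS, "GrantedAccess": "0x1000"},
    {"Computer": "WS02", "SourceImage": r"C:\Users\Public\unknown.exe", "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1FFFFF"},
]
```

Running `triage_lsass_access(SAMPLE_EVENTS)` yields two findings: the 0x1010 handle (VM_READ plus QUERY_LIMITED_INFORMATION) as CRITICAL and the 0x1000 handle (query only) as MEDIUM.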
Scenario C — Token Manipulation
| Signal | Where to Check | What Confirms It |
|---|---|---|
| Duplicate token | Windows API monitoring — DuplicateTokenEx | Token duplication for privilege escalation |
| Token impersonation | Event ID 4672 (Special Privilege Assigned) — unexpected SeImpersonatePrivilege | Token theft or impersonation |
| Process token assignment | Sysmon Event ID 8 — thread creation with token from another process | Token assigned to a new process |
Phase 2: Immediate Containment (10-30 minutes)
The containment steps depend on which scenario was confirmed.
For Kerberos Ticket Abuse
| Step | Action | Verification |
|---|---|---|
| 1 | Reset KRBTGT password TWICE — Microsoft requires two resets to invalidate all existing tickets | Reset-ADAccountPassword krbtgt — note: this breaks all Kerberos auth until replicated |
| 2 | Force domain controller replication — ensure password reset reaches all DCs | repadmin /syncall /AdeP |
| 3 | Invalidate current Kerberos tickets — force users to re-authenticate | GPO — set MaxTicketAge to 0 temporarily, then restore to 10h |
| 4 | Check for silver tickets — if service account NTLM hashes were also dumped, those credentials must also be rotated | Check each service account for compromised hashes |
| 5 | Audit domain admin accounts — verify no new admin accounts created | Event ID 4720 (user created) + 4728/4732 (group membership changes) |
For LSASS Credential Dumping
| Step | Action | Verification |
|---|---|---|
| 1 | Isolate the compromised host — disable network, do not shut down | Block switch port or disable VM NIC |
| 2 | Force user password reset — any user whose credentials may have been in LSASS memory | Event ID 4723 (password change) — target all users logged on at the time |
| 3 | Verify no domain replication occurred — check if the stolen credentials were used for DCSync | Event ID 4662 (DS-Replication-Get-Changes) |
| 4 | Collect forensic image — capture memory (DumpIt, WinPMem) and disk image before remediation | Use Velociraptor offline collector or FTK Imager |
| 5 | Scan for additional compromised hosts — attackers who dump LSASS often move laterally immediately | Check for Event ID 4624 with the compromised credentials on other hosts |
For Token Manipulation
| Step | Action | Verification |
|---|---|---|
| 1 | Identify which process had its token stolen | Check which process was target of DuplicateTokenEx or thread creation with modified token |
| 2 | Kill the attacker’s process — or isolate the host if the token was used remotely | EDR — terminate the process performing token manipulation |
| 3 | Review any privileged operations performed with the stolen token | Check Event ID 4672 (Special Privilege Assigned) during the token manipulation timeframe |
| 4 | Reset the affected service account credentials | Rotate any service account whose token may have been duplicated |
Phase 3: Evidence Preservation (30-45 minutes)
Collect and preserve evidence for further investigation, attribution, and potential legal proceedings.
Collection Checklist
- Memory dump from the compromised host (DumpIt, WinPMem, or Velociraptor)
- Full event logs — Security, System, Sysmon, PowerShell (Event ID 4104)
- LSASS process memory — if the attack is still in progress, collect a full memory image
- Network captures — from the timeframe of the credential theft (look for outbound C2)
- Timeline of token/Kerberos events — correlate Event IDs 4768, 4769, 4776 with Sysmon Event IDs 1, 8, 10
- Registry hives — especially SAM, SYSTEM, SECURITY (for offline credential analysis)
- Screenshot of running processes — document what was running during the investigation
- Chain of custody form — document who collected what, when, and where
Analysis — Correlating the Attack Flow
Timeline analysis example:

```text
T+0:00 — Sysmon Event 10 — unknown.exe opens lsass.exe with PROCESS_ALL_ACCESS
T+0:01 — Event 4688 — powershell.exe launched with encoded command
T+0:05 — Sysmon Event 3 — outbound connection to 185.220.101.x:443
T+0:10 — Event 4768 — anomalously long TGT lifetime detected
T+0:12 — Event 4662 — DCSync replication request from non-DC host
T+0:15 — Event 4728 — user added to Domain Admins group
```
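The timeline above, as an added correlation example that is not part of the playbook: it anchors on the first LSASS access and then collects each later stage in order within a window. The stage matchers, the 15-minute window and the event records are assumptions constructed for this illustration.

```python
from datetime import datetime, timedelta

# Attack stages in the order the playbook's timeline shows them. Each matcher
# checks the fields that make the event suspicious, not just the Event ID.
STAGES = [
    ("lsass_access", lambda e: e["source"] == "Sysmon" and e["id"] == 10
        and e.get("target", "").lower().endswith("lsass.exe")),
    ("encoded_powershell", lambda e: e["id"] == 4688
        and "-enc" in e.get("cmdline", "").lower()),
    ("c2_connection", lambda e: e["source"] == "Sysmon" and e["id"] == 3 and not e.get("internal", False)),
    ("long_tgt", lambda e: e["id"] == 4768 and e.get("lifetime_h", 0) > 10),
    ("dcsync", lambda e: e["id"] == 4662
        and "Replication-Get-Changes" in e.get("properties", "")),
    ("domain_admin_added", lambda e: e["id"] == 4728
        and e.get("group") == "Domain Admins"),
]
WINDOW = timedelta(minutes=15)  # assumed correlation window


def correlate(events: list) -> list:
    """Anchor on the first LSASS access, then pick up each later stage in order
    within WINDOW. Returns [(stage, time), ...]; empty if no anchor exists."""
    ordered = sorted(events, key=lambda e: e["time"])
    anchor = next((e for e in ordered if STAGES[0][1](e)), None)
    if anchor is None:
        return []
    chain, last = [], anchor["time"]
    for name, match in STAGES:
        hit = next((e for e in ordered if last <= e["time"] <= anchor["time"] + WINDOW
                    and match(e)), None)
        if hit is not None:
            chain.append((name, hit["time"]))
            last = hit["time"]
    return chain


def t(minutes: int) -> datetime:
    return datetime(2024, 1, 1, 9, 0) + timedelta(minutes=minutes)

# Constructed events mirroring the playbook timeline, plus a benign 4768 decoy.
SAMPLE_EVENTS = [
    {"time": t(3), "source": "Security", "id": 4768, "lifetime_h": 10},  # normal TGT, ignored
    {"time": t(0), "source": "Sysmon", "id": 10, "target": r"C:\Windows\System32\lsass.exe"},
    {"time": t(1), "source": "Security", "id": 4688, "cmdline": "powershell.exe -enc SQBFAFgA"},
    {"time": t(5), "source": "Sysmon", "id": 3, "internal": False},
    {"time": t(10), "source": "Security", "id": 4768, "lifetime_h": 240},
    {"time": t(12), "source": "Security", "id": 4662, "properties": "DS-Replication-Get-Changes"},
    {"time": t(15), "source": "Security", "id": 4728, "group": "Domain Admins"},
]
```

`correlate(SAMPLE_EVENTS)` returns all six stages with their timestamps; without the Sysmon 10 anchor it returns an empty list, so a lone long-lived TGT or DCSync still needs its own single-event rule.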
Phase 4: Recovery and Hardening (45-90 minutes)
Credential Hygiene
| Action | Tool/Method | Why |
|---|---|---|
| Rotate KRBTGT twice | Reset-ADAccountPassword | Invalidates all existing Kerberos tickets (golden and silver) |
| Rotate domain admin passwords | LAPS or manual reset | Any credential that was in LSASS memory on compromised hosts |
| Rotate service account passwords | Identity management system | Service account hashes can be used for silver ticket attacks |
| Revoke all certificates | PKI infrastructure | If AD CS is in use, attacker may have used stolen credentials to request certificates |
| Reset machine account passwords | PowerShell Reset-ComputerMachinePassword | Prevents attacker from using machine account for pass-the-hash |
Detection Hardening
- Enable LSASS protection — `reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 1` — prevents non-Microsoft processes from accessing LSASS
- Enable Credential Guard — virtualizes LSASS to protect credentials from dumping
- Deploy Sysmon with rules for process access to LSASS (SwiftOnSecurity config)
- Enable PowerShell ScriptBlock Logging — Event ID 4104 captures encoded commands
- Configure Windows Defender Credential Guard — managed via GPO
Phase 5: Post-Incident (90+ minutes)
- Root cause analysis — how did the attacker get initial access to dump credentials?
- TTP mapping — map the attack path to MITRE ATT&CK for detection gaps
- Report — document findings, timeline, evidence chain, and remediation steps
- Tabletop exercise — run through the playbook with the team to identify gaps
Related
- Active Directory Compromise Response — detection and response for T1558 techniques
- Privilege Escalation Investigation — detection and response for T1068 techniques
- Cloud Threats — Credential Theft, IMDS Abuse, Hijacking, Privilege Escalation — detection and response for T1525, T1552, T1613 techniques
- Active Directory Basics — covers the core Active Directory concepts
- EDR Basics — detection and response for T1059, T1003, T1055, T1204, T1562 techniques
