Response workflow for Mimikatz execution
Playbook Description
This playbook mitigates Mimikatz execution and verifies file reputation, deletes dumped files, and enables Credential Guard to prevent attack propagation. It further remediates the attack by removing persistence, terminating malicious processes, disabling affected accounts, closing RDP sessions, isolating impacted hosts, and notifying the security team.
MITRE ATT&CK mapping
| Tactics | Techniques | Sub-techniques |
|---|---|---|
| Credential Access (TA0006) | OS Credential Dumping (T1003) | LSASS Memory (T1003.001) |
| Credential Access (TA0006) | OS Credential Dumping (T1003) | Security Account Manager (T1003.002) |
| Credential Access (TA0006) | OS Credential Dumping (T1003) | LSA Secrets (T1003.004) |
MITRE D3FEND mapping
| Tactics | Techniques | Sub-techniques |
|---|---|---|
| Detect (D3-Detect) | Identifier Analysis (D3-ID) | File Hash Reputation Analysis (D3-FHRA) |
Playbook input type
Alert
Dependencies
Utility functions:
- utility_getRequiredTime
- windows_detectMaliciousProcessChain
- utility_extractFieldFromList
- utility_convertToString
- utility_compareListElements
- utility_convertTimeToUTC
- utility_sendMail
Scripts
| Script Name | Description | Arguments |
|---|---|---|
| FetchRDPUser.ps1 | Retrieves RDP session details for a given session ID using query user | SessionId |
| StopAndQuarantineProcess.ps1 | Terminates processes by PID (decimal or hex) or by executable file path, then quarantines the executable to a forensic directory. Protects critical OS processes and the SOAR agent from termination. | ProcessIdentifiers |
| TerminateSession.ps1 | Logs off one or more user sessions using logoff, with optional RDP-only filtering by remote IP | UserNames |
| QuarantineFiles.ps1 | Moves one or more files to a quarantine directory (%USERPROFILE%\Forensic_Quarantine), strips inherited permissions via the .NET ACL API, and grants read-only access to Administrators. Skips protected PowerShell executables. | FilePaths |
| EnableCredentialGuard.ps1 | Enables Windows Credential Guard by configuring Virtualization-Based Security (VBS), Hypervisor-Enforced Code Integrity (HVCI), and Credential Guard registry keys. A reboot is required for changes to take effect. | - |
| FetchPersistenceEntries.ps1 | Scans for persistence mechanisms including scheduled tasks, registry Run/RunOnce keys, startup folder entries, and services to identify potential malicious persistence | - |
| StopProcess.ps1 | Stops processes by PID or file path. Supports hex PIDs and comma-separated inputs. Skips protected PowerShell executables. | ProcessIdentifiers |
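The quarantine step above preserves the dumped file as evidence while making sure it can no longer be executed or silently altered. The script below is an added illustration of that approach and is not the playbook's own QuarantineFiles.ps1: it moves each file into %USERPROFILE%\Forensic_Quarantine, records its SHA-256 before the move, disables ACL inheritance through the .NET FileSystemSecurity API and leaves only a read-only entry for Administrators. The protected-executable list and the timestamped file naming are assumptions of this example.

```powershell
# Added example, not the playbook's QuarantineFiles.ps1.
# Quarantines files and locks their ACL down to read-only for Administrators.
param(
    [Parameter(Mandatory = $true)]
    [string[]]$FilePaths,
    [string]$QuarantineDir = (Join-Path $env:USERPROFILE 'Forensic_Quarantine')
)

# Hypothetical protected list: never quarantine the response tooling itself.
$ProtectedNames = @('powershell.exe', 'pwsh.exe')

if (-not (Test-Path -LiteralPath $QuarantineDir)) {
    New-Item -ItemType Directory -Path $QuarantineDir | Out-Null
}

foreach ($path in $FilePaths) {
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        Write-Warning "Skipping '$path': file not found"
        continue
    }
    $name = [System.IO.Path]::GetFileName($path)
    if ($ProtectedNames -contains $name.ToLower()) {
        Write-Warning "Skipping protected executable '$path'"
        continue
    }

    # Hash before moving so the notification email can reference the artifact.
    $hash  = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $stamp = Get-Date -Format 'yyyyMMddTHHmmss'
    $dest  = Join-Path $QuarantineDir "${stamp}_${name}.quarantined"
    Move-Item -LiteralPath $path -Destination $dest

    # Disable inheritance without copying the inherited ACEs, drop any explicit
    # ACEs that remain, then grant Administrators read-only access.
    $acl = Get-Acl -LiteralPath $dest
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) { $acl.RemoveAccessRule($rule) | Out-Null }
    $readOnly = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Administrators',
        [System.Security.AccessControl.FileSystemRights]::Read,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.SetAccessRule($readOnly)
    Set-Acl -LiteralPath $dest -AclObject $acl

    [pscustomobject]@{ Original = $path; Quarantined = $dest; Sha256 = $hash }
}
```

Because the file is renamed with a `.quarantined` suffix and Administrators hold only Read, an analyst can copy it to an analysis host for review but cannot accidentally double-click it back to life; the file owner retains WRITE_DAC, so the ACL can still be relaxed deliberately if a full forensic image is needed.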
Sub playbooks
- Windows - File enrichment
Execution workflow
Investigation:
- Executes the "Windows - File enrichment" sub-playbook.
Decision logic:
- Proceeds to remediation based on the following conditions:
  - The file or process reputation indicates high risk.
  - The file or process reputation indicates medium or higher risk.
- If suspicious but not confirmed malicious, sends a notification for manual review and stops further actions.
- If no malicious indicators are confirmed, the playbook ends with no further actions.
Remediation:
- Fetches the process tree.
- Checks the process reputation.
- Checks whether malicious flow exists.
- Disables the malicious process.
- Fetches the dump file.
- Checks whether dump files are present.
- Retrieves the file paths.
- Quarantines the dump file.
- Stops the process.
- Logs off the user.
- Fetches the device-related alerts.
- Notifies the user about alerts.
- Fetches the RDP users.
- Checks whether users are present in RDP.
- Fetches the usernames.
- Checks whether the user is already present in alerts.
- Checks whether all RDP users are terminated.
- Closes all remote sessions.
- Enables Credential Guard.
- Removes the persistence task.
- Restarts the machine.
- Validates that all remediation actions completed successfully.
- Builds the notification email with remediation details and findings.
- Sends a notification email regarding the actions taken and required next steps.
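The "Removes the persistence task" step depends on first knowing which persistence entries exist on the host. As an added example (not the playbook's FetchPersistenceEntries.ps1), the script below enumerates the four locations the Scripts table lists, scheduled tasks, Run/RunOnce keys, startup folders and services, and returns one object per entry so the result can be compared against a known-good baseline or the alert's process tree. The `-Since` window and the noise filters (skipping Microsoft task paths and services under the Windows directory) are assumptions of this example.

```powershell
# Added example, not the playbook's FetchPersistenceEntries.ps1.
# Enumerates common Windows persistence locations; run as Administrator.
param(
    [datetime]$Since = (Get-Date).AddDays(-7)   # assumed "recent" window
)

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Source, [string]$Name, [string]$Command, $Created)
    $script:findings.Add([pscustomobject]@{
        Source  = $Source
        Name    = $Name
        Command = $Command
        Created = $Created
    })
}

# 1. Scheduled tasks (Microsoft's own task folders are skipped to reduce noise).
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
    $task = $_
    $created = if ($task.Date) { [datetime]$task.Date } else { $null }
    foreach ($action in $task.Actions) {
        if ($action.Execute) {
            Add-Finding -Source 'ScheduledTask' -Name ($task.TaskPath + $task.TaskName) `
                -Command ("{0} {1}" -f $action.Execute, $action.Arguments) -Created $created
        }
    }
}

# 2. Run / RunOnce keys for the machine and the current user.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSProvider, ...
        Add-Finding -Source 'RegistryRun' -Name "$key\$($p.Name)" -Command $p.Value -Created $null
    }
}

# 3. Startup folders (per-user and all-users).
foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        Add-Finding -Source 'StartupFolder' -Name $_.Name -Command $_.FullName -Created $_.CreationTime
    }
}

# 4. Services whose binary lives outside the Windows directory.
Get-CimInstance -ClassName Win32_Service | Where-Object {
    $_.PathName -and $_.PathName -notmatch [regex]::Escape($env:SystemRoot)
} | ForEach-Object {
    Add-Finding -Source 'Service' -Name $_.Name -Command $_.PathName -Created $null
}

# Entries created inside the window are the most likely to belong to this incident.
$findings |
    Select-Object Source, Name, Command, Created,
        @{ n = 'Recent'; e = { [bool]($_.Created -and $_.Created -ge $Since) } } |
    Sort-Object Recent, Created -Descending |
    Format-Table -AutoSize
```

Registry values and services carry no reliable creation time through these APIs, so their `Created` field is left empty; for those entries the useful comparison is against the executable path and hash that the file enrichment sub-playbook already collected.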
Post execution procedure
- Reset passwords for all users who were logged into the compromised endpoint.
- Investigate whether harvested credentials were used for lateral movement.
- Scan other endpoints for similar Mimikatz indicators.
- Review and harden Credential Guard policies across the organization.
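Reviewing Credential Guard across the estate means checking what is actually running, not just what the registry says. The script below is an added example and is not the playbook's EnableCredentialGuard.ps1: it reads the `Win32_DeviceGuard` class to report whether VBS, Credential Guard and HVCI are running, and, with `-Enable`, writes the registry values Microsoft documents for enabling them. The `-UefiLock` switch is an assumption of this example; a reboot is still required for the change to take effect.

```powershell
# Added example, not the playbook's EnableCredentialGuard.ps1.
# Reports Credential Guard / HVCI state and optionally configures them.
param(
    [switch]$Enable,
    [switch]$UefiLock   # assumed option: lock the setting so it cannot be undone remotely
)

function Get-CredentialGuardStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # SecurityServicesRunning / SecurityServicesConfigured: 1 = Credential Guard, 2 = HVCI
    # VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running
    [pscustomobject]@{
        VbsStatus                 = $dg.VirtualizationBasedSecurityStatus
        CredentialGuardConfigured = ($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = ($dg.SecurityServicesRunning -contains 1)
        HvciRunning               = ($dg.SecurityServicesRunning -contains 2)
    }
}

function Enable-CredentialGuard {
    param([bool]$Lock)
    $dgKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $hvciKey = "$dgKey\Scenarios\HypervisorEnforcedCodeIntegrity"
    $lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    foreach ($k in @($dgKey, $hvciKey)) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    # Turn on VBS and require Secure Boot (1) as the platform security level.
    Set-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
    Set-ItemProperty -Path $dgKey -Name RequirePlatformSecurityFeatures -Value 1 -Type DWord
    # HVCI: Enabled = 1; Locked = 1 requires physical UEFI access to turn it off again.
    Set-ItemProperty -Path $hvciKey -Name Enabled -Value 1 -Type DWord
    Set-ItemProperty -Path $hvciKey -Name Locked -Value ([int]$Lock) -Type DWord
    # Credential Guard: LsaCfgFlags 1 = enabled with UEFI lock, 2 = enabled without lock.
    $flag = if ($Lock) { 1 } else { 2 }
    Set-ItemProperty -Path $lsaKey -Name LsaCfgFlags -Value $flag -Type DWord
}

$status = Get-CredentialGuardStatus
$status | Format-List

if ($Enable -and -not $status.CredentialGuardRunning) {
    Enable-CredentialGuard -Lock ([bool]$UefiLock)
    Write-Host 'Credential Guard configured; restart the host and re-run without -Enable to verify.'
}
```

Run it without `-Enable` first across the fleet (for example through Invoke-Command) and treat any host where `CredentialGuardConfigured` is true but `CredentialGuardRunning` is false as a finding: that combination usually means the hardware prerequisites (Secure Boot, virtualization extensions) are not met, and the policy is giving a false sense of protection against LSASS memory dumping.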