Use the T1003 - Defense Evasion - Mimikatz DCShadow playbook

  • Freigeben Version: Australia
  • Aktualisiert 12. März 2026
  • 1 Minute Lesedauer

    • Use this playbook to investigate security incidents suspected to be caused by Mimikatz DCShadow. The following steps give you a walkthrough of the actions, tasks, and subflows that are available in the T1003 - Defense Evasion - Mimikatz DCShadow playbook.

    Vorbereitungen

    Role required:
    • sn_si.admin
    • flow_designer

    Prozedur

    1. When the playbook is triggered and starts executing, in Action 1, find out which account is responsible for the creation of the new DC (Domain Controller).
    2. In Action 2, reach out to the user to validate the business justification.
      You can use the provided email template to contact the user.
    3. In Action 3, check whether the user provided a valid business justification.
    4. In Action 4, if the user provided a valid business justification, perform the following steps:
      Abbildung : 1. T1003 - Defense Evasion - Mimikatz DCShadow playbook
      Response task to check whether the user provided a valid business justification
      1. In Action 5, document the findings so far.
      2. In Action 6, initiate a post incident review.
        In Action 7, after the post incident review, the flow ends.
    5. In Action 8, if the user didn’t provide a valid business justification, perform the following steps:
      Abbildung : 2. Using the T1003 - Defense Evasion - Mimikatz DCShadow playbook
      Response tasks when the user didn't provide a valid business justification.
      1. In Action 9, lock down or quarantine all the accounts, computers, and other devices involved.
      2. In Action 10, perform a forensic investigation on the locked-down accounts and identify if any data has been exfiltrated or any malicious code has been injected.
      3. In Action 11, reimage the affected resources.
      4. In Action 12, lift containment and bring systems back to operational standards.
      5. In Action 13, complete the post-incident review before closing the task.