Use the T1003 - Defense Evasion - Mimikatz DCShadow playbook

  • Release version: Australia
  • Updated Mar 12, 2026
  • 1 min read
  • Use this playbook to investigate security incidents suspected to be caused by Mimikatz DCShadow. The following steps give you a walkthrough of the actions, tasks, and subflows that are available in the T1003 - Defense Evasion - Mimikatz DCShadow playbook.

    Before you begin

    Role required:
    • sn_si.admin
    • flow_designer

    Procedure

    1. When the playbook is triggered and starts executing, in Action 1, find out which account is responsible for the creation of the new DC (Domain Controller).
    2. In Action 2, reach out to the user to validate the business justification.
      You can use the provided email template to contact the user.
    3. In Action 3, check whether the user provided a valid business justification.
    4. In Action 4, if the user provided a valid business justification, perform the following steps:
      Figure 1. T1003 - Defense Evasion - Mimikatz DCShadow playbook
      Response task to check whether the user provided a valid business justification
      1. In Action 5, document the findings so far.
      2. In Action 6, initiate a post-incident review.
      3. In Action 7, after the post-incident review, the flow ends.
    5. In Action 8, if the user didn’t provide a valid business justification, perform the following steps:
      Figure 2. Using the T1003 - Defense Evasion - Mimikatz DCShadow playbook
      Response tasks when the user didn't provide a valid business justification.
      1. In Action 9, lock down or quarantine all the accounts, computers, and other devices involved.
      2. In Action 10, perform a forensic investigation on the locked-down accounts and identify if any data has been exfiltrated or any malicious code has been injected.
      3. In Action 11, reimage the affected resources.
      4. In Action 12, lift containment and bring systems back to operational standards.
      5. In Action 13, complete the post-incident review before closing the task.
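
The first step of the procedure (Action 1) asks the analyst to find out which account registered the new Domain Controller. The following Python script is an added example of how that lookup can be automated over audit data; it is not part of the ServiceNow playbook and does not use the ServiceNow API. It assumes (detection details not stated on this page) that a computer object becomes DC-like when Global Catalog SPNs ("GC/...") and the DRS replication SPN (service class GUID E3514235-4B06-11D1-AB04-00C04FC2DCD2) are added to it, that Windows audits such a change as Security event 4742 ("A computer account was changed") with the acting account in the Subject fields, and that the events have been flattened to key=value lines by a log collector. The event lines, the allowlist of known DCs, and all host and user names are constructed sample data.

```python
"""Action 1 helper: which account registered a new (possibly rogue) DC?

Added example, not ServiceNow playbook code. Assumptions: event 4742
carries the SPN change; GC/ and the DRS GUID SPN mark DC-like objects;
events arrive as one key=value line each (collector format assumed).
"""
import re
from dataclasses import dataclass, field

# DRS replication service class GUID seen in DC SPNs (assumed detection detail).
DRS_SPN_GUID = "E3514235-4B06-11D1-AB04-00C04FC2DCD2"

# Constructed allowlist: computer accounts that are legitimate DCs.
KNOWN_DCS = {"DC01$", "DC02$"}

# Constructed sample audit lines (not real logs).
SAMPLE_EVENTS = [
    "EventID=4624 Time=2026-03-12T09:10:11Z SubjectUserName=jdoe SubjectDomainName=CORP",
    "EventID=4742 Time=2026-03-12T09:12:40Z SubjectUserName=svc-patch SubjectDomainName=CORP "
    "TargetUserName=WS-HR-03$ ServicePrincipalNames=HOST/ws-hr-03;HOST/ws-hr-03.corp.example",
    "EventID=4742 Time=2026-03-12T09:14:03Z SubjectUserName=jdoe SubjectDomainName=CORP "
    "TargetUserName=WS-FIN-07$ ServicePrincipalNames=HOST/ws-fin-07;"
    "GC/ws-fin-07.corp.example/corp.example;"
    "E3514235-4B06-11D1-AB04-00C04FC2DCD2/1c4f0d2e-0000-4000-8000-000000000001/corp.example",
    "EventID=4742 Time=2026-03-12T09:20:55Z SubjectUserName=adm-bob SubjectDomainName=CORP "
    "TargetUserName=DC02$ ServicePrincipalNames=GC/dc02.corp.example/corp.example;HOST/dc02.corp.example",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one 'Key=Value Key=Value' line into a dict (values contain no spaces)."""
    return dict(KV_RE.findall(line))


def dc_like_spns(spn_field):
    """Return the SPNs in a ';'-separated field that only a DC should carry."""
    spns = [s for s in spn_field.split(";") if s]
    return [s for s in spns
            if s.upper().startswith("GC/") or s.upper().startswith(DRS_SPN_GUID)]


@dataclass
class DcRegistration:
    computer: str          # computer account that was turned into a DC-like object
    actor: str             # DOMAIN\user that made the change (Subject fields)
    time: str
    spns: list = field(default_factory=list)


def find_new_dc_registrations(lines, known_dcs=KNOWN_DCS):
    """Flag 4742 events that add DC-only SPNs to a computer not in the DC allowlist.

    Changes to known DCs are skipped: they are routine, and the playbook is
    about a *new* DC. Everything flagged still goes to the user validation
    step (Action 2); this is triage, not a verdict.
    """
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4742":
            continue
        computer = ev.get("TargetUserName", "")
        if computer in known_dcs:
            continue
        spns = dc_like_spns(ev.get("ServicePrincipalNames", ""))
        if not spns:
            continue
        actor = f"{ev.get('SubjectDomainName', '')}\\{ev.get('SubjectUserName', '')}"
        hits.append(DcRegistration(computer=computer, actor=actor,
                                   time=ev.get("Time", ""), spns=spns))
    return hits


def responsible_accounts(lines, known_dcs=KNOWN_DCS):
    """Answer for Action 1: map each newly registered DC to the account that did it."""
    return {h.computer: h.actor for h in find_new_dc_registrations(lines, known_dcs)}


if __name__ == "__main__":
    for h in find_new_dc_registrations(SAMPLE_EVENTS):
        print(f"{h.time} {h.computer} registered as DC by {h.actor}: {', '.join(h.spns)}")
```

On the constructed sample the script flags only WS-FIN-07$, registered by CORP\jdoe; the HOST-only SPN change on WS-HR-03$ and the change to the allowlisted DC02$ are ignored. The allowlist is the piece a practitioner must keep accurate: with an empty allowlist, legitimate DC maintenance also surfaces and would be sent to the justification step unnecessarily.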