SOP-27: Credential Dumping (LSASS / Mimikatz / SAM) Response
SOC analyst playbook for detecting and responding to credential dumping via LSASS memory access, Mimikatz, ntdsutil, and SAM extraction. Sysmon Event 10, GrantedAccess masks, procdump, comsvcs MiniDump. KQL for Sentinel, SPL for Splunk.
Rudra Verma, Senior Security Architect & Researcher