SOP-27: Credential Dumping (LSASS / Mimikatz / SAM) Response

SOC analyst playbook for detecting and responding to credential dumping via LSASS memory access, Mimikatz, ntdsutil, and SAM extraction. Sysmon Event 10, GrantedAccess masks, procdump, comsvcs MiniDump. KQL for Sentinel, SPL for Splunk.

2026-06-28T09:32:15.941Z
Rudra Verma, Senior Security Architect & Researcher