Compromised Credentials Response Playbook

Compromised Credentials Response Playbook

Download your free copy now

Since security incidents can occur in a variety of ways, there is no one-size-fits-all solution for handling them.

Please use these response guides as a framework for your business to respond in the event of a potential threat.

Your credentials are a virtual keyring to sensitive information, and when they fall into the wrong hands they can jeopardize the information that you’re responsible for protecting. This response guide gives you step-by-step help in the event of a compromised credentials incident.

Free Resource

Download our free Compromised Credentials Response Playbook now.



To guide in responding to a compromised credentials incident.

How to Use This Playbook

The steps in this playbook should be followed sequentially where appropriate. With many steps in the Containment, Eradication, and Recovery steps, some overlap may occur and is expected.

Table of Contents


Note: Preparation steps should primarily be completed prior to an event or incident.

  1. Determine the members of the Cybersecurity Incident Response Team (CSIRT).
    1. The core CSIRT members should be comprised of individuals responsible for cybersecurity only.
      1. This may include some members of Information Technology roles, depending on the organization size.
      2. The limited size of the core CSIRT is to assist with confidentiality and efficiency.
      3. The core CSIRT may be activated often to investigate security events that may or may not result in an incident.
    2. Assign roles and responsibilities to each member.
  2. Determine extended CSIRT members.
    1. This will often be Legal, Compliance, Public Relations, and Executive Leadership.
  3. Define escalation paths.
    1. Incidents may start as events, or as a lower impact/severity and then increase as more information is gathered. Establishing an escalation path is critical to success.
  4. Ensure logging levels for account login system components (i.e. Active Directory, VPN, Remote Access, etc.) are set to appropriate levels.
    1. 90 days should be the minimum.
  5. Ensure logging for account login system components are stored in secure locations, preferably on a secondary system such as a SIEM.


  1. Use the evidence that resulted in notification of compromise to determine next steps based on method of compromise. (Some steps may be irrelevant based on the method of compromise.)
    1. Example of evidence: an email from an external client saying they received a phishing email or malware, abnormal login behavior or locations, actions performed by a user account that can’t be accounted for by the user, etc.
    2. Method of compromise examples: credential harvesting phish, credential scraping from local systems, brute forced password, etc.
  2. Determine initial method of account compromise.
    1. Interview impacted user to gather details on potential points of compromise.
      1. Example questions:
        1. Did you receive a suspicious email?
        2. Did you enter your email credentials after clicking a link, or on a website that seemed to not accept them?
        3. Have you downloaded any new software?
        4. Have you received any documents via email that you weren’t expecting?
        5. Have no noticed abnormal actions on your workstation?
    2. Search for phishing emails.
      1. Phishing emails are the most common method for credential theft.
    3. Search for emails with links to credential harvesting sites.
    4. Search the user’s web history to determine if any potentially malicious sites were visited.
    5. Search for potential malware on the user’s workstation.
      1. Credential harvesters such as Mimikatz.
      2. Keystroke recording software.
      3. Clipboard scraping malware.
  3. Once method of initial compromise is determined, use the Indicators of Compromise (IoCs) gathered to search the environment for other victims.
    1. Potential query inputs for email system: Email subject name, document name, document hash, URL from email, etc.
    2. Potential query inputs for SIEM or log searches: IP addresses, URLs, workstation names, etc.
  4. Review logs in account login systems searching for anomalies.
    1. Login activity from unusual locations, systems, or browser fingerprints.
    2. Note all systems accessed by the attacker if possible.
  5. Assess victim accounts to determine if sensitive information may be contained in them, or if they have access to sensitive information on centralized storage such as fileservers.
    1. This may need to be extended to other sources these users and/or accounts have access to such as OneDrive, Google Drive, SharePoint, shared mailboxes, fileservers, etc.
    2. If sensitive information is a possibility, consult legal counsel for next steps.
  6. Use the information gathered in Step 4b to determine what sensitive information could’ve been accessed by the attacker.
    1. If logs are unavailable, assume all accessible data was accessed by the attacker.


  1. Reset all passwords associated with all identified victims.
    1. Begin with the known compromised account passwords, but all accounts associated with the user should have their passwords reset or disabled.
  2. Enable Multi-Factor authentication anywhere possible for the impacted user account.
  3. Disable user account’s ability to login remotely.
  4. Revoke authentication tokens for all identified victim accounts.
    1. This should cover the email system and any other accounts that are associated with the impacted users.
  5. If an external organization is identified during the investigation, notify the organization of any compromises or concerns.
    1. Work with legal counsel to determine this process.
    2. This will help prevent the organization’s users from being targeted again from the same compromised source.
  6. If an external organization is identified during the investigation, block their related domains from sending email to your organization.
  7. If malware is discovered during the investigation:
    1. Preserve a sample of the malware.
    2. Analyze the malware with any tools available.
      1. Gather file hash using PowerShell “Get-Filehash” cmdlet.
      2. Submit hash to community sources VirusTotal, Hybrid-Analysis, etc.
        1. If community sources have seen the hash, note the malware characteristics.
    3. Isolate infected systems, do not power them off unless absolutely necessary.
      1. Preserve the system(s) for further forensic investigation including log review, MFT analysis, deep malware scans, etc.
  8. Block all associated IoCs in email system, firewall, and other security components such as endpoint protection systems.
    1. URLs, domains, message-ID, etc. in spam filters, email based antimalware, etc.
    2. File hashes, malware identified, IP addresses identified, etc.


  1. Preserve artifacts, systems, and relevant backups according to the sensitivity and scale of the incident. These may be important for future forensics.
    1. If rebuilding or replacing physical systems, preserve physical hard disks, solid state drives, or forensically sound images of those storage drives.
    2. If rebuilding or replacing virtual machines, preserve a copy, full (independent) snapshot, or a backup of the system.
  2. Preserve any volatile data that may have been collected during the identification and containment phases.
    1. This may include log files, backups, malware samples, memory images, etc.
  3. Once all relevant data, equipment, and/or systems have been preserved, replace, or rebuild systems accordingly.


  1. Restore impacted systems from a clean backup, taken prior to infection if these backups are available.
  2. For systems not restorable from backup, rebuild the machines from a known good image or from bare metal.
  3. Remediate any vulnerabilities and gaps identified during the investigation.
  4. Reset passwords for all impacted accounts and/or create replacement accounts and leave the impacted accounts disabled permanently.
  5. Continue to monitor for malicious activity related to this incident for an extended period.
    1. Alerts should be configured to aid in quick detection and response.

Lessons Learned

  1. Conduct a meeting after the incident to discuss the following:
    1. What things went well during the investigation?
    2. What things did not go well during the investigation?
    3. What vulnerabilities or gaps in the organization’s security status were identified?
      1. How will these be remediated?
    4. What further steps or actions would have been helpful in preventing the incident?
    5. Do modifications need to be made to any of the following:
      1. Authentication practices?
        1. Multi-Factor Authentication
        2. Password complexity and use
      2. Network segmentation
      3. Firewall configuration
      4. Application security
      5. Operating System and/or Application patching procedures
      6. Employee, IT, or CSIRT training
  2. Create and distribute an incident report to relevant parties.
    1. A primary, and more technical, report should be completed for the CSIRT.
    2. An executive summary should be completed and presented to the management team.

Cheat Sheets


Incident Response Playbooks

Policy Templates

Program Guides


Compromised Credentials Response Playbook

Download your free copy today.