Playbook for T1003 - Credential Dumping - Mimikatz DCSync
This playbook provides systematic remediation steps to investigate incidents suspected to be caused by Mimikatz DCSync. The playbook triggers when the Mimikatz function lsadump::dcsync is used. This function is typically used against the Domain Controllers (DCs) of the attacked domain, since it abuses the directory replication protocol to pull account secrets from a DC.
Mimikatz is a popular hacking tool that enables users to issue commands that retrieve confidential data from the attacked system. The confidential data includes passwords, password hashes, and other secrets.
Note:
This is a high-fidelity alert, which is expected to trigger rarely. When it triggers, notify a senior team member or manager immediately.
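One way to build the trigger condition described above as detection logic, as an added example that is not part of the original playbook: it scans Windows Security event 4662 records (an assumption about the log source; the playbook does not say where its alert comes from) for the three directory-replication control-access rights that a DCSync request needs, and flags any request that does not come from a known domain-controller computer account. The sample events and the allow-list are constructed.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662 records.

Added example, not the playbook's own code. Assumes the sensor forwards 4662
events with the 'Properties' field (access-right GUIDs) and that legitimate
replication comes only from domain-controller computer accounts on an
allow-list. All sample data below is constructed.
"""
from typing import Dict, List, Tuple

# Control-access-right GUIDs a DCSync request needs (well-known AD values).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed allow-list: computer accounts of the real domain controllers.
KNOWN_DC_ACCOUNTS = {"DC01$", "DC02$"}

# Constructed sample 4662 events, reduced to the fields the check needs.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "4662", "SubjectUserName": "DC02$",       # DC-to-DC replication
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": "4662", "SubjectUserName": "jdoe",        # user account, suspicious
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": "4662", "SubjectUserName": "svc-backup",  # unrelated right (constructed GUID)
     "Properties": "{aaaaaaaa-1111-2222-3333-444444444444}"},
    {"EventID": "4624", "SubjectUserName": "jdoe", "Properties": ""},  # not a 4662
]


def find_dcsync(events, known_dcs=KNOWN_DC_ACCOUNTS) -> List[Tuple[str, List[str]]]:
    """Return (account, [right names]) for each suspicious replication request."""
    hits = []
    for ev in events:
        if ev.get("EventID") != "4662":
            continue
        props = ev.get("Properties", "").lower()
        rights = [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]
        if not rights or ev.get("SubjectUserName") in known_dcs:
            continue  # no replication right requested, or expected DC replication
        hits.append((ev["SubjectUserName"], rights))
    return hits


if __name__ == "__main__":
    for account, rights in find_dcsync(SAMPLE_EVENTS):
        print(f"possible DCSync by {account}: {', '.join(rights)}")
```

In production the allow-list should be derived from the domain's DC computer accounts rather than hand-typed, and a hit on this rule is what escalates under the note above.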