**Clarify & priorities**- Isolate suspected account activity window, affected hosts/shares, and business impact. Prioritize containment to stop further exfiltration while preserving evidence.**Containment actions**- Immediately disable the domain account in a staged way: remove from privileged groups (Domain Admins, Enterprise Admins) then disable in AD to avoid breaking services that use the account.- Isolate involved endpoints and file servers from network (or apply host-based firewall rules) to stop lateral movement and exfil.- Block account logons via logon restrictions (Logon Workstations or deny logon via GPO) and revoke active Kerberos tickets (see remediation below).**Forensic evidence collection (preserve chain of custody first)**- Collect Windows Event Logs from domain controllers and hosts for the timeframe: - Security (4624, 4625, 4648, 4672, 4673, 4688, 4698/4699) - AD DS/Directory Service logs (replication/auth anomalies) - System and Application logs- Collect Microsoft-Windows-SMBServer/Operational and File Server Resource Manager logs- Export Sysmon logs (if deployed): process creations, network connections, file creation- Collect Kerberos logs (Event IDs 4768/4769/4776) and ticket-granting events- Pull Netlogon debug and DC diagnostics if replication or DC compromise suspected- Acquire forensic images of involved endpoints and file servers (volatile memory first if possible) and preserve USN Journal, MFT, SAM, and Volume Shadow Copies- Pull open file/SMB session info live: use Net File and Get-SmbSession/Get-SmbOpenFile- Query SIEM for data egress: network flows, DNS, proxy/HTTP logs, and DLP alertsExample commands to gather live evidence:powershell
# Get SMB sessions on a file server
Get-SmbSession | Select-Object ClientComputerName,UserName,SessionId
# List open files
Get-SmbOpenFile | Select-Object ClientUserName,Path,FileId
# Query Security log for Kerberos and privilege events
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=@(4624,4672,4768,4769,4625)} -MaxEvents 500
**Account remediation**- Disable account in AD after ensuring any dependent services are reconfigured.- Force credential rotation: reset password, rotate associated service account keys/certificates, and revoke/renew any linked credentials (SSH keys, stored secrets in vaults).- Revoke Kerberos tickets: restart affected service hosts or use klist purge on endpoints; clear TGTs using domain controller revocation when necessary.- Check and remove suspicious group memberships and scheduled tasks, service registrations, and delegated permissions.- If account used for automation, replace with new managed service accounts and update runbooks.**Determine scope of access**- Query DC Security logs for all successful logons (4624) and privileged elevation (4672) for the account across time window.- On file servers, parse SMB open/close logs and File Access auditing to list files accessed/copies. Use FSRM or audit Object Access (4663) and correlate to user tokens.- Use MFT, USN Journal, and volume shadow copy snapshots to detect file creation/reads/deletes.- Correlate with network logs (proxy, VPN, firewall) and endpoint network connections from Sysmon to identify exfil endpoints and transfer methods (SMB copy, RDP, cloud upload).- Search for created archives (zip/rar), use timeline analysis to prioritize files exfiltrated.**Reporting & recovery**- Produce timeline, list of accessed resources, indicators of compromise (IOCs) and recommend password resets organization-wide if needed.- Remediate hosts (patch, reimage if compromised), harden audit policies, enable/verify Sysmon and file-audit policies.- Implement least privilege reviews, break-glass monitoring, MFA for privileged accounts, and credential vaulting.This sequence balances stopping active damage, preserving evidence for investigation/legal needs, and restoring secure operation.