- Look for processes accessing LSASS memory (lsass.exe)
- Check for Mimikatz artifacts in memory
- Examine process handles for access to credential stores
- Look for ntdsutil.exe or suspicious vshadow.exe activity
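
The first and last checks above, as an added example that is not part of the original checklist: a Python triage pass over Sysmon-style events. It assumes Sysmon ProcessAccess (Event ID 10) and ProcessCreate (Event ID 1) logging is available; the allowlist, the `triage` helper and the sample events are hypothetical and constructed for illustration.

```python
import ntpath

PROCESS_VM_READ = 0x0010  # Windows access right required to read another process's memory
SHADOW_TOOLS = {"ntdsutil.exe", "vshadow.exe"}
# Assumption: hypothetical allowlist of sources expected to open LSASS; tune per environment.
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}

def triage(events):
    """Return (reason, process path) for each event that matches the checklist."""
    findings = []
    for ev in events:
        if ev["EventID"] == 10:  # Sysmon ProcessAccess
            target = ntpath.basename(ev["TargetImage"]).lower()
            mask = int(ev["GrantedAccess"], 16)
            source = ev["SourceImage"].lower()
            # Flag only handles that can actually read LSASS memory.
            if target == "lsass.exe" and mask & PROCESS_VM_READ and source not in ALLOWED_SOURCES:
                findings.append(("lsass_memory_read", ev["SourceImage"]))
        elif ev["EventID"] == 1:  # Sysmon ProcessCreate
            if ntpath.basename(ev["Image"]).lower() in SHADOW_TOOLS:
                findings.append(("shadow_copy_tool", ev["Image"]))
    return findings

# Constructed sample events (not taken from a real host)
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Users\bob\AppData\Local\Temp\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 1, "Image": r"C:\Windows\System32\ntdsutil.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for reason, proc in triage(SAMPLE_EVENTS):
        print(reason, proc)
```

The `0x1000` event is skipped because that mask (query limited information only) cannot read memory, which keeps routine process enumeration out of the results.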