npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
NIST CSF 2.0
When to Use
Use this skill when:
- SOC teams need a standardized ransomware response playbook for Tier 1-3 analysts
- An organization lacks documented procedures for ransomware containment and recovery
- Tabletop exercises reveal gaps in ransomware response coordination
- Compliance requirements (NIST CSF, ISO 27001) mandate documented incident playbooks
Do not use during an active ransomware incident as the sole guide — have pre-built playbooks tested and rehearsed before incidents occur.
Prerequisites
- SIEM platform (Splunk ES, Elastic Security, or Sentinel) with endpoint and network data
- EDR solution (CrowdStrike, SentinelOne, or Microsoft Defender for Endpoint) with network isolation capability
- Backup infrastructure with tested recovery procedures and offline/immutable backups
- Communication plan with legal, executive leadership, and external IR retainer contacts
- MITRE ATT&CK knowledge for ransomware technique chains
Workflow
Step 1: Define Detection Triggers
Create SIEM detection rules for early ransomware indicators:
Mass File Encryption Detection (Splunk):
index=sysmon EventCode=11
| bin _time span=1m
| stats dc(TargetFilename) AS unique_files, values(TargetFilename) AS sample_files by Computer, Image, _time
| where unique_files > 100
| eval suspicious_extensions = if(match(mvjoin(sample_files, ","), "\.(encrypted|locked|crypt|enc|ransom)"), "YES", "NO")
| where suspicious_extensions="YES" OR unique_files > 500
| sort - unique_filesShadow Copy Deletion (T1490):
index=wineventlog sourcetype="WinEventLog:Security" OR index=sysmon EventCode=1
(CommandLine="*vssadmin*delete*shadows*" OR CommandLine="*wmic*shadowcopy*delete*"
OR CommandLine="*bcdedit*/set*recoveryenabled*no*" OR CommandLine="*wbadmin*delete*catalog*")
| table _time, Computer, User, ParentImage, Image, CommandLineRansomware Note File Creation:
index=sysmon EventCode=11
TargetFilename IN ("*README*.txt", "*DECRYPT*.txt", "*RANSOM*.txt", "*RECOVER*.html", "*HOW_TO*.txt")
| stats count by Computer, Image, TargetFilename
| where count > 5Elastic Security EQL variant:
sequence by host.name with maxspan=2m
[process where event.type == "start" and
process.args : ("*vssadmin*", "*delete*", "*shadows*")]
[file where event.type == "creation" and
file.name : ("*README*DECRYPT*", "*RANSOM*", "*HOW_TO_RECOVER*")]Step 2: Build Triage Decision Tree
RANSOMWARE ALERT TRIAGE
│
├── Is encryption actively occurring?
│ ├── YES → IMMEDIATE: Isolate host from network (Step 3)
│ │ Do NOT power off (preserve memory for forensics)
│ └── NO → Is this a pre-encryption indicator?
│ ├── Shadow copy deletion → HIGH PRIORITY: Isolate and investigate
│ ├── Known ransomware hash → HIGH PRIORITY: Block hash, scan enterprise
│ └── Suspicious process behavior → MEDIUM: Investigate, prepare isolation
│
├── How many hosts affected?
│ ├── Single host → Contained incident, follow host isolation procedure
│ ├── Multiple hosts (2-10) → Escalate to Tier 2, begin enterprise-wide scan
│ └── Enterprise-wide (>10) → Activate full IR team, engage external retainer
│
└── Is data exfiltration confirmed?
├── YES → Double extortion scenario, engage legal for breach notification
└── NO/UNKNOWN → Check for Cobalt Strike/C2 beacons, review outbound transfersStep 3: Containment Procedures
Network Isolation via EDR (CrowdStrike Falcon):
# Isolate host using CrowdStrike Falcon API
curl -X POST "https://api.crowdstrike.com/devices/entities/devices-actions/v2?action_name=contain" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"ids": ["device_id_here"]}'Network Isolation via Microsoft Defender for Endpoint:
# Isolate machine via MDE API
$headers = @{Authorization = "Bearer $token"}
$body = @{Comment = "Ransomware containment - IR-2024-0500"; IsolationType = "Full"} | ConvertTo-Json
Invoke-RestMethod -Uri "https://api.securitycenter.microsoft.com/api/machines/$machineId/isolate" `
-Method Post -Headers $headers -Body $body -ContentType "application/json"Firewall Emergency Rules:
# Palo Alto — Block SMB lateral spread
set rulebase security rules RansomwareContainment from Trust to Trust
set rulebase security rules RansomwareContainment application ms-ds-smb
set rulebase security rules RansomwareContainment action deny
set rulebase security rules RansomwareContainment disabled no
commitActive Directory Emergency Actions:
# Disable compromised account
Disable-ADAccount -Identity "compromised_user"
# Reset Kerberos TGT (if domain admin compromised)
# WARNING: This resets krbtgt and requires two resets 12+ hours apart
Reset-KrbtgtKeys -Server "DC-PRIMARY" -Force
# Block lateral movement by disabling remote services
Set-Service -Name "RemoteRegistry" -StartupType Disabled -Status StoppedStep 4: Evidence Collection and Preservation
Collect forensic artifacts before remediation:
# Capture running processes and network connections
Get-Process | Export-Csv "C:\IR\processes_$(hostname).csv"
Get-NetTCPConnection | Export-Csv "C:\IR\netstat_$(hostname).csv"
# Capture memory dump (if host still running)
winpmem_mini_x64.exe C:\IR\memory_$(hostname).raw
# Collect ransomware artifacts
Copy-Item "C:\Users\*\Desktop\*README*" "C:\IR\ransom_notes\" -Recurse
Copy-Item "C:\Users\*\Desktop\*.encrypted" "C:\IR\encrypted_samples\" -Force
# Capture event logs
wevtutil epl Security "C:\IR\Security_$(hostname).evtx"
wevtutil epl System "C:\IR\System_$(hostname).evtx"
wevtutil epl "Microsoft-Windows-Sysmon/Operational" "C:\IR\Sysmon_$(hostname).evtx"Step 5: Eradication and Recovery
Identify ransomware variant:
- Upload encrypted sample and ransom note to ID Ransomware (https://id-ransomware.malwarehunterteam.com/)
- Check No More Ransom Project (https://www.nomoreransom.org/) for available decryptors
- Search for ransomware family IOCs in MalwareBazaar
Enterprise-wide IOC scan in Splunk:
index=sysmon (EventCode=1 OR EventCode=11 OR EventCode=3)
(TargetFilename="*ransomware_binary_name*" OR sha256="KNOWN_HASH"
OR DestinationIp="C2_IP_ADDRESS" OR CommandLine="*malicious_command*")
| stats count by Computer, EventCode, Image, CommandLine
| sort - countRecovery from backups:
- Verify backup integrity (offline/immutable backups not affected)
- Rebuild affected systems from known-good images
- Restore data from last clean backup
- Validate restored systems before reconnecting to network
- Monitor restored systems for 72 hours for reinfection
Step 6: Post-Incident Documentation
Structure the playbook conclusion with lessons learned:
POST-INCIDENT REVIEW TEMPLATE
1. Timeline of events (detection to full recovery)
2. Initial access vector identification
3. Dwell time analysis (time from initial compromise to encryption)
4. Detection gaps identified
5. Response effectiveness metrics (MTTD, MTTC, MTTR)
6. Playbook improvements recommended
7. New detection rules deployed
8. Backup and recovery procedure updatesKey Concepts
| Term | Definition |
|---|---|
| Double Extortion | Ransomware tactic combining data encryption with data theft, threatening public release if ransom unpaid |
| Dwell Time | Duration between initial compromise and detection — ransomware operators average 5-9 days before encryption |
| MTTC | Mean Time to Contain — time from detection to successful isolation of affected systems |
| Kill Chain | Ransomware progression: Initial Access -> Execution -> Persistence -> Privilege Escalation -> Lateral Movement -> Collection -> Exfiltration -> Impact |
| Immutable Backup | Backup storage that cannot be modified or deleted for a defined retention period (WORM storage) |
| RTO/RPO | Recovery Time Objective / Recovery Point Objective — maximum acceptable downtime and data loss thresholds |
Tools & Systems
- CrowdStrike Falcon / SentinelOne: EDR platforms with network isolation, process kill, and threat hunting capabilities
- Splunk ES / Elastic Security: SIEM platforms for detection rule deployment and enterprise-wide IOC scanning
- ID Ransomware: Online service identifying ransomware variants from encrypted file samples and ransom notes
- No More Ransom Project: Europol-backed initiative providing free decryption tools for known ransomware families
- Veeam / Rubrik: Enterprise backup solutions with immutable backup support and instant recovery capabilities
Common Scenarios
- LockBit Attack: Detected via SMB lateral movement and mass file encryption — isolate, scan for Cobalt Strike beacons
- BlackCat/ALPHV: Detected via ransomware note creation — check for data exfiltration via Rclone or Mega upload
- Conti/Royal: Detected via shadow copy deletion — check for prior BazarLoader/Emotet initial access
- RansomHub: Detected via anomalous process execution — investigate for compromised VPN or RDP credentials
- Play Ransomware: Detected via service account abuse — audit AD for newly created accounts and group membership changes
Output Format
RANSOMWARE PLAYBOOK EXECUTION — IR-2024-0500
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Phase 1 - Detection:
Alert: Mass file encryption detected on FILESERVER-03
Variant: LockBit 3.0 (confirmed via ID Ransomware)
MTTD: 12 minutes from first encryption to SOC alert
Phase 2 - Containment:
[DONE] FILESERVER-03 isolated via CrowdStrike at 14:35 UTC
[DONE] SMB blocked enterprise-wide via firewall emergency rule
[DONE] Compromised service account disabled in AD
MTTC: 23 minutes
Phase 3 - Eradication:
[DONE] 3 additional hosts with C2 beacon identified and isolated
[DONE] Cobalt Strike C2 domain (c2[.]evil[.]com) sinkholed
[DONE] Enterprise-wide IOC scan completed — no additional infections
Phase 4 - Recovery:
[DONE] FILESERVER-03 rebuilt from gold image
[DONE] Data restored from immutable Veeam backup (RPO: 4 hours)
[DONE] Systems monitored 72 hours — no reinfection
MTTR: 18 hours
Total Affected: 1 server, 3 workstations
Data Loss: 4 hours of file modifications (backup RPO)
Exfiltration: No evidence of data exfiltration confirmedReferences and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 1
api-reference.md2.2 KB
API Reference: Ransomware Playbook Automation Agent
Overview
Automates ransomware incident response workflow: sample identification, host isolation via CrowdStrike, IOC extraction via MalwareBazaar, and enterprise-wide IOC scanning via Splunk.
Dependencies
| Package | Version | Purpose |
|---|---|---|
| requests | >=2.28 | HTTP API communication |
CLI Usage
python agent.py --incident-id IR-2024-0500 --sample encrypted_file.locked \
--device-id <device_id> --cs-token <token> \
--splunk-url https://splunk:8089 --splunk-key <key>Arguments
| Argument | Required | Description |
|---|---|---|
--incident-id |
Yes | Incident ticket identifier |
--sample |
No | Path to encrypted file sample for identification |
--device-id |
No | CrowdStrike device ID to isolate |
--cs-token |
No | CrowdStrike API bearer token |
--splunk-url |
No | Splunk management URL |
--splunk-key |
No | Splunk session key |
--output |
No | Output report file (default: ransomware_ir_report.json) |
Key Functions
check_id_ransomware(sample_path)
Uploads encrypted file sample to ID Ransomware for variant identification.
query_nomoreransom(ransomware_family)
Checks the No More Ransom Project for available free decryptors.
query_malwarebazaar_hash(file_hash)
Queries Abuse.ch MalwareBazaar API for sample metadata and family attribution.
isolate_host_crowdstrike(api_base, token, device_id)
Isolates a host using the CrowdStrike Falcon contain action API.
search_iocs_splunk(splunk_url, session_key, ioc_list)
Searches Splunk Sysmon data for enterprise-wide IOC matches.
collect_iocs_from_sample(sample_path)
Computes SHA-256/MD5 hashes of a sample and enriches via MalwareBazaar.
External APIs Used
| API | Endpoint | Purpose |
|---|---|---|
| MalwareBazaar | https://mb-api.abuse.ch/api/v1/ |
Hash lookup and family ID |
| CrowdStrike Falcon | /devices/entities/devices-actions/v2 |
Host isolation |
| ID Ransomware | https://id-ransomware.malwarehunterteam.com/ |
Variant identification |
| Splunk REST | /services/search/jobs |
Enterprise IOC search |
Scripts 1
agent.py5.9 KB
#!/usr/bin/env python3
"""Ransomware Playbook Automation Agent - Automates SOC ransomware response steps."""
import json
import logging
import os
import argparse
import hashlib
from datetime import datetime
import requests
logging.basicConfig(level=logging.INFO, format="%(asctime)s [%(levelname)s] %(message)s")
logger = logging.getLogger(__name__)
def check_id_ransomware(sample_path):
"""Upload encrypted file sample to ID Ransomware for variant identification."""
url = "https://id-ransomware.malwarehunterteam.com/index.php"
with open(sample_path, "rb") as f:
files = {"sampleUpload": (sample_path, f)}
resp = requests.post(url, files=files, timeout=60)
logger.info("ID Ransomware response status: %d", resp.status_code)
return resp.text
def query_nomoreransom(ransomware_family):
"""Check No More Ransom Project for available decryptors."""
url = f"https://www.nomoreransom.org/en/decryption-tools.html"
resp = requests.get(url, timeout=30)
if ransomware_family.lower() in resp.text.lower():
logger.info("Decryptor may be available for %s on No More Ransom", ransomware_family)
return True
logger.info("No decryptor found for %s", ransomware_family)
return False
def query_malwarebazaar_hash(file_hash):
"""Query MalwareBazaar for IOC details by SHA-256 hash."""
url = "https://mb-api.abuse.ch/api/v1/"
data = {"query": "get_info", "hash": file_hash}
resp = requests.post(url, data=data, timeout=30)
result = resp.json()
if result.get("query_status") == "ok":
sample = result["data"][0]
logger.info(
"MalwareBazaar match: %s (family: %s)",
sample.get("sha256_hash"),
sample.get("signature"),
)
return sample
return None
def isolate_host_crowdstrike(api_base, token, device_id):
"""Isolate a compromised host via CrowdStrike Falcon API."""
headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
resp = requests.post(
f"{api_base}/devices/entities/devices-actions/v2?action_name=contain",
headers=headers,
json={"ids": [device_id]},
timeout=30,
)
resp.raise_for_status()
logger.info("Host %s isolated via CrowdStrike", device_id)
return resp.json()
def search_iocs_splunk(splunk_url, session_key, ioc_list):
"""Search Splunk for IOC matches across the enterprise."""
ioc_query = " OR ".join([f'"{ioc}"' for ioc in ioc_list])
query = (
f"search index=sysmon (EventCode=1 OR EventCode=11 OR EventCode=3) ({ioc_query}) "
"| stats count by Computer, EventCode, Image, CommandLine | sort - count"
)
resp = requests.post(
f"{splunk_url}/services/search/jobs",
headers={"Authorization": f"Splunk {session_key}"},
data={"search": f"search {query}", "output_mode": "json"},
verify=not os.environ.get("SKIP_TLS_VERIFY", "").lower() == "true", # Set SKIP_TLS_VERIFY=true for self-signed certs in lab environments
timeout=30,
)
return resp.json()
def generate_ir_report(incident_id, variant, affected_hosts, containment_actions, iocs):
"""Generate a structured ransomware incident response report."""
report = {
"incident_id": incident_id,
"timestamp": datetime.utcnow().isoformat(),
"ransomware_variant": variant,
"affected_hosts": affected_hosts,
"containment_actions": containment_actions,
"indicators_of_compromise": iocs,
"phases": {
"detection": "Completed",
"containment": "Completed" if containment_actions else "Pending",
"eradication": "Pending",
"recovery": "Pending",
},
}
print(json.dumps(report, indent=2))
return report
def collect_iocs_from_sample(sample_path):
"""Extract IOCs from a ransomware sample file hash."""
with open(sample_path, "rb") as f:
content = f.read()
sha256 = hashlib.sha256(content).hexdigest()
md5 = hashlib.md5(content).hexdigest()
logger.info("Sample SHA-256: %s", sha256)
logger.info("Sample MD5: %s", md5)
bazaar_info = query_malwarebazaar_hash(sha256)
iocs = {"sha256": sha256, "md5": md5}
if bazaar_info:
iocs["family"] = bazaar_info.get("signature", "unknown")
iocs["tags"] = bazaar_info.get("tags", [])
return iocs
def main():
parser = argparse.ArgumentParser(description="Ransomware Playbook Automation Agent")
parser.add_argument("--incident-id", required=True, help="Incident ticket ID")
parser.add_argument("--sample", help="Path to encrypted file sample")
parser.add_argument("--device-id", help="CrowdStrike device ID for isolation")
parser.add_argument("--cs-token", help="CrowdStrike API bearer token")
parser.add_argument("--splunk-url", help="Splunk management URL")
parser.add_argument("--splunk-key", help="Splunk session key")
parser.add_argument("--output", default="ransomware_ir_report.json")
args = parser.parse_args()
iocs = {}
variant = "Unknown"
containment_actions = []
if args.sample:
iocs = collect_iocs_from_sample(args.sample)
variant = iocs.get("family", "Unknown")
query_nomoreransom(variant)
if args.device_id and args.cs_token:
isolate_host_crowdstrike(
"https://api.crowdstrike.com", args.cs_token, args.device_id
)
containment_actions.append(f"Isolated device {args.device_id} via CrowdStrike")
if args.splunk_url and args.splunk_key and iocs:
search_iocs_splunk(args.splunk_url, args.splunk_key, [iocs.get("sha256", "")])
report = generate_ir_report(
args.incident_id, variant, [args.device_id] if args.device_id else [], containment_actions, iocs
)
with open(args.output, "w") as f:
json.dump(report, f, indent=2)
logger.info("IR report saved to %s", args.output)
if __name__ == "__main__":
main()