npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
When to Use
- A confirmed intrusion is in progress with an active adversary on the network
- Malware is spreading laterally across endpoints or servers
- A compromised account is being used for unauthorized access to systems
- Ransomware encryption has been detected and is actively propagating
- An attacker has established command-and-control communications from internal hosts
Do not use for post-incident cleanup when the adversary is no longer active; use eradication procedures instead.
Prerequisites
- Confirmed incident classification with P1 or P2 severity from triage
- EDR console access with host isolation capabilities (CrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne)
- Network firewall and switch management access for segmentation
- Active Directory or identity provider administrative access for credential actions
- Pre-approved containment authority documented in the incident response plan
- Evidence preservation plan to avoid destroying forensic artifacts during containment
Workflow
Step 1: Assess Containment Scope
Before taking containment actions, map the full scope of compromise to avoid partial containment that alerts the adversary:
- Identify all confirmed compromised hosts via EDR telemetry and SIEM correlation
- Map lateral movement paths using authentication logs (Windows Event ID 4624 Type 3 and Type 10)
- Identify all compromised credentials (check for pass-the-hash, Kerberoasting, DCSync activity)
- Determine C2 channels (beacon intervals, domains, IPs, protocols)
- Assess whether the adversary has domain admin or equivalent privileges
Containment Scope Assessment:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Compromised Hosts: 5 (WKSTN-042, WKSTN-087, SRV-FILE01, SRV-DC02, WKSTN-103)
Compromised Accounts: 3 (jsmith, svc-backup, admin-tier0)
C2 Channels: HTTPS beacon to 185.220.x.x every 60s ± 15% jitter
Lateral Movement: PsExec via svc-backup, RDP via admin-tier0
Adversary Privilege: Domain Admin (admin-tier0 compromised)
Data at Risk: Finance share (\\SRV-FILE01\finance$) accessedStep 2: Execute Short-Term Containment
Implement immediate actions to stop adversary operations without destroying evidence:
Network Containment:
- Isolate confirmed compromised endpoints via EDR network containment (maintains agent communication)
- Block C2 IP addresses and domains at perimeter firewall and internal DNS
- Implement microsegmentation rules to prevent communication between compromised hosts
- Sinkhole C2 domains at internal DNS to capture connection attempts from undiscovered implants
Identity Containment:
- Disable compromised user accounts in Active Directory (do not delete; preserve audit trail)
- Reset passwords for all compromised accounts
- Revoke active sessions and tokens (Azure AD:
Revoke-AzureADUserAllRefreshToken) - Disable the compromised service account and rotate its credentials
- If Domain Admin is compromised: double-reset the KRBTGT password (reset twice, 12 hours apart)
Endpoint Containment:
- Use EDR to terminate malicious processes on contained hosts
- Block known malicious hashes in EDR prevention policy
- Quarantine identified malware samples
- Disable remote services (WinRM, RDP, SMB) on critical servers not yet compromised
Step 3: Execute Long-Term Containment
Implement sustainable containment while the investigation continues:
- Create network ACLs isolating the compromised VLAN/subnet while allowing business-critical traffic
- Deploy temporary jump hosts for administrators to access contained systems for investigation
- Implement enhanced monitoring (full packet capture) on network segments adjacent to compromised hosts
- Enable advanced audit policies on all domain controllers (4768, 4769, 4771 for Kerberos attacks)
- Deploy canary tokens and honeypot accounts to detect adversary attempts to expand from containment
Step 4: Validate Containment Effectiveness
Confirm that containment measures have stopped adversary operations:
- Monitor for new C2 callbacks from any internal host to known adversary infrastructure
- Check for new lateral movement attempts (failed authentication from disabled accounts)
- Verify that contained hosts cannot reach the internet except through the EDR agent
- Confirm that compromised credentials produce authentication failures
- Review SIEM for any new alerts matching the adversary's known TTPs
Containment Validation Checklist:
[x] C2 beacon traffic ceased from all known compromised hosts
[x] Disabled accounts producing expected 4625 failure events (no new successes)
[x] Contained hosts unreachable via network scan from adjacent subnets
[x] No new hosts exhibiting IOCs from the initial compromise
[x] Honeypot account has not been accessed (adversary may be dormant)
[ ] Full packet capture running on finance VLAN (pending switch config)Step 5: Preserve Evidence During Containment
Containment must not destroy forensic evidence:
- Capture memory dumps from compromised hosts before any remediation (use WinPmem or Magnet RAM Capture)
- Collect volatile data: running processes, network connections, logged-on users, scheduled tasks
- Export relevant event logs before they rotate (Security, System, PowerShell, Sysmon)
- Capture network traffic between compromised hosts and C2 infrastructure
- Document all containment actions with timestamps for the incident timeline
Step 6: Communicate Containment Status
Provide structured status updates to incident commander and stakeholders:
- Current containment effectiveness (percentage of adversary activity stopped)
- Remaining risks (undiscovered implants, persistence mechanisms not yet identified)
- Business impact of containment actions (which systems are offline, user impact)
- Estimated timeline for eradication phase
- Escalation needs (law enforcement notification, external IR retainer activation)
Key Concepts
| Term | Definition |
|---|---|
| Short-Term Containment | Immediate actions to stop active adversary operations; typically network isolation and credential disablement |
| Long-Term Containment | Sustainable measures allowing continued investigation while preventing adversary re-access |
| KRBTGT Double Reset | Resetting the KRBTGT password twice to invalidate all existing Kerberos tickets including golden tickets |
| Network Containment | EDR feature that isolates an endpoint from all network communication except the EDR management channel |
| Lateral Movement | Adversary technique of moving from one compromised system to another within a network using stolen credentials or exploits |
| C2 Sinkholing | Redirecting DNS queries for C2 domains to an internal server to prevent adversary communication and detect additional victims |
| Microsegmentation | Granular network access controls between workloads that limit lateral communication paths |
Tools & Systems
- CrowdStrike Falcon: Endpoint containment with one-click network isolation preserving agent connectivity
- Microsoft Defender for Endpoint: Live response console for remote containment actions and evidence collection
- Palo Alto Networks NGFW: Application-aware firewall rules for C2 traffic blocking and microsegmentation
- Velociraptor: Open-source endpoint monitoring and response tool for artifact collection during containment
- BloodHound: Active Directory attack path mapping to identify potential lateral movement routes the adversary may exploit
Common Scenarios
Scenario: Ransomware Lateral Propagation via SMB
Context: EDR alerts on three file servers showing rapid file encryption. The ransomware is spreading via SMB using a compromised domain service account.
Approach:
- Immediately isolate all three file servers via EDR network containment
- Disable the compromised service account in Active Directory
- Block SMB (TCP 445) between all server VLANs at the network switch layer
- Deploy an emergency GPO disabling the SMB server service on non-critical endpoints
- Capture memory from one encrypted server before it reboots
- Search for the ransomware binary hash across all endpoints using EDR threat hunting
Pitfalls:
- Shutting down servers immediately, destroying volatile memory evidence
- Only disabling the known compromised account without checking for other persistence mechanisms
- Restoring from backup before confirming the adversary's access has been fully revoked
Output Format
CONTAINMENT STATUS REPORT
=========================
Incident: INC-2025-1547
Status: CONTAINED (Short-Term)
Timestamp: 2025-11-15T15:47:00Z
Containment Lead: [Name]
ACTIONS TAKEN
Network:
- [x] 5 hosts isolated via CrowdStrike containment
- [x] C2 IP 185.220.x.x blocked at perimeter FW (rule #4521)
- [x] C2 domain evil.example[.]com sinkholed to 10.0.0.99
Identity:
- [x] jsmith account disabled
- [x] svc-backup account disabled, password rotated
- [x] admin-tier0 account disabled
- [x] KRBTGT first reset completed at 15:30 UTC
Endpoint:
- [x] Malicious hash blocked in EDR prevention policy
- [x] Malware processes terminated on all contained hosts
EVIDENCE PRESERVED
- Memory dumps: 3 of 5 hosts completed
- Event logs exported: all 5 hosts
- Network capture: running on finance VLAN
REMAINING RISKS
- Possible undiscovered implants on non-EDR endpoints (15 legacy hosts)
- KRBTGT second reset pending (scheduled 03:30 UTC +1 day)
- Adversary may have exfiltrated data before containment
BUSINESS IMPACT
- Finance file share offline (affects 42 users)
- 3 user workstations isolated (users reassigned to loaners)
- Estimated restoration: pending eradication completionReferences and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 1
api-reference.md2.5 KB
Active Breach Containment API Reference
CrowdStrike Falcon - Host Containment
# Contain a host (network isolation)
curl -X POST "https://api.crowdstrike.com/devices/entities/devices-actions/v2?action_name=contain" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"ids": ["device_id_here"]}'
# Lift containment
curl -X POST "https://api.crowdstrike.com/devices/entities/devices-actions/v2?action_name=lift_containment" \
-H "Authorization: Bearer $TOKEN" \
-d '{"ids": ["device_id_here"]}'Microsoft Defender for Endpoint - Isolation
# Isolate machine via API
$body = @{ Comment = "Breach containment INC-2025-001"; IsolationType = "Full" } | ConvertTo-Json
Invoke-RestMethod -Uri "https://api.securitycenter.microsoft.com/api/machines/$machineId/isolate" `
-Method Post -Headers @{Authorization = "Bearer $token"} -Body $body -ContentType "application/json"
# Release from isolation
Invoke-RestMethod -Uri "https://api.securitycenter.microsoft.com/api/machines/$machineId/unisolate" `
-Method Post -Headers @{Authorization = "Bearer $token"} `
-Body (@{Comment = "Containment lifted"} | ConvertTo-Json) -ContentType "application/json"Active Directory - Credential Actions
# Disable compromised account
Disable-ADAccount -Identity "jsmith"
# Reset password
Set-ADAccountPassword -Identity "jsmith" -Reset -NewPassword (ConvertTo-SecureString "NewP@ss!" -AsPlainText -Force)
# Revoke Azure AD sessions
Revoke-AzureADUserAllRefreshToken -ObjectId "user-object-id"
# KRBTGT double reset (first reset)
Reset-KrbtgtKeys -Server DC01 -ForceNetwork Containment - iptables
# Block C2 IP
iptables -A INPUT -s 185.220.x.x -j DROP
iptables -A OUTPUT -d 185.220.x.x -j DROP
# Isolate host from network (allow management only)
iptables -A FORWARD -s 10.10.5.12 -d 10.10.0.1 -j ACCEPT
iptables -A FORWARD -s 10.10.5.12 -j DROP
# Block SMB lateral movement
iptables -A FORWARD -p tcp --dport 445 -j DROPDNS Sinkholing
# Add sinkhole entry
echo "127.0.0.1 evil.example.com" >> /etc/hosts
# Unbound DNS sinkhole
unbound-control local_zone "evil.example.com" redirect
unbound-control local_data "evil.example.com A 10.0.0.99"Evidence Collection
# Memory dump (Linux)
sudo dd if=/proc/kcore of=/evidence/memory.raw bs=1M
# Volatile data collection
ps auxww > /evidence/processes.txt
ss -tunap > /evidence/network.txt
cat /proc/net/arp > /evidence/arp.txtScripts 1
agent.py7.4 KB
#!/usr/bin/env python3
"""Active breach containment agent for incident response operations."""
import json
import subprocess
import sys
from datetime import datetime
def block_ip_at_firewall(ip_address, chain="INPUT", comment="breach-containment"):
"""Block a C2 or malicious IP address using iptables."""
cmd = [
"iptables", "-A", chain, "-s", ip_address, "-j", "DROP",
"-m", "comment", "--comment", comment,
]
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
return {
"action": "block_ip",
"ip": ip_address,
"success": result.returncode == 0,
"error": result.stderr.strip() if result.returncode != 0 else None,
"timestamp": datetime.utcnow().isoformat() + "Z",
}
except Exception as e:
return {"action": "block_ip", "ip": ip_address, "success": False, "error": str(e)}
def disable_ad_account(username, domain_controller=None):
"""Disable a compromised Active Directory account via PowerShell."""
ps_cmd = f'Disable-ADAccount -Identity "{username}" -Confirm:$false'
if domain_controller:
ps_cmd += f' -Server "{domain_controller}"'
cmd = ["powershell", "-Command", ps_cmd]
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
return {
"action": "disable_account",
"username": username,
"success": result.returncode == 0,
"error": result.stderr.strip() if result.returncode != 0 else None,
"timestamp": datetime.utcnow().isoformat() + "Z",
}
except Exception as e:
return {"action": "disable_account", "username": username, "success": False, "error": str(e)}
def reset_ad_password(username, domain_controller=None):
"""Force password reset for a compromised AD account."""
ps_cmd = (
f'Set-ADAccountPassword -Identity "{username}" -Reset '
f'-NewPassword (ConvertTo-SecureString -AsPlainText '
f'"TempP@ss{datetime.now().strftime("%H%M%S")}!" -Force)'
)
if domain_controller:
ps_cmd += f' -Server "{domain_controller}"'
cmd = ["powershell", "-Command", ps_cmd]
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
return {
"action": "reset_password",
"username": username,
"success": result.returncode == 0,
"timestamp": datetime.utcnow().isoformat() + "Z",
}
except Exception as e:
return {"action": "reset_password", "username": username, "success": False, "error": str(e)}
def isolate_host_firewall(host_ip, management_ip=None):
"""Isolate a compromised host by blocking all traffic except management."""
commands = []
if management_ip:
commands.append(
["iptables", "-A", "FORWARD", "-s", host_ip, "-d", management_ip, "-j", "ACCEPT"]
)
commands.append(
["iptables", "-A", "FORWARD", "-s", management_ip, "-d", host_ip, "-j", "ACCEPT"]
)
commands.append(["iptables", "-A", "FORWARD", "-s", host_ip, "-j", "DROP"])
commands.append(["iptables", "-A", "FORWARD", "-d", host_ip, "-j", "DROP"])
results = []
for cmd in commands:
try:
r = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
results.append({"cmd": " ".join(cmd), "success": r.returncode == 0})
except Exception as e:
results.append({"cmd": " ".join(cmd), "success": False, "error": str(e)})
return {
"action": "isolate_host",
"host_ip": host_ip,
"management_ip": management_ip,
"results": results,
"timestamp": datetime.utcnow().isoformat() + "Z",
}
def block_smb_lateral_movement():
"""Block SMB (port 445) between server VLANs to prevent lateral movement."""
cmd = ["iptables", "-A", "FORWARD", "-p", "tcp", "--dport", "445", "-j", "DROP"]
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
return {
"action": "block_smb",
"success": result.returncode == 0,
"timestamp": datetime.utcnow().isoformat() + "Z",
}
except Exception as e:
return {"action": "block_smb", "success": False, "error": str(e)}
def sinkhole_domain(domain, sinkhole_ip="127.0.0.1", hosts_file="/etc/hosts"):
"""Add DNS sinkhole entry for a C2 domain."""
entry = f"{sinkhole_ip}\t{domain}\t# breach-containment {datetime.utcnow().isoformat()}"
try:
with open(hosts_file, "r") as f:
existing = f.read()
if domain in existing:
return {"action": "sinkhole", "domain": domain, "status": "already_sinkholed"}
with open(hosts_file, "a") as f:
f.write("\n" + entry + "\n")
return {
"action": "sinkhole",
"domain": domain,
"sinkhole_ip": sinkhole_ip,
"success": True,
"timestamp": datetime.utcnow().isoformat() + "Z",
}
except Exception as e:
return {"action": "sinkhole", "domain": domain, "success": False, "error": str(e)}
def collect_volatile_evidence(host="localhost"):
"""Collect volatile system data from a compromised host for forensics."""
evidence = {}
commands = {
"processes": ["ps", "auxww"],
"network_connections": ["ss", "-tunap"],
"logged_users": ["who"],
"routing_table": ["ip", "route", "show"],
"arp_table": ["arp", "-an"],
"open_files": ["lsof", "-i", "-P"],
}
for name, cmd in commands.items():
try:
r = subprocess.run(cmd, capture_output=True, text=True, timeout=15)
evidence[name] = r.stdout.strip()
except Exception as e:
evidence[name] = f"Error: {e}"
return {
"action": "collect_evidence",
"host": host,
"evidence": evidence,
"timestamp": datetime.utcnow().isoformat() + "Z",
}
def generate_containment_report(incident_id, actions_taken):
"""Generate a structured containment status report."""
return {
"report_type": "CONTAINMENT_STATUS",
"incident_id": incident_id,
"timestamp": datetime.utcnow().isoformat() + "Z",
"status": "CONTAINED",
"actions_taken": actions_taken,
"validation_pending": [
"Confirm C2 beacons ceased",
"Verify disabled accounts produce auth failures",
"Check no new lateral movement attempts",
],
}
if __name__ == "__main__":
action = sys.argv[1] if len(sys.argv) > 1 else "help"
if action == "block-ip" and len(sys.argv) > 2:
print(json.dumps(block_ip_at_firewall(sys.argv[2]), indent=2))
elif action == "disable-account" and len(sys.argv) > 2:
print(json.dumps(disable_ad_account(sys.argv[2]), indent=2))
elif action == "isolate-host" and len(sys.argv) > 2:
mgmt = sys.argv[3] if len(sys.argv) > 3 else None
print(json.dumps(isolate_host_firewall(sys.argv[2], mgmt), indent=2))
elif action == "block-smb":
print(json.dumps(block_smb_lateral_movement(), indent=2))
elif action == "sinkhole" and len(sys.argv) > 2:
print(json.dumps(sinkhole_domain(sys.argv[2]), indent=2))
elif action == "collect-evidence":
print(json.dumps(collect_volatile_evidence(), indent=2))
else:
print("Usage: agent.py [block-ip <ip>|disable-account <user>|isolate-host <ip> [mgmt_ip]|block-smb|sinkhole <domain>|collect-evidence]")