# remediation

```bash
npx skills add https://github.com/sherifeldeeb/agentskills --skill remediation
```
# Remediation Playbooks Skill

Comprehensive remediation procedures for removing security threats, restoring systems, and recovering from incidents. Provides structured playbooks for malware removal, credential reset, system rebuild, and data recovery.

## Capabilities

- Malware Remediation: Malware removal, ransomware recovery, rootkit removal, web shell cleanup
- Access Remediation: Credential reset, backdoor removal, privilege cleanup, golden ticket remediation
- System Remediation: System rebuild, patch deployment, configuration hardening, log recovery
- Data Remediation: Data breach response, backup restoration, integrity verification, PII exposure handling
- Cloud Remediation: Cloud account recovery, IAM cleanup, S3 security fixes, container remediation
- Business Remediation: BEC recovery, vendor compromise cleanup, supply chain remediation
- Playbook Execution: Track and document remediation progress
## Quick Start

```python
from remediation_utils import (
    MalwareRemediation, AccessRemediation, SystemRemediation,
    DataRemediation, CloudRemediation, BusinessRemediation,
    RemediationPlaybook
)

# Create playbook for incident
playbook = RemediationPlaybook('INC-2024-001', 'Ransomware Recovery')

# Malware removal
malware = MalwareRemediation()
action = malware.remove_malware(
    hostname='WORKSTATION-15',
    malware_type='ransomware',
    malware_artifacts=['/temp/payload.exe', 'HKLM\\...\\Run\\malware']
)
playbook.add_action(action)

# System rebuild
system = SystemRemediation()
action = system.rebuild_system('WORKSTATION-15', 'windows_11', preserve_data=False)
playbook.add_action(action)

# Generate remediation report
print(playbook.generate_report())
```
## Usage

### Malware Remediation: Remove Malware

Remove malware from an infected system.

Example:

```python
from remediation_utils import MalwareRemediation, RemediationPlaybook

playbook = RemediationPlaybook('INC-2024-001', 'Malware Removal')
malware = MalwareRemediation()

# Define malware artifacts discovered during investigation
artifacts = {
    'files': [
        'C:\\Users\\Public\\payload.exe',
        'C:\\Windows\\Temp\\dropper.dll',
        'C:\\ProgramData\\backdoor.exe'
    ],
    'registry': [
        'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\malware',
        'HKCU\\Software\\Classes\\CLSID\\{malicious-guid}'
    ],
    'scheduled_tasks': ['SystemUpdate', 'WindowsDefenderUpdate'],
    'services': ['MaliciousService'],
    'processes': ['payload.exe', 'backdoor.exe']
}

action = malware.remove_malware(
    hostname='WORKSTATION-15',
    malware_type='trojan',
    malware_artifacts=artifacts,
    quarantine_before_delete=True,
    scan_after_removal=True
)
playbook.add_action(action)

print(f"Removal commands: {action.commands}")
print(f"Verification steps: {action.verification_steps}")
```
### Malware Remediation: Ransomware Recovery

Recover from a ransomware infection.

Example:

```python
from remediation_utils import MalwareRemediation

malware = MalwareRemediation()
action = malware.ransomware_recovery(
    hostname='FILESERVER-01',
    ransomware_family='lockbit',
    encrypted_extensions=['.lockbit', '.encrypted'],
    recovery_method='backup',  # backup, decryptor, shadow_copies
    backup_location='\\\\backup-server\\fileserver-01\\latest',
    verify_decryption=True
)

print(f"Recovery steps: {action.recovery_steps}")
print(f"Data validation: {action.validation_steps}")
```
### Malware Remediation: Rootkit Removal

Remove rootkits and bootkits.

Example:

```python
from remediation_utils import MalwareRemediation

malware = MalwareRemediation()
action = malware.rootkit_removal(
    hostname='SERVER-01',
    rootkit_type='kernel',  # kernel, bootkit, firmware
    detection_tool='gmer',
    offline_scan=True,
    rebuild_mbr=True
)

print(f"Removal procedure: {action.commands}")
print(f"Verification: {action.verification_steps}")
```
### Malware Remediation: Web Shell Removal

Remove web shells from compromised servers.

Example:

```python
from remediation_utils import MalwareRemediation

malware = MalwareRemediation()
webshells = [
    '/var/www/html/uploads/shell.php',
    '/var/www/html/images/cmd.php',
    '/var/www/html/includes/backdoor.php'
]

action = malware.webshell_removal(
    hostname='WEBSERVER-01',
    webshell_paths=webshells,
    web_root='/var/www/html',
    scan_for_additional=True,
    patch_upload_vulnerability=True,
    restore_from_clean=True
)

print(f"Files removed: {action.metadata['files_removed']}")
print(f"Integrity check: {action.verification_steps}")
```
### Access Remediation: Full Credential Reset

Perform a comprehensive credential reset after a breach.

Example:

```python
from remediation_utils import AccessRemediation

access = AccessRemediation()
action = access.full_credential_reset(
    scope='domain',  # domain, local, cloud, all
    users=['jdoe', 'admin', 'svc_backup'],
    reset_types=['password', 'kerberos', 'certificates'],
    force_mfa_reenroll=True,
    expire_all_sessions=True,
    notify_users=True
)

print(f"Reset commands: {action.commands}")
print(f"Users affected: {len(action.metadata['users'])}")
```
### Access Remediation: Backdoor Removal

Remove attacker persistence and backdoors.

Example:

```python
from remediation_utils import AccessRemediation

access = AccessRemediation()
backdoors = {
    'accounts': ['backdoor_admin', 'support_temp'],
    'ssh_keys': ['/root/.ssh/authorized_keys'],
    'scheduled_tasks': ['WindowsUpdate2', 'SystemMaintenance'],
    'services': ['RemoteSupport', 'WindowsDefenderUpdate'],
    'registry': ['HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Update'],
    'web_shells': ['/var/www/html/admin.php'],
    'cron_jobs': ['/etc/cron.d/update']
}

action = access.backdoor_removal(
    hostname='SERVER-01',
    backdoors=backdoors,
    audit_all_persistence=True,
    compare_to_baseline=True
)

print(f"Backdoors removed: {action.metadata['removed_count']}")
print(f"Audit results: {action.audit_results}")
```
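The `compare_to_baseline=True` option above hides the part that actually decides what gets removed: a diff between the host's current persistence inventory and a known-good baseline. The following is an added example of that diff, not code from the remediation skill or its `remediation_utils` library; the two inventories are constructed sample data standing in for host collection output (autoruns, service and task listings, crontab, `authorized_keys`) and a clean-build baseline. Entries present on the host but not in the baseline are removal candidates; baseline entries that have disappeared (here an EDR sensor service) are flagged separately, because attackers disable defenses as often as they add persistence.

```python
"""Persistence inventory diff: flag entries present on a host but absent from
its known-good baseline (removal candidates) and baseline entries that have
disappeared (possible defensive tampering).

Added example; not part of the remediation skill or its remediation_utils
library. BASELINE and CURRENT are constructed sample inventories.
"""
from dataclasses import dataclass, field

PERSISTENCE_CATEGORIES = ("accounts", "ssh_keys", "scheduled_tasks",
                          "services", "registry", "cron_jobs")
# Windows task, service and registry names are case-insensitive, so they are
# compared casefolded; account names, SSH keys and cron paths are compared as-is.
CASE_INSENSITIVE = {"scheduled_tasks", "services", "registry"}


def _key(category, entry):
    entry = entry.strip()
    return entry.casefold() if category in CASE_INSENSITIVE else entry


@dataclass
class PersistenceDiff:
    unauthorized: dict = field(default_factory=dict)  # on host, not in baseline
    missing: dict = field(default_factory=dict)       # in baseline, not on host

    def removal_candidates(self):
        """Flatten unauthorized entries into (category, entry) pairs."""
        return [(cat, e) for cat, entries in self.unauthorized.items() for e in entries]


def diff_persistence(current, baseline, categories=PERSISTENCE_CATEGORIES):
    """Compare per-category entry lists and return a PersistenceDiff."""
    diff = PersistenceDiff()
    for cat in categories:
        cur = {_key(cat, e): e.strip() for e in current.get(cat, [])}
        base = {_key(cat, e): e.strip() for e in baseline.get(cat, [])}
        extra = sorted(cur[k] for k in cur.keys() - base.keys())
        gone = sorted(base[k] for k in base.keys() - cur.keys())
        if extra:
            diff.unauthorized[cat] = extra
        if gone:
            diff.missing[cat] = gone
    return diff


# Constructed baseline captured from a clean build of the same host role.
BASELINE = {
    "accounts": ["root", "deploy", "svc_backup"],
    "ssh_keys": ["ssh-ed25519 AAAAC3...deploy deploy@build-host"],
    "scheduled_tasks": ["\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"],
    "services": ["Dnscache", "Sense", "Spooler"],
    "registry": ["HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth"],
    "cron_jobs": ["/etc/cron.d/logrotate"],
}

# Constructed inventory collected from the host after the incident.
CURRENT = {
    "accounts": ["root", "deploy", "svc_backup", "backdoor_admin", "support_temp"],
    "ssh_keys": ["ssh-ed25519 AAAAC3...deploy deploy@build-host",
                 "ssh-rsa AAAAB3...unknown"],
    "scheduled_tasks": ["\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
                        "WindowsUpdate2", "SystemMaintenance"],
    # "dnscache" differs only by case (not a finding); the EDR sensor service
    # "Sense" is gone; two unknown services were added.
    "services": ["dnscache", "Spooler", "RemoteSupport", "WindowsDefenderUpdate"],
    "registry": ["HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth",
                 "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Update"],
    "cron_jobs": ["/etc/cron.d/logrotate", "/etc/cron.d/update"],
}


def audit_sample_host():
    """Run the diff over the constructed inventories."""
    return diff_persistence(CURRENT, BASELINE)


if __name__ == "__main__":
    result = audit_sample_host()
    for cat, entry in result.removal_candidates():
        print(f"remove  [{cat}] {entry}")
    for cat, entries in result.missing.items():
        print(f"missing [{cat}] {entries}  (restore or investigate)")
```

The `missing` side is deliberately kept apart from removal candidates: a baseline service that is absent needs to be restored and its disappearance investigated, not added to the delete list.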
### Access Remediation: Privilege Escalation Cleanup

Clean up after a privilege escalation attack.

Example:

```python
from remediation_utils import AccessRemediation

access = AccessRemediation()
action = access.privilege_cleanup(
    affected_accounts=['compromised_user'],
    unauthorized_groups=['Domain Admins', 'Enterprise Admins'],
    unauthorized_permissions=['SeDebugPrivilege', 'SeTcbPrivilege'],
    reset_to_baseline=True,
    audit_privileged_groups=True
)

print(f"Groups cleaned: {action.metadata['groups_cleaned']}")
print(f"Permissions revoked: {action.metadata['permissions_revoked']}")
```
### Access Remediation: Golden Ticket Remediation

Remediate a Kerberos golden ticket attack.

Example:

```python
from remediation_utils import AccessRemediation

access = AccessRemediation()
action = access.golden_ticket_remediation(
    domain='corp.example.com',
    reset_krbtgt=True,  # Critical: reset twice, with a wait between the resets
    reset_interval_hours=10,
    force_all_ticket_renewal=True,
    audit_service_accounts=True
)

print(f"KRBTGT reset status: {action.metadata['krbtgt_reset']}")
print(f"Wait time before second reset: {action.metadata['wait_hours']} hours")
```
### System Remediation: System Rebuild

Rebuild a compromised system from scratch.

Example:

```python
from remediation_utils import SystemRemediation

system = SystemRemediation()
action = system.rebuild_system(
    hostname='WORKSTATION-15',
    os_version='windows_11_enterprise',
    image_source='gold_image',
    preserve_data=False,  # Data already backed up
    join_domain=True,
    apply_security_baseline=True,
    install_edr=True
)

print(f"Rebuild steps: {action.commands}")
print(f"Post-rebuild checklist: {action.verification_steps}")
```
### System Remediation: Emergency Patching

Deploy emergency security patches.

Example:

```python
from remediation_utils import SystemRemediation

system = SystemRemediation()
action = system.emergency_patching(
    targets=['WEBSERVER-01', 'WEBSERVER-02', 'APPSERVER-01'],
    patches=['KB5012345', 'CVE-2024-1234'],
    patch_source='wsus',  # wsus, sccm, manual
    reboot_allowed=True,
    verify_after_patch=True,
    rollback_on_failure=True
)

print(f"Patching plan: {action.commands}")
print(f"Verification: {action.verification_steps}")
```
### System Remediation: Configuration Hardening

Apply security hardening after an incident.

Example:

```python
from remediation_utils import SystemRemediation

system = SystemRemediation()
action = system.configuration_hardening(
    hostname='SERVER-01',
    baseline='cis_level_1',  # cis_level_1, cis_level_2, disa_stig, custom
    focus_areas=['authentication', 'network', 'logging', 'services'],
    disable_legacy_protocols=True,
    enable_advanced_audit=True
)

print(f"Hardening steps: {action.commands}")
print(f"Compliance score: {action.metadata['compliance_score']}")
```
### System Remediation: Log Recovery

Recover and restore audit logs.

Example:

```python
from remediation_utils import SystemRemediation

system = SystemRemediation()
action = system.log_recovery(
    hostname='SERVER-01',
    log_types=['security', 'system', 'application', 'powershell'],
    recovery_sources=['backup', 'siem', 'shadow_copy'],
    time_range=('2024-01-10', '2024-01-15'),
    verify_integrity=True
)

print(f"Logs recovered: {action.metadata['logs_recovered']}")
print(f"Integrity status: {action.metadata['integrity_verified']}")
```
### Data Remediation: Data Breach Response

Execute data breach response procedures.

Example:

```python
from remediation_utils import DataRemediation

data = DataRemediation()
action = data.breach_response(
    breach_type='pii_exposure',
    affected_data_types=['ssn', 'credit_card', 'medical_records'],
    affected_record_count=50000,
    notification_required=True,
    regulatory_requirements=['gdpr', 'hipaa', 'ccpa'],
    legal_hold=True
)

print(f"Response steps: {action.commands}")
print(f"Notification timeline: {action.metadata['notification_timeline']}")
print(f"Regulatory requirements: {action.metadata['regulatory_actions']}")
```
### Data Remediation: Backup Restoration

Restore data from backups.

Example:

```python
from remediation_utils import DataRemediation

data = DataRemediation()
action = data.backup_restoration(
    target_system='FILESERVER-01',
    backup_source='\\\\backup\\fileserver-01\\2024-01-14',
    restore_type='full',  # full, incremental, selective
    restore_paths=['/data/finance', '/data/hr'],
    verify_after_restore=True,
    scan_before_restore=True  # Scan backup for malware
)

print(f"Restoration steps: {action.commands}")
print(f"Verification: {action.verification_steps}")
```
### Data Remediation: Integrity Verification

Verify data integrity after an incident.

Example:

```python
from remediation_utils import DataRemediation

data = DataRemediation()
action = data.integrity_verification(
    target_paths=['/data/critical', '/app/config'],
    baseline_hashes='/security/baselines/file_hashes.json',
    verification_method='sha256',
    report_modifications=True,
    quarantine_suspicious=True
)

print(f"Files verified: {action.metadata['files_checked']}")
print(f"Modifications found: {action.metadata['modifications']}")
```
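What `integrity_verification` has to do underneath is straightforward but worth seeing end to end: hash every file under the target paths, compare against a stored baseline, and classify each path as modified, missing or added. The block below is an added example of that procedure, not code from the remediation skill or `remediation_utils`; it builds a small tree in a temporary directory, baselines it, applies constructed post-incident changes, verifies, and then quarantines the modified and added files the way `quarantine_suspicious=True` implies. The baseline file is deliberately written outside the tree it describes, since a baseline stored alongside the data it protects can be altered together with that data.

```python
"""File integrity verification against a stored SHA-256 baseline, with
quarantine of files that were modified or added since the baseline.

Added example; not part of the remediation skill or its remediation_utils
library. The directory tree it checks is constructed in a temporary directory
so the block runs stand-alone.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def hash_file(path, algo="sha256", chunk_size=1 << 16):
    """Stream the file through the hash so large files never load into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root, algo="sha256"):
    """Map each file's path relative to root (POSIX form) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p, algo)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_against_baseline(root, baseline, algo="sha256"):
    """Classify every path as modified, missing or added relative to the baseline."""
    current = build_baseline(root, algo)
    return {
        "files_checked": len(current),
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def quarantine(root, report, quarantine_dir):
    """Move modified and added files out of the tree, keeping their relative paths."""
    moved = []
    for rel in report["modified"] + report["added"]:
        dst = Path(quarantine_dir) / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(Path(root) / rel), str(dst))
        moved.append(rel)
    return moved


def demo():
    """Baseline a constructed tree, tamper with it, verify, then quarantine."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "data"
        (root / "config").mkdir(parents=True)
        (root / "config" / "app.conf").write_text("debug=false\n")
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")

        # The baseline lives outside the tree it describes (cf. BASELINE_PATH).
        baseline_file = Path(tmp) / "file_hashes.json"
        baseline_file.write_text(json.dumps(build_baseline(root), indent=2))

        # Constructed post-incident changes: one edit, one deletion, one new file.
        (root / "config" / "app.conf").write_text("debug=true\n")
        (root / "index.php").unlink()
        (root / "uploads").mkdir()
        (root / "uploads" / "new.txt").write_text("unexpected\n")

        report = verify_against_baseline(root, json.loads(baseline_file.read_text()))
        report["quarantined"] = quarantine(root, report, Path(tmp) / "quarantine")
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Missing files are reported but never "quarantined", since there is nothing to move; they are the cue to restore from backup and to check whether the deletion was part of the attack.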
### Cloud Remediation: Cloud Account Recovery

Recover a compromised cloud account.

Example:

```python
from remediation_utils import CloudRemediation

cloud = CloudRemediation()
action = cloud.account_recovery(
    cloud_provider='aws',
    account_id='123456789012',
    compromised_resources=['iam_users', 'access_keys', 'roles'],
    reset_all_credentials=True,
    audit_cloudtrail=True,
    enable_guardduty=True
)

print(f"Recovery steps: {action.commands}")
print(f"Resources remediated: {action.metadata['resources_remediated']}")
```
### Cloud Remediation: IAM Policy Remediation

Fix IAM policy misconfigurations.

Example:

```python
from remediation_utils import CloudRemediation

cloud = CloudRemediation()
action = cloud.iam_remediation(
    cloud_provider='aws',
    issues=[
        {'type': 'overly_permissive', 'resource': 'arn:aws:iam::*:user/admin'},
        {'type': 'public_access', 'resource': 'arn:aws:s3:::public-bucket'},
        {'type': 'unused_credentials', 'resource': 'AKIA...'}
    ],
    apply_least_privilege=True,
    remove_unused_permissions=True
)

print(f"Policies fixed: {action.metadata['policies_fixed']}")
```
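The `overly_permissive` issue type and `apply_least_privilege=True` stand for two concrete steps: find Allow statements that pair wildcard actions with wildcard resources, and rewrite them down to the actions the principal has actually been seen using. The following added example shows both as pure policy-document processing; it is not code from the remediation skill or `remediation_utils` and makes no AWS calls. The policy and the observed-action set are constructed; in practice the observed set would come from CloudTrail for a window known to predate the compromise, otherwise the attacker's own API calls would be baked into the "least privilege" result.

```python
"""Static review of an IAM policy document for overly permissive Allow
statements, plus a scope-down pass that narrows wildcard actions to the set of
actions actually observed in use.

Added example; not part of the remediation skill or its remediation_utils
library. SAMPLE_POLICY and OBSERVED_ACTIONS are constructed.
"""
import fnmatch
import json


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_broad_action(action):
    return action == "*" or action.endswith(":*")


def find_overly_permissive(policy):
    """Return one finding per Allow statement that uses wildcard actions or resources."""
    findings = []
    for idx, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue  # Deny statements with wildcards restrict, not grant
        sid = st.get("Sid", f"statement-{idx}")
        if "NotAction" in st:
            # Allow + NotAction grants every action except the listed ones.
            findings.append({"sid": sid, "severity": "high", "reason": "Allow with NotAction",
                             "conditioned": "Condition" in st})
            continue
        broad_actions = [a for a in _as_list(st.get("Action")) if _is_broad_action(a)]
        broad_resources = [r for r in _as_list(st.get("Resource")) if r == "*"]
        if broad_actions and broad_resources:
            severity = "high"
        elif broad_actions or broad_resources:
            severity = "medium"
        else:
            continue
        findings.append({"sid": sid, "severity": severity,
                         "broad_actions": broad_actions, "broad_resources": broad_resources,
                         "conditioned": "Condition" in st})
    return findings


def scope_down(policy, observed_actions):
    """Replace wildcard actions in Allow statements with the observed actions they cover.

    A broad statement that covers no observed action is dropped entirely: an
    empty Action list is not a valid statement, and the grant was never used.
    """
    statements = []
    for st in _as_list(policy.get("Statement")):
        actions = _as_list(st.get("Action"))
        if st.get("Effect") == "Allow" and any(_is_broad_action(a) for a in actions):
            kept = sorted(a for a in observed_actions
                          if any(fnmatch.fnmatchcase(a, pat) for pat in actions))
            if kept:
                statements.append({**st, "Action": kept})
        else:
            statements.append(st)
    return {**policy, "Statement": statements}


# Constructed policy mixing broad and narrow statements.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "S3Broad", "Effect": "Allow", "Action": ["s3:*"],
         "Resource": "arn:aws:s3:::app-bucket/*"},
        {"Sid": "ReadLogs", "Effect": "Allow", "Action": ["logs:GetLogEvents"], "Resource": "*"},
        {"Sid": "DenyDelete", "Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}

# Constructed set of actions seen for this principal before the incident.
OBSERVED_ACTIONS = {"s3:GetObject", "s3:PutObject", "ec2:DescribeInstances", "logs:GetLogEvents"}


def analyze_sample():
    """Findings for the constructed policy and its scoped-down rewrite."""
    return find_overly_permissive(SAMPLE_POLICY), scope_down(SAMPLE_POLICY, OBSERVED_ACTIONS)


if __name__ == "__main__":
    findings, scoped = analyze_sample()
    print(json.dumps(findings, indent=2))
    print(json.dumps(scoped, indent=2))
```

The scoped policy is a starting point for review, not a drop-in replacement: IAM evaluates action patterns case-insensitively and some actions only work with `Resource: "*"`, so the rewritten document should be tested against the workload before the broad version is detached.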
### Cloud Remediation: S3 Bucket Remediation

Fix S3 bucket security issues.

Example:

```python
from remediation_utils import CloudRemediation

cloud = CloudRemediation()
action = cloud.s3_remediation(
    bucket_name='sensitive-data-bucket',
    issues=['public_access', 'no_encryption', 'no_versioning', 'no_logging'],
    block_public_access=True,
    enable_encryption='aws:kms',
    enable_versioning=True,
    enable_access_logging=True
)

print(f"Remediation applied: {action.metadata['fixes_applied']}")
```
### Cloud Remediation: Container Image Remediation

Remediate compromised container images.

Example:

```python
from remediation_utils import CloudRemediation

cloud = CloudRemediation()
action = cloud.container_remediation(
    registry='ecr',
    images=['app-api:latest', 'app-web:latest'],
    issues=['vulnerability', 'malware', 'misconfig'],
    rebuild_from_source=True,
    scan_before_deploy=True,
    update_base_images=True
)

print(f"Images remediated: {action.metadata['images_fixed']}")
```
### Business Remediation: BEC Recovery

Recover from Business Email Compromise.

Example:

```python
from remediation_utils import BusinessRemediation

business = BusinessRemediation()
action = business.bec_recovery(
    incident_type='invoice_fraud',
    financial_impact=150000,
    compromised_accounts=['cfo@company.com', 'ap@company.com'],
    fraudulent_transactions=['TXN-12345', 'TXN-12346'],
    bank_notification=True,
    law_enforcement=True
)

print(f"Recovery steps: {action.commands}")
print(f"Financial recovery: {action.metadata['recovery_actions']}")
```
### Business Remediation: Vendor Compromise Response

Respond to a compromised vendor or third party.

Example:

```python
from remediation_utils import BusinessRemediation

business = BusinessRemediation()
action = business.vendor_compromise_response(
    vendor_name='Software Vendor Inc',
    compromise_type='supply_chain',
    affected_products=['vendor-sdk-1.2.3'],
    exposure_assessment=True,
    revoke_access=True,
    communication_plan=True
)

print(f"Response plan: {action.commands}")
print(f"Communication timeline: {action.metadata['communications']}")
```
### Playbook Management

Track and document remediation progress.

Example:

```python
from remediation_utils import RemediationPlaybook

# Create playbook
playbook = RemediationPlaybook(
    incident_id='INC-2024-001',
    name='Full System Recovery',
    analyst='senior_analyst'
)

# Add remediation actions
# ... (use remediation utilities as shown above)

# Track progress
playbook.complete_action(action.id, 'Successfully removed malware')
playbook.verify_action(action.id, 'Verified clean via EDR scan')

# Generate reports
print(playbook.generate_report())
print(playbook.generate_recovery_certification())

# Export for documentation
print(playbook.to_json())
```
## Configuration

### Environment Variables

| Variable | Description | Required | Default |
|---|---|---|---|
| REMEDIATION_LOG_PATH | Log file path | No | ./remediation.log |
| BACKUP_PATH | Default backup location | No | ./backups |
| BASELINE_PATH | Security baseline location | No | ./baselines |
### Verification Settings

All remediation actions include verification steps:

```python
# Get verification status
if action.verification_required:
    print(action.verification_steps)

# Mark verification complete
playbook.verify_action(action.id, 'Verified by EDR scan')
```
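The Playbook Management and Verification Settings sections above describe a state machine rather than spell it out: an action is completed, then verified, and a recovery certification should only be possible when every action has been verified, with a failed verification leaving a record of what remains so a follow-up action can be scoped. The following is an added, self-contained example of that tracker; it is a stand-in and not the `RemediationPlaybook` class from `remediation_utils`, so its `SimplePlaybook` and `Action` names and the `fail_verification` / `is_certifiable` methods are assumptions. The incident data in `demo()` is constructed.

```python
"""A minimal playbook tracker: actions move from pending to completed to
verified, a failed verification records what remains so a follow-up action can
be scoped, and certification is only possible once every action is verified.

Added example; a stand-alone stand-in, not the RemediationPlaybook class from
remediation_utils. Class and method names are assumptions; demo() data is
constructed.
"""
import json
import uuid
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone


def _now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


@dataclass
class Action:
    description: str
    commands: list
    verification_steps: list
    id: str = field(default_factory=lambda: uuid.uuid4().hex[:8])
    status: str = "pending"  # pending -> completed -> verified, or completed -> failed
    verification_failures: list = field(default_factory=list)
    history: list = field(default_factory=list)  # append-only audit trail

    @property
    def verification_required(self):
        return bool(self.verification_steps)

    def log(self, event, note):
        self.history.append({"time": _now(), "event": event, "note": note})


class SimplePlaybook:
    def __init__(self, incident_id, name, analyst):
        self.incident_id, self.name, self.analyst = incident_id, name, analyst
        self.created = _now()
        self.actions = {}

    def add_action(self, action):
        self.actions[action.id] = action
        return action.id

    def _transition(self, action_id, allowed_from, new_status, event, note):
        """Enforce the state machine; illegal transitions raise instead of silently passing."""
        action = self.actions[action_id]
        if action.status not in allowed_from:
            raise ValueError(f"{action_id}: cannot {event} from status {action.status!r}")
        action.status = new_status
        action.log(event, note)
        return action

    def complete_action(self, action_id, note):
        action = self._transition(action_id, ("pending", "failed"), "completed", "completed", note)
        action.verification_failures = []

    def verify_action(self, action_id, note):
        self._transition(action_id, ("completed",), "verified", "verified", note)

    def fail_verification(self, action_id, remaining):
        action = self._transition(action_id, ("completed",), "failed",
                                  "verification_failed", "; ".join(remaining))
        action.verification_failures = list(remaining)

    def get_verification_failures(self):
        return {aid: a.verification_failures for aid, a in self.actions.items()
                if a.status == "failed"}

    def is_certifiable(self):
        return bool(self.actions) and all(a.status == "verified" for a in self.actions.values())

    def generate_report(self):
        lines = [f"Playbook {self.incident_id}: {self.name} (analyst: {self.analyst})"]
        for a in self.actions.values():
            lines.append(f"  [{a.status:>9}] {a.id} {a.description}")
            for h in a.history:
                lines.append(f"             {h['time']} {h['event']}: {h['note']}")
        lines.append("Recovery certifiable: " + ("yes" if self.is_certifiable() else "no"))
        return "\n".join(lines)

    def to_json(self):
        return json.dumps({"incident_id": self.incident_id, "name": self.name,
                           "analyst": self.analyst, "created": self.created,
                           "actions": [asdict(a) for a in self.actions.values()]}, indent=2)


def demo():
    """Walk two constructed actions through completion, a failed verification and re-verification."""
    pb = SimplePlaybook("INC-2024-001", "Full System Recovery", "senior_analyst")
    a1 = pb.add_action(Action("Remove trojan from WORKSTATION-15",
                              ["quarantine C:\\Users\\Public\\payload.exe"],
                              ["EDR full scan reports clean"]))
    a2 = pb.add_action(Action("Rebuild WORKSTATION-15 from gold image",
                              ["reimage", "join domain", "apply baseline"],
                              ["baseline compliance check passes"]))
    pb.complete_action(a1, "payload.exe quarantined")
    pb.fail_verification(a1, ["C:\\Windows\\Temp\\dropper.dll still present"])
    # A follow-up action would be scoped from pb.get_verification_failures().
    pb.complete_action(a1, "dropper.dll removed in follow-up")
    pb.verify_action(a1, "Verified clean via EDR scan")
    pb.complete_action(a2, "Rebuilt and joined to domain")
    pb.verify_action(a2, "Baseline check passed")
    return pb


if __name__ == "__main__":
    print(demo().generate_report())
```

Keeping `history` append-only matters more than it looks: the exported JSON is the evidence that each step was done, by whom and when, and a tracker that lets a verified action be silently re-opened or a failed verification be overwritten loses exactly the record an after-action review needs.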
## Limitations

- No Direct Execution: Generates commands/procedures, does not execute directly
- Requires Clean Media: System rebuilds require verified clean installation media
- Backup Dependencies: Data restoration requires valid, clean backups
- Time Requirements: Full remediation may take hours to days
## Troubleshooting

### Remediation Verification Failed

Problem: Post-remediation verification shows issues

Solution: Re-run targeted remediation:

```python
# Identify remaining issues
remaining = action.get_verification_failures()
print(f"Remaining issues: {remaining}")

# Create a follow-up action scoped to the remaining artifacts
follow_up = malware.remove_malware(
    hostname=hostname,  # same host as the original action
    malware_artifacts=remaining
)
```
### Backup Restoration Failed

Problem: Backup restoration incomplete or corrupt

Solution: Try alternative recovery sources:

```python
action = data.backup_restoration(
    target_system='SERVER-01',
    backup_source='alternative_backup',
    restore_type='incremental',
    verify_backup_integrity=True
)
```
## Related Skills

- containment: Contain threats before remediation
- incident-response: Full IR workflow
- detection: Detect remaining threats
- grc: Compliance documentation