Performs cloud-native incident containment in AWS, Azure, and GCP: isolates compromised resources, revokes credentials, preserves forensic evidence, applies security groups to prevent lateral movement.
npx claudepluginhub killvxk/cybersecurity-skills-zh
Cloud incident containment requires a cloud-native approach that differs fundamentally from traditional on-premises response. Containment procedures must use platform-specific controls, including security groups, IAM policies, network ACLs and service-level isolation, to restrict compromised resources while preserving forensic evidence. The 2025 Unit 42 Global Incident Response Report notes that responding to cloud incidents requires an understanding of the shared responsibility model, ephemeral infrastructure and API-driven operations. Effective containment covers credential revocation, resource isolation, evidence snapshot creation and automated response playbook execution.
Executes cloud incident containment across AWS, Azure, GCP: isolates compromised resources, revokes credentials, preserves forensic evidence, applies security group restrictions.
Executes cloud incident containment on AWS, Azure, GCP: isolates resources, revokes credentials, preserves evidence, applies security restrictions. For cloud security incidents and response testing.
Responds to security incidents in AWS, Azure, GCP clouds via identity-based containment, native log analysis, resource isolation, and forensic evidence collection for ephemeral infrastructure. Useful for cloud IR scenarios.
```bash
# --- AWS IAM: revoke compromised credentials ---
# Disable the compromised IAM user's access key (replace AKIA... with the real key id)
aws iam update-access-key --user-name compromised-user \
    --access-key-id AKIA... --status Inactive

# List and delete all of the user's access keys
aws iam list-access-keys --user-name compromised-user
aws iam delete-access-key --user-name compromised-user --access-key-id AKIA...

# Attach an explicit deny-all inline policy to the compromised user
aws iam put-user-policy --user-name compromised-user \
    --policy-name DenyAll \
    --policy-document '{
      "Version": "2012-10-17",
      "Statement": [{
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*"
      }]
    }'

# Revoke every active session of an IAM role: deny all actions to sessions whose token
# was issued before now. The single quotes close and reopen around $(date ...) so the
# current UTC timestamp is substituted into the JSON; the condition only matches
# temporary (STS) credentials, which is exactly what role sessions use
aws iam put-role-policy --role-name compromised-role \
    --policy-name RevokeOldSessions \
    --policy-document '{
      "Version": "2012-10-17",
      "Statement": [{
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {
          "DateLessThan": {"aws:TokenIssueTime": "'$(date -u +%Y-%m-%dT%H:%M:%SZ)'"}
        }
      }]
    }'

# Stop new temporary credentials from being issued by replacing the role's trust policy
# with one that grants nobody sts:AssumeRole
aws iam update-assume-role-policy --role-name compromised-role \
    --policy-document '{"Version":"2012-10-17","Statement":[]}'
```
```bash
# --- AWS EC2: isolate a compromised instance ---
# Create a quarantine security group (no inbound, no outbound). Security groups are
# VPC-scoped, so it must be created in the instance's VPC; capture the real group id
# from the output, since "sg-quarantine" is a placeholder and not a valid id
QSG=$(aws ec2 create-security-group --group-name quarantine-sg \
    --description "Quarantine - No traffic allowed" --vpc-id vpc-xxxxx \
    --query GroupId --output text)

# Remove all rules from the quarantine SG (a new group has no inbound rules but does
# carry a default allow-all outbound rule)
aws ec2 revoke-security-group-egress --group-id "$QSG" \
    --ip-permissions '[{"IpProtocol":"-1","IpRanges":[{"CidrIp":"0.0.0.0/0"}]}]'

# Create a forensic snapshot BEFORE containment
aws ec2 create-snapshot --volume-id vol-xxxxx \
    --description "Forensic snapshot - IR Case 2025-001" \
    --tag-specifications 'ResourceType=snapshot,Tags=[{Key=IR-Case,Value=2025-001}]'

# Apply the quarantine security group to the compromised instance
# (--groups replaces the instance's entire group list, so note the current groups first)
aws ec2 modify-instance-attribute --instance-id i-xxxxx \
    --groups "$QSG"

# Tag the instance as compromised
aws ec2 create-tags --resources i-xxxxx \
    --tags Key=IR-Status,Value=Contained Key=IR-Case,Value=2025-001

# Acquire memory if the SSM Agent is available. Caveats: the agent needs outbound
# access to the SSM endpoints, so run this before the quarantine group takes effect
# (or allow egress to an SSM VPC endpoint); on modern kernels /dev/mem is restricted
# (CONFIG_STRICT_DEVMEM), so a kernel-module or hypervisor-level acquirer such as
# LiME or AVML is the usual choice; and the image should be written to external
# storage rather than to /tmp on the suspect disk
aws ssm send-command --instance-ids i-xxxxx \
    --document-name "AWS-RunShellScript" \
    --parameters 'commands=["dd if=/dev/mem of=/tmp/memory.dump bs=1M"]'
```
```bash
# --- AWS S3: lock down a compromised bucket and preserve evidence ---
# Block all public access
aws s3api put-public-access-block --bucket compromised-bucket \
    --public-access-block-configuration \
    BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true

# Apply a deny policy to the bucket: every principal except the IR forensics role is
# denied (replace ACCOUNT with the account id). Check AWS's guidance on Deny with
# NotPrincipal: the account root, and for a role its assumed-role session principal,
# are normally listed too so that responders cannot lock themselves out
aws s3api put-bucket-policy --bucket compromised-bucket \
    --policy '{
      "Version": "2012-10-17",
      "Statement": [{
        "Sid": "DenyAllExceptForensics",
        "Effect": "Deny",
        "NotPrincipal": {"AWS": "arn:aws:iam::ACCOUNT:role/IR-Forensics"},
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::compromised-bucket","arn:aws:s3:::compromised-bucket/*"]
      }]
    }'

# Enable versioning so that overwrites and deletes keep the prior object versions
aws s3api put-bucket-versioning --bucket compromised-bucket \
    --versioning-configuration Status=Enabled

# Enable Object Lock on the evidence bucket (the bucket must have versioning enabled).
# COMPLIANCE mode retention cannot be shortened or removed by any user, including the
# account root, until the period expires
aws s3api put-object-lock-configuration --bucket evidence-bucket \
    --object-lock-configuration '{
      "ObjectLockEnabled": "Enabled",
      "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 365}}
    }'
```
```bash
# --- AWS Lambda: stop a compromised function ---
# Set reserved concurrency to 0 (every invocation is throttled)
aws lambda put-function-concurrency --function-name compromised-function \
    --reserved-concurrent-executions 0

# Delete all event source mappings, iterating over the real UUIDs instead of a placeholder
for uuid in $(aws lambda list-event-source-mappings --function-name compromised-function \
    --query 'EventSourceMappings[].UUID' --output text); do
  aws lambda delete-event-source-mapping --uuid "$uuid"
done
```
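The EC2 isolation steps above as one routine, as an added example that is not code from the original page or the skill repository. It assumes boto3 and takes the EC2 client as an argument, so the same function runs against a real account or a fake client for a dry run; the case id, tag keys and group naming follow the page's conventions.

```python
"""Added example: the page's EC2 containment steps as one boto3 routine.
Assumes boto3; `ec2` is any object exposing the boto3 EC2 client method names."""


def contain_instance(ec2, instance_id, case_id):
    """Snapshot every attached EBS volume, then cut the instance off behind a fresh
    quarantine security group in its own VPC, then tag it. Returns a summary dict."""
    case_tag = {"Key": "IR-Case", "Value": case_id}
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]

    # 1. Evidence before containment: a network change can trigger cleanup logic on the
    #    host, so freeze the disks first. One snapshot per attached volume, not only root.
    snapshots = []
    for bdm in inst.get("BlockDeviceMappings", []):
        vol = bdm.get("Ebs", {}).get("VolumeId")  # instance-store devices have no Ebs key
        if vol:
            snap = ec2.create_snapshot(
                VolumeId=vol,
                Description=f"Forensic snapshot - IR Case {case_id}",
                TagSpecifications=[{"ResourceType": "snapshot", "Tags": [case_tag]}])
            snapshots.append(snap["SnapshotId"])

    # 2. Security groups are VPC-scoped, so create the quarantine group in the instance's VPC.
    sg_id = ec2.create_security_group(
        GroupName=f"quarantine-{case_id}-{instance_id}",
        Description="Quarantine - No traffic allowed", VpcId=inst["VpcId"])["GroupId"]
    # A new group has no inbound rules but does get default egress rules (IPv4 and, in an
    # IPv6-enabled VPC, IPv6); read back whatever exists and revoke all of it.
    egress = ec2.describe_security_groups(GroupIds=[sg_id])["SecurityGroups"][0]["IpPermissionsEgress"]
    if egress:
        ec2.revoke_security_group_egress(GroupId=sg_id, IpPermissions=egress)

    # 3. Groups= replaces the instance's whole group list, so only the quarantine group
    #    remains; record the previous groups so they can be restored after analysis.
    previous = [g["GroupId"] for g in inst.get("SecurityGroups", [])]
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[sg_id])
    ec2.create_tags(Resources=[instance_id],
                    Tags=[case_tag, {"Key": "IR-Status", "Value": "Contained"}])
    return {"instance": instance_id, "snapshots": snapshots,
            "quarantine_sg": sg_id, "previous_groups": previous}


if __name__ == "__main__":
    import boto3  # real run against the account the AWS CLI/SDK is configured for

    print(contain_instance(boto3.client("ec2"), "i-xxxxx", "2025-001"))
```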
```powershell
# --- Azure AD / Entra ID: contain a compromised user (AzureAD module; the module is
# deprecated in favour of Microsoft Graph PowerShell, e.g. Revoke-MgUserSignInSession) ---
# Revoke all of the user's refresh tokens (forces re-authentication everywhere)
Revoke-AzureADUserAllRefreshToken -ObjectId "user-object-id"

# Disable the user account
Set-AzureADUser -ObjectId "user-object-id" -AccountEnabled $false

# Reset the user's password (use a generated, unique value rather than a fixed string)
Set-AzureADUserPassword -ObjectId "user-object-id" -Password (
    ConvertTo-SecureString "TempP@ss!" -AsPlainText -Force
) -ForceChangePasswordNextLogin $true

# Block sign-in with an emergency Conditional Access policy:
# create a policy that blocks the user from all cloud apps

# Revoke an Azure AD application role assignment (PowerShell continues lines with a
# backtick, not a backslash)
Remove-AzureADServiceAppRoleAssignment -ObjectId "sp-object-id" `
    -AppRoleAssignmentId "assignment-id"
```
```powershell
# --- Azure VM: isolate a compromised VM ---
# Create a network security group with deny-all rules in both directions
# (priorities are evaluated per direction, so both rules can use 100)
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName "rg" -Location "eastus" `
    -Name "quarantine-nsg" `
    -SecurityRules @(
        New-AzNetworkSecurityRuleConfig -Name "DenyAllInbound" -Protocol * `
            -Direction Inbound -Priority 100 -SourceAddressPrefix * `
            -SourcePortRange * -DestinationAddressPrefix * `
            -DestinationPortRange * -Access Deny,
        New-AzNetworkSecurityRuleConfig -Name "DenyAllOutbound" -Protocol * `
            -Direction Outbound -Priority 100 -SourceAddressPrefix * `
            -SourcePortRange * -DestinationAddressPrefix * `
            -DestinationPortRange * -Access Deny
    )

# Create a forensic snapshot of the OS disk (repeat for each attached data disk)
$vm = Get-AzVM -ResourceGroupName "rg" -Name "compromised-vm"
$snapshotConfig = New-AzSnapshotConfig -SourceUri $vm.StorageProfile.OsDisk.ManagedDisk.Id `
    -Location "eastus" -CreateOption Copy
New-AzSnapshot -ResourceGroupName "rg" -SnapshotName "forensic-snap" -Snapshot $snapshotConfig

# Apply the quarantine NSG to the VM's NIC
$nic = Get-AzNetworkInterface -ResourceGroupName "rg" -Name "compromised-nic"
$nic.NetworkSecurityGroup = $nsg
Set-AzNetworkInterface -NetworkInterface $nic
```
```powershell
# --- Azure Storage: cut off a compromised storage account ---
# Remove network access (deny by default; only explicitly allowed networks remain)
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName "rg" `
    -Name "storageaccount" -DefaultAction Deny

# Regenerate both access keys
New-AzStorageAccountKey -ResourceGroupName "rg" -Name "storageaccount" -KeyName key1
New-AzStorageAccountKey -ResourceGroupName "rg" -Name "storageaccount" -KeyName key2

# Rotating the keys also revokes every SAS token that was signed with them
# Enable immutability (a time-based retention or legal-hold policy) for evidence preservation
```
```bash
# --- GCP IAM: cut off a compromised service account ---
# Remove every IAM binding of the compromised service account
gcloud projects get-iam-policy PROJECT_ID --format=json > policy.json
# Edit policy.json to remove the compromised account's bindings, then push it back
gcloud projects set-iam-policy PROJECT_ID policy.json

# Disable the service account
gcloud iam service-accounts disable SA_EMAIL

# Delete the service account's keys (list first to obtain KEY_ID)
gcloud iam service-accounts keys list --iam-account SA_EMAIL
gcloud iam service-accounts keys delete KEY_ID --iam-account SA_EMAIL
```
```bash
# --- GCP Compute: isolate a compromised instance ---
# Create a forensic snapshot
gcloud compute disks snapshot compromised-disk \
    --snapshot-names forensic-snap-$(date +%Y%m%d) \
    --zone us-central1-a

# Firewall rule denying all traffic to instances tagged "quarantine" (priority 0 is the
# highest). Without --direction this is an INGRESS rule; add a matching EGRESS deny
# rule if outbound traffic must be blocked as well
gcloud compute firewall-rules create quarantine-deny-all \
    --network default --action DENY --rules all \
    --target-tags quarantine --priority 0

# Tag the compromised instance so the rule applies to it
gcloud compute instances add-tags compromised-instance \
    --tags quarantine --zone us-central1-a

# Remove the external IP
gcloud compute instances delete-access-config compromised-instance \
    --access-config-name "External NAT" --zone us-central1-a
```
| Technique | Containment measure |
|---|---|
| T1078 - Valid Accounts | Disable the account, revoke tokens |
| T1530 - Data from Cloud Storage | Lock down the bucket / storage policy |
| T1537 - Transfer Data to Cloud Account | Block cross-account access |
| T1578 - Modify Cloud Compute Infrastructure | Isolate the instance, snapshot its disks |
| T1552 - Unsecured Credentials | Rotate all access keys and secrets |