Skill

containing-active-breach

Executes incident response containment for active breaches: assesses scope, isolates endpoints via EDR, segments networks, revokes credentials to stop lateral movement.

security

npx claudepluginhub mukul975/anthropic-cybersecurity-skills --plugin cybersecurity-skills

Tool Access

This skill uses the workspace's default tool permissions.

Preview

- A confirmed intrusion is in progress with an active adversary on the network

Supporting Assets

LICENSEreferences/api-reference.mdscripts/agent.py

SKILL.md

Similar Skills

applying-brand-guidelines

41.6k

Applies Acme Corporation brand guidelines including colors, fonts, layouts, and messaging to generated PowerPoint, Excel, and PDF documents.

3 files

anthropics-claude-cookbooks

creating-financial-models

41.6k

Builds DCF models with sensitivity analysis, Monte Carlo simulations, and scenario planning for investment valuation and risk assessment.

2 files

anthropics-claude-cookbooks

analyzing-financial-statements

41.6k

Calculates profitability (ROE, margins), liquidity (current ratio), leverage, efficiency, and valuation (P/E, EV/EBITDA) ratios from financial statements in CSV, JSON, text, or Excel for investment analysis.

2 files

anthropics-claude-cookbooks

Stats

Stars5748

Forks783

Last CommitApr 6, 2026

Actions

View Source View Plugin View on GitHub View README

Containing Active Breaches

When to Use

A confirmed intrusion is in progress with an active adversary on the network
Malware is spreading laterally across endpoints or servers
A compromised account is being used for unauthorized access to systems
Ransomware encryption has been detected and is actively propagating
An attacker has established command-and-control communications from internal hosts

Do not use for post-incident cleanup when the adversary is no longer active; use eradication procedures instead.

Prerequisites

Confirmed incident classification with P1 or P2 severity from triage
EDR console access with host isolation capabilities (CrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne)
Network firewall and switch management access for segmentation
Active Directory or identity provider administrative access for credential actions
Pre-approved containment authority documented in the incident response plan
Evidence preservation plan to avoid destroying forensic artifacts during containment

Workflow

Step 1: Assess Containment Scope

Before taking containment actions, map the full scope of compromise to avoid partial containment that alerts the adversary:

Identify all confirmed compromised hosts via EDR telemetry and SIEM correlation
Map lateral movement paths using authentication logs (Windows Event ID 4624 Type 3 and Type 10)
Identify all compromised credentials (check for pass-the-hash, Kerberoasting, DCSync activity)
Determine C2 channels (beacon intervals, domains, IPs, protocols)
Assess whether the adversary has domain admin or equivalent privileges

Containment Scope Assessment:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Compromised Hosts:     5 (WKSTN-042, WKSTN-087, SRV-FILE01, SRV-DC02, WKSTN-103)
Compromised Accounts:  3 (jsmith, svc-backup, admin-tier0)
C2 Channels:           HTTPS beacon to 185.220.x.x every 60s ± 15% jitter
Lateral Movement:      PsExec via svc-backup, RDP via admin-tier0
Adversary Privilege:   Domain Admin (admin-tier0 compromised)
Data at Risk:          Finance share (\\SRV-FILE01\finance$) accessed

Step 2: Execute Short-Term Containment

Implement immediate actions to stop adversary operations without destroying evidence:

Network Containment:

Isolate confirmed compromised endpoints via EDR network containment (maintains agent communication)
Block C2 IP addresses and domains at perimeter firewall and internal DNS
Implement microsegmentation rules to prevent communication between compromised hosts
Sinkhole C2 domains at internal DNS to capture connection attempts from undiscovered implants

Identity Containment:

Disable compromised user accounts in Active Directory (do not delete; preserve audit trail)
Reset passwords for all compromised accounts
Revoke active sessions and tokens (Azure AD: Revoke-AzureADUserAllRefreshToken)
Disable the compromised service account and rotate its credentials
If Domain Admin is compromised: double-reset the KRBTGT password (reset twice, 12 hours apart)

Endpoint Containment:

Use EDR to terminate malicious processes on contained hosts
Block known malicious hashes in EDR prevention policy
Quarantine identified malware samples
Disable remote services (WinRM, RDP, SMB) on critical servers not yet compromised

Step 3: Execute Long-Term Containment

Implement sustainable containment while the investigation continues:

Create network ACLs isolating the compromised VLAN/subnet while allowing business-critical traffic
Deploy temporary jump hosts for administrators to access contained systems for investigation
Implement enhanced monitoring (full packet capture) on network segments adjacent to compromised hosts
Enable advanced audit policies on all domain controllers (4768, 4769, 4771 for Kerberos attacks)
Deploy canary tokens and honeypot accounts to detect adversary attempts to expand from containment

Step 4: Validate Containment Effectiveness

Confirm that containment measures have stopped adversary operations:

Monitor for new C2 callbacks from any internal host to known adversary infrastructure
Check for new lateral movement attempts (failed authentication from disabled accounts)
Verify that contained hosts cannot reach the internet except through the EDR agent
Confirm that compromised credentials produce authentication failures
Review SIEM for any new alerts matching the adversary's known TTPs

Containment Validation Checklist:
[x] C2 beacon traffic ceased from all known compromised hosts
[x] Disabled accounts producing expected 4625 failure events (no new successes)
[x] Contained hosts unreachable via network scan from adjacent subnets
[x] No new hosts exhibiting IOCs from the initial compromise
[x] Honeypot account has not been accessed (adversary may be dormant)
[ ] Full packet capture running on finance VLAN (pending switch config)

Step 5: Preserve Evidence During Containment

Containment must not destroy forensic evidence:

Capture memory dumps from compromised hosts before any remediation (use WinPmem or Magnet RAM Capture)
Collect volatile data: running processes, network connections, logged-on users, scheduled tasks
Export relevant event logs before they rotate (Security, System, PowerShell, Sysmon)
Capture network traffic between compromised hosts and C2 infrastructure
Document all containment actions with timestamps for the incident timeline

Step 6: Communicate Containment Status

Provide structured status updates to incident commander and stakeholders:

Current containment effectiveness (percentage of adversary activity stopped)
Remaining risks (undiscovered implants, persistence mechanisms not yet identified)
Business impact of containment actions (which systems are offline, user impact)
Estimated timeline for eradication phase
Escalation needs (law enforcement notification, external IR retainer activation)

Key Concepts

Term	Definition
Short-Term Containment	Immediate actions to stop active adversary operations; typically network isolation and credential disablement
Long-Term Containment	Sustainable measures allowing continued investigation while preventing adversary re-access
KRBTGT Double Reset	Resetting the KRBTGT password twice to invalidate all existing Kerberos tickets including golden tickets
Network Containment	EDR feature that isolates an endpoint from all network communication except the EDR management channel
Lateral Movement	Adversary technique of moving from one compromised system to another within a network using stolen credentials or exploits
C2 Sinkholing	Redirecting DNS queries for C2 domains to an internal server to prevent adversary communication and detect additional victims
Microsegmentation	Granular network access controls between workloads that limit lateral communication paths

Tools & Systems

CrowdStrike Falcon: Endpoint containment with one-click network isolation preserving agent connectivity
Microsoft Defender for Endpoint: Live response console for remote containment actions and evidence collection
Palo Alto Networks NGFW: Application-aware firewall rules for C2 traffic blocking and microsegmentation
Velociraptor: Open-source endpoint monitoring and response tool for artifact collection during containment
BloodHound: Active Directory attack path mapping to identify potential lateral movement routes the adversary may exploit

Common Scenarios

Scenario: Ransomware Lateral Propagation via SMB

Context: EDR alerts on three file servers showing rapid file encryption. The ransomware is spreading via SMB using a compromised domain service account.

Approach:

Immediately isolate all three file servers via EDR network containment
Disable the compromised service account in Active Directory
Block SMB (TCP 445) between all server VLANs at the network switch layer
Deploy an emergency GPO disabling the SMB server service on non-critical endpoints
Capture memory from one encrypted server before it reboots
Search for the ransomware binary hash across all endpoints using EDR threat hunting

Pitfalls:

Shutting down servers immediately, destroying volatile memory evidence
Only disabling the known compromised account without checking for other persistence mechanisms
Restoring from backup before confirming the adversary's access has been fully revoked

Output Format

CONTAINMENT STATUS REPORT
=========================
Incident:        INC-2025-1547
Status:          CONTAINED (Short-Term)
Timestamp:       2025-11-15T15:47:00Z
Containment Lead: [Name]

ACTIONS TAKEN
Network:
- [x] 5 hosts isolated via CrowdStrike containment
- [x] C2 IP 185.220.x.x blocked at perimeter FW (rule #4521)
- [x] C2 domain evil.example[.]com sinkholed to 10.0.0.99

Identity:
- [x] jsmith account disabled
- [x] svc-backup account disabled, password rotated
- [x] admin-tier0 account disabled
- [x] KRBTGT first reset completed at 15:30 UTC

Endpoint:
- [x] Malicious hash blocked in EDR prevention policy
- [x] Malware processes terminated on all contained hosts

EVIDENCE PRESERVED
- Memory dumps: 3 of 5 hosts completed
- Event logs exported: all 5 hosts
- Network capture: running on finance VLAN

REMAINING RISKS
- Possible undiscovered implants on non-EDR endpoints (15 legacy hosts)
- KRBTGT second reset pending (scheduled 03:30 UTC +1 day)
- Adversary may have exfiltrated data before containment

BUSINESS IMPACT
- Finance file share offline (affects 42 users)
- 3 user workstations isolated (users reassigned to loaners)
- Estimated restoration: pending eradication completion