Remediation Playbooks Skill

Comprehensive remediation procedures for removing security threats, restoring systems, and recovering from incidents. Provides structured playbooks for malware removal, credential reset, system rebuild, and data recovery.

Capabilities

Malware Remediation: Malware removal, ransomware recovery, rootkit removal, web shell cleanup
Access Remediation: Credential reset, backdoor removal, privilege cleanup, golden ticket remediation
System Remediation: System rebuild, patch deployment, configuration hardening, log recovery
Data Remediation: Data breach response, backup restoration, integrity verification, PII exposure handling
Cloud Remediation: Cloud account recovery, IAM cleanup, S3 security fixes, container remediation
Business Remediation: BEC recovery, vendor compromise cleanup, supply chain remediation
Playbook Execution: Track and document remediation progress

Quick Start

python

from remediation_utils import (
    MalwareRemediation, AccessRemediation, SystemRemediation,
    DataRemediation, CloudRemediation, BusinessRemediation,
    RemediationPlaybook
)

# Create playbook for incident
playbook = RemediationPlaybook('INC-2024-001', 'Ransomware Recovery')

# Malware removal
malware = MalwareRemediation()
action = malware.remove_malware(
    hostname='WORKSTATION-15',
    malware_type='ransomware',
    malware_artifacts=['/temp/payload.exe', 'HKLM\\...\\Run\\malware']
)
playbook.add_action(action)

# System rebuild
system = SystemRemediation()
action = system.rebuild_system('WORKSTATION-15', 'windows_11', preserve_data=False)
playbook.add_action(action)

# Generate remediation report
print(playbook.generate_report())

Usage

Malware Remediation: Remove Malware

Remove malware from infected system.

Example:

python

from remediation_utils import MalwareRemediation, RemediationPlaybook

playbook = RemediationPlaybook('INC-2024-001', 'Malware Removal')
malware = MalwareRemediation()

# Define malware artifacts discovered during investigation
artifacts = {
    'files': [
        'C:\\Users\\Public\\payload.exe',
        'C:\\Windows\\Temp\\dropper.dll',
        'C:\\ProgramData\\backdoor.exe'
    ],
    'registry': [
        'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\malware',
        'HKCU\\Software\\Classes\\CLSID\\{malicious-guid}'
    ],
    'scheduled_tasks': ['SystemUpdate', 'WindowsDefenderUpdate'],
    'services': ['MaliciousService'],
    'processes': ['payload.exe', 'backdoor.exe']
}

action = malware.remove_malware(
    hostname='WORKSTATION-15',
    malware_type='trojan',
    malware_artifacts=artifacts,
    quarantine_before_delete=True,
    scan_after_removal=True
)

playbook.add_action(action)
print(f"Removal commands: {action.commands}")
print(f"Verification steps: {action.verification_steps}")

Malware Remediation: Ransomware Recovery

Recover from ransomware infection.

Example:

python

from remediation_utils import MalwareRemediation

malware = MalwareRemediation()

action = malware.ransomware_recovery(
    hostname='FILESERVER-01',
    ransomware_family='lockbit',
    encrypted_extensions=['.lockbit', '.encrypted'],
    recovery_method='backup',  # backup, decryptor, shadow_copies
    backup_location='\\\\backup-server\\fileserver-01\\latest',
    verify_decryption=True
)

print(f"Recovery steps: {action.recovery_steps}")
print(f"Data validation: {action.validation_steps}")

Malware Remediation: Rootkit Removal

Remove rootkits and bootkits.

Example:

python

from remediation_utils import MalwareRemediation

malware = MalwareRemediation()

action = malware.rootkit_removal(
    hostname='SERVER-01',
    rootkit_type='kernel',  # kernel, bootkit, firmware
    detection_tool='gmer',
    offline_scan=True,
    rebuild_mbr=True
)

print(f"Removal procedure: {action.commands}")
print(f"Verification: {action.verification_steps}")

Malware Remediation: Web Shell Removal

Remove web shells from compromised servers.

Example:

python

from remediation_utils import MalwareRemediation

malware = MalwareRemediation()

webshells = [
    '/var/www/html/uploads/shell.php',
    '/var/www/html/images/cmd.php',
    '/var/www/html/includes/backdoor.php'
]

action = malware.webshell_removal(
    hostname='WEBSERVER-01',
    webshell_paths=webshells,
    web_root='/var/www/html',
    scan_for_additional=True,
    patch_upload_vulnerability=True,
    restore_from_clean=True
)

print(f"Files removed: {action.metadata['files_removed']}")
print(f"Integrity check: {action.verification_steps}")

Access Remediation: Full Credential Reset

Perform comprehensive credential reset after breach.

Example:

python

from remediation_utils import AccessRemediation

access = AccessRemediation()

action = access.full_credential_reset(
    scope='domain',  # domain, local, cloud, all
    users=['jdoe', 'admin', 'svc_backup'],
    reset_types=['password', 'kerberos', 'certificates'],
    force_mfa_reenroll=True,
    expire_all_sessions=True,
    notify_users=True
)

print(f"Reset commands: {action.commands}")
print(f"Users affected: {len(action.metadata['users'])}")

Access Remediation: Backdoor Removal

Remove attacker persistence and backdoors.

Example:

python

from remediation_utils import AccessRemediation

access = AccessRemediation()

backdoors = {
    'accounts': ['backdoor_admin', 'support_temp'],
    'ssh_keys': ['/root/.ssh/authorized_keys'],
    'scheduled_tasks': ['WindowsUpdate2', 'SystemMaintenance'],
    'services': ['RemoteSupport', 'WindowsDefenderUpdate'],
    'registry': ['HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Update'],
    'web_shells': ['/var/www/html/admin.php'],
    'cron_jobs': ['/etc/cron.d/update']
}

action = access.backdoor_removal(
    hostname='SERVER-01',
    backdoors=backdoors,
    audit_all_persistence=True,
    compare_to_baseline=True
)

print(f"Backdoors removed: {action.metadata['removed_count']}")
print(f"Audit results: {action.audit_results}")

Access Remediation: Privilege Escalation Cleanup

Clean up after privilege escalation attack.

Example:

python

from remediation_utils import AccessRemediation

access = AccessRemediation()

action = access.privilege_cleanup(
    affected_accounts=['compromised_user'],
    unauthorized_groups=['Domain Admins', 'Enterprise Admins'],
    unauthorized_permissions=['SeDebugPrivilege', 'SeTcbPrivilege'],
    reset_to_baseline=True,
    audit_privileged_groups=True
)

print(f"Groups cleaned: {action.metadata['groups_cleaned']}")
print(f"Permissions revoked: {action.metadata['permissions_revoked']}")

Access Remediation: Golden Ticket Remediation

Remediate Kerberos golden ticket attack.

Example:

python

from remediation_utils import AccessRemediation

access = AccessRemediation()

action = access.golden_ticket_remediation(
    domain='corp.example.com',
    reset_krbtgt=True,  # Critical: Reset twice
    reset_interval_hours=10,
    force_all_ticket_renewal=True,
    audit_service_accounts=True
)

print(f"KRBTGT reset status: {action.metadata['krbtgt_reset']}")
print(f"Wait time before second reset: {action.metadata['wait_hours']} hours")

System Remediation: System Rebuild

Rebuild compromised system from scratch.

Example:

python

from remediation_utils import SystemRemediation

system = SystemRemediation()

action = system.rebuild_system(
    hostname='WORKSTATION-15',
    os_version='windows_11_enterprise',
    image_source='gold_image',
    preserve_data=False,  # Data already backed up
    join_domain=True,
    apply_security_baseline=True,
    install_edr=True
)

print(f"Rebuild steps: {action.commands}")
print(f"Post-rebuild checklist: {action.verification_steps}")

System Remediation: Emergency Patching

Deploy emergency security patches.

Example:

python

from remediation_utils import SystemRemediation

system = SystemRemediation()

action = system.emergency_patching(
    targets=['WEBSERVER-01', 'WEBSERVER-02', 'APPSERVER-01'],
    patches=['KB5012345', 'CVE-2024-1234'],
    patch_source='wsus',  # wsus, sccm, manual
    reboot_allowed=True,
    verify_after_patch=True,
    rollback_on_failure=True
)

print(f"Patching plan: {action.commands}")
print(f"Verification: {action.verification_steps}")

System Remediation: Configuration Hardening

Apply security hardening after incident.

Example:

python

from remediation_utils import SystemRemediation

system = SystemRemediation()

action = system.configuration_hardening(
    hostname='SERVER-01',
    baseline='cis_level_1',  # cis_level_1, cis_level_2, disa_stig, custom
    focus_areas=['authentication', 'network', 'logging', 'services'],
    disable_legacy_protocols=True,
    enable_advanced_audit=True
)

print(f"Hardening steps: {action.commands}")
print(f"Compliance score: {action.metadata['compliance_score']}")

System Remediation: Log Recovery

Recover and restore audit logs.

Example:

python

from remediation_utils import SystemRemediation

system = SystemRemediation()

action = system.log_recovery(
    hostname='SERVER-01',
    log_types=['security', 'system', 'application', 'powershell'],
    recovery_sources=['backup', 'siem', 'shadow_copy'],
    time_range=('2024-01-10', '2024-01-15'),
    verify_integrity=True
)

print(f"Logs recovered: {action.metadata['logs_recovered']}")
print(f"Integrity status: {action.metadata['integrity_verified']}")

Data Remediation: Data Breach Response

Execute data breach response procedures.

Example:

python

from remediation_utils import DataRemediation

data = DataRemediation()

action = data.breach_response(
    breach_type='pii_exposure',
    affected_data_types=['ssn', 'credit_card', 'medical_records'],
    affected_record_count=50000,
    notification_required=True,
    regulatory_requirements=['gdpr', 'hipaa', 'ccpa'],
    legal_hold=True
)

print(f"Response steps: {action.commands}")
print(f"Notification timeline: {action.metadata['notification_timeline']}")
print(f"Regulatory requirements: {action.metadata['regulatory_actions']}")

Data Remediation: Backup Restoration

Restore data from backups.

Example:

python

from remediation_utils import DataRemediation

data = DataRemediation()

action = data.backup_restoration(
    target_system='FILESERVER-01',
    backup_source='\\\\backup\\fileserver-01\\2024-01-14',
    restore_type='full',  # full, incremental, selective
    restore_paths=['/data/finance', '/data/hr'],
    verify_after_restore=True,
    scan_before_restore=True  # Scan backup for malware
)

print(f"Restoration steps: {action.commands}")
print(f"Verification: {action.verification_steps}")

Data Remediation: Integrity Verification

Verify data integrity after incident.

Example:

python

from remediation_utils import DataRemediation

data = DataRemediation()

action = data.integrity_verification(
    target_paths=['/data/critical', '/app/config'],
    baseline_hashes='/security/baselines/file_hashes.json',
    verification_method='sha256',
    report_modifications=True,
    quarantine_suspicious=True
)

print(f"Files verified: {action.metadata['files_checked']}")
print(f"Modifications found: {action.metadata['modifications']}")

Cloud Remediation: Cloud Account Recovery

Recover compromised cloud account.

Example:

python

from remediation_utils import CloudRemediation

cloud = CloudRemediation()

action = cloud.account_recovery(
    cloud_provider='aws',
    account_id='123456789012',
    compromised_resources=['iam_users', 'access_keys', 'roles'],
    reset_all_credentials=True,
    audit_cloudtrail=True,
    enable_guardduty=True
)

print(f"Recovery steps: {action.commands}")
print(f"Resources remediated: {action.metadata['resources_remediated']}")

Cloud Remediation: IAM Policy Remediation

Fix IAM policy misconfigurations.

Example:

python

from remediation_utils import CloudRemediation

cloud = CloudRemediation()

action = cloud.iam_remediation(
    cloud_provider='aws',
    issues=[
        {'type': 'overly_permissive', 'resource': 'arn:aws:iam::*:user/admin'},
        {'type': 'public_access', 'resource': 'arn:aws:s3:::public-bucket'},
        {'type': 'unused_credentials', 'resource': 'AKIA...'}
    ],
    apply_least_privilege=True,
    remove_unused_permissions=True
)

print(f"Policies fixed: {action.metadata['policies_fixed']}")

Cloud Remediation: S3 Bucket Remediation

Fix S3 bucket security issues.

Example:

python

from remediation_utils import CloudRemediation

cloud = CloudRemediation()

action = cloud.s3_remediation(
    bucket_name='sensitive-data-bucket',
    issues=['public_access', 'no_encryption', 'no_versioning', 'no_logging'],
    block_public_access=True,
    enable_encryption='aws:kms',
    enable_versioning=True,
    enable_access_logging=True
)

print(f"Remediation applied: {action.metadata['fixes_applied']}")

Cloud Remediation: Container Image Remediation

Remediate compromised container images.

Example:

python

from remediation_utils import CloudRemediation

cloud = CloudRemediation()

action = cloud.container_remediation(
    registry='ecr',
    images=['app-api:latest', 'app-web:latest'],
    issues=['vulnerability', 'malware', 'misconfig'],
    rebuild_from_source=True,
    scan_before_deploy=True,
    update_base_images=True
)

print(f"Images remediated: {action.metadata['images_fixed']}")

Business Remediation: BEC Recovery

Recover from Business Email Compromise.

Example:

python

from remediation_utils import BusinessRemediation

business = BusinessRemediation()

action = business.bec_recovery(
    incident_type='invoice_fraud',
    financial_impact=150000,
    compromised_accounts=['cfo@company.com', 'ap@company.com'],
    fraudulent_transactions=['TXN-12345', 'TXN-12346'],
    bank_notification=True,
    law_enforcement=True
)

print(f"Recovery steps: {action.commands}")
print(f"Financial recovery: {action.metadata['recovery_actions']}")

Business Remediation: Vendor Compromise Response

Respond to compromised vendor/third-party.

Example:

python

from remediation_utils import BusinessRemediation

business = BusinessRemediation()

action = business.vendor_compromise_response(
    vendor_name='Software Vendor Inc',
    compromise_type='supply_chain',
    affected_products=['vendor-sdk-1.2.3'],
    exposure_assessment=True,
    revoke_access=True,
    communication_plan=True
)

print(f"Response plan: {action.commands}")
print(f"Communication timeline: {action.metadata['communications']}")

Playbook Management

Track and document remediation progress.

Example:

python

from remediation_utils import RemediationPlaybook

# Create playbook
playbook = RemediationPlaybook(
    incident_id='INC-2024-001',
    name='Full System Recovery',
    analyst='senior_analyst'
)

# Add remediation actions
# ... (use remediation utilities as shown above)

# Track progress
playbook.complete_action(action.id, 'Successfully removed malware')
playbook.verify_action(action.id, 'Verified clean via EDR scan')

# Generate reports
print(playbook.generate_report())
print(playbook.generate_recovery_certification())

# Export for documentation
print(playbook.to_json())

Configuration

Environment Variables

Variable	Description	Required	Default
`REMEDIATION_LOG_PATH`	Log file path	No	`./remediation.log`
`BACKUP_PATH`	Default backup location	No	`./backups`
`BASELINE_PATH`	Security baseline location	No	`./baselines`

Verification Settings

All remediation actions include verification steps:

python

# Get verification status
if action.verification_required:
    print(action.verification_steps)

# Mark verification complete
playbook.verify_action(action.id, 'Verified by EDR scan')

Limitations

No Direct Execution: Generates commands/procedures, does not execute directly
Requires Clean Media: System rebuilds require verified clean installation media
Backup Dependencies: Data restoration requires valid, clean backups
Time Requirements: Full remediation may take hours to days

Troubleshooting

Remediation Verification Failed

Problem: Post-remediation verification shows issues

Solution: Re-run targeted remediation:

python

# Identify remaining issues
remaining = action.get_verification_failures()
print(f"Remaining issues: {remaining}")

# Create follow-up action
follow_up = malware.remove_malware(hostname, remaining_artifacts)

Backup Restoration Failed

Problem: Backup restoration incomplete or corrupt

Solution: Try alternative recovery sources:

python

action = data.backup_restoration(
    target_system='SERVER-01',
    backup_source='alternative_backup',
    restore_type='incremental',
    verify_backup_integrity=True
)

Related Skills

containment: Contain threats before remediation
incident-response: Full IR workflow
detection: Detect remaining threats
grc: Compliance documentation

References

Detailed API Reference
NIST SP 800-61 Rev. 2
CIS Controls

remediation

NPX Install

Tags

SKILL.md Content

Remediation Playbooks Skill

Capabilities

Quick Start

Usage

Malware Remediation: Remove Malware

Malware Remediation: Ransomware Recovery

Malware Remediation: Rootkit Removal

Malware Remediation: Web Shell Removal

Access Remediation: Full Credential Reset

Access Remediation: Backdoor Removal

Access Remediation: Privilege Escalation Cleanup

Access Remediation: Golden Ticket Remediation

System Remediation: System Rebuild

System Remediation: Emergency Patching

System Remediation: Configuration Hardening

System Remediation: Log Recovery

Data Remediation: Data Breach Response

Data Remediation: Backup Restoration

Data Remediation: Integrity Verification

Cloud Remediation: Cloud Account Recovery

Cloud Remediation: IAM Policy Remediation

Cloud Remediation: S3 Bucket Remediation

Cloud Remediation: Container Image Remediation

Business Remediation: BEC Recovery

Business Remediation: Vendor Compromise Response

Playbook Management

Configuration

Environment Variables

Verification Settings

Limitations

Troubleshooting

Remediation Verification Failed

Backup Restoration Failed

Related Skills

References