Remediation Playbooks Skill
Comprehensive remediation procedures for removing security threats, restoring systems, and recovering from incidents. Provides structured playbooks for malware removal, credential reset, system rebuild, and data recovery.
Capabilities
- Malware Remediation: Malware removal, ransomware recovery, rootkit removal, web shell cleanup
- Access Remediation: Credential reset, backdoor removal, privilege cleanup, golden ticket remediation
- System Remediation: System rebuild, patch deployment, configuration hardening, log recovery
- Data Remediation: Data breach response, backup restoration, integrity verification, PII exposure handling
- Cloud Remediation: Cloud account recovery, IAM cleanup, S3 security fixes, container remediation
- Business Remediation: BEC recovery, vendor compromise cleanup, supply chain remediation
- Playbook Execution: Track and document remediation progress
Quick Start
```python
from remediation_utils import (
    MalwareRemediation, AccessRemediation, SystemRemediation,
    DataRemediation, CloudRemediation, BusinessRemediation,
    RemediationPlaybook
)

# Create playbook for incident
playbook = RemediationPlaybook('INC-2024-001', 'Ransomware Recovery')

# Malware removal (raw string: the backslashes in a registry path are not escape sequences)
malware = MalwareRemediation()
action = malware.remove_malware(
    hostname='WORKSTATION-15',
    malware_type='ransomware',
    malware_artifacts=['/temp/payload.exe', r'HKLM\...\Run\malware']
)
playbook.add_action(action)

# System rebuild
system = SystemRemediation()
action = system.rebuild_system('WORKSTATION-15', 'windows_11', preserve_data=False)
playbook.add_action(action)

# Generate remediation report
print(playbook.generate_report())
```
Usage
Malware Remediation: Remove Malware
Remove malware from an infected system. Quarantine artifacts before deleting them so that samples survive for analysis, and rescan after removal to confirm nothing was missed.
Example:
```python
from remediation_utils import MalwareRemediation, RemediationPlaybook

playbook = RemediationPlaybook('INC-2024-001', 'Malware Removal')
malware = MalwareRemediation()

# Define malware artifacts discovered during investigation.
# Raw strings are required: a plain 'C:\Users\...' literal is a SyntaxError in Python 3
# because \U starts a Unicode escape.
artifacts = {
    'files': [
        r'C:\Users\Public\payload.exe',
        r'C:\Windows\Temp\dropper.dll',
        r'C:\ProgramData\backdoor.exe'
    ],
    'registry': [
        r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\malware',
        r'HKCU\Software\Classes\CLSID\{malicious-guid}'
    ],
    'scheduled_tasks': ['SystemUpdate', 'WindowsDefenderUpdate'],
    'services': ['MaliciousService'],
    'processes': ['payload.exe', 'backdoor.exe']
}

action = malware.remove_malware(
    hostname='WORKSTATION-15',
    malware_type='trojan',
    malware_artifacts=artifacts,
    quarantine_before_delete=True,
    scan_after_removal=True
)
playbook.add_action(action)

print(f"Removal commands: {action.commands}")
print(f"Verification steps: {action.verification_steps}")
```
Malware Remediation: Ransomware Recovery
Recover from a ransomware infection. Clean the host and close the initial access vector before restoring, otherwise the restored data is encrypted again. Shadow copies are worth checking, but most ransomware families delete them before encrypting, so backups are usually the realistic recovery source.
Example:
```python
from remediation_utils import MalwareRemediation

malware = MalwareRemediation()
action = malware.ransomware_recovery(
    hostname='FILESERVER-01',
    ransomware_family='lockbit',
    encrypted_extensions=['.lockbit', '.encrypted'],
    recovery_method='backup',  # backup, decryptor, shadow_copies
    backup_location='\\\\backup-server\\fileserver-01\\latest',
    verify_decryption=True
)

print(f"Recovery steps: {action.recovery_steps}")
print(f"Data validation: {action.validation_steps}")
```
Malware Remediation: Rootkit Removal
Remove rootkits and bootkits. Scan offline (booted from trusted media) because a loaded kernel rootkit can hide its own files, processes and registry keys from tools run inside the infected OS. Rebuilding the MBR addresses legacy bootkits only; a firmware implant survives both that and a disk wipe and needs a firmware reflash or hardware replacement.
Example:
```python
from remediation_utils import MalwareRemediation

malware = MalwareRemediation()
action = malware.rootkit_removal(
    hostname='SERVER-01',
    rootkit_type='kernel',  # kernel, bootkit, firmware
    detection_tool='gmer',
    offline_scan=True,
    rebuild_mbr=True
)

print(f"Removal procedure: {action.commands}")
print(f"Verification: {action.verification_steps}")
```
Malware Remediation: Web Shell Removal
Remove web shells from compromised servers. Deleting the known shells is not sufficient: scan the web root for additional ones, fix the upload or injection flaw that placed them, and restore application files from a known-clean source, otherwise the attacker simply re-uploads.
Example:
```python
from remediation_utils import MalwareRemediation

malware = MalwareRemediation()

webshells = [
    '/var/www/html/uploads/shell.php',
    '/var/www/html/images/cmd.php',
    '/var/www/html/includes/backdoor.php'
]

action = malware.webshell_removal(
    hostname='WEBSERVER-01',
    webshell_paths=webshells,
    web_root='/var/www/html',
    scan_for_additional=True,
    patch_upload_vulnerability=True,
    restore_from_clean=True
)

print(f"Files removed: {action.metadata['files_removed']}")
print(f"Integrity check: {action.verification_steps}")
```
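The scan-for-additional-shells and quarantine steps, as an added example that is not part of remediation_utils or this project. It walks a web root, flags script files by constructed indicator patterns (execution functions fed from request variables, long encoded blobs passed to a decoder, dynamic calls through request variables) and by location (any script inside an upload-only directory), then moves hits into a quarantine tree and records their SHA-256 for the evidence log. The patterns, directory names and sample files are all constructed for the example and are not a complete signature set.

```python
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# Constructed indicator patterns for PHP web shells (illustrative, not exhaustive).
SUSPICIOUS_PATTERNS = {
    "exec_of_request_input": re.compile(
        rb"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*"
        rb"(\$_(GET|POST|REQUEST|COOKIE)|base64_decode|gzinflate|gzuncompress|str_rot13)\b", re.I),
    "long_encoded_blob": re.compile(
        rb"\b(base64_decode|gzinflate|gzuncompress)\s*\(\s*['\"][A-Za-z0-9+/=]{80,}", re.I),
    "dynamic_call_from_request": re.compile(rb"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(", re.I),
}
SCRIPT_EXTENSIONS = {".php", ".phtml", ".php5", ".phar"}
UPLOAD_ONLY_DIRS = {"uploads", "images", "media"}   # directories that should never contain scripts


def scan_web_root(web_root):
    """Map relative path -> list of reasons for every script under web_root that looks like a web shell."""
    root = Path(web_root)
    findings = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_EXTENSIONS:
            continue
        rel = path.relative_to(root)
        reasons = []
        if len(rel.parts) > 1 and rel.parts[0] in UPLOAD_ONLY_DIRS:
            reasons.append("script_in_upload_dir")      # a script in an upload dir is suspect regardless of content
        data = path.read_bytes()
        reasons += [name for name, pattern in SUSPICIOUS_PATTERNS.items() if pattern.search(data)]
        if reasons:
            findings[rel.as_posix()] = reasons
    return findings


def quarantine(web_root, rel_path, quarantine_dir):
    """Move a flagged file out of the web root, keeping its relative path, and return its SHA-256 for the evidence log."""
    src = Path(web_root) / rel_path
    digest = hashlib.sha256(src.read_bytes()).hexdigest()
    dst = Path(quarantine_dir) / rel_path
    dst.parent.mkdir(parents=True, exist_ok=True)
    shutil.move(str(src), str(dst))
    return digest


def demo():
    """Constructed web root: one clean page, one image, two shells. Returns (findings, evidence, web_root)."""
    tmp = Path(tempfile.mkdtemp())
    web_root, quarantine_dir = tmp / "html", tmp / "quarantine"
    sample_files = {
        "index.php": "<?php echo 'hello'; system('uptime'); ?>",       # literal argument: not flagged
        "uploads/photo.jpg": "\xff\xd8\xff",                            # not a script: skipped
        "uploads/shell.php": "<?php system($_GET['cmd']); ?>",          # classic one-liner in an upload dir
        "includes/backdoor.php": "<?php eval(base64_decode('" + "QUFB" * 40 + "')); ?>",  # obfuscated loader
    }
    for rel, body in sample_files.items():
        target = web_root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="latin-1")
    findings = scan_web_root(web_root)
    evidence = {rel: quarantine(web_root, rel, quarantine_dir) for rel in findings}
    return findings, evidence, web_root


if __name__ == "__main__":
    findings, evidence, _ = demo()
    for rel, reasons in findings.items():
        print(f"{rel}: {reasons} sha256={evidence[rel][:16]}...")
```

On a real server, run the scan from a read-only mount or a disk image rather than the live web root, and diff the results against the application's release manifest before trusting the "clean" files.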
Access Remediation: Full Credential Reset
Perform a comprehensive credential reset after a breach. Changing passwords alone does not evict an attacker who holds valid session cookies, OAuth tokens, Kerberos tickets or certificates, so the reset also expires sessions, re-enrolls MFA and covers service accounts.
Example:
```python
from remediation_utils import AccessRemediation

access = AccessRemediation()
action = access.full_credential_reset(
    scope='domain',  # domain, local, cloud, all
    users=['jdoe', 'admin', 'svc_backup'],
    reset_types=['password', 'kerberos', 'certificates'],
    force_mfa_reenroll=True,
    expire_all_sessions=True,
    notify_users=True
)

print(f"Reset commands: {action.commands}")
print(f"Users affected: {len(action.metadata['users'])}")
```
Access Remediation: Backdoor Removal
Remove attacker persistence and backdoors. Audit every persistence location rather than only the ones found during the investigation, and compare against a known-good baseline so that added accounts, keys, tasks and services stand out. The ssh_keys entry below names the authorized_keys file: remove the attacker's key entries from it rather than deleting the file, or legitimate key-based admin access goes with it.
Example:
```python
from remediation_utils import AccessRemediation

access = AccessRemediation()

backdoors = {
    'accounts': ['backdoor_admin', 'support_temp'],
    'ssh_keys': ['/root/.ssh/authorized_keys'],
    'scheduled_tasks': ['WindowsUpdate2', 'SystemMaintenance'],
    'services': ['RemoteSupport', 'WindowsDefenderUpdate'],
    'registry': ['HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Update'],
    'web_shells': ['/var/www/html/admin.php'],
    'cron_jobs': ['/etc/cron.d/update']
}

action = access.backdoor_removal(
    hostname='SERVER-01',
    backdoors=backdoors,
    audit_all_persistence=True,
    compare_to_baseline=True
)

print(f"Backdoors removed: {action.metadata['removed_count']}")
print(f"Audit results: {action.audit_results}")
```
Access Remediation: Privilege Escalation Cleanup
Clean up after a privilege escalation attack. Remove the compromised accounts from the privileged groups they were added to, revoke the user rights the attacker granted, and audit every privileged group so that other additions made during the intrusion are found as well.
Example:
```python
from remediation_utils import AccessRemediation

access = AccessRemediation()
action = access.privilege_cleanup(
    affected_accounts=['compromised_user'],
    unauthorized_groups=['Domain Admins', 'Enterprise Admins'],
    unauthorized_permissions=['SeDebugPrivilege', 'SeTcbPrivilege'],
    reset_to_baseline=True,
    audit_privileged_groups=True
)

print(f"Groups cleaned: {action.metadata['groups_cleaned']}")
print(f"Permissions revoked: {action.metadata['permissions_revoked']}")
```
Access Remediation: Golden Ticket Remediation
Remediate a Kerberos golden ticket attack. The krbtgt account password must be reset twice: the KDC still accepts tickets made with the previous krbtgt key, so a single reset leaves forged tickets valid. Wait at least the maximum TGT lifetime (10 hours by default) and for AD replication to converge between the two resets, otherwise legitimate tickets are invalidated domain-wide.
Example:
```python
from remediation_utils import AccessRemediation

access = AccessRemediation()
action = access.golden_ticket_remediation(
    domain='corp.example.com',
    reset_krbtgt=True,  # Critical: reset twice
    reset_interval_hours=10,
    force_all_ticket_renewal=True,
    audit_service_accounts=True
)

print(f"KRBTGT reset status: {action.metadata['krbtgt_reset']}")
print(f"Wait time before second reset: {action.metadata['wait_hours']} hours")
```
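Why the double reset is needed, as an added example that is not part of remediation_utils or this project. KdcModel is a constructed toy KDC: real Kerberos encrypts the TGT with the krbtgt key, whereas here a ticket is a principal name plus an HMAC-SHA256 under that key. What the model keeps is the behaviour the remediation depends on: the KDC honours tickets made with either the current or the immediately previous krbtgt key. The timeline shows a golden ticket forged from the generation-0 key surviving the first reset and dying at the second, while a ticket legitimately issued between the resets survives. Keys, principal names and dates are made up.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MAC_LEN = 32


class KdcModel:
    """Constructed toy KDC: accepts a ticket if its MAC verifies under the current OR previous krbtgt key."""

    def __init__(self):
        self.current = os.urandom(32)     # krbtgt key, generation 0
        self.previous = None
        self.generation = 0

    @staticmethod
    def sign(key, principal):
        body = principal.encode()
        return body + hmac.new(key, body, hashlib.sha256).digest()

    def issue_tgt(self, principal):
        return self.sign(self.current, principal)

    def reset_krbtgt(self):
        """One password reset: the current key becomes 'previous', a fresh key becomes current."""
        self.previous, self.current = self.current, os.urandom(32)
        self.generation += 1

    def accepts(self, tgt):
        body, mac = tgt[:-MAC_LEN], tgt[-MAC_LEN:]
        return any(
            hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), mac)
            for key in (self.current, self.previous) if key is not None)


def double_reset_timeline():
    """Forge a golden ticket from the generation-0 krbtgt key and test it across two resets."""
    kdc = KdcModel()
    stolen_key = kdc.current                                  # attacker dumped the krbtgt hash (e.g. via DCSync)
    golden = KdcModel.sign(stolen_key, "Administrator")       # forged offline, never issued by the KDC
    rows = [("before any reset", kdc.accepts(golden))]
    kdc.reset_krbtgt()
    rows.append(("after first reset", kdc.accepts(golden)))   # still valid: previous key is honoured
    renewed = kdc.issue_tgt("jdoe")                           # a user re-authenticates between the resets
    kdc.reset_krbtgt()
    rows.append(("after second reset", kdc.accepts(golden)))  # rejected: generation-0 key is gone
    return rows, kdc.accepts(renewed)                         # the post-first-reset ticket survives


def second_reset_not_before(first_reset_iso, max_tgt_lifetime_hours=10):
    """Earliest time (ISO 8601) for the second reset: every TGT issued under the old key must have
    expired (AD's default maximum TGT lifetime is 10 hours) and replication of the first reset must
    have converged, otherwise the second reset invalidates legitimate tickets domain-wide."""
    first_reset = datetime.fromisoformat(first_reset_iso)
    return (first_reset + timedelta(hours=max_tgt_lifetime_hours)).isoformat()


if __name__ == "__main__":
    rows, renewed_ok = double_reset_timeline()
    for label, accepted in rows:
        print(f"golden ticket {label}: {'ACCEPTED' if accepted else 'rejected'}")
    print("legitimate ticket issued between resets still valid:", renewed_ok)
    print("second reset not before:", second_reset_not_before("2024-01-15T09:00:00"))
```

The second-reset timer is the lower bound; if the attacker dumped the hash from a DC that has not yet replicated the first reset, that DC still holds the old key, which is why replication convergence is checked in addition to the ticket lifetime.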
System Remediation: System Rebuild
Rebuild a compromised system from scratch. Rebuild from a verified gold image rather than cleaning in place; preserve_data=False assumes user data was already backed up and scanned before the rebuild.
Example:
```python
from remediation_utils import SystemRemediation

system = SystemRemediation()
action = system.rebuild_system(
    hostname='WORKSTATION-15',
    os_version='windows_11_enterprise',
    image_source='gold_image',
    preserve_data=False,  # Data already backed up
    join_domain=True,
    apply_security_baseline=True,
    install_edr=True
)

print(f"Rebuild steps: {action.commands}")
print(f"Post-rebuild checklist: {action.verification_steps}")
```
System Remediation: Emergency Patching
Deploy emergency security patches. The patches list accepts vendor update identifiers (KB numbers) as well as CVE identifiers; verify after patching and keep rollback available, since emergency patches get less testing than routine ones.
Example:
```python
from remediation_utils import SystemRemediation

system = SystemRemediation()
action = system.emergency_patching(
    targets=['WEBSERVER-01', 'WEBSERVER-02', 'APPSERVER-01'],
    patches=['KB5012345', 'CVE-2024-1234'],
    patch_source='wsus',  # wsus, sccm, manual
    reboot_allowed=True,
    verify_after_patch=True,
    rollback_on_failure=True
)

print(f"Patching plan: {action.commands}")
print(f"Verification: {action.verification_steps}")
```
System Remediation: Configuration Hardening
Apply security hardening after an incident. The baseline selects the benchmark (CIS Level 1 or 2, DISA STIG, or a custom profile); disabling legacy protocols such as NTLMv1 and SMBv1 removes common lateral-movement paths, and enabling advanced audit policy reduces blind spots in later investigations.
Example:
```python
from remediation_utils import SystemRemediation

system = SystemRemediation()
action = system.configuration_hardening(
    hostname='SERVER-01',
    baseline='cis_level_1',  # cis_level_1, cis_level_2, disa_stig, custom
    focus_areas=['authentication', 'network', 'logging', 'services'],
    disable_legacy_protocols=True,
    enable_advanced_audit=True
)

print(f"Hardening steps: {action.commands}")
print(f"Compliance score: {action.metadata['compliance_score']}")
```
System Remediation: Log Recovery
Recover and restore audit logs. Attackers commonly clear local event logs, so recovery pulls from backups, the SIEM's copy and shadow copies; integrity verification matters because recovered logs may be used as evidence.
Example:
```python
from remediation_utils import SystemRemediation

system = SystemRemediation()
action = system.log_recovery(
    hostname='SERVER-01',
    log_types=['security', 'system', 'application', 'powershell'],
    recovery_sources=['backup', 'siem', 'shadow_copy'],
    time_range=('2024-01-10', '2024-01-15'),
    verify_integrity=True
)

print(f"Logs recovered: {action.metadata['logs_recovered']}")
print(f"Integrity status: {action.metadata['integrity_verified']}")
```
Data Remediation: Data Breach Response
Execute data breach response procedures. Notification deadlines depend on the regulation (GDPR, for example, requires notifying the supervisory authority within 72 hours of becoming aware of a breach), so the regulatory list drives the timeline; legal hold preserves evidence for investigation and litigation.
Example:
```python
from remediation_utils import DataRemediation

data = DataRemediation()
action = data.breach_response(
    breach_type='pii_exposure',
    affected_data_types=['ssn', 'credit_card', 'medical_records'],
    affected_record_count=50000,
    notification_required=True,
    regulatory_requirements=['gdpr', 'hipaa', 'ccpa'],
    legal_hold=True
)

print(f"Response steps: {action.commands}")
print(f"Notification timeline: {action.metadata['notification_timeline']}")
print(f"Regulatory requirements: {action.metadata['regulatory_actions']}")
```
Data Remediation: Backup Restoration
Restore data from backups. Scan the backup for malware before restoring, since backups taken after the initial compromise may contain the attacker's tooling or already-encrypted files, and verify the restored data afterwards.
Example:
```python
from remediation_utils import DataRemediation

data = DataRemediation()
action = data.backup_restoration(
    target_system='FILESERVER-01',
    backup_source='\\\\backup\\fileserver-01\\2024-01-14',
    restore_type='full',  # full, incremental, selective
    restore_paths=['/data/finance', '/data/hr'],
    verify_after_restore=True,
    scan_before_restore=True  # Scan backup for malware
)

print(f"Restoration steps: {action.commands}")
print(f"Verification: {action.verification_steps}")
```
Data Remediation: Integrity Verification
Verify data integrity after an incident. Files are hashed with SHA-256 and compared against a baseline captured before the incident; the baseline itself must be stored where the attacker could not modify it, or the comparison proves nothing.
Example:
```python
from remediation_utils import DataRemediation

data = DataRemediation()
action = data.integrity_verification(
    target_paths=['/data/critical', '/app/config'],
    baseline_hashes='/security/baselines/file_hashes.json',
    verification_method='sha256',
    report_modifications=True,
    quarantine_suspicious=True
)

print(f"Files verified: {action.metadata['files_checked']}")
print(f"Modifications found: {action.metadata['modifications']}")
```
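The baseline comparison itself, as an added example that is not part of remediation_utils or this project. It builds a SHA-256 baseline of a directory tree, stores it with an HMAC so that tampering with the baseline file is detected on load, and classifies every path as modified, added, removed or unchanged. The directory contents, the HMAC key and the "intrusion" edits in demo() are constructed for the example; in practice the key and the baseline file live off the monitored host.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map POSIX-style relative path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p) for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(baseline, path, key):
    """Write the baseline with an HMAC-SHA256 over its canonical JSON form."""
    payload = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    Path(path).write_text(json.dumps({"hashes": baseline, "hmac": tag}, sort_keys=True))


def load_baseline(path, key):
    """Refuse a baseline whose HMAC no longer matches: an attacker who can edit the baseline can hide any change."""
    doc = json.loads(Path(path).read_text())
    payload = json.dumps(doc["hashes"], sort_keys=True).encode()
    if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).hexdigest(), doc["hmac"]):
        raise ValueError("baseline HMAC mismatch: the baseline file itself was altered")
    return doc["hashes"]


def verify_against_baseline(root, baseline):
    """Classify every path as modified, added, removed or unchanged relative to the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "unchanged": sorted(p for p in current if baseline.get(p) == current[p]),
    }


def demo():
    """Constructed scenario: baseline a small tree, simulate an intrusion, then verify."""
    tmp = Path(tempfile.mkdtemp())
    root, baseline_file = tmp / "critical", tmp / "file_hashes.json"
    key = b"constructed-demo-key-keep-the-real-one-off-host"
    for rel, body in {"config/app.yaml": b"debug: false\n",
                      "bin/service": b"\x7fELF-not-a-real-binary",
                      "data/records.csv": b"id,name\n1,alice\n"}.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(body)
    save_baseline(build_baseline(root), baseline_file, key)

    (root / "config/app.yaml").write_bytes(b"debug: true\n")            # attacker edits config
    (root / "bin/backdoor").write_bytes(b"#!/bin/sh\n# dropped tool\n")  # new file dropped
    (root / "data/records.csv").unlink()                                 # data destroyed
    return verify_against_baseline(root, load_baseline(baseline_file, key))


def demo_tampered_baseline():
    """Show that editing a stored hash in the baseline file is caught on load. Returns True if caught."""
    path = Path(tempfile.mkdtemp()) / "file_hashes.json"
    key = b"constructed-demo-key"
    save_baseline({"bin/service": "00" * 32}, path, key)
    doc = json.loads(path.read_text())
    doc["hashes"]["bin/service"] = "ff" * 32          # attacker rewrites the expected hash
    path.write_text(json.dumps(doc))
    try:
        load_baseline(path, key)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    print("tampered baseline detected:", demo_tampered_baseline())
```

Quarantining the modified and added files follows the same move-and-hash pattern as the web shell example; the important design choice here is that the baseline is authenticated, since a plain JSON hash list on the same host is the first thing a careful attacker updates.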
Cloud Remediation: Cloud Account Recovery
Recover a compromised cloud account. Reset every credential the attacker could have obtained (IAM user passwords and access keys, and revoke active role sessions), review CloudTrail to establish what was done with the access, and enable GuardDuty for ongoing detection.
Example:
```python
from remediation_utils import CloudRemediation

cloud = CloudRemediation()
action = cloud.account_recovery(
    cloud_provider='aws',
    account_id='123456789012',
    compromised_resources=['iam_users', 'access_keys', 'roles'],
    reset_all_credentials=True,
    audit_cloudtrail=True,
    enable_guardduty=True
)

print(f"Recovery steps: {action.commands}")
print(f"Resources remediated: {action.metadata['resources_remediated']}")
```
Cloud Remediation: IAM Policy Remediation
Fix IAM policy misconfigurations. The issue list mixes an overly permissive principal, a publicly accessible bucket and an unused access key; least privilege is applied by removing permissions that are not exercised rather than by guesswork.
Example:
```python
from remediation_utils import CloudRemediation

cloud = CloudRemediation()
action = cloud.iam_remediation(
    cloud_provider='aws',
    issues=[
        {'type': 'overly_permissive', 'resource': 'arn:aws:iam::*:user/admin'},
        {'type': 'public_access', 'resource': 'arn:aws:s3:::public-bucket'},
        {'type': 'unused_credentials', 'resource': 'AKIA...'}
    ],
    apply_least_privilege=True,
    remove_unused_permissions=True
)

print(f"Policies fixed: {action.metadata['policies_fixed']}")
```
Cloud Remediation: S3 Bucket Remediation
Fix S3 bucket security issues. The fixes are S3 Block Public Access, default server-side encryption with a KMS key, object versioning (so that deleted or overwritten objects can be recovered) and server access logging. Block Public Access overrides public ACLs and bucket policies but does not delete them, so review and remove the bucket policy as well.
Example:
```python
from remediation_utils import CloudRemediation

cloud = CloudRemediation()
action = cloud.s3_remediation(
    bucket_name='sensitive-data-bucket',
    issues=['public_access', 'no_encryption', 'no_versioning', 'no_logging'],
    block_public_access=True,
    enable_encryption='aws:kms',
    enable_versioning=True,
    enable_access_logging=True
)

print(f"Remediation applied: {action.metadata['fixes_applied']}")
```
Cloud Remediation: Container Image Remediation
Remediate compromised container images. Do not patch a compromised image in place: rebuild from source on an updated base image, scan the result before pushing, and redeploy so that containers started from the bad image are replaced. A tag such as latest is mutable, so pin deployments to the rebuilt image digest rather than trusting the tag.
Example:
```python
from remediation_utils import CloudRemediation

cloud = CloudRemediation()
action = cloud.container_remediation(
    registry='ecr',
    images=['app-api:latest', 'app-web:latest'],
    issues=['vulnerability', 'malware', 'misconfig'],
    rebuild_from_source=True,
    scan_before_deploy=True,
    update_base_images=True
)

print(f"Images remediated: {action.metadata['images_fixed']}")
```
Business Remediation: BEC Recovery
Recover from Business Email Compromise. Notify the bank immediately so the fraudulent transfers can be recalled, and secure the compromised mailboxes, including removing attacker-added inbox rules and forwarding addresses, before payments resume.
Example:
```python
from remediation_utils import BusinessRemediation

business = BusinessRemediation()
action = business.bec_recovery(
    incident_type='invoice_fraud',
    financial_impact=150000,
    compromised_accounts=['cfo@company.com', 'ap@company.com'],
    fraudulent_transactions=['TXN-12345', 'TXN-12346'],
    bank_notification=True,
    law_enforcement=True
)

print(f"Recovery steps: {action.commands}")
print(f"Financial recovery: {action.metadata['recovery_actions']}")
```
Business Remediation: Vendor Compromise Response
Respond to a compromised vendor or third party. Assess exposure (which systems run the affected product versions), revoke the vendor's access and credentials into your environment until the compromise is resolved, and run the communication plan for internal stakeholders and customers.
Example:
```python
from remediation_utils import BusinessRemediation

business = BusinessRemediation()
action = business.vendor_compromise_response(
    vendor_name='Software Vendor Inc',
    compromise_type='supply_chain',
    affected_products=['vendor-sdk-1.2.3'],
    exposure_assessment=True,
    revoke_access=True,
    communication_plan=True
)

print(f"Response plan: {action.commands}")
print(f"Communication timeline: {action.metadata['communications']}")
```
Playbook Management
Track and document remediation progress. Each action is first marked complete and then separately verified, and the playbook can be exported for the incident record.
Example:
```python
from remediation_utils import RemediationPlaybook

# Create playbook
playbook = RemediationPlaybook(
    incident_id='INC-2024-001',
    name='Full System Recovery',
    analyst='senior_analyst'
)

# Add remediation actions
# ... (use remediation utilities as shown above; `action` below refers to one of them)

# Track progress
playbook.complete_action(action.id, 'Successfully removed malware')
playbook.verify_action(action.id, 'Verified clean via EDR scan')

# Generate reports
print(playbook.generate_report())
print(playbook.generate_recovery_certification())

# Export for documentation
print(playbook.to_json())
```
Configuration
Environment Variables
| Variable | Description | Required | Default |
|---|---|---|---|
| | Log file path | No | |
| | Default backup location | No | |
| | Security baseline location | No | |
Verification Settings
All remediation actions include verification steps:
```python
# Get verification status
if action.verification_required:
    print(action.verification_steps)

# Mark verification complete
playbook.verify_action(action.id, 'Verified by EDR scan')
```
Limitations
- No Direct Execution: Generates commands/procedures, does not execute directly
- Requires Clean Media: System rebuilds require verified clean installation media
- Backup Dependencies: Data restoration requires valid, clean backups
- Time Requirements: Full remediation may take hours to days
Troubleshooting
Remediation Verification Failed
Problem: Post-remediation verification shows issues
Solution: Re-run targeted remediation:
```python
# Identify remaining issues (action, malware and playbook come from the earlier removal run)
remaining = action.get_verification_failures()
print(f"Remaining issues: {remaining}")

# Create a follow-up action scoped to what is still present
follow_up = malware.remove_malware(
    hostname='WORKSTATION-15',
    malware_type='trojan',
    malware_artifacts=remaining
)
playbook.add_action(follow_up)
```
Backup Restoration Failed
Problem: Backup restoration incomplete or corrupt
Solution: Try alternative recovery sources:
```python
action = data.backup_restoration(
    target_system='SERVER-01',
    backup_source='alternative_backup',
    restore_type='incremental',
    verify_backup_integrity=True
)
```
Related Skills
- containment: Contain threats before remediation
- incident-response: Full IR workflow
- detection: Detect remaining threats
- grc: Compliance documentation
References
- Detailed API Reference
- NIST SP 800-61 Rev. 2
- CIS Controls