remediation

Remediation Playbooks Skill

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "remediation" with this command: npx skills add sherifeldeeb/agentskills/sherifeldeeb-agentskills-remediation

Remediation Playbooks Skill

Comprehensive remediation procedures for removing security threats, restoring systems, and recovering from incidents. Provides structured playbooks for malware removal, credential reset, system rebuild, and data recovery.

Capabilities

  • Malware Remediation: Malware removal, ransomware recovery, rootkit removal, web shell cleanup

  • Access Remediation: Credential reset, backdoor removal, privilege cleanup, golden ticket remediation

  • System Remediation: System rebuild, patch deployment, configuration hardening, log recovery

  • Data Remediation: Data breach response, backup restoration, integrity verification, PII exposure handling

  • Cloud Remediation: Cloud account recovery, IAM cleanup, S3 security fixes, container remediation

  • Business Remediation: BEC recovery, vendor compromise cleanup, supply chain remediation

  • Playbook Execution: Track and document remediation progress

Quick Start

from remediation_utils import ( MalwareRemediation, AccessRemediation, SystemRemediation, DataRemediation, CloudRemediation, BusinessRemediation, RemediationPlaybook )

Create playbook for incident

playbook = RemediationPlaybook('INC-2024-001', 'Ransomware Recovery')

Malware removal

malware = MalwareRemediation() action = malware.remove_malware( hostname='WORKSTATION-15', malware_type='ransomware', malware_artifacts=['/temp/payload.exe', 'HKLM\...\Run\malware'] ) playbook.add_action(action)

System rebuild

system = SystemRemediation() action = system.rebuild_system('WORKSTATION-15', 'windows_11', preserve_data=False) playbook.add_action(action)

Generate remediation report

print(playbook.generate_report())

Usage

Malware Remediation: Remove Malware

Remove malware from infected system.

Example:

from remediation_utils import MalwareRemediation, RemediationPlaybook

playbook = RemediationPlaybook('INC-2024-001', 'Malware Removal') malware = MalwareRemediation()

Define malware artifacts discovered during investigation

artifacts = { 'files': [ 'C:\Users\Public\payload.exe', 'C:\Windows\Temp\dropper.dll', 'C:\ProgramData\backdoor.exe' ], 'registry': [ 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\malware', 'HKCU\Software\Classes\CLSID\{malicious-guid}' ], 'scheduled_tasks': ['SystemUpdate', 'WindowsDefenderUpdate'], 'services': ['MaliciousService'], 'processes': ['payload.exe', 'backdoor.exe'] }

action = malware.remove_malware( hostname='WORKSTATION-15', malware_type='trojan', malware_artifacts=artifacts, quarantine_before_delete=True, scan_after_removal=True )

playbook.add_action(action) print(f"Removal commands: {action.commands}") print(f"Verification steps: {action.verification_steps}")

Malware Remediation: Ransomware Recovery

Recover from ransomware infection.

Example:

from remediation_utils import MalwareRemediation

malware = MalwareRemediation()

action = malware.ransomware_recovery( hostname='FILESERVER-01', ransomware_family='lockbit', encrypted_extensions=['.lockbit', '.encrypted'], recovery_method='backup', # backup, decryptor, shadow_copies backup_location='\\backup-server\fileserver-01\latest', verify_decryption=True )

print(f"Recovery steps: {action.recovery_steps}") print(f"Data validation: {action.validation_steps}")

Malware Remediation: Rootkit Removal

Remove rootkits and bootkits.

Example:

from remediation_utils import MalwareRemediation

malware = MalwareRemediation()

action = malware.rootkit_removal( hostname='SERVER-01', rootkit_type='kernel', # kernel, bootkit, firmware detection_tool='gmer', offline_scan=True, rebuild_mbr=True )

print(f"Removal procedure: {action.commands}") print(f"Verification: {action.verification_steps}")

Malware Remediation: Web Shell Removal

Remove web shells from compromised servers.

Example:

from remediation_utils import MalwareRemediation

malware = MalwareRemediation()

webshells = [ '/var/www/html/uploads/shell.php', '/var/www/html/images/cmd.php', '/var/www/html/includes/backdoor.php' ]

action = malware.webshell_removal( hostname='WEBSERVER-01', webshell_paths=webshells, web_root='/var/www/html', scan_for_additional=True, patch_upload_vulnerability=True, restore_from_clean=True )

print(f"Files removed: {action.metadata['files_removed']}") print(f"Integrity check: {action.verification_steps}")

Access Remediation: Full Credential Reset

Perform comprehensive credential reset after breach.

Example:

from remediation_utils import AccessRemediation

access = AccessRemediation()

action = access.full_credential_reset( scope='domain', # domain, local, cloud, all users=['jdoe', 'admin', 'svc_backup'], reset_types=['password', 'kerberos', 'certificates'], force_mfa_reenroll=True, expire_all_sessions=True, notify_users=True )

print(f"Reset commands: {action.commands}") print(f"Users affected: {len(action.metadata['users'])}")

Access Remediation: Backdoor Removal

Remove attacker persistence and backdoors.

Example:

from remediation_utils import AccessRemediation

access = AccessRemediation()

backdoors = { 'accounts': ['backdoor_admin', 'support_temp'], 'ssh_keys': ['/root/.ssh/authorized_keys'], 'scheduled_tasks': ['WindowsUpdate2', 'SystemMaintenance'], 'services': ['RemoteSupport', 'WindowsDefenderUpdate'], 'registry': ['HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update'], 'web_shells': ['/var/www/html/admin.php'], 'cron_jobs': ['/etc/cron.d/update'] }

action = access.backdoor_removal( hostname='SERVER-01', backdoors=backdoors, audit_all_persistence=True, compare_to_baseline=True )

print(f"Backdoors removed: {action.metadata['removed_count']}") print(f"Audit results: {action.audit_results}")

Access Remediation: Privilege Escalation Cleanup

Clean up after privilege escalation attack.

Example:

from remediation_utils import AccessRemediation

access = AccessRemediation()

action = access.privilege_cleanup( affected_accounts=['compromised_user'], unauthorized_groups=['Domain Admins', 'Enterprise Admins'], unauthorized_permissions=['SeDebugPrivilege', 'SeTcbPrivilege'], reset_to_baseline=True, audit_privileged_groups=True )

print(f"Groups cleaned: {action.metadata['groups_cleaned']}") print(f"Permissions revoked: {action.metadata['permissions_revoked']}")

Access Remediation: Golden Ticket Remediation

Remediate Kerberos golden ticket attack.

Example:

from remediation_utils import AccessRemediation

access = AccessRemediation()

action = access.golden_ticket_remediation( domain='corp.example.com', reset_krbtgt=True, # Critical: Reset twice reset_interval_hours=10, force_all_ticket_renewal=True, audit_service_accounts=True )

print(f"KRBTGT reset status: {action.metadata['krbtgt_reset']}") print(f"Wait time before second reset: {action.metadata['wait_hours']} hours")

System Remediation: System Rebuild

Rebuild compromised system from scratch.

Example:

from remediation_utils import SystemRemediation

system = SystemRemediation()

action = system.rebuild_system( hostname='WORKSTATION-15', os_version='windows_11_enterprise', image_source='gold_image', preserve_data=False, # Data already backed up join_domain=True, apply_security_baseline=True, install_edr=True )

print(f"Rebuild steps: {action.commands}") print(f"Post-rebuild checklist: {action.verification_steps}")

System Remediation: Emergency Patching

Deploy emergency security patches.

Example:

from remediation_utils import SystemRemediation

system = SystemRemediation()

action = system.emergency_patching( targets=['WEBSERVER-01', 'WEBSERVER-02', 'APPSERVER-01'], patches=['KB5012345', 'CVE-2024-1234'], patch_source='wsus', # wsus, sccm, manual reboot_allowed=True, verify_after_patch=True, rollback_on_failure=True )

print(f"Patching plan: {action.commands}") print(f"Verification: {action.verification_steps}")

System Remediation: Configuration Hardening

Apply security hardening after incident.

Example:

from remediation_utils import SystemRemediation

system = SystemRemediation()

action = system.configuration_hardening( hostname='SERVER-01', baseline='cis_level_1', # cis_level_1, cis_level_2, disa_stig, custom focus_areas=['authentication', 'network', 'logging', 'services'], disable_legacy_protocols=True, enable_advanced_audit=True )

print(f"Hardening steps: {action.commands}") print(f"Compliance score: {action.metadata['compliance_score']}")

System Remediation: Log Recovery

Recover and restore audit logs.

Example:

from remediation_utils import SystemRemediation

system = SystemRemediation()

action = system.log_recovery( hostname='SERVER-01', log_types=['security', 'system', 'application', 'powershell'], recovery_sources=['backup', 'siem', 'shadow_copy'], time_range=('2024-01-10', '2024-01-15'), verify_integrity=True )

print(f"Logs recovered: {action.metadata['logs_recovered']}") print(f"Integrity status: {action.metadata['integrity_verified']}")

Data Remediation: Data Breach Response

Execute data breach response procedures.

Example:

from remediation_utils import DataRemediation

data = DataRemediation()

action = data.breach_response( breach_type='pii_exposure', affected_data_types=['ssn', 'credit_card', 'medical_records'], affected_record_count=50000, notification_required=True, regulatory_requirements=['gdpr', 'hipaa', 'ccpa'], legal_hold=True )

print(f"Response steps: {action.commands}") print(f"Notification timeline: {action.metadata['notification_timeline']}") print(f"Regulatory requirements: {action.metadata['regulatory_actions']}")

Data Remediation: Backup Restoration

Restore data from backups.

Example:

from remediation_utils import DataRemediation

data = DataRemediation()

action = data.backup_restoration( target_system='FILESERVER-01', backup_source='\\backup\fileserver-01\2024-01-14', restore_type='full', # full, incremental, selective restore_paths=['/data/finance', '/data/hr'], verify_after_restore=True, scan_before_restore=True # Scan backup for malware )

print(f"Restoration steps: {action.commands}") print(f"Verification: {action.verification_steps}")

Data Remediation: Integrity Verification

Verify data integrity after incident.

Example:

from remediation_utils import DataRemediation

data = DataRemediation()

action = data.integrity_verification( target_paths=['/data/critical', '/app/config'], baseline_hashes='/security/baselines/file_hashes.json', verification_method='sha256', report_modifications=True, quarantine_suspicious=True )

print(f"Files verified: {action.metadata['files_checked']}") print(f"Modifications found: {action.metadata['modifications']}")

Cloud Remediation: Cloud Account Recovery

Recover compromised cloud account.

Example:

from remediation_utils import CloudRemediation

cloud = CloudRemediation()

action = cloud.account_recovery( cloud_provider='aws', account_id='123456789012', compromised_resources=['iam_users', 'access_keys', 'roles'], reset_all_credentials=True, audit_cloudtrail=True, enable_guardduty=True )

print(f"Recovery steps: {action.commands}") print(f"Resources remediated: {action.metadata['resources_remediated']}")

Cloud Remediation: IAM Policy Remediation

Fix IAM policy misconfigurations.

Example:

from remediation_utils import CloudRemediation

cloud = CloudRemediation()

action = cloud.iam_remediation( cloud_provider='aws', issues=[ {'type': 'overly_permissive', 'resource': 'arn:aws:iam::*:user/admin'}, {'type': 'public_access', 'resource': 'arn:aws:s3:::public-bucket'}, {'type': 'unused_credentials', 'resource': 'AKIA...'} ], apply_least_privilege=True, remove_unused_permissions=True )

print(f"Policies fixed: {action.metadata['policies_fixed']}")

Cloud Remediation: S3 Bucket Remediation

Fix S3 bucket security issues.

Example:

from remediation_utils import CloudRemediation

cloud = CloudRemediation()

action = cloud.s3_remediation( bucket_name='sensitive-data-bucket', issues=['public_access', 'no_encryption', 'no_versioning', 'no_logging'], block_public_access=True, enable_encryption='aws:kms', enable_versioning=True, enable_access_logging=True )

print(f"Remediation applied: {action.metadata['fixes_applied']}")

Cloud Remediation: Container Image Remediation

Remediate compromised container images.

Example:

from remediation_utils import CloudRemediation

cloud = CloudRemediation()

action = cloud.container_remediation( registry='ecr', images=['app-api:latest', 'app-web:latest'], issues=['vulnerability', 'malware', 'misconfig'], rebuild_from_source=True, scan_before_deploy=True, update_base_images=True )

print(f"Images remediated: {action.metadata['images_fixed']}")

Business Remediation: BEC Recovery

Recover from Business Email Compromise.

Example:

from remediation_utils import BusinessRemediation

business = BusinessRemediation()

action = business.bec_recovery( incident_type='invoice_fraud', financial_impact=150000, compromised_accounts=['cfo@company.com', 'ap@company.com'], fraudulent_transactions=['TXN-12345', 'TXN-12346'], bank_notification=True, law_enforcement=True )

print(f"Recovery steps: {action.commands}") print(f"Financial recovery: {action.metadata['recovery_actions']}")

Business Remediation: Vendor Compromise Response

Respond to compromised vendor/third-party.

Example:

from remediation_utils import BusinessRemediation

business = BusinessRemediation()

action = business.vendor_compromise_response( vendor_name='Software Vendor Inc', compromise_type='supply_chain', affected_products=['vendor-sdk-1.2.3'], exposure_assessment=True, revoke_access=True, communication_plan=True )

print(f"Response plan: {action.commands}") print(f"Communication timeline: {action.metadata['communications']}")

Playbook Management

Track and document remediation progress.

Example:

from remediation_utils import RemediationPlaybook

Create playbook

playbook = RemediationPlaybook( incident_id='INC-2024-001', name='Full System Recovery', analyst='senior_analyst' )

Add remediation actions

... (use remediation utilities as shown above)

Track progress

playbook.complete_action(action.id, 'Successfully removed malware') playbook.verify_action(action.id, 'Verified clean via EDR scan')

Generate reports

print(playbook.generate_report()) print(playbook.generate_recovery_certification())

Export for documentation

print(playbook.to_json())

Configuration

Environment Variables

Variable Description Required Default

REMEDIATION_LOG_PATH

Log file path No ./remediation.log

BACKUP_PATH

Default backup location No ./backups

BASELINE_PATH

Security baseline location No ./baselines

Verification Settings

All remediation actions include verification steps:

Get verification status

if action.verification_required: print(action.verification_steps)

Mark verification complete

playbook.verify_action(action.id, 'Verified by EDR scan')

Limitations

  • No Direct Execution: Generates commands/procedures, does not execute directly

  • Requires Clean Media: System rebuilds require verified clean installation media

  • Backup Dependencies: Data restoration requires valid, clean backups

  • Time Requirements: Full remediation may take hours to days

Troubleshooting

Remediation Verification Failed

Problem: Post-remediation verification shows issues

Solution: Re-run targeted remediation:

Identify remaining issues

remaining = action.get_verification_failures() print(f"Remaining issues: {remaining}")

Create follow-up action

follow_up = malware.remove_malware(hostname, remaining_artifacts)

Backup Restoration Failed

Problem: Backup restoration incomplete or corrupt

Solution: Try alternative recovery sources:

action = data.backup_restoration( target_system='SERVER-01', backup_source='alternative_backup', restore_type='incremental', verify_backup_integrity=True )

Related Skills

  • containment: Contain threats before remediation

  • incident-response: Full IR workflow

  • detection: Detect remaining threats

  • grc: Compliance documentation

References

  • Detailed API Reference

  • NIST SP 800-61 Rev. 2

  • CIS Controls

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Automation

email-forensics

No summary provided by upstream source.

Repository SourceNeeds Review
-11
sherifeldeeb
Automation

disk-forensics

No summary provided by upstream source.

Repository SourceNeeds Review
-10
sherifeldeeb
Automation

forensic-reporting

No summary provided by upstream source.

Repository SourceNeeds Review
-9
sherifeldeeb