#!/usr/bin/env python3
"""Agent for ransomware attack recovery coordination.

Manages the recovery workflow: backup verification, system rebuild
prioritization, credential reset tracking, and post-recovery
validation checklists with timeline documentation.
"""
import json
import sys
from datetime import datetime, timezone
from pathlib import Path
# Ordered recovery plan: (system, priority, operator note).
# build_recovery_plan() turns each tuple into one plan entry in this order,
# so list position doubles as rebuild order -- identity and name resolution
# infrastructure first, end-user workstations and print services last.
RECOVERY_PRIORITY = [
    ("Domain Controllers", "critical", "Rebuild from clean media first"),
    ("DNS/DHCP Servers", "critical", "Required for network functionality"),
    ("Authentication Services", "critical", "SSO, MFA, RADIUS"),
    ("Email Server", "high", "Communication during recovery"),
    ("Database Servers", "high", "Restore from verified clean backup"),
    ("Application Servers", "high", "Business-critical applications"),
    ("File Servers", "medium", "Restore data from backup"),
    # Reimage rather than file-level restore so no encrypted or planted
    # files are carried back onto a rebuilt endpoint.
    ("Workstations", "medium", "Reimage, do not file-level restore"),
    ("Print Servers", "low", "Rebuild after core services"),
]
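class RansomwareRecoveryAgent:
    """Coordinates ransomware attack recovery procedures.

    All state lives in ``self.recovery``, a JSON-serialisable dict holding the
    case id, status, a timestamped timeline, the prioritised system list, any
    recorded backup checks and the generated checklists. ``generate_report``
    writes that dict to ``<output_dir>/<case_id>_recovery.json``.
    Timestamps are timezone-aware UTC ISO-8601 strings.
    """

    # (item, priority) pairs for the credential reset checklist, in the order
    # they should be worked through.
    _CREDENTIAL_RESET_ITEMS = (
        ("Reset KRBTGT password (twice, 12h apart)", "critical"),
        ("Reset all Domain Admin passwords", "critical"),
        ("Reset all service account passwords", "critical"),
        ("Reset all user passwords", "high"),
        ("Revoke and reissue all certificates", "high"),
        ("Rotate all API keys and tokens", "high"),
        ("Reset cloud IAM credentials", "high"),
        ("Deploy LAPS for local admin passwords", "medium"),
    )

    # Post-recovery hardening items; no priority field in this checklist.
    _HARDENING_ITEMS = (
        "Enforce MFA on all remote access",
        "Implement 3-2-1-1-0 backup strategy",
        "Deploy EDR on all endpoints",
        "Enable PowerShell Script Block Logging",
        "Implement network segmentation",
        "Block SMB between workstations",
        "Disable NTLM where possible",
        "Deploy application whitelisting on servers",
        "Implement privileged access workstations",
    )

    # System statuses that count as done in get_recovery_progress().
    _COMPLETE_STATUSES = ("recovered", "verified")

    def __init__(self, case_id, output_dir="./recovery"):
        """Create the recovery case state and make sure ``output_dir`` exists.

        Args:
            case_id: Identifier used in the timeline and the report filename.
            output_dir: Directory the JSON report is written to; created
                (with parents) if it does not exist.
        """
        self.case_id = case_id
        self.output_dir = Path(output_dir)
        self.output_dir.mkdir(parents=True, exist_ok=True)
        self.recovery = {
            "case_id": case_id,
            "status": "in_progress",
            "timeline": [],
            "systems": [],
            "checklists": {},
        }

    @staticmethod
    def _now():
        """Return the current time as a timezone-aware UTC ISO-8601 string.

        ``datetime.utcnow()`` is deprecated and yields naive timestamps that
        are ambiguous in an incident timeline; the aware form carries the
        ``+00:00`` offset explicitly.
        """
        return datetime.now(timezone.utc).isoformat()

    def log_event(self, event_type, description):
        """Append a timestamped entry to the case timeline.

        Args:
            event_type: Short machine-readable category, e.g. ``"backup_check"``.
            description: Human-readable detail for the report.
        """
        self.recovery["timeline"].append({
            "timestamp": self._now(),
            "type": event_type,
            "description": description,
        })

    def verify_backup(self, backup_path, backup_type, last_verified=None):
        """Record a backup reachability check.

        Only local paths can be probed from here. A remote location (anything
        carrying a URL scheme such as ``s3://``) is recorded as
        ``"remote_unchecked"`` instead of being reported accessible without
        evidence, and a local path that does not exist is ``"not_found"``.
        Reachability is not integrity: a backup that exists may still be
        encrypted or tampered with, so the strongest result this method
        records is ``"accessible"``; content validation has to happen
        elsewhere.

        Args:
            backup_path: Local filesystem path or remote URL of the backup.
            backup_type: Free-text label, e.g. ``"full"`` or ``"offsite"``.
            last_verified: Optional ISO-8601 string of a prior verification;
                defaults to the current UTC time.

        Returns:
            The status dict that was appended to ``recovery["backups"]``.
        """
        # str() so a pathlib.Path argument does not blow up on the scheme test.
        path_text = str(backup_path)
        if "://" in path_text:
            integrity = "remote_unchecked"
        elif Path(path_text).exists():
            integrity = "accessible"
        else:
            integrity = "not_found"
        status = {
            "path": backup_path,
            "type": backup_type,
            "verified_date": last_verified or self._now(),
            "integrity": integrity,
        }
        self.recovery.setdefault("backups", []).append(status)
        # The log line carries the outcome so a failed or unprobed check is
        # never recorded as "Verified".
        self.log_event(
            "backup_check", f"Checked {backup_type}: {backup_path} ({integrity})"
        )
        return status

    def build_recovery_plan(self, clean_backup_available=True):
        """Generate the prioritised system recovery plan from RECOVERY_PRIORITY.

        Args:
            clean_backup_available: Selects the recovery method recorded for
                every system: ``"Restore from backup"`` when true, otherwise
                ``"Rebuild from scratch"``.

        Returns:
            The list of system dicts; the same list replaces
            ``recovery["systems"]``.
        """
        method = (
            "Restore from backup" if clean_backup_available else "Rebuild from scratch"
        )
        systems = [
            {
                "system": name,
                "priority": priority,
                "note": note,
                "status": "pending",
                "recovery_method": method,
            }
            for name, priority, note in RECOVERY_PRIORITY
        ]
        self.recovery["systems"] = systems
        self.log_event("plan_created", f"{len(systems)} systems in recovery plan")
        return systems

    def update_system_status(self, system_name, status, notes=""):
        """Update one system's status in the plan and log the change.

        Args:
            system_name: Must match a ``"system"`` value produced by
                ``build_recovery_plan``.
            status: New status string; ``"recovered"`` and ``"verified"``
                count as complete in ``get_recovery_progress``.
            notes: Optional free text stored as ``"recovery_notes"``.

        Returns:
            The updated system dict, or ``None`` if the name is not in the
            plan. The miss is written to the timeline so a dropped status
            update is visible in the report rather than silently lost.
        """
        for entry in self.recovery["systems"]:
            if entry["system"] != system_name:
                continue
            entry["status"] = status
            if notes:
                entry["recovery_notes"] = notes
            self.log_event("system_update", f"{system_name}: {status}")
            return entry
        self.log_event(
            "system_update",
            f"{system_name}: not in recovery plan, status '{status}' not applied",
        )
        return None

    def generate_credential_reset_checklist(self):
        """Generate the post-recovery credential reset checklist.

        Every item starts as ``"pending"``. The list is stored under
        ``recovery["checklists"]["credential_reset"]`` and returned; a fresh
        list is built on each call so callers can mutate it safely.
        """
        checklist = [
            {"item": item, "status": "pending", "priority": priority}
            for item, priority in self._CREDENTIAL_RESET_ITEMS
        ]
        self.recovery["checklists"]["credential_reset"] = checklist
        return checklist

    def generate_hardening_checklist(self):
        """Generate the post-recovery hardening checklist.

        Every item starts as ``"pending"``. The list is stored under
        ``recovery["checklists"]["post_hardening"]`` and returned.
        """
        checklist = [
            {"item": item, "status": "pending"} for item in self._HARDENING_ITEMS
        ]
        self.recovery["checklists"]["post_hardening"] = checklist
        return checklist

    def get_recovery_progress(self):
        """Summarise plan completion.

        Returns:
            Dict with ``total_systems``, ``recovered`` (systems whose status is
            ``"recovered"`` or ``"verified"``) and ``progress_pct`` rounded to
            one decimal. ``max(total, 1)`` keeps an empty plan at 0.0 instead
            of dividing by zero.
        """
        systems = self.recovery["systems"]
        total = len(systems)
        completed = sum(
            1 for entry in systems if entry["status"] in self._COMPLETE_STATUSES
        )
        return {
            "total_systems": total,
            "recovered": completed,
            "progress_pct": round(completed / max(total, 1) * 100, 1),
        }

    def generate_report(self):
        """Regenerate the checklists, write the JSON report and echo it to stdout.

        The report is ``recovery`` plus ``progress`` and ``report_date`` and is
        written to ``<output_dir>/<case_id>_recovery.json`` as UTF-8.
        ``default=str`` covers non-JSON values such as ``Path`` objects passed
        to ``verify_backup``.

        Returns:
            The report dict.
        """
        self.generate_credential_reset_checklist()
        self.generate_hardening_checklist()
        report = {
            **self.recovery,
            "progress": self.get_recovery_progress(),
            "report_date": self._now(),
        }
        # case_id is used verbatim in the filename; it comes from the caller
        # (argv[1] in main()), so keep it to a plain identifier.
        report_path = self.output_dir / f"{self.case_id}_recovery.json"
        # Explicit encoding so the report is byte-identical across platforms.
        with open(report_path, "w", encoding="utf-8") as f:
            json.dump(report, f, indent=2, default=str)
        print(json.dumps(report, indent=2, default=str))
        return report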
def main():
    """CLI entry point: plan and report recovery for the case id in argv[1].

    Falls back to the sample case id ``RAN-2025-001`` when no argument is
    given. Always builds the plan assuming a clean backup is available.
    """
    args = sys.argv[1:]
    case_id = args[0] if args else "RAN-2025-001"
    agent = RansomwareRecoveryAgent(case_id)
    agent.build_recovery_plan(clean_backup_available=True)
    agent.generate_report()
# Script entry guard: run only when executed directly, not when imported.
if __name__ == "__main__":
    main()