Incident Response · Intermediate

Containing Active Breach

Executes containment strategies to stop active adversary operations and prevent lateral movement during a confirmed security breach.

6 min read · 3 code examples

Prerequisites

  • Confirmed incident classification with P1 or P2 severity from triage
  • EDR console access with host isolation capabilities (CrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne)
  • Network firewall and switch management access for segmentation
  • Active Directory or identity provider administrative access for credential actions
  • Pre-approved containment authority documented in the incident response plan
  • Evidence preservation plan to avoid destroying forensic artifacts during containment

Containing Active Breaches

When to Use

  • A confirmed intrusion is in progress with an active adversary on the network
  • Malware is spreading laterally across endpoints or servers
  • A compromised account is being used for unauthorized access to systems
  • Ransomware encryption has been detected and is actively propagating
  • An attacker has established command-and-control communications from internal hosts

Do not use for post-incident cleanup when the adversary is no longer active; use eradication procedures instead.

Workflow

Step 1: Assess Containment Scope

Before taking containment actions, map the full scope of compromise to avoid partial containment that alerts the adversary:

  • Identify all confirmed compromised hosts via EDR telemetry and SIEM correlation
  • Map lateral movement paths using authentication logs (Windows Event ID 4624 Type 3 and Type 10)
  • Identify all compromised credentials (check for pass-the-hash, Kerberoasting, DCSync activity)
  • Determine C2 channels (beacon intervals, domains, IPs, protocols)
  • Assess whether the adversary has domain admin or equivalent privileges

Containment Scope Assessment:
────────────────────────────
Compromised Hosts:     5 (WKSTN-042, WKSTN-087, SRV-FILE01, SRV-DC02, WKSTN-103)
Compromised Accounts:  3 (jsmith, svc-backup, admin-tier0)
C2 Channels:           HTTPS beacon to 185.220.x.x every 60s ± 15% jitter
Lateral Movement:      PsExec via svc-backup, RDP via admin-tier0
Adversary Privilege:   Domain Admin (admin-tier0 compromised)
Data at Risk:          Finance share (\\SRV-FILE01\finance$) accessed
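
The scope assessment above is derived from exactly this kind of logon telemetry. The following Python script is an added example for this page (not Claw GRC, CrowdStrike or Microsoft code) that maps lateral movement from 4624 events with logon type 3 or 10, growing the compromised host and account sets to a fixpoint from a known patient-zero host and flagging Domain Admin exposure. The events, hostnames, IP-to-host mapping and Domain Admins membership are constructed for the example; in practice the records come from the SIEM and group membership from AD.

```python
"""Lateral-movement scoping from Windows 4624 logon events (Step 1).

Added example for this page, not Claw GRC or any vendor's code. The logon
records below are constructed to stand in for a SIEM export; field names
follow the Security log (TargetUserName, LogonType, IpAddress).
"""
from dataclasses import dataclass

# Logon types that mean "someone came in over the network":
# 3 = network (SMB, PsExec, WinRM), 10 = RemoteInteractive (RDP).
REMOTE_LOGON_TYPES = {3, 10}

# Hypothetical: resolved from AD group membership in a real investigation.
DOMAIN_ADMINS = {"admin-tier0"}

# Hypothetical IP-to-hostname mapping (DHCP/DNS lookups in practice).
HOST_BY_IP = {
    "10.1.5.42": "WKSTN-042", "10.1.5.87": "WKSTN-087", "10.1.5.9": "WKSTN-009",
    "10.1.10.11": "SRV-FILE01", "10.1.10.2": "SRV-DC02", "10.1.5.103": "WKSTN-103",
}


@dataclass(frozen=True)
class Logon:
    time: str        # TimeCreated, ISO-8601
    host: str        # Computer that logged the 4624, i.e. the destination
    user: str        # TargetUserName
    logon_type: int  # LogonType
    source: str      # IpAddress of the origin ("-" for local logons)


# Constructed sample: jsmith's workstation is patient zero; the adversary
# moves with svc-backup over SMB (type 3) and admin-tier0 over RDP (type 10).
SAMPLE_EVENTS = [
    Logon("2025-11-15T14:02:11Z", "WKSTN-042", "jsmith", 2, "-"),             # local, ignored
    Logon("2025-11-15T14:10:03Z", "SRV-FILE01", "svc-backup", 3, "10.1.5.42"),
    Logon("2025-11-15T14:12:40Z", "WKSTN-087", "svc-backup", 3, "10.1.5.42"),
    Logon("2025-11-15T14:20:15Z", "SRV-DC02", "admin-tier0", 10, "10.1.10.11"),
    Logon("2025-11-15T14:31:09Z", "WKSTN-103", "admin-tier0", 3, "10.1.10.2"),
    Logon("2025-11-15T14:35:00Z", "SRV-FILE01", "bwong", 3, "10.1.5.9"),      # benign user
    Logon("2025-11-15T14:40:22Z", "SRV-DC02", "svc-backup", 3, "10.1.20.5"),  # stolen cred, new source
]


def resolve(source: str) -> str:
    """Map a source IP to a hostname when known, else keep the raw IP."""
    return HOST_BY_IP.get(source, source)


def scope_compromise(events, patient_zero, known_bad_accounts=()):
    """Return (compromised_hosts, compromised_accounts, lateral_edges).

    Two rules are applied until nothing changes:
      1. A remote logon from a compromised host marks its destination host and
         the account it used as compromised.
      2. A remote logon with a compromised account marks both ends as
         compromised, since the adversary may use the stolen credential from a
         host not yet seen.
    Local logons (type 2) do not move the adversary and are skipped here, though
    they matter when assessing which credentials were exposed on a host.
    Edges are (time, source, destination, account, method), ordered by time.
    """
    hosts = {patient_zero}
    accounts = set(known_bad_accounts)
    edges = {}
    changed = True
    while changed:
        changed = False
        for ev in events:
            if ev.logon_type not in REMOTE_LOGON_TYPES:
                continue
            src = resolve(ev.source)
            if src not in hosts and ev.user not in accounts:
                continue
            before = (len(hosts), len(accounts))
            hosts.update((src, ev.host))
            accounts.add(ev.user)
            method = "RDP" if ev.logon_type == 10 else "network"
            edges.setdefault((src, ev.host, ev.user, method), ev.time)
            if (len(hosts), len(accounts)) != before:
                changed = True
    ordered = sorted((t, *k) for k, t in edges.items())
    return hosts, accounts, ordered


def adversary_has_domain_admin(accounts) -> bool:
    """True when any compromised account sits in Domain Admins."""
    return bool(set(accounts) & DOMAIN_ADMINS)


def summarize(events, patient_zero, known_bad_accounts=()) -> str:
    """Render the scope in the form used in the assessment above."""
    hosts, accounts, edges = scope_compromise(events, patient_zero, known_bad_accounts)
    lines = [
        f"Compromised Hosts:     {len(hosts)} ({', '.join(sorted(hosts))})",
        f"Compromised Accounts:  {len(accounts)} ({', '.join(sorted(accounts))})",
        "Lateral Movement:      " + "; ".join(f"{s}->{d} as {u} ({m})" for _, s, d, u, m in edges),
        "Adversary Privilege:   " + ("Domain Admin" if adversary_has_domain_admin(accounts) else "non-admin"),
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS, "WKSTN-042", known_bad_accounts=("jsmith",)))
```

The second rule is what catches the last event: svc-backup authenticating to SRV-DC02 from 10.1.20.5, an address that never appeared as a destination. Without treating every use of a stolen credential as hostile, that host would be left out of containment and become the adversary's fallback.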

Step 2: Execute Short-Term Containment

Implement immediate actions to stop adversary operations without destroying evidence:

Network Containment:

  • Isolate confirmed compromised endpoints via EDR network containment (maintains agent communication)
  • Block C2 IP addresses and domains at perimeter firewall and internal DNS
  • Implement microsegmentation rules to prevent communication between compromised hosts
  • Sinkhole C2 domains at internal DNS to capture connection attempts from undiscovered implants

Identity Containment:

  • Disable compromised user accounts in Active Directory (do not delete; preserve audit trail)
  • Reset passwords for all compromised accounts
  • Revoke active sessions and tokens (Microsoft Entra ID: Revoke-MgUserSignInSession from the Microsoft Graph PowerShell SDK, or Revoke-AzureADUserAllRefreshToken in the legacy AzureAD module); already-issued access tokens remain valid until they expire, so expect a short window of continued access
  • Disable the compromised service account and rotate its credentials
  • If Domain Admin is compromised: double-reset the KRBTGT password. Wait at least the maximum TGT lifetime (10 hours by default) and for AD replication to converge between the two resets; the previous password is still honoured until the second reset, so forged golden tickets only die then. Do this after the compromised admin credentials are disabled, otherwise the adversary simply re-extracts the new hash

Endpoint Containment:

  • Use EDR to terminate malicious processes on contained hosts, once memory has been captured from that host (Step 5); killing the implant first discards its in-memory configuration and keys
  • Block known malicious hashes in EDR prevention policy
  • Quarantine identified malware samples
  • Disable remote services (WinRM, RDP, SMB) on critical servers not yet compromised, accepting that disabling SMB on a file server takes its shares offline

Step 3: Execute Long-Term Containment

Implement sustainable containment while the investigation continues:

  • Create network ACLs isolating the compromised VLAN/subnet while allowing business-critical traffic
  • Deploy temporary jump hosts for administrators to access contained systems for investigation
  • Implement enhanced monitoring (full packet capture) on network segments adjacent to compromised hosts
  • Enable advanced audit policies on all domain controllers (4768, 4769, 4771 for Kerberos attacks; 4662 directory-replication access for DCSync)
  • Deploy canary tokens and honeypot accounts to detect adversary attempts to expand from containment

Step 4: Validate Containment Effectiveness

Confirm that containment measures have stopped adversary operations:

  • Monitor for new C2 callbacks from any internal host to known adversary infrastructure
  • Check for new lateral movement attempts (failed authentication from disabled accounts)
  • Verify that contained hosts cannot reach the internet except through the EDR agent
  • Confirm that compromised credentials produce authentication failures
  • Review SIEM for any new alerts matching the adversary's known TTPs

Containment Validation Checklist:
[x] C2 beacon traffic ceased from all known compromised hosts
[x] Disabled accounts producing expected 4625 failure events (no new successes)
[x] Contained hosts unreachable via network scan from adjacent subnets
[x] No new hosts exhibiting IOCs from the initial compromise
[x] Honeypot account has not been accessed (adversary may be dormant)
[ ] Full packet capture running on finance VLAN (pending switch config)
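
The sinkhole from Step 2 and the checks in Step 4 are the same question asked of three log sources. The following Python script is an added example for this page (not Claw GRC, CrowdStrike or Microsoft code) that runs those checks over constructed telemetry: firewall flows are tested for connections to blocked C2 and for jittered periodicity toward unlisted external hosts, domain-controller logon events for successes (containment failure) and failures (attempts) against disabled accounts, and sinkhole query logs for clients outside the known victim list. The containment time, indicator sets, hostnames, IPs and domain are all hypothetical.

```python
"""Containment validation over post-containment telemetry (Steps 2 and 4).

Added example for this page, not Claw GRC, CrowdStrike or Microsoft code.
Every record below is constructed to mimic SIEM exports: perimeter firewall
flows, domain-controller logon events (4624 success, 4625 failure) and query
logs from the internal DNS sinkhole. Hosts, IPs and domains are hypothetical.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

CONTAINED_AT = datetime.fromisoformat("2025-11-15T15:47:00+00:00")
BLOCKED_C2_IPS = {"185.220.101.5"}
SINKHOLED_DOMAINS = {"evil.example.com"}
DISABLED_ACCOUNTS = {"jsmith", "svc-backup", "admin-tier0"}
KNOWN_COMPROMISED_HOSTS = {"WKSTN-042", "WKSTN-087", "SRV-FILE01", "SRV-DC02", "WKSTN-103"}

# Constructed firewall flows: (time, source host, destination IP, destination port).
FLOWS = [
    ("2025-11-15T15:40:12+00:00", "WKSTN-087", "185.220.101.5", 443),  # pre-containment beacon
    ("2025-11-15T16:00:00+00:00", "LEGACY-07", "203.0.113.77", 443),   # non-EDR host, ~60s jittered
    ("2025-11-15T16:01:05+00:00", "LEGACY-07", "203.0.113.77", 443),
    ("2025-11-15T16:02:01+00:00", "LEGACY-07", "203.0.113.77", 443),
    ("2025-11-15T16:02:58+00:00", "LEGACY-07", "203.0.113.77", 443),
    ("2025-11-15T16:04:04+00:00", "LEGACY-07", "203.0.113.77", 443),
    ("2025-11-15T16:05:00+00:00", "LEGACY-07", "203.0.113.77", 443),
    ("2025-11-15T16:00:10+00:00", "WKSTN-009", "198.51.100.10", 443),  # ordinary browsing
    ("2025-11-15T16:03:30+00:00", "WKSTN-009", "198.51.100.10", 443),
    ("2025-11-15T16:20:00+00:00", "WKSTN-009", "198.51.100.10", 443),
]

# Constructed DC logon events: (time, event ID, account, source host).
AUTH_EVENTS = [
    ("2025-11-15T15:50:41+00:00", 4625, "svc-backup", "WKSTN-210"),
    ("2025-11-15T15:52:03+00:00", 4625, "svc-backup", "WKSTN-210"),
    ("2025-11-15T15:55:10+00:00", 4624, "bwong", "WKSTN-009"),       # benign success
    ("2025-11-15T15:58:27+00:00", 4625, "admin-tier0", "LEGACY-07"),
]

# Constructed sinkhole query log: (time, client host, queried name).
SINKHOLE_QUERIES = [
    ("2025-11-15T15:30:00+00:00", "WKSTN-087", "evil.example.com"),  # before containment
    ("2025-11-15T16:07:44+00:00", "WKSTN-210", "evil.example.com"),  # not on the victim list
]


def _t(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp)


def since_containment(records):
    """Keep only records stamped at or after the containment time (field 0)."""
    return [r for r in records if _t(r[0]) >= CONTAINED_AT]


def periodic_flows(flows, min_events=5, jitter=0.30):
    """Flag (source, destination) pairs whose connection gaps look like a beacon:
    at least min_events connections with every gap within ±jitter of the median
    gap. Returns [(source, destination, median_gap_seconds)]."""
    by_pair = defaultdict(list)
    for stamp, src, dst, _port in flows:
        by_pair[(src, dst)].append(_t(stamp))
    found = []
    for (src, dst), stamps in sorted(by_pair.items()):
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mid = median(gaps)
        if mid > 0 and all(abs(g - mid) <= jitter * mid for g in gaps):
            found.append((src, dst, mid))
    return found


def validate_containment():
    """Run the Step 4 checks; 'contained' is True only when every check passes."""
    flows = since_containment(FLOWS)
    auth = since_containment(AUTH_EVENTS)
    dns = since_containment(SINKHOLE_QUERIES)
    # Known C2 must be silent; any hit means a block or isolation did not take.
    c2_hits = sorted({(src, dst) for _, src, dst, _ in flows if dst in BLOCKED_C2_IPS})
    # Periodic traffic to infrastructure not yet blocked suggests a second implant.
    beacons = [b for b in periodic_flows(flows) if b[1] not in BLOCKED_C2_IPS]
    # A 4624 for a disabled account means the disable/reset did not work.
    successes = sorted({(acct, host) for _, eid, acct, host in auth
                        if eid == 4624 and acct in DISABLED_ACCOUNTS})
    # 4625s are the expected outcome, but their source hosts show where the
    # adversary (or a scheduled job using a rotated credential) is still trying.
    attempts = defaultdict(set)
    for _, eid, acct, host in auth:
        if eid == 4625 and acct in DISABLED_ACCOUNTS:
            attempts[acct].add(host)
    # Sinkhole clients outside the known victim list are undiscovered implants.
    unknown_clients = sorted({host for _, host, name in dns
                              if name in SINKHOLED_DOMAINS and host not in KNOWN_COMPROMISED_HOSTS})
    suspects = sorted(({b[0] for b in beacons} | set().union(*attempts.values())
                       | set(unknown_clients)) - KNOWN_COMPROMISED_HOSTS)
    return {
        "c2_to_blocked_infra": c2_hits,
        "new_periodic_external_flows": beacons,
        "disabled_account_successes": successes,
        "disabled_account_attempts": {a: sorted(h) for a, h in attempts.items()},
        "sinkhole_unknown_clients": unknown_clients,
        "suspect_hosts": suspects,
        "contained": not (c2_hits or beacons or successes or suspects),
    }


if __name__ == "__main__":
    for key, value in validate_containment().items():
        print(f"{key:30} {value}")
```

Every check on its own passes for the known hosts, yet the run still reports not contained: the disabled accounts, the sinkhole and the periodicity test each independently point at hosts that were never in scope. The beacon heuristic is deliberately simple; a 30% tolerance catches the 60s ± 15% channel from the assessment but will also flag legitimate pollers such as update checks, so treat hits as leads for the EDR hunt rather than confirmed C2.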

Step 5: Preserve Evidence During Containment

Containment must not destroy forensic evidence. Sequence it so that network isolation, which leaves memory and running processes intact, comes before process termination, reboots or reimaging:

  • Capture memory dumps from compromised hosts before any remediation (use WinPmem or Magnet RAM Capture)
  • Collect volatile data: running processes, network connections, logged-on users, scheduled tasks
  • Export relevant event logs before they rotate (Security, System, PowerShell, Sysmon)
  • Capture network traffic between compromised hosts and C2 infrastructure
  • Document all containment actions with timestamps for the incident timeline

Step 6: Communicate Containment Status

Provide structured status updates to incident commander and stakeholders:

  • Current containment effectiveness (which known C2 channels, credentials and hosts have been neutralised, and which have not)
  • Remaining risks (undiscovered implants, persistence mechanisms not yet identified)
  • Business impact of containment actions (which systems are offline, user impact)
  • Estimated timeline for eradication phase
  • Escalation needs (law enforcement notification, external IR retainer activation)

Key Concepts

  • Short-Term Containment: Immediate actions to stop active adversary operations; typically network isolation and credential disablement
  • Long-Term Containment: Sustainable measures allowing continued investigation while preventing adversary re-access
  • KRBTGT Double Reset: Resetting the KRBTGT password twice to invalidate all existing Kerberos tickets, including golden tickets; the previous password stays valid until the second reset
  • Network Containment: EDR feature that isolates an endpoint from all network communication except the EDR management channel
  • Lateral Movement: Adversary technique of moving from one compromised system to another within a network using stolen credentials or exploits
  • C2 Sinkholing: Redirecting DNS queries for C2 domains to an internal server to prevent adversary communication and detect additional victims
  • Microsegmentation: Granular network access controls between workloads that limit lateral communication paths

Tools & Systems

  • CrowdStrike Falcon: Endpoint containment with one-click network isolation preserving agent connectivity
  • Microsoft Defender for Endpoint: Live response console for remote containment actions and evidence collection
  • Palo Alto Networks NGFW: Application-aware firewall rules for C2 traffic blocking and microsegmentation
  • Velociraptor: Open-source endpoint monitoring and response tool for artifact collection during containment
  • BloodHound: Active Directory attack path mapping to identify potential lateral movement routes the adversary may exploit

Common Scenarios

Scenario: Ransomware Lateral Propagation via SMB

Context: EDR alerts on three file servers showing rapid file encryption. The ransomware is spreading via SMB using a compromised domain service account.

Approach:

  1. Immediately isolate all three file servers via EDR network containment
  2. Disable the compromised service account in Active Directory
  3. Block SMB (TCP 445) between all server VLANs at the network switch layer
  4. Deploy an emergency GPO disabling the SMB server service on non-critical endpoints
  5. Capture memory from one encrypted server before it reboots
  6. Search for the ransomware binary hash across all endpoints using EDR threat hunting

Pitfalls:

  • Shutting down servers immediately, destroying volatile memory evidence
  • Only disabling the known compromised account without checking for other persistence mechanisms
  • Restoring from backup before confirming the adversary's access has been fully revoked

Output Format

CONTAINMENT STATUS REPORT
=========================
Incident:        INC-2025-1547
Status:          CONTAINED (Short-Term)
Timestamp:       2025-11-15T15:47:00Z
Containment Lead: [Name]

ACTIONS TAKEN
Network:
- [x] 5 hosts isolated via CrowdStrike containment
- [x] C2 IP 185.220.x.x blocked at perimeter FW (rule #4521)
- [x] C2 domain evil.example[.]com sinkholed to 10.0.0.99

Identity:
- [x] jsmith account disabled
- [x] svc-backup account disabled, password rotated
- [x] admin-tier0 account disabled
- [x] KRBTGT first reset completed at 15:30 UTC

Endpoint:
- [x] Malicious hash blocked in EDR prevention policy
- [x] Malware processes terminated on all contained hosts

EVIDENCE PRESERVED
- Memory dumps: 3 of 5 hosts completed
- Event logs exported: all 5 hosts
- Network capture: running on finance VLAN

REMAINING RISKS
- Possible undiscovered implants on non-EDR endpoints (15 legacy hosts)
- KRBTGT second reset pending (scheduled 03:30 UTC +1 day)
- Adversary may have exfiltrated data before containment

BUSINESS IMPACT
- Finance file share offline (affects 42 users)
- 3 user workstations isolated (users reassigned to loaners)
- Estimated restoration: pending eradication completion

Verification Criteria

Confirm successful execution by validating:

  • [ ] All prerequisite tools and access requirements are satisfied
  • [ ] Each workflow step completed without errors
  • [ ] Output matches expected format and contains expected data
  • [ ] No security warnings or misconfigurations detected
  • [ ] Results are documented and evidence is preserved for audit

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

  • SOC 2: CC7.3 (Incident Identification), CC7.4 (Incident Response), CC7.5 (Recovery)
  • ISO 27001: A.16.1 (Security Incident Management)
  • NIST 800-53: IR-1 through IR-10 (Incident Response Family)
  • NIST CSF: RS.RP (Response Planning), RS.CO (Communications), RC.RP (Recovery Planning)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

Register this skill with your Claw GRC agent for automated execution:

# Install via CLI
npx claw-grc skills add containing-active-breach

# Or load dynamically via MCP
grc.load_skill("containing-active-breach")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

  • SHA-256 chain hashing makes any post-execution modification of a step detectable
  • Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
  • Trust score impact: successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

Use with Claw GRC Agents

This skill is fully compatible with Claw GRC's autonomous agent system. Deploy it to any registered agent via MCP, and every execution will be logged in the tamper-evident audit trail.

Tags

breach-containment · lateral-movement · network-isolation · credential-revocation · live-response

Related Skills

  • Performing Cloud Incident Containment Procedures (Incident Response · 5 min · intermediate)
  • Performing Active Directory Compromise Investigation (Incident Response · 4 min · intermediate)
  • Containing Active Security Breach (Incident Response · 4 min · advanced)
  • Analyzing Security Logs with Splunk (Incident Response · 5 min · intermediate)
  • Building Incident Response Playbook (Incident Response · 6 min · intermediate)
  • Building Incident Timeline with Timesketch (Incident Response · 4 min · intermediate)
