respond-compromised-account
$
npx mdskill add dandye/ai-runbooks/respond-compromised-accountContain compromised accounts and restore access using PICERL.
- Detects impossible travel, phishing, and credential stuffing attacks.
- Requires Chronicle editor, SOAR admin, and GTI Standard roles.
- Assesses compromise likelihood before executing containment actions.
- Outputs confirmed accounts, disabled services, and reset passwords.
SKILL.md
.github/skills/respond-compromised-accountView on GitHub ↗
---
name: respond-compromised-account
description: "Respond to a potentially compromised user account. Use when impossible travel, credential stuffing, successful phishing, or suspicious activity indicates account compromise. Investigates activity, contains the account, removes persistence, and restores access."
required_roles:
chronicle: roles/chronicle.editor
soar: roles/chronicle.soarAdmin
gti: GTI Standard
personas: [incident-responder]
---
# Compromised User Account Response Skill
Structured workflow for responding to potentially compromised user accounts using the PICERL model.
## Inputs
- `USER_ID` - Username or email of the potentially compromised user
- `CASE_ID` - SOAR case ID for documentation
- `ALERT_GROUP_IDENTIFIERS` - Alert group identifiers from SOAR
- *(Optional)* `INITIAL_ALERT_DETAILS` - Summary of triggering alert
## Required Outputs
**After completing each phase, you MUST report these outputs:**
### Identification Phase
| Output | Description |
|--------|-------------|
| `AFFECTED_ACCOUNTS` | User accounts confirmed or suspected compromised |
| `SUSPICIOUS_ACTIVITY` | Summary of anomalous activity detected |
| `ACCESS_SCOPE` | Systems/data the account had access to |
| `COMPROMISE_LIKELIHOOD` | Assessment level: `Low`, `Medium`, `High`, `Confirmed` |
### Containment Phase
| Output | Description |
|--------|-------------|
| `DISABLED_ACCOUNTS` | Accounts that were disabled |
| `RESET_PASSWORDS` | Accounts with passwords reset |
| `REVOKED_SESSIONS` | Sessions terminated |
### Eradication Phase
| Output | Description |
|--------|-------------|
| `REMOVED_PERSISTENCE` | Persistence mechanisms removed (forwarding rules, OAuth apps, etc.) |
| `CLEANED_ENDPOINTS` | Associated endpoints verified clean |
### Recovery Phase
| Output | Description |
|--------|-------------|
| `RESTORED_ACCOUNTS` | Accounts re-enabled with new security controls |
| `USER_NOTIFICATIONS` | Users notified of incident and required actions |
## PICERL Phases
### Phase 2: Identification
**Step 2.1: Get Context**
```
secops-soar.get_case_full_details(case_id=CASE_ID)
```
Use `/check-duplicates`.
**Step 2.2: Gather Initial Context**
SIEM entity lookup:
```
secops-mcp.lookup_entity(entity_value=USER_ID)
```
*(If IDP tools available)*:
- Account status
- Recent logins
- MFA configuration
- Password last changed
**Step 2.3: Analyze User Activity**
Search SIEM for last 96 hours:
```
secops-mcp.search_security_events(
text="All activity for USER_ID",
hours_back=96
)
```
Look for:
- **Anomalous logins**: Unusual locations, times, IPs, user agents
- **Suspicious commands**: On associated endpoints
- **Sensitive access**: Files, applications, databases
- **Lateral movement**: Logins to other systems
- **Data exfiltration**: Large transfers, unusual destinations
- **Account changes**: MFA, recovery email, forwarding rules
- **OAuth grants**: New application authorizations
**Step 2.4: Check Related Cases**
Use `/find-relevant-case` with `[USER_ID]`.
**Step 2.5: Assess Compromise Likelihood**
| Level | Indicators |
|-------|------------|
| **Low** | Single anomalous event, user confirms legitimate |
| **Medium** | Multiple anomalies, unverified |
| **High** | Clear malicious activity patterns |
| **Confirmed** | Known credential theft, attacker actions visible |
Document: `COMPROMISE_LIKELIHOOD`
**Step 2.6: Document Identification**
Use `/document-in-case` with findings and assessment.
---
### Phase 3: Containment
**Step 3.1: Confirm Containment Actions**
Based on `COMPROMISE_LIKELIHOOD`, use `/confirm-action`:
**High/Confirmed:**
> "Disable account [USER_ID] immediately?"
**Medium:**
> "Reset password and terminate sessions for [USER_ID]?"
**Low:**
> "Force MFA re-enrollment for [USER_ID]?"
**Step 3.2: Execute Containment**
*(Requires Identity Provider tools)*
Actions by severity:
- **Disable account**: Immediate lockout
- **Reset password**: Force change on next login
- **Terminate sessions**: Invalidate all active sessions
- **Revoke tokens**: OAuth and API tokens
**Step 3.3: Verify Containment**
Monitor for continued activity:
```
secops-mcp.search_security_events(
text="Activity from USER_ID after containment",
hours_back=1
)
```
Use `/document-in-case` with containment status.
---
### Phase 4: Eradication
**Step 4.1: Investigate Attacker Actions**
Thoroughly review what the attacker did while in the account:
```
secops-mcp.search_security_events(
text="All actions by USER_ID during compromise window",
hours_back=96
)
```
Focus on:
- **Emails**: Sent, received, forwarding rules created
- **Data access**: Files downloaded, shared externally
- **Configuration**: Account settings changed
- **OAuth apps**: New authorizations
- **Lateral movement**: Other systems accessed
**Step 4.2: Check for Persistence**
*(Requires email/cloud platform tools)*
Look for:
- Email forwarding rules to external addresses
- Delegate access grants
- Malicious OAuth applications
- Inbox rules that hide attacker activity
- Recovery email/phone changes
**Step 4.3: Remove Persistence**
Delete/revoke all identified persistence:
- Remove forwarding rules
- Revoke OAuth apps
- Remove delegate access
- Reset recovery options
**Step 4.4: Endpoint Investigation**
If account accessed specific endpoints:
Trigger endpoint triage to check for:
- Malware dropped
- Persistence mechanisms
- Credential caching
Use `/document-in-case` with eradication findings.
---
### Phase 5: Recovery
**Step 5.1: Ensure Threat Removed**
Verify:
- All persistence removed
- Associated endpoints clean
- No ongoing attacker access
**Step 5.2: Secure Account**
- Strong password set
- MFA properly configured (hardware key preferred)
- Recovery options secured
- Review account permissions
**Step 5.3: Re-enable Account**
*(If disabled during containment)*
Re-enable with:
- Password change required on first login
- MFA verification required
**Step 5.4: Communicate with User**
Inform the user:
- What happened (appropriate level of detail)
- Actions taken on their account
- Steps they need to take
- Warning signs to watch for
- How to report suspicious activity
**Step 5.5: Monitor Account**
Enhanced monitoring for 30 days:
- Watch for anomalous activity
- Alert on unusual logins
- Track sensitive data access
Use `/document-in-case` with recovery status.
---
### Phase 6: Lessons Learned
Use `/generate-report` with:
- Initial access vector (if determined)
- Attacker actions during compromise
- Data potentially exposed
- Response timeline
- Recommendations
Review:
- How was compromise detected?
- Was MFA bypassed? How?
- What data was at risk?
- What detections should be added/tuned?
---
## Critical Warnings
- **DO NOT execute containment** without analyst confirmation
- **DO NOT re-enable** without checking for persistence
- **MUST document** all findings in SOAR
- **ALWAYS check** for forwarding rules and OAuth apps
## Containment Decision Matrix
| Likelihood | Disable Account | Reset Password | Terminate Sessions |
|------------|-----------------|----------------|-------------------|
| Confirmed | ✅ Immediate | ✅ | ✅ |
| High | ✅ Recommended | ✅ | ✅ |
| Medium | Consider | ✅ | ✅ |
| Low | No | Consider | Consider |
## Common Persistence Mechanisms
| Mechanism | Where to Check |
|-----------|----------------|
| Email forwarding | Mail rules |
| Delegate access | Mailbox permissions |
| OAuth apps | Connected applications |
| Inbox rules | Mail filters |
| Recovery options | Account settings |
| API tokens | Developer settings |
More from dandye/ai-runbooks
- analyze-content-gapsIdentify content gaps and organizational opportunities. Analyzes missing content areas, redundancies, and consolidation opportunities.
- audit-contentComprehensive content quality and maintenance assessment. Evaluates documentation quality, relevance, maintenance needs, and provides actionable recommendations.
- check-duplicates"Check for duplicate or similar cases. Use before deep analysis to avoid investigating the same incident twice. Takes a CASE_ID and returns list of similar cases."
- close-case-artifact"Close a case or alert with proper reason and documentation. Use when triage determines an alert is FP/BTP or investigation is complete. Requires artifact ID, type, closure reason, and root cause."
- cluster-documentsAutomated content similarity and grouping analysis. Groups related documents by topic, purpose, or content similarity.
- confirm-action"Ask the user to confirm before taking a significant action. Use before containment, remediation, or other impactful operations to ensure analyst approval. Presents options and waits for response."
- correlate-ioc"Check for existing SIEM alerts and case management entries related to IOCs. Use to understand if an indicator has triggered previous alerts or is part of ongoing investigations. Takes IOC list and returns related alerts and cases."
- deep-dive-ioc"Perform exhaustive analysis of a critical IOC. Use when an IOC needs Tier 2+ investigation beyond basic enrichment - includes GTI pivoting, deep SIEM searches, correlation with related entities, and threat attribution. For escalated IOCs requiring comprehensive investigation."
- design-metadata-schemaDesign comprehensive metadata frameworks. Develops structured metadata templates and tagging systems.
- document-in-case"Add a comment to a case to document findings, actions, or recommendations. Use to maintain audit trail during investigations. Requires CASE_ID and comment text."