containing-active-breach
Containing Active Breaches
When to Use
- A confirmed intrusion is in progress with an active adversary on the network
- Malware is spreading laterally across endpoints or servers
- A compromised account is being used for unauthorized access to systems
- Ransomware encryption has been detected and is actively propagating
- An attacker has established command-and-control communications from internal hosts
Do not use for post-incident cleanup when the adversary is no longer active; use eradication procedures instead.
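The line between this skill and eradication is whether the adversary is still active. The following is an added example, not part of the containing-active-breach skill: it runs two of the indicators above (C2 beaconing from internal hosts, one account logging on to many hosts) over a constructed set of log records and, per flagged host, decides "contain" when the latest indicator is recent and "eradicate" when the activity is stale. The record layout, field names, the 30-minute activity window and the beacon and lateral-movement thresholds are all assumptions for illustration.

```python
"""Triage helper: is the adversary still active on a host?

Added example for the containing-active-breach skill; not the skill's own code.
Log format, field names and every threshold below are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

NOW = datetime(2024, 5, 1, 12, 0, 0)      # assumed "current time" for the demo
ACTIVE_WINDOW = timedelta(minutes=30)     # assumed: newer than this => adversary still active
MIN_BEACON_CONNS = 4                      # assumed: connections needed to judge periodicity
MAX_BEACON_JITTER = 0.2                   # assumed: stdev/mean of inter-connection gaps
MIN_LATERAL_HOSTS = 3                     # assumed: one account on >= this many hosts


def T(hms):
    """Build a timestamp on the demo day from an HH:MM:SS string."""
    return datetime.strptime("2024-05-01 " + hms, "%Y-%m-%d %H:%M:%S")


# Constructed sample records: (timestamp, host, event, detail)
SAMPLE_LOGS = [
    # ws-17: outbound connections every ~60 s to one address, minutes ago
    (T("11:50:00"), "ws-17", "netconn", "dst=203.0.113.10"),
    (T("11:51:00"), "ws-17", "netconn", "dst=203.0.113.10"),
    (T("11:52:00"), "ws-17", "netconn", "dst=203.0.113.10"),
    (T("11:53:05"), "ws-17", "netconn", "dst=203.0.113.10"),
    # db-02: perfectly periodic beacon, but nothing for almost four hours
    (T("08:00:00"), "db-02", "netconn", "dst=198.51.100.7"),
    (T("08:05:00"), "db-02", "netconn", "dst=198.51.100.7"),
    (T("08:10:00"), "db-02", "netconn", "dst=198.51.100.7"),
    (T("08:15:00"), "db-02", "netconn", "dst=198.51.100.7"),
    # ws-03: irregular browsing-like traffic, not a beacon
    (T("10:00:00"), "ws-03", "netconn", "dst=93.184.216.34"),
    (T("10:07:00"), "ws-03", "netconn", "dst=93.184.216.34"),
    (T("10:31:00"), "ws-03", "netconn", "dst=93.184.216.34"),
    (T("10:32:00"), "ws-03", "netconn", "dst=93.184.216.34"),
    # svc-backup: one account walking across three servers in five minutes
    (T("11:40:00"), "srv-a", "logon", "user=svc-backup"),
    (T("11:42:00"), "srv-b", "logon", "user=svc-backup"),
    (T("11:45:00"), "srv-c", "logon", "user=svc-backup"),
    # alice: a single interactive logon, no lateral movement
    (T("09:00:00"), "ws-17", "logon", "user=alice"),
]


def find_beacons(records):
    """Return {host: last_seen} for hosts whose outbound connections to one
    destination recur at near-constant intervals (C2 beaconing)."""
    conns = defaultdict(list)
    for ts, host, event, detail in records:
        if event == "netconn":
            conns[(host, detail)].append(ts)
    hits = {}
    for (host, _dst), times in conns.items():
        if len(times) < MIN_BEACON_CONNS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= MAX_BEACON_JITTER:
            hits[host] = max(hits.get(host, times[-1]), times[-1])
    return hits


def find_lateral_movement(records):
    """Return {host: last_seen} for hosts reached by an account that logged on
    to MIN_LATERAL_HOSTS or more distinct hosts in the log set."""
    by_user = defaultdict(dict)  # user -> {host: latest logon}
    for ts, host, event, detail in records:
        if event == "logon":
            user = detail.split("user=", 1)[1]
            by_user[user][host] = max(by_user[user].get(host, ts), ts)
    hits = {}
    for hosts in by_user.values():
        if len(hosts) >= MIN_LATERAL_HOSTS:
            for host, ts in hosts.items():
                hits[host] = max(hits.get(host, ts), ts)
    return hits


def triage(records, now=NOW):
    """Per host with an indicator: 'contain' when the latest indicator falls
    inside ACTIVE_WINDOW (adversary still active), else 'eradicate'."""
    last_seen = {}
    for hits in (find_beacons(records), find_lateral_movement(records)):
        for host, ts in hits.items():
            last_seen[host] = max(last_seen.get(host, ts), ts)
    return {h: ("contain" if now - ts <= ACTIVE_WINDOW else "eradicate")
            for h, ts in last_seen.items()}


if __name__ == "__main__":
    for host, action in sorted(triage(SAMPLE_LOGS).items()):
        print(f"{host}: {action}")
```

With the constructed records, ws-17 and the three servers touched by svc-backup come back as "contain", db-02 (a periodic beacon whose last connection was hours ago) as "eradicate", and ws-03 is not flagged at all. In practice the window and thresholds should be tuned to the environment, and a stale indicator still warrants a fresh look for newer activity before eradication starts.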