AgentSkillsCN

respond-compromised-account

Respond to a user account that may have been compromised. Use this skill when impossible travel, credential stuffing, successful phishing, or suspicious activity indicates the account may have been taken over. The workflow investigates the account's activity, contains the account, removes persistence the attacker left behind, and restores the user's access.

SKILL.md
---
name: respond-compromised-account
description: "Respond to a potentially compromised user account. Use when impossible travel, credential stuffing, successful phishing, or suspicious activity indicates account compromise. Investigates activity, contains the account, removes persistence, and restores access."
required_roles:
  chronicle: roles/chronicle.editor
  soar: roles/chronicle.soarAdmin
  gti: GTI Standard
personas: [incident-responder]
---

Compromised User Account Response Skill

Structured workflow for responding to potentially compromised user accounts using the PICERL model.

Inputs

  • USER_ID - Username or email of the potentially compromised user
  • CASE_ID - SOAR case ID for documentation
  • ALERT_GROUP_IDENTIFIERS - Alert group identifiers from SOAR
  • (Optional) INITIAL_ALERT_DETAILS - Summary of triggering alert

Required Outputs

After completing each phase, you MUST report these outputs:

Identification Phase

| Output | Description |
|---|---|
| AFFECTED_ACCOUNTS | User accounts confirmed or suspected compromised |
| SUSPICIOUS_ACTIVITY | Summary of anomalous activity detected |
| ACCESS_SCOPE | Systems/data the account had access to |
| COMPROMISE_LIKELIHOOD | Assessment level: Low, Medium, High, Confirmed |

Containment Phase

| Output | Description |
|---|---|
| DISABLED_ACCOUNTS | Accounts that were disabled |
| RESET_PASSWORDS | Accounts with passwords reset |
| REVOKED_SESSIONS | Sessions terminated |

Eradication Phase

| Output | Description |
|---|---|
| REMOVED_PERSISTENCE | Persistence mechanisms removed (forwarding rules, OAuth apps, etc.) |
| CLEANED_ENDPOINTS | Associated endpoints verified clean |

Recovery Phase

| Output | Description |
|---|---|
| RESTORED_ACCOUNTS | Accounts re-enabled with new security controls |
| USER_NOTIFICATIONS | Users notified of incident and required actions |

PICERL Phases

Phase 2: Identification

Step 2.1: Get Context

```
secops-soar.get_case_full_details(case_id=CASE_ID)
```

Use /check-duplicates.

Step 2.2: Gather Initial Context

SIEM entity lookup:

```
secops-mcp.lookup_entity(entity_value=USER_ID)
```

(If IDP tools available):

  • Account status
  • Recent logins
  • MFA configuration
  • Password last changed

Step 2.3: Analyze User Activity

Search SIEM for last 96 hours:

```
secops-mcp.search_security_events(
    text="All activity for USER_ID",
    hours_back=96
)
```

Look for:

  • Anomalous logins: Unusual locations, times, IPs, user agents
  • Suspicious commands: On associated endpoints
  • Sensitive access: Files, applications, databases
  • Lateral movement: Logins to other systems
  • Data exfiltration: Large transfers, unusual destinations
  • Account changes: MFA, recovery email, forwarding rules
  • OAuth grants: New application authorizations

Step 2.4: Check Related Cases

Use /find-relevant-case with [USER_ID].

Step 2.5: Assess Compromise Likelihood

| Level | Indicators |
|---|---|
| Low | Single anomalous event, user confirms legitimate |
| Medium | Multiple anomalies, unverified |
| High | Clear malicious activity patterns |
| Confirmed | Known credential theft, attacker actions visible |

Document: COMPROMISE_LIKELIHOOD
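The following is an added example of the Step 2.3 analysis and the Step 2.5 scoring in code; it is not part of the skill or of the secops-mcp tooling. It runs over a constructed event list (a New York login, a login from Lagos 90 minutes later, then an external forwarding rule) and flags impossible travel, logins from IPs outside a known baseline, and account-change events that count as visible attacker actions. The 900 km/h travel threshold, the event field names, and the mapping from indicators to the likelihood levels above are assumptions for the example.

```python
"""Identification-phase triage: score a user's events and map to COMPROMISE_LIKELIHOOD."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Event kinds treated as attacker actions (Step 2.3 "Account changes" / "OAuth grants")
ATTACKER_ACTION_KINDS = {"forwarding_rule", "oauth_grant", "mfa_change", "recovery_change"}
MAX_PLAUSIBLE_KMH = 900.0   # assumption: roughly airliner speed; faster is impossible travel


@dataclass
class Event:
    ts: datetime
    kind: str            # "login" or one of ATTACKER_ACTION_KINDS (assumed schema)
    ip: str = ""
    lat: float = 0.0
    lon: float = 0.0
    detail: str = ""


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(logins):
    """Consecutive login pairs whose implied speed exceeds MAX_PLAUSIBLE_KMH."""
    flagged = []
    ordered = sorted(logins, key=lambda e: e.ts)
    for a, b in zip(ordered, ordered[1:]):
        km = haversine_km(a.lat, a.lon, b.lat, b.lon)
        hours = (b.ts - a.ts).total_seconds() / 3600.0
        if km > 0 and (hours == 0 or km / hours > MAX_PLAUSIBLE_KMH):
            flagged.append((a, b, km))
    return flagged


def assess(events, known_ips, user_confirmed_legitimate=False):
    """Return SUSPICIOUS_ACTIVITY and COMPROMISE_LIKELIHOOD for one user.

    Mapping (one reading of the skill's table, an assumption):
      Confirmed - attacker actions visible AND an anomalous login (theft plus use)
      High      - attacker actions visible, or an impossible-travel pair
      Medium    - several anomalies, or a single anomaly the user has not confirmed
      Low       - no anomalies, or a single anomaly the user confirmed as legitimate
    """
    logins = [e for e in events if e.kind == "login"]
    anomalies = [f"impossible travel {a.ip} -> {b.ip} ({km:.0f} km)"
                 for a, b, km in impossible_travel(logins)]
    anomalies += [f"login from unknown IP {e.ip}" for e in logins if e.ip not in known_ips]
    actions = [f"{e.kind}: {e.detail}" for e in events if e.kind in ATTACKER_ACTION_KINDS]
    travel = any(a.startswith("impossible travel") for a in anomalies)

    if actions and anomalies:
        level = "Confirmed"
    elif actions or travel:
        level = "High"
    elif len(anomalies) >= 2 or (anomalies and not user_confirmed_legitimate):
        level = "Medium"
    else:
        level = "Low"
    return {"SUSPICIOUS_ACTIVITY": anomalies + actions, "COMPROMISE_LIKELIHOOD": level}


def T(h, m):
    return datetime(2024, 5, 6, h, m, tzinfo=timezone.utc)


# Constructed sample for USER_ID "jdoe@example.com" (not real log data).
SAMPLE_EVENTS = [
    Event(T(9, 0), "login", ip="203.0.113.5", lat=40.7128, lon=-74.0060),    # New York, known IP
    Event(T(10, 30), "login", ip="198.51.100.77", lat=6.5244, lon=3.3792),   # Lagos, unknown IP
    Event(T(10, 35), "forwarding_rule", detail="forward all mail to mailbox@external.example"),
]
KNOWN_IPS = {"203.0.113.5"}

if __name__ == "__main__":
    print(assess(SAMPLE_EVENTS, KNOWN_IPS))
```

The third event alone would put the account at High; combined with the impossible-travel pair it is Confirmed, which is the branch of Step 3.1 that asks to disable the account immediately.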

Step 2.6: Document Identification

Use /document-in-soar with findings and assessment.


Phase 3: Containment

Step 3.1: Confirm Containment Actions

Based on COMPROMISE_LIKELIHOOD, use /confirm-action:

High/Confirmed:

"Disable account [USER_ID] immediately?"

Medium:

"Reset password and terminate sessions for [USER_ID]?"

Low:

"Force MFA re-enrollment for [USER_ID]?"

Step 3.2: Execute Containment

(Requires Identity Provider tools)

Actions by severity:

  • Disable account: Immediate lockout of every sign-in method
  • Reset password: Force change on next login (a reset alone does not end sessions or tokens already issued, so pair it with the next two actions)
  • Terminate sessions: Invalidate all active sessions and session cookies
  • Revoke tokens: OAuth refresh tokens, API tokens and app passwords, which survive a password reset

Step 3.3: Verify Containment

Monitor for continued activity:

```
secops-mcp.search_security_events(
    text="Activity from USER_ID after containment",
    hours_back=1
)
```

Use /document-in-soar with containment status.
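An added example of the Step 3.3 check, not part of the skill: it takes the authentication events returned by the post-containment search and, for each successful sign-in after the containment time, names the Step 3.2 action that should have stopped that credential type. The constructed events show the common failure mode where a password reset and session termination were done but an OAuth refresh token and an app password keep working. The auth_method values and the method-to-action table are assumptions about a typical identity provider, not any vendor's documented behaviour.

```python
"""Containment verification: which credential types survived, and which action is missing."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Which Step 3.2 action stops access via each authentication method.
# Assumption for the example; confirm against your own identity provider.
STOPPED_BY = {
    "password":            "reset_password",
    "session_cookie":      "terminate_sessions",
    "oauth_refresh_token": "revoke_tokens",
    "api_token":           "revoke_tokens",
    "app_password":        "revoke_tokens",
}
ALL_ACTIONS = ("disable_account", "reset_password", "terminate_sessions", "revoke_tokens")


@dataclass
class AuthEvent:
    ts: datetime
    auth_method: str      # key of STOPPED_BY; anything else is treated as unknown
    ip: str
    client: str
    success: bool = True


def surviving_access(events, contained_at, actions_taken):
    """Successful authentications after contained_at, each paired with a verdict:
    the missing containment action, or a note that the action did not take effect."""
    out = []
    for e in sorted(events, key=lambda e: e.ts):
        if not e.success or e.ts <= contained_at:
            continue
        if "disable_account" in actions_taken:
            # A disabled account rejects every method; anything still seen is a failure
            out.append((e, "disable_account did not take effect"))
            continue
        needed = STOPPED_BY.get(e.auth_method, "disable_account")
        if needed in actions_taken:
            out.append((e, f"{needed} did not take effect"))
        else:
            out.append((e, needed))
    return out


def missing_actions(events, contained_at, actions_taken):
    """Containment actions still required, in the order of ALL_ACTIONS."""
    verdicts = {v for _, v in surviving_access(events, contained_at, actions_taken)}
    return [a for a in ALL_ACTIONS if a in verdicts]


def T(h, m):
    return datetime(2024, 5, 6, h, m, tzinfo=timezone.utc)


# Constructed sample: password reset and sessions terminated at 11:00Z (not real log data).
CONTAINED_AT = T(11, 0)
ACTIONS_TAKEN = {"reset_password", "terminate_sessions"}
SAMPLE_EVENTS = [
    AuthEvent(T(10, 40), "session_cookie", "198.51.100.77", "webmail"),              # before containment
    AuthEvent(T(11, 5), "password", "198.51.100.77", "imap", success=False),          # old password rejected
    AuthEvent(T(11, 20), "oauth_refresh_token", "198.51.100.77", "MailSync app"),    # token still valid
    AuthEvent(T(11, 25), "app_password", "198.51.100.77", "imap"),                   # app password still valid
]

if __name__ == "__main__":
    for e, verdict in surviving_access(SAMPLE_EVENTS, CONTAINED_AT, ACTIONS_TAKEN):
        print(f"{e.ts:%H:%M} {e.auth_method:<20} {e.client:<14} -> {verdict}")
    print("missing:", missing_actions(SAMPLE_EVENTS, CONTAINED_AT, ACTIONS_TAKEN))
```

If the list returned by missing_actions is not empty, containment is not complete; go back to Step 3.1 and confirm the additional action before documenting the containment status.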


Phase 4: Eradication

Step 4.1: Investigate Attacker Actions

Thoroughly review what the attacker did while in the account:

```
secops-mcp.search_security_events(
    text="All actions by USER_ID during compromise window",
    hours_back=96
)
```

Focus on:

  • Emails: Sent, received, forwarding rules created
  • Data access: Files downloaded, shared externally
  • Configuration: Account settings changed
  • OAuth apps: New authorizations
  • Lateral movement: Other systems accessed

Step 4.2: Check for Persistence

(Requires email/cloud platform tools)

Look for:

  • Email forwarding rules to external addresses
  • Delegate access grants
  • Malicious OAuth applications
  • Inbox rules that hide attacker activity
  • Recovery email/phone changes

Step 4.3: Remove Persistence

Delete/revoke all identified persistence:

  • Remove forwarding rules
  • Revoke OAuth apps
  • Remove delegate access
  • Reset recovery options

Step 4.4: Endpoint Investigation

If account accessed specific endpoints:

Trigger endpoint triage to check for:

  • Malware dropped
  • Persistence mechanisms
  • Credential caching

Use /document-in-soar with eradication findings.


Phase 5: Recovery

Step 5.1: Ensure Threat Removed

Verify:

  • All persistence removed
  • Associated endpoints clean
  • No ongoing attacker access

Step 5.2: Secure Account

  • Strong password set
  • MFA properly configured, preferring a phishing-resistant method (hardware security key)
  • Recovery options secured
  • Review account permissions

Step 5.3: Re-enable Account

(If disabled during containment)

Re-enable with:

  • Password change required on first login
  • MFA verification required

Step 5.4: Communicate with User

Inform the user:

  • What happened (appropriate level of detail)
  • Actions taken on their account
  • Steps they need to take
  • Warning signs to watch for
  • How to report suspicious activity

Step 5.5: Monitor Account

Enhanced monitoring for 30 days:

  • Watch for anomalous activity
  • Alert on unusual logins
  • Track sensitive data access

Use /document-in-soar with recovery status.


Phase 6: Lessons Learned

Use /generate-report with:

  • Initial access vector (if determined)
  • Attacker actions during compromise
  • Data potentially exposed
  • Response timeline
  • Recommendations

Review:

  • How was compromise detected?
  • Was MFA bypassed? How?
  • What data was at risk?
  • What detections should be added/tuned?

Critical Warnings

  • DO NOT execute containment without analyst confirmation
  • DO NOT re-enable without checking for persistence
  • MUST document all findings in SOAR
  • ALWAYS check for forwarding rules and OAuth apps

Containment Decision Matrix

| Likelihood | Disable Account | Reset Password | Terminate Sessions |
|---|---|---|---|
| Confirmed | ✅ Immediate | ✅ | ✅ |
| High | ✅ Recommended | ✅ | ✅ |
| Medium | Consider | ✅ | ✅ |
| Low | No | Consider | Consider |

Common Persistence Mechanisms

| Mechanism | Where to Check |
|---|---|
| Email forwarding | Mail rules |
| Delegate access | Mailbox permissions |
| OAuth apps | Connected applications |
| Inbox rules | Mail filters |
| Recovery options | Account settings |
| API tokens | Developer settings |
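An added example, not part of the skill, that turns the persistence table above and Steps 4.2 and 4.3 into a single audit: it walks a constructed account configuration covering each row of the table and returns one finding per mechanism with the removal action. The dictionary layout, field names, folder names used to hide mail, and the list of high-risk OAuth scopes are assumptions for the example and do not correspond to any vendor's API; only the internal domain set and the compromise window would come from the investigation.

```python
"""Persistence audit over an account's mail and identity configuration."""
from datetime import datetime, timezone

INTERNAL_DOMAINS = {"example.com"}     # assumption: the organisation's own mail domains
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "archive",
                  "junk email", "conversation history"}
HIDING_KEYWORDS = ("password", "security alert", "unusual sign-in", "new sign-in", "invoice", "wire")
HIGH_RISK_SCOPES = {"mail.readwrite", "mail.read", "mail.send", "files.readwrite.all"}


def _external(address):
    return address.split("@")[-1].lower() not in INTERNAL_DOMAINS


def audit_persistence(cfg, window_start):
    """Return (mechanism, evidence, removal action) tuples; mechanisms match the table above.

    cfg mirrors the 'Where to Check' column as a dict (assumed layout);
    window_start is the earliest time the attacker could have had access."""
    findings = []

    for rule in cfg.get("forwarding_rules", []):           # Mail rules
        if _external(rule["to"]):
            findings.append(("Email forwarding", f"forward to {rule['to']}",
                             f"delete forwarding rule {rule['id']}"))

    for rule in cfg.get("inbox_rules", []):                # Mail filters
        subject = rule.get("subject_contains", "").lower()
        hides = rule.get("delete", False) or rule.get("move_to", "").lower() in HIDING_FOLDERS
        matches_alert = any(k in subject for k in HIDING_KEYWORDS)
        if rule.get("forward_to") and _external(rule["forward_to"]):
            findings.append(("Email forwarding", f"rule '{rule['name']}' forwards to {rule['forward_to']}",
                             f"delete inbox rule {rule['id']}"))
        elif hides and (matches_alert or rule.get("mark_read", False)):
            findings.append(("Inbox rules", f"rule '{rule['name']}' hides mail matching '{subject}'",
                             f"delete inbox rule {rule['id']}"))

    for d in cfg.get("delegates", []):                      # Mailbox permissions
        if d["granted_at"] >= window_start:
            findings.append(("Delegate access", f"{d['user']} granted {d['rights']}",
                             f"remove delegate {d['user']}"))

    for app in cfg.get("oauth_apps", []):                   # Connected applications
        scopes = {s.lower() for s in app["scopes"]}
        if app["granted_at"] >= window_start:
            findings.append(("OAuth apps", f"{app['name']} granted in window with {sorted(scopes)}",
                             f"revoke OAuth grant {app['client_id']}"))
        elif scopes & HIGH_RISK_SCOPES:
            findings.append(("OAuth apps", f"{app['name']} pre-dates window but holds {sorted(scopes)}",
                             f"review {app['client_id']} with the user; revoke if unrecognised"))

    rec = cfg.get("recovery", {})                           # Account settings
    if rec.get("changed_at") is not None and rec["changed_at"] >= window_start:
        findings.append(("Recovery options", f"recovery contact now {rec['email']} / {rec['phone']}",
                         "reset recovery email and phone with the verified user"))

    for tok in cfg.get("api_tokens", []):                   # Developer settings
        if tok["created_at"] >= window_start:
            findings.append(("API tokens", f"token '{tok['name']}' created {tok['created_at']:%Y-%m-%dT%H:%MZ}",
                             f"revoke API token {tok['id']}"))
    return findings


def T(d, h, m):
    return datetime(2024, 5, d, h, m, tzinfo=timezone.utc)


# Constructed configuration (not real data); WINDOW_START is the first anomalous login.
WINDOW_START = T(6, 10, 30)
SAMPLE_CONFIG = {
    "forwarding_rules": [{"id": "fwd-1", "to": "mailbox@external.example"}],
    "inbox_rules": [
        {"id": "rule-7", "name": "Security", "subject_contains": "security alert",
         "move_to": "RSS Feeds", "mark_read": True},                       # hides alerts
        {"id": "rule-2", "name": "Newsletters", "subject_contains": "newsletter", "move_to": "Archive"},
    ],
    "delegates": [{"user": "contractor@example.com", "rights": "FullAccess", "granted_at": T(6, 10, 41)}],
    "oauth_apps": [
        {"client_id": "a1b2", "name": "MailSync", "scopes": ["Mail.ReadWrite", "offline_access"],
         "granted_at": T(6, 10, 44)},
        {"client_id": "c3d4", "name": "Calendar Widget", "scopes": ["Calendars.Read"], "granted_at": T(1, 9, 0)},
    ],
    "recovery": {"email": "jd.recovery@external.example", "phone": "+1-555-0100", "changed_at": T(6, 10, 50)},
    "api_tokens": [{"id": "tok-9", "name": "backup", "created_at": T(6, 10, 55)}],
}

if __name__ == "__main__":
    for mechanism, evidence, action in audit_persistence(SAMPLE_CONFIG, WINDOW_START):
        print(f"{mechanism:<18} {evidence:<60} -> {action}")
```

The benign "Newsletters" rule and the older calendar app produce no findings, which is the point of combining a time window with content checks: a rule that files mail in a hiding folder is only flagged when it also targets security-relevant subjects or marks mail as read, and an application is only queued for revocation when it was granted inside the compromise window.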