ReddRadar
Agent skill
performing-endpoint-vulnerability-remediation
Performs vulnerability remediation on endpoints by prioritizing CVEs based on risk scoring, deploying patches, applying configuration changes, and validating fixes. Use when remediating findings from vulnerability scans, responding to critical CVE advisories, or maintaining endpoint compliance with patch management SLAs. Activates for requests involving vulnerability remediation, CVE patching, endpoint vulnerability management, or security fix deployment.
Install this agent skill to your Project
npx add-skill https://github.com/mukul975/Anthropic-Cybersecurity-Skills/tree/main/skills/performing-endpoint-vulnerability-remediation
SKILL.md
Performing Endpoint Vulnerability Remediation
When to Use
Use this skill when:
- Remediating vulnerabilities identified by scanners (Nessus, Qualys, Rapid7)
- Responding to zero-day CVE advisories requiring immediate patching
- Maintaining compliance with patch management SLAs (critical within 14 days, high within 30 days)
- Building a prioritized remediation plan from vulnerability scan results
Do not use this skill for vulnerability scanning itself (use scanning tools) or for application-layer vulnerability remediation (use DevSecOps processes).
Prerequisites
- Vulnerability scan results (Nessus, Qualys, or Rapid7 export in CSV/XML format)
- Patch management platform (WSUS, SCCM, Intune, or third-party like Automox)
- Administrative access to target endpoints or deployment infrastructure
- Change management process for production endpoint patching
- Testing environment for patch validation before production rollout
Workflow
Step 1: Import and Prioritize Vulnerability Findings
Priority scoring combines:
1. CVSS Base Score (0-10)
2. EPSS (Exploit Prediction Scoring System) - probability of exploitation
3. CISA KEV (Known Exploited Vulnerabilities) catalog membership
4. Asset criticality (business impact of affected endpoint)
5. Network exposure (internet-facing vs. internal)
Priority Matrix:
P1 (Critical - 14 days SLA):
- CVSS >= 9.0 OR
- Listed in CISA KEV OR
- Active exploitation in the wild + CVSS >= 7.0
P2 (High - 30 days SLA):
- CVSS 7.0-8.9 AND
- EPSS > 0.5 (50% probability of exploitation)
P3 (Medium - 60 days SLA):
- CVSS 4.0-6.9 OR
- CVSS 7.0-8.9 with EPSS < 0.1
P4 (Low - 90 days SLA):
- CVSS < 4.0 AND
- No known exploit
Step 2: Identify Remediation Actions
For each vulnerability, determine the appropriate remediation:
Remediation Types:
1. Patch: Apply vendor security update (most common)
2. Configuration change: Modify settings to mitigate (registry, GPO)
3. Upgrade: Update to newer software version
4. Workaround: Apply temporary mitigation when patch unavailable
5. Compensating control: Network segmentation, WAF rule, EDR rule
6. Accept risk: Document accepted risk with CISO sign-off
Step 3: Deploy Patches via WSUS/SCCM
# WSUS: Approve patches for deployment
# 1. Open WSUS Console
# 2. Navigate to Updates → Security Updates
# 3. Approve selected KBs for target computer groups
# SCCM: Create Software Update Group
# 1. Software Library → Software Updates → All Software Updates
# 2. Select required KBs → Create Software Update Group
# 3. Deploy to target collection with maintenance window
# Intune: Create Windows Update Ring
# Devices → Windows → Update rings
# Configure: Quality updates deferral = 0 days (for critical)
# Feature updates deferral = per policy
# PowerShell: Force Windows Update check
Install-Module PSWindowsUpdate -Force
Get-WindowsUpdate -KBArticleID "KB5034441" -Install -AcceptAll -AutoReboot
# Verify patch installation
Get-HotFix -Id "KB5034441"
systeminfo | findstr "KB5034441"
Step 4: Apply Configuration-Based Remediations
# Example: Disable SMBv1 (CVE-2017-0144 - EternalBlue)
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
# Example: Disable Print Spooler on non-print servers (CVE-2021-34527 - PrintNightmare)
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
# Example: Disable LLMNR (credential theft mitigation)
# Via GPO: Computer Configuration → Admin Templates → Network → DNS Client
# Turn off multicast name resolution: Enabled
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" `
-Name EnableMulticast -Value 0 -PropertyType DWORD -Force
# Example: Restrict NTLM authentication
# Via GPO: Security Settings → Local Policies → Security Options
# Network security: Restrict NTLM: Audit/Deny
Step 5: Handle Zero-Day Vulnerabilities (No Patch Available)
When vendor patch is not yet available:
1. Check vendor advisory for workarounds
- Microsoft: https://msrc.microsoft.com/update-guide
- Adobe: https://helpx.adobe.com/security.html
- Linux: Distribution security trackers
2. Apply temporary mitigations:
- Disable vulnerable feature/service
- Deploy EDR detection rule for exploitation attempt
- Apply network-level blocking (WAF/firewall rules)
- Restrict access to vulnerable application
3. Monitor for patch release:
- Subscribe to vendor security mailing list
- Monitor CISA KEV additions
- Set calendar reminder for next Patch Tuesday
4. Document workaround with expiration date
Step 6: Validate Remediation
# Re-scan remediated endpoints to confirm vulnerability closure
# Option 1: Targeted vulnerability scan
nessuscli scan --target 192.168.1.0/24 --plugin-id 12345
# Option 2: PowerShell verification
# Check specific KB is installed
$kb = Get-HotFix -Id "KB5034441" -ErrorAction SilentlyContinue
if ($kb) {
Write-Host "PASS: KB5034441 installed on $(hostname)" -ForegroundColor Green
} else {
Write-Host "FAIL: KB5034441 missing on $(hostname)" -ForegroundColor Red
}
# Check service is disabled
$svc = Get-Service -Name Spooler
if ($svc.StartType -eq 'Disabled') {
Write-Host "PASS: Print Spooler disabled" -ForegroundColor Green
}
# Check registry configuration
$val = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" `
-Name SMB1 -ErrorAction SilentlyContinue
if ($val.SMB1 -eq 0) {
Write-Host "PASS: SMBv1 disabled" -ForegroundColor Green
}
Step 7: Report and Track
Generate remediation status report:
Remediation Metrics:
- Total vulnerabilities: X
- Remediated: Y (Z%)
- Pending (within SLA): A
- Overdue (past SLA): B
- Accepted risk: C
- Mean time to remediate (MTTR): D days
- SLA compliance rate: E%
Key Concepts
| Term | Definition |
|---|---|
| CVSS | Common Vulnerability Scoring System; 0-10 severity scale for vulnerabilities |
| EPSS | Exploit Prediction Scoring System; probability (0-1) that a CVE will be exploited in the wild within 30 days |
| CISA KEV | CISA Known Exploited Vulnerabilities catalog; federal mandate to patch these CVEs within specified timeframes |
| SLA | Service Level Agreement for remediation timelines based on vulnerability severity |
| MTTR | Mean Time To Remediate; average days from vulnerability discovery to confirmed fix |
| Compensating Control | Alternative security measure when direct remediation is not feasible |
Tools & Systems
- Nessus/Tenable.io: Vulnerability scanning and remediation tracking
- Qualys VMDR: Vulnerability management, detection, and response platform
- Rapid7 InsightVM: Vulnerability assessment with live dashboards
- WSUS/SCCM/Intune: Microsoft patch deployment infrastructure
- Automox: Cloud-native patch management for Windows, macOS, Linux
- CISA KEV Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Common Pitfalls
- Patching without testing: Apply patches to a test group first. Some patches cause application compatibility issues or BSOD.
- Ignoring EPSS scores: A CVSS 9.8 vulnerability with EPSS 0.01 may be less urgent than a CVSS 7.5 with EPSS 0.95 (actively exploited).
- Not validating remediation: Deploying a patch does not guarantee installation. Always re-scan to confirm closure.
- Excluding critical servers from patching: Servers that "cannot be rebooted" accumulate critical vulnerabilities. Schedule maintenance windows.
- Treating all CVEs equally: Risk-based prioritization (CVSS + EPSS + asset criticality + exposure) is more effective than patching all criticals first.
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
mukul975/Anthropic-Cybersecurity-Skills
mapping-mitre-attack-techniques
Maps observed adversary behaviors, security alerts, and detection rules to MITRE ATT&CK techniques and sub-techniques to quantify detection coverage and guide control prioritization. Use when building an ATT&CK-based coverage heatmap, tagging SIEM alerts with technique IDs, aligning security controls to adversary playbooks, or reporting threat exposure to executives. Activates for requests involving ATT&CK Navigator, Sigma rules, MITRE D3FEND, or coverage gap analysis.
mukul975/Anthropic-Cybersecurity-Skills
hunting-for-spearphishing-indicators
Hunt for spearphishing campaign indicators across email logs, endpoint telemetry, and network data to detect targeted email attacks.
mukul975/Anthropic-Cybersecurity-Skills
analyzing-malicious-url-with-urlscan
URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content, HTTP transactions, JavaScript behavior, and network connections of web pages in an isolat
mukul975/Anthropic-Cybersecurity-Skills
implementing-zero-standing-privilege-with-cyberark
Deploy CyberArk Secure Cloud Access to eliminate standing privileges in hybrid and multi-cloud environments using just-in-time access with time, entitlement, and approval controls.
mukul975/Anthropic-Cybersecurity-Skills
implementing-pam-for-database-access
Deploy privileged access management for database systems including Oracle, SQL Server, PostgreSQL, and MySQL. Covers session proxy configuration, credential vaulting, query auditing, dynamic credentia
mukul975/Anthropic-Cybersecurity-Skills
detecting-t1003-credential-dumping-with-edr
Detect OS credential dumping techniques targeting LSASS memory, SAM database, NTDS.dit, and cached credentials using EDR telemetry, Sysmon process access monitoring, and Windows security event correlation.
Didn't find tool you were looking for?