🛡️ Incident Response Suite

⚠️ WARNING: These are defensive cybersecurity tools for incident response. Use only on systems you own or have explicit permission to secure.

📋 Overview

Complete 4-phase incident response automation suite designed to run from an operator machine and execute commands on the target host remotely via SSH.

✅ New Architecture: These scripts run on your operator machine and connect via SSH to execute commands on the target host. All logs are stored locally on the operator machine for centralized analysis.

🚀 Deployment Workflow

# Step 1: Deploy IR lockdown on target host (creates 'ir' user with SSH access)
#         (the script runs as root; fetch it to a file and review it first if your change process requires that)
curl -sSL https://pizzeri.app/ir_lockdown.sh | sudo bash

# Step 2: On operator machine, download IR scripts
wget https://pizzeri.app/ir/phase1.sh
wget https://pizzeri.app/ir/phase2.sh
wget https://pizzeri.app/ir/phase3.sh
wget https://pizzeri.app/ir/phase4.sh
chmod +x phase*.sh

# Step 3: Execute phases remotely from operator machine
./phase1.sh target-host.company.com
./phase2.sh target-host.company.com
./phase3.sh target-host.company.com
./phase4.sh target-host.company.com

🌐 For pfSense/FreeBSD Systems

# Use FreeBSD-compatible lockdown script
fetch -o - https://pizzeri.app/ir_lockdown_freebsd.sh | sudo sh

📑 IR Phases

Phase 1: Discovery & Assessment

Comprehensive system triage, network discovery, user assessment, and threat hunting executed remotely.

📥 Download phase1.sh
./phase1.sh target-host.company.com

Phase 2: Containment & Eradication

Immediate threat containment, process termination, network isolation, and malware removal executed remotely.

📥 Download phase2.sh
./phase2.sh target-host.company.com

Phase 3: Recovery & Hardening

System recovery, security hardening, service restoration, and configuration updates executed remotely.

📥 Download phase3.sh
./phase3.sh target-host.company.com

Phase 4: Monitoring & Prevention

Continuous monitoring setup, threat detection, alerting, and long-term prevention deployed remotely.

📥 Download phase4.sh
./phase4.sh target-host.company.com

📊 Features

💡 Log Location: All scripts create detailed logs on the operator machine under ./incident_response/<target-host>/ for centralized audit trails and analysis.

🔧 Quick Download All

# Download all phases to operator machine
wget https://pizzeri.app/ir/phase1.sh
wget https://pizzeri.app/ir/phase2.sh
wget https://pizzeri.app/ir/phase3.sh
wget https://pizzeri.app/ir/phase4.sh

# Make executable
chmod +x phase*.sh

# Execute phases remotely
./phase1.sh target-host.example.com

📁 Log Structure (on operator machine)

./incident_response/
└── <target-host>/
    ├── phase1-discovery/
    │   ├── phase1-discovery_20250805_143021.log
    │   ├── phase1-discovery_summary_20250805_143021.txt
    │   └── [evidence files from target]
    ├── phase2-containment/
    ├── phase3-recovery/
    └── phase4-monitoring/

🔍 Remote Monitoring

After Phase 4 completion, monitor the target system remotely:

# View security alerts from target
ssh ir@target-host 'tail -f /var/log/security_alerts.log'

# Run threat hunting on target
ssh ir@target-host '/opt/ir_monitor/scripts/threat_hunt.sh'

# Check monitoring status
ssh ir@target-host '/opt/ir_monitor/scripts/security_monitor.sh'

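
As an added example (not one of the suite's own scripts), the following sh wrapper does the core of what the phase scripts and the monitoring commands above are described as doing: it runs one command on the target as the ir user over SSH and appends the output to a timestamped log under ./incident_response/<target-host>/<phase>/ on the operator machine. It assumes key-based access as the ir user created by ir_lockdown.sh; IR_SSH_CMD and the triage command list are assumptions for illustration, not part of the suite.

```shell
#!/bin/sh
# Added example, not part of the suite. Assumes key-based SSH access as the
# 'ir' user that ir_lockdown.sh creates. IR_SSH_CMD (assumed, not in the suite)
# lets a stand-in command replace ssh when exercising the wrapper offline.
set -eu

# Directory on the operator machine holding one phase's logs for one target,
# following the layout ./incident_response/<target-host>/<phase>/.
ir_phase_dir() {
    printf '%s/%s/%s\n' "${IR_BASE:-./incident_response}" "$1" "$2"
}

# ir_run_remote <target-host> <phase-name> <remote command...>
# Runs the command as ir@<target-host>, appends stdout and stderr to
# <phase>_YYYYmmdd_HHMMSS.log in the phase directory, prints the log path and
# returns the remote command's exit status. BatchMode=yes makes ssh fail
# instead of prompting, so an unattended phase never hangs on a password.
ir_run_remote() {
    target="$1"; phase="$2"; shift 2
    dir="$(ir_phase_dir "$target" "$phase")"
    mkdir -p "$dir"
    log="$dir/${phase}_$(date +%Y%m%d_%H%M%S).log"
    rc=0
    {
        printf '### %s ir@%s: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$target" "$*"
        "${IR_SSH_CMD:-ssh}" -o BatchMode=yes -o ConnectTimeout=10 \
            "ir@$target" "$@" || rc=$?
        printf '### exit status %s\n' "$rc"
    } >>"$log" 2>&1
    printf '%s\n' "$log"
    return "$rc"
}

# Illustrative Phase 1-style triage round against one host (command list is an
# assumption); a failing command is reported but does not stop the round.
ir_phase1_triage() {
    for cmd in 'uname -a' 'who' 'ss -tulpn' 'last -n 20'; do
        ir_run_remote "$1" phase1-discovery "$cmd" || \
            printf 'warning: "%s" on %s exited non-zero\n' "$cmd" "$1" >&2
    done
}

# Usage from the operator machine:
#   . ./ir_remote.sh && ir_phase1_triage target-host.company.com
```

Commands run within the same second share one log file because the name is per-second, which is why each entry is delimited by the "###" header and exit status lines.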
🎯 Perfect for: SOC analysts, incident responders, and security teams who need to remotely secure and monitor multiple compromised hosts from a central operator workstation.

Generated: $(date) | Version: 2.0 | Architecture: Remote Execution