INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Are Local LLMs Useful in Incident Response?
Published: 2023-10-03
Last Updated: 2023-10-03 02:38:16 UTC
by Tom Webb (Version: 1)
LLMs have become very popular recently. I've been running them on my home PC for the past few months in basic scenarios to help out. I like the idea of using them to help with forensics and Incident response, but I also want to avoid sending the data to the public LLMs, so running them locally or in a private cloud is a good option.
I use a 3080 GPU with 10GB of VRAM, which seems best for running the 13 Billion model. The three models I'm using for this test are Llama-2-13B-chat-GPTQ, vicuna-13b-v1.3.0-GPTQ, and Starcoderplus-Guanaco-GPT4-15B-V1.0-GPTQ. I've downloaded these models from huggingface.co/ if you want to play along at home.
Llama2 is the latest Facebook general model. Vicuna is a "Fine Tuned" Llama one model that is supposed to be more efficient and use less RAM. StarCoder is trained on 80+ coding languages and might do better on more technical explanations.
There are a bunch of tutorials to get these up and running, but I'm using oobabooga_windows to get all of this quickly. The best solution if you are going to play with many of these is running docker w/ Nvidia pass-through support.
When thinking about how to use this, the first thing that comes to mind is supplementing knowledge for responders. The second is speeding up technical tasks, and the third is speeding up report writing. These are the three use cases we are going to test.
Read the full entry:
https://isc.sans.edu/diary/Are+Local+LLMs+Useful+in+Incident+Response/30274/
Simple Netcat Backdoor in Python Script
Published: 2023-09-30
Last Updated: 2023-09-30 07:03:16 UTC
by Xavier Mertens (Version: 1)
Why reinvent the wheel? We are all lazy and, if we have a tool that offers some interesting capabilities, why not use it? I spotted a simple malicious Python script targeting Windows hosts. The file is flagged by 16 antivirus products on VirusTotal. Nothing very exciting with the script, it's a bot that uses a Discord channel for C2 communications.
Looking at the capabilities, I found an interesting function that downloads a copy of netcap (from the official website), unzips it and starts a Ncat listener...
Read the full entry:
https://isc.sans.edu/diary/Simple+Netcat+Backdoor+in+Python+Script/30264/
Are You Still Storing Passwords In Plain Text Files?
Published: 2023-09-29
Last Updated: 2023-09-29 07:35:31 UTC
by Xavier Mertens (Version: 1)
"Infostealer" malware has been in the wild for a long time now. Once the victim's computer is infected, the goal is to steal "juicy" information like passwords, cookies, screenshots, keystrokes, and more. Yesterday, I spotted an interesting sample. It's delivered through an FTP connection. The file is unknown on VirusTotal...
The malware behavior is pretty simple: It scans the complete drive for interesting files. Here is an example: "*pass*.txt":
Read the full entry:
https://isc.sans.edu/diary/Are+You+Still+Storing+Passwords+In+Plain+Text+Files/30262/