Wes wesinator

## normcore-llm.md

      
              1 file
            
          
              218 forks
            
          
              38 comments
            
          
              2781 stars
            
          
                veekaybee
                / normcore-llm.md
            
            
              Last active
              July 21, 2024 13:28
            
              
                Normcore LLM Reads
              
          
    Anti-hype LLM reading list

Goals: Add links that are reasonable and good explanations of how stuff works. No hype and no vendor content if possible. Practical first-hand accounts of models in prod eagerly sought.
Foundational Concepts


Pre-Transformer Models


## test_linters.py
# Copyright 2022 Malwarology LLC
#
# Use of this source code is governed by an MIT-style
# license that can be found in the LICENSE file or at
# https://opensource.org/licenses/MIT.
"""Unit test module for linting the project modules and the unit test modules."""
import contextlib
import io
import pathlib
import unittest

## MITRE_Attack_WindowsAppControl.csv

          
            ID
            Name
            MitigatedByAppControl
            Notes

            
              T1001
              Data Obfuscation
              Not Applicable
              Relevant sub-techniques addressed below

            
              T1001.001
              Junk Data
              No
              Technique is not necessarily related to the execution of arbitrary code on an endpoint.

            
              T1001.002
              Steganography
              Limited
              If custom attacker code were necessary to perform this technique, it would be prevented.

            
              T1001.003
              Protocol Impersonation
              Limited
              If custom attacker code were necessary to perform this technique, it would be prevented.

            
              T1003
              OS Credential Dumping
              Not Applicable
              Relevant sub-techniques addressed below

            
              T1003.001
              LSASS Memory
              Limited
              Built-in utilities exist to perform this technique. They would have to be explicitly blocked.

            
              T1003.002
              Security Account Manager
              Limited
              Built-in utilities exist to perform this technique. They would have to be explicitly blocked.

            
              T1003.003
              NTDS
              Limited
              Built-in utilities exist to perform this technique. They would have to be explicitly blocked.

            
              T1003.004
              LSA Secrets
              Limited
              Built-in utilities exist to perform this technique.

## script.ps1

$ISOFile = "C:\Users\DELL\Downloads\17763.737.190906-2324.rs5_release_svc_refresh_SERVERHYPERCORE_OEM_x64FRE_en-us_1.iso"
$USBDrive = Get-Disk | Where FriendlyName -eq " USB Flash Memory"
$USBDrive | Clear-Disk -RemoveData -Confirm:$true -PassThru
$USBDrive | Set-Disk -PartitionStyle GPT
$Volume = $USBDrive | New-Partition -UseMaximumSize -AssignDriveLetter | Format-Volume -FileSystem FAT32 -NewFileSystemLabel WS2019
$ISOMounted = Mount-DiskImage -ImagePath $ISOFile -StorageType ISO -PassThru
$ISODriveLetter = ($ISOMounted | Get-Volume).DriveLetter
Copy-Item -Path ($ISODriveLetter +":\*") -Destination ($Volume.DriveLetter + ":\") -Recurse

## rich.py
#!/usr/bin/env python3
#
# based on code from http://trendystephen.blogspot.be/2008/01/rich-header.html
# and from https://gist.github.com/skochinsky/07c8e95e33d9429d81a75622b5d24c8b
import sys
import struct

# I'm trying not to bury the magic number...
CHECKSUM_MASK = 0x536e6144 # DanS (actuall SnaD)
RICH_TEXT = b'Rich'

## extract-prodids.py
#!/usr/bin/env python3
#
# Extracts prodid enumeration from a given binary file
# Example usage:
# extract-prodids.py -f msobj140-msvcrt.lib
#
import re, argparse, struct

# Note: care must be taken of a format of RE string as following works only
# with msobj140-msvcrt.lib for certain

## snort_setup.md

      
              1 file
            
          
              1 fork
            
          
              0 comments
            
          
              2 stars
            
          
                gryan11
                / snort_setup.md
            
            
              Last active
              July 3, 2024 09:25
            
          
    Snort install on mac


install homebrew first if not installed

ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"\
  < /dev/null 2> /dev/null


install snort
brew install snort


make bpf readable for snort


## Kill-Ransomware.ps1
# Ransomware Killer v0.1 by Thomas Patzke <thomas@patzke.org>
# Kill all parent processes of the command that tries to run "vssadmin Delete Shadows"
# IMPORTANT: This must run with Administrator privileges!
Register-WmiEvent -Query "select * from __instancecreationevent within 0.1 where targetinstance isa 'win32_process' and targetinstance.CommandLine like '%vssadmin%Delete%Shadows%'" -Action {
    # Kill all parent processes from detected vssadmin process
    $p = $EventArgs.NewEvent.TargetInstance
    while ($p) {
       $ppid = $p.ParentProcessID
        $pp = Get-WmiObject -Class Win32_Process -Filter "ProcessID=$ppid"
        Write-Host $p.ProcessID

## getUrlScanGreatCannonHits.py
'''
 Gets possible Great Cannon injections from UrlScan
'''


import requests
import json

# Insert your urlscan API Key
api_key = ''

## upload_to_pypi.sh
#!/usr/bin/env bash

# just to be safe: wipe the dist folder of previous builds
rm -r dist/*

# ensure you hav the latest versions of twine, setuptools, and wheel
python3 -m pip install --user --upgrade twine setuptools wheel

# build the package
python3 setup.py sdist bdist_wheel
	# Copyright 2022 Malwarology LLC
	#
	# Use of this source code is governed by an MIT-style
	# license that can be found in the LICENSE file or at
	# https://opensource.org/licenses/MIT.
	"""Unit test module for linting the project modules and the unit test modules."""
	import contextlib
	import io
	import pathlib
	import unittest
ID	Name	MitigatedByAppControl	Notes
T1001	Data Obfuscation	Not Applicable	Relevant sub-techniques addressed below
T1001.001	Junk Data	No	Technique is not necessarily related to the execution of arbitrary code on an endpoint.
T1001.002	Steganography	Limited	If custom attacker code were necessary to perform this technique, it would be prevented.
T1001.003	Protocol Impersonation	Limited	If custom attacker code were necessary to perform this technique, it would be prevented.
T1003	OS Credential Dumping	Not Applicable	Relevant sub-techniques addressed below
T1003.001	LSASS Memory	Limited	Built-in utilities exist to perform this technique. They would have to be explicitly blocked.
T1003.002	Security Account Manager	Limited	Built-in utilities exist to perform this technique. They would have to be explicitly blocked.
T1003.003	NTDS	Limited	Built-in utilities exist to perform this technique. They would have to be explicitly blocked.
T1003.004	LSA Secrets	Limited	Built-in utilities exist to perform this technique.

	$ISOFile = "C:\Users\DELL\Downloads\17763.737.190906-2324.rs5_release_svc_refresh_SERVERHYPERCORE_OEM_x64FRE_en-us_1.iso"
	$USBDrive = Get-Disk \| Where FriendlyName -eq " USB Flash Memory"
	$USBDrive \| Clear-Disk -RemoveData -Confirm:$true -PassThru
	$USBDrive \| Set-Disk -PartitionStyle GPT
	$Volume = $USBDrive \| New-Partition -UseMaximumSize -AssignDriveLetter \| Format-Volume -FileSystem FAT32 -NewFileSystemLabel WS2019
	$ISOMounted = Mount-DiskImage -ImagePath $ISOFile -StorageType ISO -PassThru
	$ISODriveLetter = ($ISOMounted \| Get-Volume).DriveLetter
	Copy-Item -Path ($ISODriveLetter +":\*") -Destination ($Volume.DriveLetter + ":\") -Recurse
	#!/usr/bin/env python3
	#
	# based on code from http://trendystephen.blogspot.be/2008/01/rich-header.html
	# and from https://gist.github.com/skochinsky/07c8e95e33d9429d81a75622b5d24c8b
	import sys
	import struct

	# I'm trying not to bury the magic number...
	CHECKSUM_MASK = 0x536e6144 # DanS (actuall SnaD)
	RICH_TEXT = b'Rich'
	#!/usr/bin/env python3
	#
	# Extracts prodid enumeration from a given binary file
	# Example usage:
	# extract-prodids.py -f msobj140-msvcrt.lib
	#
	import re, argparse, struct

	# Note: care must be taken of a format of RE string as following works only
	# with msobj140-msvcrt.lib for certain
	# Ransomware Killer v0.1 by Thomas Patzke <thomas@patzke.org>
	# Kill all parent processes of the command that tries to run "vssadmin Delete Shadows"
	# IMPORTANT: This must run with Administrator privileges!
	Register-WmiEvent -Query "select * from __instancecreationevent within 0.1 where targetinstance isa 'win32_process' and targetinstance.CommandLine like '%vssadmin%Delete%Shadows%'" -Action {
	# Kill all parent processes from detected vssadmin process
	$p = $EventArgs.NewEvent.TargetInstance
	while ($p) {
	$ppid = $p.ParentProcessID
	$pp = Get-WmiObject -Class Win32_Process -Filter "ProcessID=$ppid"
	Write-Host $p.ProcessID
	'''
	Gets possible Great Cannon injections from UrlScan
	'''


	import requests
	import json

	# Insert your urlscan API Key
	api_key = ''
	#!/usr/bin/env bash

	# just to be safe: wipe the dist folder of previous builds
	rm -r dist/*

	# ensure you hav the latest versions of twine, setuptools, and wheel
	python3 -m pip install --user --upgrade twine setuptools wheel

	# build the package
	python3 setup.py sdist bdist_wheel