GitHub - NVISOsecurity/cyber-security-llm-agents

A collection of agents that use Large Language Models (LLMs) to perform tasks common in our day-to-day jobs in cyber security. Built on top of AutoGen.

Released as part of our talks at RSAC2024:
From Chatbot to Destroyer of Endpoints: Can ChatGPT Automate EDR Bypasses?
The Always-On Purple Team: An Automated CI/CD for Detection Engineering

Detecting EDR

Detecting the EDR running on a Windows system based on live data extracted from https://github.com/tsale/EDR-Telemetry.

Key Features

Getting Started

Caution

Running LLM-generated source code and commands poses a security risk to your host environment! Be careful and only run this in a virtual or test environment.
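
A defensive gate for the risk described in the caution above, added here as an example and not part of this repository's code: it vets an LLM-proposed command against an allowlist before anything is executed. The function names, the allowlist contents and the `sandbox_confirmed` flag are assumptions made for this example.

```python
import shlex
import subprocess

# Assumed policy for this example: the only executables an agent may launch.
ALLOWED_EXECUTABLES = {"whoami", "hostname", "tasklist", "ipconfig"}
# Characters that let one string chain, redirect or substitute commands.
SHELL_METACHARACTERS = set(";&|<>`$\n\r")


def vet_command(command, sandbox_confirmed):
    """Return (argv, reason); argv is None when the proposal is rejected."""
    if not sandbox_confirmed:
        return None, "host not confirmed as a virtual or test environment"
    if any(ch in SHELL_METACHARACTERS for ch in command):
        return None, "shell metacharacter present"
    try:
        # posix=False keeps backslashes, so Windows paths stay visible.
        argv = shlex.split(command, posix=False)
    except ValueError as exc:  # e.g. unbalanced quotes
        return None, f"unparseable command: {exc}"
    if not argv:
        return None, "empty command"
    executable = argv[0].lower()
    if "/" in executable or "\\" in executable:
        return None, "explicit path to executable not allowed"
    if executable not in ALLOWED_EXECUTABLES:
        return None, f"executable not on allowlist: {argv[0]}"
    return argv, "allowed"


def run_vetted(command, sandbox_confirmed):
    """Run an approved proposal without a shell; rejected proposals raise."""
    argv, reason = vet_command(command, sandbox_confirmed)
    if argv is None:
        raise PermissionError(reason)
    return subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=30)


if __name__ == "__main__":
    # Constructed proposals, standing in for what an agent might emit.
    proposals = ["whoami", "tasklist /svc", "whoami & hostname",
                 "powershell Get-Process", "C:\\Temp\\whoami.exe"]
    for proposal in proposals:
        argv, reason = vet_command(proposal, sandbox_confirmed=True)
        print(f"{proposal!r}: {reason}")
```
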

Step 1 - Install requirements

pip install -r requirements

Step 2 - Configure OpenAI API Information

Then add your LLM API information and other parameters to the .env.

Step 3 - Start HTTP and FTP server (Optional)

Only required if you want to host a simple HTTP and FTP server to interact with using your agents. This is useful for demos, where you might want to showcase exfiltration or downloading of payloads onto an implant.

Step 4 - Hello, Agents

Run a very basic scenario to confirm everything is configured correctly.

python run_agents.py HELLO_AGENTS

The output should show the agent doing its best at being funny. If you see the below (or an even better) joke, you are all set!

python run_agents.py HELLO_AGENTS

********************************************************************************
Starting a new chat....

********************************************************************************
task_coordinator_agent (to text_analyst_agent):

Tell me a cyber security joke

--------------------------------------------------------------------------------
text_analyst_agent (to task_coordinator_agent):

Why was the computer cold? It left its Windows open. 

TERMINATE

Building Scenarios

All scenarios are defined in actions/agent_actions.py. You can use that file to modify and create new scenarios. Once a new scenario has been added to the dictionary, you can run it:

python run_agents.py <scenario-name>

Development

Jupyter notebooks

You can launch Jupyter notebooks on the network interface of your choice. This allows you to run the notebooks within a VM and expose them to different systems - interesting for demos!

Static analysis and code quality

We ignore E501 (line too long) as this triggers on long agent and action strings. We ignore W503 (line break before binary operator) and we are opinionated about this being OK.

flake8 --exclude=.venv --ignore=E501,W503 .

Contributions

We welcome contributions from the community!

If you have ideas for new agents, tasks, or improvements, please feel free to fork our repository, make your changes, and submit a pull request.

License

Released under the GNU GENERAL PUBLIC LICENSE v3 (GPL-3).

Disclaimer

Please note that the software contained in this repository is in its early stages of development. As such, it is considered to be an early release and may contain components that are not fully stable, potentially leading to breaking changes. Users should exercise caution when using this software.

We are committed to improving and extending the software's capabilities over the coming months, and we welcome any feedback that can help us enhance its performance and functionality.

Acknowledgements

We are grateful for the support received from INNOVIRIS and the Brussels region in funding our Research & Development activities.