Sooty is a tool developed to help a SOC analyst automate parts of their workflow and speed up their process.
The main goal of Sooty is to perform as many of the routine checks as possible, leaving the analyst more time for deeper analysis.
Features of Sooty SOC Analyst CLI Tool
- Sanitise URLs so they are safe to send in emails
- Perform reverse DNS and DNS lookups
- Perform reputation checks from:
- Check if an IP address is a TOR exit node
- Decode Proofpoint URLs, UTF-8 encoded URLs, Office SafeLink URLs and Base64 strings
- Get file hashes and compare them against VirusTotal (see requirements)
- Perform WhoIs Lookups
- Check Usernames and Emails against HaveIBeenPwned to see if a breach has occurred. (see requirements)
- Simple analysis of emails to retrieve URLs, email addresses and header information.
- Extract IP addresses from emails.
- Unshorten URLs that have been shortened by external services. (Limited to 10 requests per hour)
- Query URLScan.io for reputation reports.
- Analyze email addresses for known malicious activity and report on domain reputation utilising EmailRep.io
- Create dynamic email templates that can be used as a base for phishing triage response. (.msg only, .eml coming in a future update)
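The URL decoding and sanitising features listed above, as an added example that is not Sooty's own code: it unwraps Proofpoint URL Defense v2 and Microsoft Safe Links rewrites (in either nesting order), decodes Base64 with missing padding, and defangs the result so it can be pasted into an email or ticket. The sample URLs and the `SAMPLE` constant are constructed for the example.

```python
import base64
import re
from urllib.parse import parse_qs, unquote, urlparse

# Proofpoint URL Defense v2 stores the target in the u= parameter with
# '%' replaced by '-' and '/' replaced by '_'.
PROOFPOINT_V2 = re.compile(r"urldefense\.proofpoint\.com/v2/url\?u=(?P<url>[^&]+)")


def decode_proofpoint_v2(url: str) -> str:
    """Undo the v2 substitution, then percent-decode. Other URLs pass through."""
    match = PROOFPOINT_V2.search(url)
    if not match:
        return url
    return unquote(match.group("url").translate(str.maketrans("-_", "%/")))


def decode_safelinks(url: str) -> str:
    """Safe Links keeps the original, percent-encoded, in the url= parameter."""
    parsed = urlparse(url)
    if not (parsed.hostname or "").endswith("safelinks.protection.outlook.com"):
        return url
    original = parse_qs(parsed.query).get("url")
    return original[0] if original else url


def decode_base64(text: str) -> str:
    """Decode Base64, restoring '=' padding that is often lost when copied."""
    padded = text + "=" * (-len(text) % 4)
    return base64.b64decode(padded).decode("utf-8", errors="replace")


def defang(url: str) -> str:
    """hxxp scheme and [.] so mail clients and chat tools do not linkify the URL."""
    return re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE).replace(".", "[.]")


def triage_url(url: str) -> tuple:
    """Unwrap rewriters until the URL stops changing; return (real URL, defanged)."""
    decoded = url
    while True:
        step = decode_safelinks(decode_proofpoint_v2(decoded))
        if step == decoded:
            return decoded, defang(decoded)
        decoded = step


# Constructed sample: a Proofpoint-rewritten link as seen in a forwarded phish.
SAMPLE = ("https://urldefense.proofpoint.com/v2/url?"
          "u=https-3A__example.com_login-3Fid-3D42&d=DwMFaQ&c=CONSTRUCTED")

if __name__ == "__main__":
    print(triage_url(SAMPLE))
```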
Installing Sooty SOC Analyst CLI Tool
- Python 3.x
- Install all dependencies from the requirements.txt file.
pip install -r requirements.txt
- Using the hash comparison with VirusTotal requires an API key: replace the key VT_API_KEY in the code with your own key. The tool will still function without this key, but this feature will not work.
- Using the reputation checker with AbuseIPDB requires an API key: replace the key AB_API_KEY in the code with your own key. The tool will still function without this key, but this feature will not work.
- Using the URLScan.io checker function requires an API key: replace the key URLSCAN_IO_KEY in the code with your own key. The tool will still function without this key, but this feature will not work.
- Using the HaveIBeenPwned functionality requires an API key: replace the key HIBP_API_KEY in the code with your own key. The tool will still function without this key, but this feature will not work.
You can download Sooty here:
Or read more here.
UBoat is a PoC HTTP Botnet designed to replicate a full weaponised commercial botnet like the famous large scale infectors Festi, Grum, Zeus and SpyEye.
Reviews of popular botnets have shown that HTTP-based botnets have a set of attributes that make them difficult to detect. On the other hand, the number of studies focusing on the detection of HTTP-based botnets is relatively low (compared to the number of those on IRC-based and P2P botnets), especially for HTTP-based mobile botnets, which operate on mobile devices and networks.
The main objective behind the creation of UBoat was to aid security researchers and to enhance the understanding of commercial HTTP loader style botnets so effective countermeasures can be developed.
Features of UBoat HTTP Botnet
- Coded in C++ with no dependencies
- Encrypted C&C Communications
- Persistence to prevent your control being lost
- Connection Redundancy (Uses a fallback server address or domain )
- DDoS methods (TCP & UDP Flood)
- Task Creation System (altering system HWID, Country, IP, OS.System)
- Remote Commands
- Update and Uninstall other malware
- Download and Execute other malware
- Active as well as Passive Keylogger
- Enable Windows RDP
- Plugin system for easy feature updates
Full Panel setup instructions can be found on the UBoat Github Wiki here.
You can download UBoat here:
Or you can read more here.
LambdaGuard is an open-source AWS Lambda serverless security scanner that allows you to visualise and audit the security of your serverless assets.
AWS Lambda is an event-driven, serverless computing platform provided by Amazon Web Services. It is a computing service that runs code in response to events and automatically manages the computing resources required by that code.
LambdaGuard is an AWS Lambda auditing tool designed to create asset visibility and provide actionable results. It provides a meaningful overview in terms of statistical analysis, AWS service dependencies and configuration checks from the security perspective.
There are various common pitfalls in a serverless environment which LambdaGuard can scan for and find, such as:
- Poorly defined policies (Unrestricted Actions, Unrestricted Principal, Undefined Conditions)
- Public S3 buckets
- Public SQS queues
- Public API Gateway
It can also optionally run static code analysis on function source code (using SonarQube).
It outputs reports in JSON and/or HTML.
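The three policy pitfalls named above (Unrestricted Actions, Unrestricted Principal, Undefined Conditions) as an added example, not LambdaGuard's own code: a small auditor over a resource policy document. The sample bucket policy is constructed; the interpretation that "Undefined Conditions" matters only where the principal is already public is this example's own choice.

```python
import json


def _as_list(value):
    """IAM allows a single string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal) -> bool:
    # "*" and {"AWS": "*"} both mean anyone, including anonymous callers.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def audit_policy(policy: dict) -> list:
    """Return (Sid, finding) pairs for every Allow statement that is too broad."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{i}]")
        if any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action", []))):
            findings.append((sid, "Unrestricted Actions"))
        if "Principal" in stmt and _principal_is_public(stmt["Principal"]):
            findings.append((sid, "Unrestricted Principal"))
            # A public principal with no Condition block is reachable by anyone.
            if "Condition" not in stmt:
                findings.append((sid, "Undefined Conditions"))
    return findings


# Constructed sample: an S3 bucket policy with one world-readable statement.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "AdminAll", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/Admin"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}}}
  ]
}""")

if __name__ == "__main__":
    for sid, finding in audit_policy(SAMPLE_POLICY):
        print(f"{sid}: {finding}")
```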
How to Install LambdaGuard AWS Lambda Serverless Security Scanner
pip3 install lambdaguard
git clone https://github.com/Skyscanner/lambdaguard
sudo make install
You can download LambdaGuard here:
Or read more here.
exe2powershell is used to convert EXE files to BAT files. The previously well-known tool for this was exe2bat; this is a version for modern Windows.
It will convert any binary file (*.exe) to a BAT file; the resulting BAT file contains only echo commands followed by a PowerShell command to re-create the original binary file.
This kind of tool can be useful during a pen-test when you want to trigger a shell without any upload feature. With echo and PowerShell the auditor is able to upload any binary file to the target system.
This version is modernized from exe2bat to work with current Windows versions, as exe2bat had some limitations:
- Requires debug.exe to be available on the target computer (a 16-bit application which was removed in Windows 7 x64 but is still available in Windows 7 x86)
- Limits input exe size to 64kB
exe2powershell replaces the need for debug.exe by using a PowerShell command line, which is available on all Windows versions since Windows 7 / 2008, and there is no longer any limitation on input exe size.
Usage of exe2powershell to Convert EXE to BAT Files
______ ___ _____ _____ _ _ _
| ____| |__ \| __ \ / ____| | | | |
| |__ __ _____ ) | |__) |____ _____ _ _| (___ | |__ ___| | |
| __| \ \/ / _ \ / /| ___/ _ \ \ /\ / / _ \ '__\___ \| '_ \ / _ \ | |
| |____ > < __// /_| | | (_) \ V V / __/ | ____) | | | | __/ | |
|______/_/\_\___|____|_| \___/ \_/\_/ \___|_| |_____/|_| |_|\___|_|_|
[ exe2bat reborn in exe2powershell for modern Windows ]
[ initial author ninar1, based on riftor work, and modernized by ycam ]
[ exe2powershell version 1.0 - keep up2date: asafety.fr / synetis.com ]
[*] Usage : exe2powershell.exe inputfile outputfile
[*] e.g. : exe2powershell.exe nc.exe nc.bat
You can download exe2powershell here:
Or read more here.
HiddenWall is a Linux kernel module generator used to create hidden kernel modules to protect your server from attackers. It supports custom rules with netfilter (block ports, hidden mode, rootkit functions etc). The motivation is basically another layer of protection, much like a hidden firewall – setting securelevel to 2 on BSD would have a […]
Anteater is a CI/CD Security Gate Check Framework to prevent the unwanted merging of nominated strings, filenames, binaries, deprecated functions, staging environment code/credentials etc. Its main function is to block content based on regular expressions. Anything that can be specified with regular expression syntax can be sniffed out by Anteater. You tell Anteater exactly what […]