Sooty: The SOC Analyst's All-In-One CLI Tool To Automate & Speed Up Workflow
Sooty is a tool developed to aid SOC analysts by automating part of their workflow. One of the goals of Sooty is to perform as many of the routine checks as possible, allowing the analyst to spend more time on deeper analysis within the same time-frame.
Install all dependencies from the requirements.txt file:
pip install -r requirements.txt
Several API keys are required for full functionality with Sooty; it will still function without these keys, only without the added functionality they provide. Links are found below:
Replace the corresponding key in the example_config.yaml file, and rename the file to config.yaml. Example layout below:
Development
Code Contributions
New features / requests should start by opening an issue. Please use the accompanying template when creating a new issue. This helps track new features and prevent crossover. Attach any additional info that seems relevant if necessary.
If you wish to work on a feature, leave a comment on the issue page and I will assign you to it.
All code modifications, enhancements or additions must be done through a pull request.
Once reviewed and merged, contributors will be added to the ReadMe.
Found a Bug? Show Me!
Bugs and Issues
If an issue / bug is found please open a ticket in the issue tracker and use the bug report template. Fill in this template and include any additional relevant information.
If you wish to work on a known bug, leave a comment on the issue page and open a Pull Request to track progress. I will assign you to it.
If there is an issue with installation or usage, use the supplied template and I will respond as soon as possible.
Changelog
Version 1.3 – The Templating Update
Added first iteration of dynamic email templates that generate based on Sooty’s analysis, example below:
Version 1.2 – The Phishing Update
Added first iteration of the Phishing tool.
Able to analyze an email (only Outlook .msg files tested at the moment), retrieve email addresses and URLs (decoding Proofpoint links where necessary), and extract information from the headers.
Extract IPs from the body of the email.
Reputation check on sender of email, and provide enriched information.
Version 1.1 – The Reputation Update
Improved Rep Checker
Added HaveIBeenPwned Functionality
Added DNS Tools and WhoIs Functionality
Added Hash and VirusTotal Checkers
Added AbuseIPDB, Tor Exit Node and BadIPs checks to the Reputation Checker
Version 1.0
Initial Release
URL and ProofPoint Decoder
Initial implementation of Reputation Checker
Sanitize links to be safe for email
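As an added illustration of the Proofpoint decoding, IP extraction and link sanitizing features listed in the 1.2 and 1.0 entries above (example code, not Sooty's own), the following Python decodes Proofpoint URL Defense v2 links, pulls URLs and IPv4 addresses out of a constructed email body, and defangs them so they are safe to paste into an email. It assumes only v2-style urldefense.proofpoint.com links appear.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Loose URL matcher for email bodies: stops at whitespace and common delimiters.
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)
# Dotted-quad IPv4 with each octet limited to 0-255.
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)


def decode_proofpoint_v2(url: str) -> str:
    """Decode a Proofpoint URL Defense v2 link; any other URL is returned unchanged."""
    parsed = urlparse(url)
    if parsed.netloc.lower() != "urldefense.proofpoint.com" or not parsed.path.startswith("/v2/url"):
        return url
    encoded = parse_qs(parsed.query).get("u", [""])[0]
    # v2 stores the target with '%' written as '-' and '/' written as '_',
    # so restore those two characters and then percent-decode the rest.
    return unquote(encoded.replace("-", "%").replace("_", "/"))


def defang(indicator: str) -> str:
    """Make a URL or IP non-clickable: http -> hxxp and '.' -> '[.]'."""
    return re.sub(r"^http", "hxxp", indicator, flags=re.IGNORECASE).replace(".", "[.]")


def extract_indicators(body: str) -> dict:
    """Pull URLs (Proofpoint-decoded) and IPv4s from an email body, plus defanged copies."""
    urls = [decode_proofpoint_v2(u) for u in URL_RE.findall(body)]
    ips = IPV4_RE.findall(body)
    return {
        "urls": urls,
        "ips": ips,
        "safe_urls": [defang(u) for u in urls],
        "safe_ips": [defang(ip) for ip in ips],
    }


# Constructed sample body (documentation-range addresses and example domains).
SAMPLE_BODY = (
    "Dear user, your mailbox is full. Click "
    "https://urldefense.proofpoint.com/v2/url?u=https-3A__login.example-2Dtest.com_reset&d=DwMFaQ&c=x&e= now.\n"
    "Sent from 198.51.100.23 via http://mail.example.net/track?id=7 (relay 203.0.113.9)\n"
)

if __name__ == "__main__":
    for key, values in extract_indicators(SAMPLE_BODY).items():
        print(key, values)
```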
RoadMap
This is an outline of what features will be coming in future versions.
Version 1.2 – The Phishing Update
Scan email attachments for malicious content, macros, files, scan hashes, etc.
Version 1.3 – The Templating Update
Add dynamic email templates that generate based on Sooty’s analysis. Edit: Added
Verify MX Records
Perform DKIM Verification
Version 1.4 – The PCAP Analysis Update
Add the ability to analyze .pcap files and provide concise, enriched information.
Version 1.x – The Case Update
Add a ‘New Case’ feature, allowing the tool's output to be written to a txt file.