Sooty
The SOC Analysts all-in-one CLI tool to automate and speed up workflow.
Feature
- Sanitise URL’s to be safe to send in emails
- Perform reverse DNS and DNS lookups
- Perform reputation checks from:
- VirusTotal
- BadIP’s
- Abuse IPDB
- Check if an IP address is a TOR exit node
- Decode Proofpoint URL’s, UTF-8 encoded URLS, Office SafeLink URL’s and Base64 Strings
- Get file hashes and compare them against VirusTotal (see requirements)
- Perform WhoIs Lookups
- Check Usernames and Emails against HaveIBeenPwned to see if a breach has occurred.
- Simple analysis of emails to retrieve URL’s, emails and header information.
- Extract IP addresses from emails.
- Unshorten URL’s that have been shortened by external services. (Limited to 10 requests per hour)
- Query URLScan.io for reputation reports.
- Analyze email addresses for known malicious activity and report on domain reputation utilizing EmailRep.io
Install
Requirement
- Python 3.x
- Install all dependencies from the requirements.txt file. pip install -r requirements.txt
- To use the Hash comparison with VirusTotal requires an API key, replace the key VT_API_KEY in the code with your own key. The tool will still function without this key, however, this feature will not work.
- To use the Reputation Checker with AbuseIPDB requires an API Key, replace the key AB_API_KEY in the code with your own key. The tool will still function without this key, however, this feature will not work.
- To use the URLScan.io checker function with URLScan requires an API Key, replace the key ‘URLSCAN_IO_KEY’ in the code with your own key. The tool will still function without this key, however, this feature will not work.
Download
git clone https://github.com/TheresAFewConors/Sooty.git
Use
Source: https://github.com/TheresAFewConors/