SOCMaster

Get info on OS Commands, IPs, Domains, URLs, Hashes, Windows Events and Registry keys, Strings, and Files with one click.

SOCMaster là gì?

SOCMaster là một tiện ích mở rộng Chrome được phát triển bởi Marcus Capistrano, và tính năng chính của nó là "Get info on OS Commands, IPs, Domains, URLs, Hashes, Windows Events and Registry keys, Strings, and Files with one click.".

Ảnh Chụp Màn Hình của Tiện Ích Mở Rộng

screenshot
screenshot
screenshot
screenshot
screenshot

Tải xuống tệp CRX của tiện ích mở rộng SOCMaster

Tải xuống các tệp mở rộng SOCMaster dưới định dạng crx, cài đặt các tiện ích mở rộng Chrome bằng tay trong trình duyệt hoặc chia sẻ các tệp crx với bạn bè để dễ dàng cài đặt các tiện ích mở rộng Chrome.

Hướng Dẫn Sử Dụng Tiện Ích Mở Rộng

                        Author contact: https://www.linkedin.com/in/marcusmcapistrano/

Highlight a group of IP addresses, Domains, URLs, File Hashes, File Names and scan them all with one click, just separate each entry in space or newline!

Swiftly transform data into actionable intelligence by enabling threat hunters, SOC/cybersecurity analysts, system administrators, or incident responders to quickly display an artifact's reputation, context, and documentation from the browser tab of the SIEM, EDR, or any other webpage. 

Searchable artifacts include IP addresses, Domains, URLs, File Hashes, Operating System commands and Binaries, File Names, Windows Event IDs, Registry Keys, and any string of characters. 

This tool aims to increase the productivity and efficiency of threat hunting activities, reduce alert triage time, improve investigation quality by allowing analysts to quickly enrich context to events, and to automate commonly searched items by SOC teams.

==============================
USAGE
==============================
Single lookup

1. From the web browser, select or highlight an artifact and right-click
2. Select "SOCMaster"
3. Click one of the options available
4. Menu will appear on lower right side containing information on the artifacts

Bulk lookup

1. From the web browser, gather a list of either IP addresses, Domains, URLs, File Hashes, File Names. Each entry separated by new line or spaces
For example:
8.8.8.8
7.7.7.7
6.6.6.6
2. Highlight all of the objects to be scanned, right-click, and select "SOCMaster"
3. Click one of the options available (IP/Domain/URL/Hash scan using vendor API keys or Get file (Linux/Windows) information)
4. Menu will appear on lower right side containing information on each object. Reputation of artifact from threat intel vendors will also show.

===============================
MAIN FEATURES
===============================

1. IP/Domain/Hash using vendor API keys:

     - Uses Threat intelligence vendors such as AbuseIPDB, VirusTotal, AlienVaultOTX, HybridAnalysis and others to obtain the reputation and information on an IP address, Domain, Hash. Data available is dependent on the vendor. Requires API key from Vendor.

2. URL scan using vendor API keys:

     - Submits URLs to URLscan.io, VirusTotal, AlienVault, HybridAnalysis and others for analysis using API keys.

     - Click the Vendor link to view the URL scan result.

3. Get OS command information (PowerShell, Windows, Linux OSX):

     - Get information on over 3,300 Powershell cmdlets from Powershell modules, almost all Linux commands (Man Sections 1-8), Windows commands, and OSX commands.

     - Shows information on Operating System binaries and commands. For example, Windows commands such as "ipconfig" or "tasklist", "Set-ExecutionPolicy" for Powershell, and "rm" for Linux. 

4. Get file (Linux/Windows) or Registry key (Windows) information:

     - Retrieve information on known files such as "kernel32.dll" for Windows or "passwd" for Linux.

    -  Get information on Windows Registry keys such as "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce".
     
5. Get event ID Information (Windows):

     - Show documentation on a Windows Event Log using its Event ID

6. String search (Twitter, Google):

     - Display results from Twitter or Google search results using a string of characters

==============================
API KEY CONFIGURATION
==============================

To query IP, Domain, and Hash using vendor API keys, the API key is required. Follow the steps:

1. Click Extensions icon in Google Chrome's upper right menu
2. Click the "SOCMaster" icon > Settings
3. On the settings page, on the upper right corner click "Add API key"
4. On intel source selection, select API key vendor
5. Paste Vendor API key on the API key field
6. Click save
7. API key now added, IP/Domain/Hash scan using vendor API keys can now be used

For Twitter API, bearer token is entered as the API key like the above API key configuration steps. Bearer token can be obtained by signing up for a Twitter developer account. More info here: https://developer.twitter.com/en/docs/authentication/oauth-1-0a/api-key-and-secret.

For VirusTotal, AlienVault, AbuseIPDB, an account is required for an API key.

==============================
DISABLING LOOKUPS FOR A VENDOR
==============================

In certain cases when the vendor API endpoint has availability issues which are slowing down queries, it may be necessary to disable queries to a specific vendor. To do so, follow the steps:

1. Click Extensions icon in Google Chrome's upper right menu
2. Click the "SOCMaster" icon > Settings

Mark the "Disabled" checkbox for the vendor on the settings page. API queries to that specific vendor is now disabled.

==============================
SAMPLE USE CASE
==============================

1. Suspicious PowerShell logs show:
Set-MpPreference -ExclusionPath "C:\users\public\documents\sucmra"

A user can highlight the above command and select the "Find command information" option and will be able to view the syntax and parameters of the command.

2. Suspicious IP address from the firewall logs:
x.x.x.x

A user can highlight the IP and select the "IP scan using vendor API keys" option and will be able to view IP reputation and data from vendors.

3. Suspicious linux command show:
wget http://malicious_url -O

A user can highlight the above command and select the "Find command information" option and will be able to view the syntax and parameters of the command.

4. Windows Event IDs on the SIEM show:
 eventID 4624

A user can highlight the event ID number and select the "Get event ID information" option and will be able to view the fields and description of the Windows event

==============================
CREDITS
==============================

This chrome extension uses following websites as reference data:

netify.ai
lotsproject
lolbas-project.github.io
gtfobins.github.io
ss64.com
man7.org
linux.die.net
www.file.net
learn.microsoft.com
www.google.com
strontic.github.io

Michael Hingpit for help with UI
json-view

Supports the following vendors:
VirusTotal
AbuseIPDB
AlienVaultOTX
Twitter
URLscan
HybridAnalysis
GoogleSearch
Pulsedive                    

Thông Tin Cơ Bản về Tiện Ích Mở Rộng

Tên SOCMaster SOCMaster
ID mgodnpglndjnfpddlamphecaheodnafc
URL Chính Thức https://chromewebstore.google.com/detail/socmaster/mgodnpglndjnfpddlamphecaheodnafc
Mô tả Get info on OS Commands, IPs, Domains, URLs, Hashes, Windows Events and Registry keys, Strings, and Files with one click.
Kích Thước Tệp 493 KB
Số Lần Cài Đặt 167
Phiên Bản Hiện Tại 0.5.9
Cập Nhật Lần Cuối 2023-10-16
Ngày Phát Hành 2023-01-12
Đánh Giá 5.00/5 Tổng số 2 Đánh Giá
Nhà Phát Triển Marcus Capistrano
Email [email protected]
Loại Thanh Toán free
Trang Web Mở Rộng https://github.com/marcus081c/SOCMaster
URL Trang Trợ Giúp https://github.com/marcus081c/SOCMaster
URL Trang Chính Sách Bảo Mật https://github.com/marcus081c/SOCMaster/wiki/Privacy-policy
Ngôn Ngữ Được Hỗ Trợ en
manifest.json
{
    "update_url": "https:\/\/clients2.google.com\/service\/update2\/crx",
    "manifest_version": 3,
    "name": "SOCMaster",
    "version": "0.5.9",
    "description": "Get info on OS Commands, IPs, Domains, URLs, Hashes, Windows Events and Registry keys, Strings, and Files with one click.",
    "permissions": [
        "contextMenus",
        "storage",
        "activeTab",
        "scripting"
    ],
    "host_permissions": [
        "https:\/\/*\/*",
        "http:\/\/*\/*"
    ],
    "web_accessible_resources": [
        {
            "resources": [
                "\/scripts\/html_references\/*",
                "\/images\/menu_logo.PNG",
                "\/css\/*"
            ],
            "matches": [
                ""
            ]
        }
    ],
    "background": {
        "service_worker": "\/scripts\/background.js",
        "type": "module"
    },
    "action": {
        "default_popup": "popup.html"
    },
    "icons": {
        "16": "\/images\/icon.png",
        "48": "\/images\/icon.png",
        "128": "\/images\/icon.png"
    }
}