SpookySOC – A Scarily Good SOC Toolkit
SpookySOC has been in development for a handful of years, since I was a senior in high school. I always hated how many tabs I had open when I was looking at sketchy websites or possible malware samples. Initially written in PowerShell, SpookySOC now only requires Python3 and Python libraries – no external tools are utilized! A responsive and accurate terminal prompt sends you through all the motions, queries (free) external sources, and returns data in a multitude of usable formats. Most organizations require you to sanitize data collected before documenting it or sending it to a customer: "defang" IP addresses/domains, anonymize user/workstation names, etc.; SpookySOC makes this significantly easier by taking the manual work out of the equation. For later expansion, plaintext email "templates" can be provided in a configuration file and information will be populated into a template accordingly, ready to be copied and pasted into your ticketing system or documentation platform.
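The sanitizing step described above (defanging indicators, anonymizing user and workstation names, and dropping the result into a plaintext template) is shown here as an added, stand-alone example; it is not SpookySOC's own code and does not use its configuration format. The sample note, the template text, the case salt and the lists of names to anonymize are all constructed for the example; the indicators use reserved documentation address ranges and a fictional domain.

```python
import hashlib
import re
from string import Template

# Constructed sample input: a raw analyst note with fictional indicators.
SAMPLE_NOTE = (
    "User jdoe on WS-1042 visited http://evil-example.com/login from 203.0.113.45; "
    "later, mail.evil-example.com resolved to 198.51.100.7 for jdoe again."
)

# Hypothetical ticket template of the kind the post says could live in a config file.
SAMPLE_TEMPLATE = Template(
    "Ticket summary\n"
    "Indicators: $indicators\n"
    "Hosts/users involved: $actors\n"
    "Sanitized notes: $notes\n"
)

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SCHEME_RE = re.compile(r"\b(https?|ftp)://", re.IGNORECASE)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
SCHEME_MAP = {"http": "hxxp", "https": "hxxps", "ftp": "fxp"}


def defang(text):
    """Make IPs, URLs and domains non-clickable: 1.2.3.4 -> 1[.]2[.]3[.]4, http -> hxxp."""
    text = SCHEME_RE.sub(lambda m: SCHEME_MAP[m.group(1).lower()] + "://", text)
    text = IPV4_RE.sub(lambda m: m.group(0).replace(".", "[.]"), text)
    return DOMAIN_RE.sub(lambda m: m.group(0).replace(".", "[.]"), text)


def extract_indicators(text):
    """Collect unique IPs and domains from the raw note, defanged for the report."""
    found = IPV4_RE.findall(text) + DOMAIN_RE.findall(text)
    return [defang(item) for item in dict.fromkeys(found)]


class Anonymizer:
    """Replaces known user and workstation names with stable per-case pseudonyms.

    The pseudonym is derived from a per-case salt, so the same name maps to the
    same label throughout one ticket but cannot be correlated across cases.
    """

    def __init__(self, case_salt, users=(), hosts=()):
        self.case_salt = case_salt
        self.labels = {name: "USER" for name in users}
        self.labels.update({name: "HOST" for name in hosts})
        self.mapping = {}  # real name -> pseudonym, only for names actually seen

    def pseudonym(self, name):
        if name not in self.mapping:
            digest = hashlib.sha256(f"{self.case_salt}:{name.lower()}".encode()).hexdigest()
            self.mapping[name] = f"{self.labels[name]}-{digest[:6]}"
        return self.mapping[name]

    def anonymize(self, text):
        # Longest names first so a short name never clobbers part of a longer one.
        for name in sorted(self.labels, key=len, reverse=True):
            pattern = re.compile(rf"\b{re.escape(name)}\b", re.IGNORECASE)
            if pattern.search(text):
                text = pattern.sub(self.pseudonym(name), text)
        return text


def build_report(note, anonymizer, template=SAMPLE_TEMPLATE):
    """Anonymize, then defang, then fill the template: ready to paste into a ticket."""
    indicators = extract_indicators(note)
    sanitized = defang(anonymizer.anonymize(note))
    actors = sorted(set(anonymizer.mapping.values()))
    return template.substitute(
        indicators=", ".join(indicators),
        actors=", ".join(actors),
        notes=sanitized,
    )


if __name__ == "__main__":
    anon = Anonymizer("case-2020-07", users=["jdoe"], hosts=["WS-1042"])
    print(build_report(SAMPLE_NOTE, anon))
```

Anonymization runs before defanging so the name patterns match the original text, and the indicator list is extracted from the raw note so nothing is lost to the substitutions. The domain regex is deliberately simple and will also bracket a sentence-ending "file.For" style typo; a real tool would check candidates against a public-suffix list before defanging them.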
This document contains the most recent SIP brief, completed for SIP311.
For a real-time demonstration with more results, please view the Video Pitch above. An example run can be found below, checking solely the IP address.
Video Update – July 8, 2020
This video discusses the progress made during SIP402 and is the primary grading objective for the course.
Relevant documentation for this video:
- GitLab repo: https://gitlab.com/jksn/spookySOC
- Wiki (Getting Started): https://gitlab.com/jksn/spookySOC/-/wikis/Getting-Started
- CHANGELOG: https://gitlab.com/jksn/spookySOC/-/blob/master/CHANGELOG.md