PaperMtn / Slack Watchman

Licence: gpl-3.0
Monitoring your Slack workspaces for sensitive information

Programming language: python

Slack Watchman

Badges: Python 2.7 and 3 compatible | PyPI version | License: MIT

Monitoring your Slack workspaces for sensitive information

About Slack Watchman

Slack Watchman is an application that uses the Slack API to look for potentially sensitive data exposed in your Slack workspaces.

More information about Slack Watchman can be found on my blog.

Features

Slack Watchman looks for:

  • API Keys, Tokens & Service Accounts
    • AWS, Azure, GCP, Google API, Slack (keys & webhooks), Twitter, Facebook, GitHub
    • Generic Private keys
    • Access Tokens, Bearer Tokens, Client Secrets, Private Tokens
  • Files
    • Certificate files
    • Potentially interesting/malicious/sensitive files (.docm, .xlsm, .zip etc.)
    • Executable files
    • Keychain files
    • Config files for popular services (Terraform, Jenkins, OpenVPN and more)
  • Personal Data
    • Leaked passwords
    • Passport numbers, Dates of birth, Social security numbers, National insurance numbers, Drivers licence numbers (UK), Individual Taxpayer Identification Number
  • Financial data
    • Paypal Braintree tokens, Bank card details, IBAN numbers, CUSIP numbers

It also gives the following, which can be used for general auditing:

  • User data
    • All users & all admins
  • Channel data
    • All channels, including externally shared channels

Time based searching

You can run Slack Watchman to look for results going back as far as:

  • 24 hours
  • 7 days
  • 30 days
  • All time

This means after one deep scan, you can schedule Slack Watchman to run regularly and only return results from your chosen timeframe.

Rules

Slack Watchman uses custom YAML rules to detect matches in Slack.

They follow this format:

---
filename:
enabled: [true|false]
meta:
  name:
  author:
  date:
  description: #what the search should find
  severity: #rating out of 100
category: #[files|tokens|financial|pii]
scope:
- #[files|messages]
file_types: #optional list for use with file searching
test_cases:
  match_cases:
  - #test case that should match the regex*
  fail_cases:
  - #test case that should not match the regex*
strings:
- #search query to use in Slack*
pattern: #Regex pattern to filter out false positives*

Python tests in the tests directory check that rules are formatted properly and that each rule's regex pattern matches its match_cases and rejects its fail_cases.

More information about rules, and how you can add your own, is in the file docs/rules.md.
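As an added illustration of the rule format and of what the project's rule tests are checking for, the following script (written for this page; it is not Slack Watchman's own test code) validates a rule against the fields listed above and runs its regex over its own match_cases and fail_cases. The rule is a constructed example laid out as a Python dict mirroring the YAML structure so the script runs without a YAML library; the AWS-shaped pattern is illustrative only, and the key ID used is AWS's documented sample value rather than a live credential.

```python
import re
from typing import Any, Dict, List

# Constructed example rule, laid out as a Python dict that mirrors the README's
# YAML rule format. Slack Watchman loads rule files with a YAML parser; the dict
# is inlined here only so this added example runs offline without PyYAML.
# The pattern is illustrative; "AKIAIOSFODNN7EXAMPLE" is AWS's documented
# sample access key ID, not a live credential.
EXAMPLE_RULE: Dict[str, Any] = {
    "filename": "example_aws_access_key.yaml",
    "enabled": True,
    "meta": {
        "name": "Example AWS access key ID",
        "author": "added example (not a project rule)",
        "date": "2000-01-01",
        "description": "Strings shaped like an AWS access key ID",
        "severity": 80,
    },
    "category": "tokens",
    "scope": ["messages"],
    "file_types": None,
    "test_cases": {
        "match_cases": ["AKIAIOSFODNN7EXAMPLE"],
        "fail_cases": ["AKIA is just a prefix", "akiaiosfodnn7example"],
    },
    "strings": ["AKIA"],
    "pattern": r"AKIA[0-9A-Z]{16}",
}

REQUIRED_TOP_LEVEL = ("filename", "enabled", "meta", "category", "scope",
                      "test_cases", "strings", "pattern")
REQUIRED_META = ("name", "author", "date", "description", "severity")
VALID_CATEGORIES = {"files", "tokens", "financial", "pii"}
VALID_SCOPES = {"files", "messages"}


def validate_rule(rule: Dict[str, Any]) -> List[str]:
    """Return a list of formatting problems; an empty list means the rule is well formed."""
    problems: List[str] = []
    for key in REQUIRED_TOP_LEVEL:
        if key not in rule:
            problems.append(f"missing top-level key: {key}")
    meta = rule.get("meta") or {}
    for key in REQUIRED_META:
        if key not in meta:
            problems.append(f"missing meta key: {key}")
    if not isinstance(rule.get("enabled"), bool):
        problems.append("enabled must be true or false")
    severity = meta.get("severity")
    if not isinstance(severity, int) or not 0 <= severity <= 100:
        problems.append("meta.severity must be an integer rating out of 100")
    if rule.get("category") not in VALID_CATEGORIES:
        problems.append(f"category must be one of {sorted(VALID_CATEGORIES)}")
    scope = rule.get("scope")
    if not isinstance(scope, list) or not scope or not set(scope) <= VALID_SCOPES:
        problems.append(f"scope must be a non-empty list drawn from {sorted(VALID_SCOPES)}")
    if rule.get("file_types") is not None and not isinstance(rule["file_types"], list):
        problems.append("file_types must be a list when given")
    strings = rule.get("strings")
    if not isinstance(strings, list) or not all(isinstance(s, str) and s for s in strings):
        problems.append("strings must be a list of non-empty Slack search queries")
    if not rule.get("pattern"):
        problems.append("pattern must not be empty")
    try:
        re.compile(rule.get("pattern") or "")
    except re.error as exc:
        problems.append(f"pattern does not compile: {exc}")
    return problems


def run_test_cases(rule: Dict[str, Any]) -> Dict[str, List[str]]:
    """Exercise the regex against the rule's own test cases.

    Returns the match_cases the pattern fails to find ("missed") and the
    fail_cases it wrongly hits ("false_positives"); both empty means it passes.
    """
    regex = re.compile(rule["pattern"])
    cases = rule.get("test_cases") or {}
    missed = [c for c in cases.get("match_cases", []) if not regex.search(c)]
    false_positives = [c for c in cases.get("fail_cases", []) if regex.search(c)]
    return {"missed": missed, "false_positives": false_positives}


if __name__ == "__main__":
    print("format problems:", validate_rule(EXAMPLE_RULE))
    print("regex test results:", run_test_cases(EXAMPLE_RULE))
    # A pattern that is too loose is caught by its own fail_cases.
    loose = dict(EXAMPLE_RULE, pattern=r"AKIA")
    print("loose pattern:", run_test_cases(loose))
```

The fail_cases are the part worth keeping honest: a pattern that is merely the search string (here `AKIA`) would pass the match_cases but flag every message mentioning the prefix, which is exactly the false-positive noise the pattern field exists to filter out.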

Logging

Slack Watchman gives the following logging options:

  • CSV
  • Log file
  • Stdout
  • TCP stream

With CSV logging, the results for each rule are written to a separate CSV file. All other logging methods output results in JSON format, which is well suited to ingestion by a SIEM or other log analysis platform.

For file and TCP stream logging, configuration options need to be passed via a .conf file or environment variable. See the file docs/logging.md for instructions on how to set it up.

If no logging option is given, Slack Watchman defaults to CSV logging.

Requirements

Slack API token

To run Slack Watchman, you will need a Slack API OAuth access token. You can obtain one by creating a simple Slack app.

The app needs to have the following User Token Scopes added:

channels:read
files:read
groups:read
im:read
links:read
mpim:read
remote_files:read
search:read
team:read
users:read
users:read.email

Note: User tokens act on behalf of the user who authorises them, so I would suggest creating this app and authorising it with a service account; otherwise the app will have access to your private channels and direct messages.

Providing token

Slack Watchman will first try to get the Slack token from the environment variable SLACK_WATCHMAN_TOKEN; if that is not set, it will load the token from the .conf file (see below).

.conf file

Configuration options can be passed in a file named watchman.conf, which must be stored in your home directory. The file should follow the YAML format and look like the following:

slack_watchman:
  token: xoxp-xxxxxxxx
  logging:
    file_logging:
      path:
    json_tcp:
      host:
      port:

Slack Watchman will look for this file at runtime, and use the configuration options from here. If you are not using the advanced logging features, leave them blank.

If you are having issues with your .conf file, run it through a YAML linter.

An example file is in docs/example.conf
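To make the token lookup order ("Providing token") and the .conf layout above concrete, here is an added example written for this page; it is not Slack Watchman's own code. It resolves the token from SLACK_WATCHMAN_TOKEN first and falls back to the .conf file, reads the logging block with blank options reported as None, and looks for the file in the home directory as the README describes. The sample configuration is constructed with an obvious placeholder token, and the tiny indentation-based reader handles only the mapping-only YAML subset shown above (the real tool is assumed to use a proper YAML library; this reader exists so the example runs offline without PyYAML).

```python
import os
from typing import Any, Dict, Optional

# Constructed sample of ~/watchman.conf following the layout shown in the README.
# The token value is an obvious placeholder, not a real Slack token.
SAMPLE_CONF = """\
slack_watchman:
  token: xoxp-PLACEHOLDER-NOT-A-REAL-TOKEN
  logging:
    file_logging:
      path: /var/log/slack_watchman.log
    json_tcp:
      host:
      port:
"""


def parse_simple_yaml(text: str) -> Dict[str, Any]:
    """Parse the mapping-only YAML subset used by watchman.conf.

    Nested mappings are recognised by indentation; a key with nothing after
    the colon (the README says to leave unused logging options blank) becomes
    None. Assumption: Slack Watchman itself uses a YAML library; this reader
    exists only so the added example runs offline and is not a general parser.
    """
    root: Dict[str, Any] = {}
    stack = [(-1, root)]  # (indent, mapping currently being filled)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        while indent <= stack[-1][0]:  # dedent: close deeper mappings
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip()
        else:
            child: Dict[str, Any] = {}  # nested mapping, or an option left blank
            parent[key] = child
            stack.append((indent, child))
    return _blank_to_none(root)


def _blank_to_none(node: Any) -> Any:
    """Turn mappings that stayed empty (blank options) into None."""
    if isinstance(node, dict):
        return {k: _blank_to_none(v) for k, v in node.items()} if node else None
    return node


def resolve_token(environ: Dict[str, str], conf_text: Optional[str]) -> Optional[str]:
    """Apply the README's precedence: SLACK_WATCHMAN_TOKEN first, then the .conf token."""
    token = environ.get("SLACK_WATCHMAN_TOKEN")
    if token:
        return token
    if conf_text is None:
        return None
    conf = parse_simple_yaml(conf_text)
    return (conf.get("slack_watchman") or {}).get("token")


def logging_options(conf_text: str) -> Dict[str, Any]:
    """Return the logging block; unused options come back as None."""
    conf = parse_simple_yaml(conf_text)
    return (conf.get("slack_watchman") or {}).get("logging") or {}


def read_home_conf() -> Optional[str]:
    """Read ~/watchman.conf if present, the location the README specifies."""
    path = os.path.join(os.path.expanduser("~"), "watchman.conf")
    if not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8") as fh:
        return fh.read()


if __name__ == "__main__":
    source = "environment" if os.environ.get("SLACK_WATCHMAN_TOKEN") else ".conf"
    token = resolve_token(dict(os.environ), read_home_conf() or SAMPLE_CONF)
    # Never print the token itself; report only where it came from and its shape.
    print("token source:", source)
    print("token has the xoxp- user-token prefix:", bool(token and token.startswith("xoxp-")))
    print("logging options:", logging_options(SAMPLE_CONF))
```

Keeping the environment variable ahead of the file matches the README's order and is the usual choice for scheduled runs, where the token can be injected by the scheduler or secrets manager instead of sitting in a file in the home directory.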

Installation

Install via pip

pip install slack-watchman

Usage

Slack Watchman is installed as a global command; use it as follows:

usage: slack-watchman [-h] --timeframe {d,w,m,a}
                      [--output {csv,file,stdout,stream}] [--version] [--all]
                      [--users] [--channels] [--pii] [--financial] [--tokens]
                      [--files] [--custom CUSTOM]

Monitoring your Slack workspaces for sensitive information

optional arguments:
  -h, --help            show this help message and exit
  --output {csv,file,stdout,stream}
                        Where to send results
  --version             show program's version number and exit
  --all                 Find everything
  --users               Find all users
  --channels            Find all channels
  --pii                 Find personal data: Passwords, DOB, passport details,
                        drivers licence, ITIN, SSN
  --financial           Find financial data: Card details, PayPal Braintree
                        tokens, IBAN numbers, CUSIP numbers
  --tokens              Find tokens: Private keys, AWS, GCP, Google API,
                        Slack, Slack webhooks, Facebook, Twitter, GitHub
  --files               Find files: Certificates, interesting/malicious files
  --custom              Search for user defined custom search queries that you
                        have created rules for

required arguments:
  --timeframe {d,w,m,a}
                        How far back to search: d = 24 hours w = 7 days, m =
                        30 days, a = all time

You can run Slack Watchman to look for everything, and output to default CSV:

slack-watchman --timeframe a --all

Or arguments can be grouped together to search more granularly. This will look for tokens and files for the last 30 days, and output the results to a TCP stream:

slack-watchman --timeframe m --tokens --files --output stream

Other Watchman apps

You may be interested in some of the other apps in the Watchman family:

License

The source code for this project is released under the GNU General Public Licence. This project is not associated with Slack.
