Sooty was developed with the intent of helping SOC analysts automate parts of their work flow. Sooty serves to perform the more mundane and routine checks SOC analysts typically undertake with the hope of freeing the analyst to conduct deeper analysis in a more efficient and timely manner.
Download or clone Sooty from its GitHub repository.
Figure 1: Sooty menu
I’ve had the recent pleasure of hunting duties and Sooty went to immediate use for preliminary assessment purposes. An instant IP reputation result is seen in Figure 2.
Figure 2: Sooty IP reputation
Suffice it to say, don’t count that IP on the good guy list.
Figure 3: Sooty email reputation
The email reputation check includes Have I Been Pwned results, you can see the answer to that question is affirmative.
Figure 4: Sooty urlscan
The decoders, DNS, and phishing checks are handy for…you know…decoding, DNS, and phishing checks as follows.
I’m also fond of the hashing functions, particularly Option 3: Check a hash for known malicious activity. As seen in Figure 5, Sooty calls the VirusTotal API, and results are returned very quickly.
Figure 5: Sooty hash check
This is an incredibly handy, convenient tool, it really does deliver as promised, I can vouch for it during real operations, not just toolsmith lab time. I do hope support continues for it. Give it a go and enjoy!
Cheers…until next time.
Oct 23rd 2020
|Thread locked Subscribe||
Oct 23rd 2020
4 months ago