
Next Level SOC Automation You Never Thought Of

BSides SLC · 2022 · 23:10 · 80 views · Published 2023-01
Style: Talk

Started? All right. You guys, today we're going to talk about next-level SOC automation that you never thought of. Who am I? I am John Gillis. I am a cyber security automation enthusiast, and if you want to follow me on Twitter or look up my LinkedIn and ask me questions there, I'm more than happy to oblige.

So today we're just going to go over three things, and it's going to go really fast, and I apologize for that. Get your cameras out; if you see something you want to take a picture of, go for it. But first we're going to be learning about Chrome extensions: what are they? Then we're going to be learning about two different features that we can implement in the Chrome extension that we create to better aid our SOC operations. So let's go ahead and get started with this first part, which is a repository that I created. It's basically a Chrome extension template that you can use now to start playing around with different automations that you want to use, but it basically is just a good way to get started, and a lot of the things we're going to be going over are the code that's in this repository, so go ahead and feel free to pull it up during the presentation.

All right, Chrome extensions: what are they? Basically they are little programs that sit on your Chrome browser and interact with the web browser, and because you can automate what the Chrome extension does, or program what it does, that opens a huge door for us to start doing a lot of cool things to make our lives a lot easier, because I think the majority of us would agree that our touch point with the Internet is through an internet browser, and a lot of us use the Chrome browser. We're not going to be talking about Firefox today, unfortunately.

So what are the ingredients of a Chrome extension? What does a Chrome extension have to contain? The first thing you're going to need is a manifest.json file; we'll go into more detail on the manifest in just a little bit. You're going to need a content script and a background script. My examples that I'm writing here today are in vanilla JavaScript. If you prefer to use TypeScript, it's totally okay; there's a link right there for more information on how to use TypeScript to program a Chrome extension instead of vanilla JavaScript.

So what is the manifest.json? The manifest.json file is basically your complete configuration file for your Chrome extension. Here we're going to declare things like the name, the description, what version of manifest you're going to be using, and permissions. So basically this sets the intent of your Chrome extension. This is a really useful file to look at if you're ever trying to figure out whether a Chrome extension, or a browser extension in general, is malicious, because you're going to see a lot of information about what it can do just within this file.

Then we have the background script, background.js. This is basically what does the heavy lifting of our Chrome extension. It's going to be able to run in the context of the browser and will have access to all of the Chrome APIs that are registered in the manifest.json. But there's a difference between the background.js file and the content script, content.js. The content.js file runs in the context of the website that you're currently on, and basically what it does is it injects a JavaScript file into the web page so that you can manipulate what we call the DOM, or the document object model. You might ask, what is the DOM? A lot of people ask it. I'm not even sure at this point; I just know I use it a ton. But if we were going to describe it, it basically maps out the HTML page that you're looking at and makes it so that we can use JavaScript to interact with it. If you want to take a look at what the DOM kind of looks like, you can go to any web page, press F12, or right click, select Inspect, and then go to the Elements page, and voila, welcome to the DOM, or as I like to call it, the jungle.

So that's the boring stuff. We kind of know what a Chrome extension is, we know what files it needs in order to run, we're going to be running it with vanilla JavaScript. So why do I care? Well, let's do our first feature, which is injecting buttons into a web page. A lot of us may look at a lot of different Python projects off of pypi.org, and if you're looking at these projects, you might think to yourself, well, how do I know if there isn't some really well-known vulnerability with this PyPI project that I'm looking at? And the first thing that we usually would do, there are websites for it, but I'm guessing that we'd usually try to just Google it: you know, type the project and then Google, you know, vulnerabilities for this specific thing. The thing is, that's a lot of clicks, that's a lot of typing. I want to automate it so it's quick. So let's go ahead and do that.

The first thing that we're going to want to do with our manifest.json file is we need to declare the tabs permission set. You can read more about that, but basically that's what we need to put in our manifest.json. Now our content script: this is where things get fun, because this is where we're injecting the JavaScript into the web page. So let's go ahead and create a function, and we'll call it, you know, createVTButton (VT for VirusTotal), right here. And the first thing that we kind of need to do within this context is we need to make sure that we are running the JavaScript on the correct web page, because we don't want to just run this on every single web page that we go to. That can create problems, and we just generally want to avoid that. So we're going to create a variable right there called currentUrl, and that is set equal to window.location.href, which returns the URL of the page that we're currently viewing at that point. And then we just write an if statement and say, hey, if our current URL includes pypi.org/project, then I want to inject this button, or I want to begin the code to inject this button.

The next line, or box, that we see below there is a function called waitForElm. This is a function that I found on Stack Overflow, so I'm not going to claim that I made it or anything, but basically what it does is it waits for a specific part of the web page to appear before we start doing our next piece of code. So we're making sure that first we're on the right web page, and then second that the part of our web page that we're waiting for appears for us to see. Next we want to select the area of the web page that we want to inject our button in. In this case I'm going to call it, like, the main menu area; I was like, it would be really cool to have a button that appears in this general area. And so in our code what we do is we create a variable and say, okay, document.querySelector. document says, hey, I want the whole entire DOM, and then I want to run this function called querySelector, which essentially says, give me an element, or give me a class or a selector, so I know what you want to select specifically. And once we use that, now our mainMenu variable is that section of the web page that we're focusing on and that we can manipulate.

Next we have to create the button out of thin air. Super hard: document.createElement("button"). Done. All right, next we need to give that button attributes. The innerHTML is what we're seeing on the web page; the ID is basically a part that we can use to call on it later if we wanted to do things to that button; and then the style and color, pretty self-explanatory, we just turned it black so it kind of looks nice right there. Next, we've created the button, now we just need to append it to the location that we want it. Super difficult: we call that variable that we did in the very beginning, mainMenu.append(button), and voila, there it is. Now we've got our Check Vulnerabilities button that appears right there. Now the problem is, if we try clicking it, it's not going to do anything, so we have to make it do something when it's clicked. The way we do that is we add an event listener with the click event, and we're going to tell it to run a function, or run a set of actions, called clickVTButton.

And now the next thing we need to do is we just need to create that function of what happens when we click the actual button. So the first thing is we need to go out and grab the project ID, or, like, the project name, and that name appears in several different places in the website, but I could see in the URL that they had the name of the project right there, and the URL is the easiest thing to grab at this point because I don't need to wait for anything to appear on the page. So we're going to use that same window.location.href to grab that URL, but then we add another little thing on the end, and it says .split. split basically takes a string and then uses a delimiter to make a list of every object that it pulls out of that string based on the delimiter. So to give you guys a visualization, right there we have https://pypi.org/project/pybart, and I use the delimiter of a forward slash, and so what that does is it cuts it up into all those little pieces. So if I said I wanted the zero part (because it's programming, we start with zero; it's an array), then I would get "https:". If I said I wanted item number one, I would get nothing, because that would be in between those two forward slashes. If I said item number two, I'd get pypi.org. If I did item number three, I'd get project. But we do item number four, which happens to be the project name.

And so now that we have the project name, let's go ahead and craft our Google search. And so we're going to be crafting basically a direct URL search for Google, and I'm not going to explain everything, but basically what we can see there is, you know, https://www.google.com/search, and then there's a question mark, and then at that part I'm basically putting in my unique search for Google, and I have that part in encodeURI right there so I can write pretty easily what I want to search, and then that encodeURI will encode it for the URL, so when it's sent it will be treated how it should.

So the third part of this is: we've created this Google search, this URL. Now if I tried to open up a new tab in the content.js file, it would yell at me and not work because of permissions, and it's good that we have these permissions in place because it protects our web browsers. And so what I need to do is I need to send a message to my background script, that heavy lifter that we talked about. And so the way that I do that is in that third line right there where it says chrome.runtime.sendMessage. And just to follow it a little bit more, we have the Google search that we just created, and then when we send that message you can see google_search: googleSearch; that second googleSearch is actually the URL that we just crafted. And then in my background script you can see that I add another event listener, or a listener on the other end, that's saying, hey, when I get a message, I want you to check to see if the message has anything for google_search, and if it does, I want to open a new tab. And that openTab is another little function that we created just to quickly open up a tab through the Google Chrome APIs. But our end product now is this: we can be on this project, we can click it, and it will automatically search Google for vulnerabilities. That was supposed to go out that way, but it works, and we'll get it again. So that was how to inject a button into any website and be able to make it do something, like open up a tab. An extremely useful feature.

Feature number two: building a context menu item. So the context menu is that thing where you're on the browser and you right click something and it pulls down a menu. The manifest.json permissions we need to set here are the contextMenus permission set. So we need to do three things; it's very similar, right? We need to craft a URL, we need to make the context button, and we need to trigger it in some way so that it opens up what page we want. So first, craft that URL. Now part of this feature is that we grab what is selected when the user right clicks a selection, and so we need to be able to pull that in, and through the Chrome API you can just give it the selection name right there in the parameters, and so that's basically allowing us to pull in whatever the user selects right there. And then we can craft our VirusTotal search right there, which is just virustotal.com/gui/search/ plus whatever the person has selected. There's our crafted URL. And the next part is we can just open up a new Chrome tab, so chrome.tabs.create, and we give it the URL that we just crafted. And that index part, basically what it does is it selects the index of the tab that you're on and then goes one over, so that way we're not creating tabs on another page or something like that.

Next we need to make the context button, and we do that by making sure that we have another listener on our background script that is listening for onInstalled, or basically when the Chrome extension gets installed. It automatically registers this new Chrome extension button, and the ID is what we're going to use to call back on this, the title is what you'll see in the context menu, and then the contexts is when you see it. So in this case, when the user has something selected, this context menu item will appear. Next we need to make a trigger for it. So next we create another listener and we say, hey, if the context menu is clicked, I want you to start doing something. And there we have the variable of the selection, info.selectionText, so that we know what the user selected, and we're pulling that in. And then we use a switch, and I'll be completely honest, anytime I have to make a switch I have to relearn how to make a switch, so basically what it is is a bunch of else-ifs that work a lot better. But we give it a case, and in this case I say I want to look at info.menuItemId, and what that is is it's going to be the ID of the context menu that is clicked, that VT that we saw before. And so I say if it equals VT, I want to run that function that we just created up at the top, which is to craft that URL and then open it. And now that we have that, you can now select something, go to your VirusTotal button, and it will automatically open VirusTotal with that search. Really useful for domains, hashes, all sorts of fun things that we use VirusTotal for. And I don't have the sound, I'm sorry, you guys, I know you were looking forward to it.

So direct URLs can do a lot of cool stuff. We used them in two instances, with VirusTotal and Google. Jira tickets can be created with direct URLs; there's the URL that teaches you how to do that. So if you like to make Jira tickets, that's awesome, but you can automate it so it makes it a lot easier. You can also pass parameters into Splunk dashboards, Elastic dashboards, and search a huge number of websites with it. So what else can we do? Really, the sky is the limit. You literally have a web app that you can design to your heart's content. But some of the things that we've done is we've generated email templates from detection pages, generated Jira tickets from detection pages, pivoted to internal tools: you grab information from one page, pull it into another page; it just makes things a lot faster. We've also designed, like, HTML, like little web pages that show you how many detections an analyst has, or how many are in the queue currently, so your users can be up to date on that and just have it in a small tool right there. So where can you get more ideas? The web store is literally full of thousands of Chrome extensions, and you can check them out and get ideas and figure out what you want to do, or you can ask ChatGPT, which seems to be a thing these days.

So these are benefits that I personally experienced by implementing a Chrome extension for your team. The first and foremost is it saved time. I know when you were watching this you were probably thinking those were just clicks, just seconds here and there, but you need to understand that clicks are seconds, seconds become minutes, and minutes matter. I stole that from the Falcon Complete team, if they ever ask about it. But the thing is, in our job, using it in a SOC, those minutes are extremely important, and the more that you can solve or automate the little things that go into those minutes, the faster that you're going to be able to respond to important events. Next thing is you can customize the tools that your team uses every day the way that you want them. We in a SOC usually have a hundred different tools that we have to use, and you can use a Chrome extension to start tweaking that tool to the features that are good for your team, again saving you that time. Another huge benefit is knowledge transfer. SOCs tend to be pretty dynamic; we have people coming in and leaving, and they're going to bigger and better things sometimes, and we have to transfer that knowledge. It's a lot easier to transfer knowledge by giving them a tool that already has everything, so that they can go through it and start using it, than it is to give them a list of, like, a thousand bookmarks that you use in wikis. And above all, it really comes to helping analysts follow those processes. In a SOC we have a lot of processes and procedures that are important; we follow them in a specific way for a reason, and being able to use a Chrome extension to automate those processes and help your analysts follow those processes, you're going to have less problems and you're going to be a more well-oiled and fine SOC.

So thank you, and that's it. If you guys have any questions, I think we have time. I know that was really fast and I apologize for that; I only had 25 minutes.

[Audience] So what would be some reasons to use TypeScript instead of JavaScript when you're building the Chrome extension?

Yeah, that's a great question. So TypeScript is a programming language that Microsoft developed, and it basically makes your JavaScript way more secure by specifying the type of objects that you're using, and so it's a lot more well defined, and it's harder to create code that probably has vulnerabilities.

So the last thing I wanted to say on this is, I know that the code might have looked a little bit intimidating. I come from a background where I taught myself how to program, and I was not good at it for a really long time. I promise you that if you just try and use the repos, the GitHub that I post up there, and just try to make things, the more time that you put into it, you will figure it out. It's not impossible, and there's a lot of resources out there, and so don't be scared to try it, because you really can do it, and then once you see the benefits you're going to get hooked. Very humbling, yeah.

[Audience] How easy is this to deploy across, like, your, like...

Yeah, so I have the instructions right there on the GitHub, but it's as easy as: you just turn on developer mode and then, like, drag a folder into your Chrome browser in the extensions page. So, fairly easy. All right, well, thank you guys.

[Applause]
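The two features the talk walks through, as an added example that is not the speaker's repository code: the content-script helpers for feature one (project name from the PyPI URL, Google search URL), the background-script helpers for feature two (VirusTotal URL, the switch on info.menuItemId), a check on the google_search message, and the chrome.* wiring, which only runs inside an extension. Function names, the constructed project name example-pkg and the "Search VirusTotal" menu title are assumptions; encodeURIComponent is used where the talk uses encodeURI.

```javascript
// Added example, not the speaker's repository code. Assumes manifest.json
// grants the "tabs" and "contextMenus" permissions named in the talk.

// Feature 1, content.js side: pull the project name out of a PyPI URL.
// "https://pypi.org/project/example-pkg/".split("/") ->
// ["https:", "", "pypi.org", "project", "example-pkg", ""]  (index 4 = name)
function pypiProjectFromUrl(href) {
  const parts = href.split("/");
  // Only act on pypi.org/project/<name> pages, mirroring the talk's URL check.
  if (parts[2] !== "pypi.org" || parts[3] !== "project" || !parts[4]) return null;
  return parts[4];
}

// Direct Google search URL. encodeURIComponent is used rather than encodeURI
// because it also escapes "&", "=" and "#", which matter inside a query value.
function googleVulnSearchUrl(project) {
  return "https://www.google.com/search?q=" + encodeURIComponent(project + " vulnerabilities");
}

// Feature 2, background.js side: VirusTotal search for the selected text.
function vtSearchUrl(selection) {
  return "https://www.virustotal.com/gui/search/" + encodeURIComponent(selection.trim());
}

// The talk's switch on info.menuItemId: return the URL to open, or null.
function contextMenuTarget(info) {
  switch (info.menuItemId) {
    case "vt":
      return info.selectionText ? vtSearchUrl(info.selectionText) : null;
    default:
      return null;
  }
}

// Check the {google_search: url} message before opening a tab, so the
// background script only navigates to the search URL content.js builds.
function messageTarget(message) {
  const url = message && message.google_search;
  return typeof url === "string" && url.startsWith("https://www.google.com/search?") ? url : null;
}

// Wiring: runs only inside the extension (chrome.* is undefined under Node).
if (typeof chrome !== "undefined" && chrome.runtime) {
  // Open next to the current tab, as the talk's "index + 1" does.
  const openNextTo = (tab, url) =>
    chrome.tabs.create({ url, index: tab ? tab.index + 1 : undefined });
  chrome.runtime.onInstalled.addListener(() => {
    chrome.contextMenus.create({ id: "vt", title: "Search VirusTotal", contexts: ["selection"] });
  });
  chrome.contextMenus.onClicked.addListener((info, tab) => {
    const url = contextMenuTarget(info);
    if (url) openNextTo(tab, url);
  });
  chrome.runtime.onMessage.addListener((msg, sender) => {
    const url = messageTarget(msg);
    if (url) openNextTo(sender.tab, url);
  });
}
```

In the extension itself the first two functions belong in content.js and the rest in background.js; the check in messageTarget is the one hardening step worth adding around the talk's open-a-tab-from-a-message pattern.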