About
Slack Watchman is an application I created to search through Slack workspaces for sensitive information posted in public chats and channels. The findings are returned to you as CSV files. You can find the project on GitHub here.
With the whole environment moving to remote working almost overnight, it has become more important than ever to monitor communication channels such as Slack for data being leaked and for potentially malicious content. It’s something that has been on my list for a while, but the final motivating factor to create this was an extortionate quote from a third party for something that essentially sat on top of the Slack API. In true Thanos fashion, I thought I’d do this myself.
Slack Watchman is aimed at blue-team operations mainly, but I’m sure red-teamers would also get some use out of it. You’d just need to get hold of a Slack API token, and we know that they’re not left lying around…
How it works
Slack Watchman uses the Slack API to query your workspace for:
- Externally shared channels
- Potential leaked passwords
- AWS Keys
- GCP keys
- Slack API keys
- Private keys
- Bank card details
- Certificate files
- Potentially interesting/malicious files (.docm, .xlsm, .zip etc.)
It also gives the following, which can be used for general auditing:
- All channels
- All users
- All admins
The results are output as CSV files that you can review and action accordingly. Querying is granular: you can look only for the things you are interested in, or you can look for everything.
You can run Slack Watchman to look for results going back as far as:
- 24 hours
- 7 days
- 30 days
- All time
The ideal use, in my experience, has been to do one all-time scan of the workspace to find anything lurking from the very beginning of its lifetime, then schedule scans to run at regular intervals (every 24 hours or 7 days) and review the results of each scan.
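To make the detection and timeframe logic above concrete, here is an added Python example (my own illustration for this post, not Slack Watchman's code): it runs simple patterns for AWS keys, Slack tokens, private keys, passwords and Luhn-checked card numbers over a constructed set of Slack messages, applies the 24-hour / 7-day / 30-day / all-time window, and renders the findings as CSV. The message shape, the pattern set and every sample value are assumptions.

```python
import csv, io, re
# Constructed sample of Slack search hits (not real data; shape loosely follows the
# Slack API). The AWS key is the placeholder from AWS's own docs, the rest is made up.
NOW = 1_700_000_000
def msg(channel, user, age, text):  # age = seconds before NOW
    return {"channel": channel, "user": user, "ts": f"{NOW - age}.000100", "text": text}
SAMPLE_MESSAGES = [
    msg("devops", "alice", 3600, "deploy key: AKIAIOSFODNN7EXAMPLE"),
    msg("general", "bob", 2 * 86400, "lunch at 12:30?"),
    msg("it-help", "carol", 3 * 86400, "vpn password = Summer2020!"),
    msg("bots", "dave", 5 * 86400, "bot token xoxb-1234567890-abcdefghij please rotate"),
    msg("finance", "erin", 20 * 86400, "corp card 4111 1111 1111 1111 exp 12/25"),
    msg("random", "frank", 60 * 86400, "-----BEGIN RSA PRIVATE KEY----- (key pasted here)"),
]
# Timeframe flags as on the page: d = 24 hours, w = 7 days, m = 30 days, a = all time.
TIMEFRAMES = {"d": 86400, "w": 7 * 86400, "m": 30 * 86400, "a": None}
PATTERNS = {
    "aws_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),                  # AWS access key ID
    "slack_token": re.compile(r"\bxox[abprs]-[0-9A-Za-z-]{10,}\b"),  # Slack token prefixes
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "password": re.compile(r"(?i)\bpass(?:word|wd)?\s*[:=]\s*\S+"),  # "password: hunter2"
    "card_number": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),         # PAN candidate, see Luhn
}

def luhn_ok(candidate):
    """Luhn check so random 13-19 digit strings are not reported as bank cards."""
    total = 0
    for i, d in enumerate(int(c) for c in reversed(candidate) if c.isdigit()):
        d = d * 2 if i % 2 else d
        total += d - 9 if d > 9 else d
    return total % 10 == 0
def scan(messages, timeframe, now=NOW):
    """One finding per pattern match in every message inside the timeframe."""
    window, rows = TIMEFRAMES[timeframe], []
    for m in messages:
        if window is not None and now - float(m["ts"]) > window:
            continue  # older than the requested timeframe
        for category, pattern in PATTERNS.items():
            for hit in pattern.finditer(m["text"]):
                if category == "card_number" and not luhn_ok(hit.group(0)):
                    continue
                rows.append({"category": category, "channel": m["channel"],
                             "user": m["user"], "timestamp": m["ts"], "match": hit.group(0)})
    return rows
def to_csv(rows):  # findings as CSV text, the shape Slack Watchman writes to disk
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["category", "channel", "user", "timestamp", "match"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```

Running `scan(SAMPLE_MESSAGES, "d")` returns only the AWS key posted an hour ago, while `"a"` returns all five findings; the real tool pages through the Slack search API instead of a fixed list.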
What you need
To run Slack Watchman, you will need a Slack API OAuth access token. You can get one by creating a simple Slack App.
The app needs to have the following User Token Scopes added:
- channels:read
- files:read
- groups:read
- im:read
- links:read
- mpim:read
- remote_files:read
- search:read
- team:read
- users:read
- users:read.email
Note: User tokens act on behalf of the user who authorises them, so I would suggest you create this app and authorise it using a service account; otherwise the app will have access to your private channels and chats.
Once you have your token, store it in a file named slack_watchman.conf in your home directory. The file should take the following format:
[auth]
slack_token = xoxp-xxxxxxxxxx-...
Slack Watchman will look for this file at runtime, and notify you if it’s not there.
Installation and usage
Installation via pip is simple:
pip install slack-watchman
Sources are also available on the GitHub repo: https://github.com/PaperMtn/slack-watchman/releases
You can run Slack Watchman to look for everything:
slack-watchman --timeframe a --all
Or arguments can be grouped together to search more granularly. This will look for AWS keys, GCP keys and passwords for the last 30 days:
slack-watchman --timeframe m -agP
Future plans and updates
I plan to add more features to Slack Watchman over time, including searching for more data.
I’m happy to discuss potential features, feel free to make a pull request, or shoot me a message: https://twitter.com/_PaperMtn