Slack Watchman Version 4.0.0 Release

The new version 4.0.0 release of Slack Watchman contains some major upgrades and new features:

Centralised signatures

The biggest upgrade to Slack Watchman, in terms of maintenance, is the move to store signatures in, and pull them from, a centralised GitHub repository: PaperMtn/watchman-signatures (Signature base for Watchman applications).

New signatures are downloaded, and updates to existing signatures are applied, at runtime, meaning Slack Watchman will always be using the most up-to-date signatures.

These signatures are now standardised between all Watchman applications, allowing me (or anyone else who contributes) to add or update them in one place, instead of needing to release an updated version of each application to add a new signature.

Note: This does mean that the ability to use custom signatures has been removed. If you have a useful signature, why not create a pull request and add it to the signatures repository for everyone to use?

Output options

One piece of feedback I would often receive is that the output from Slack Watchman isn’t easy to read. The previous version of Slack Watchman had output options that were either not used (stream logging) or not viable to maintain (outputting to CSV). Slack Watchman now has two options for terminal output:

  • JSON stdout
  • New terminal-friendly stdout

JSON

Good for machines… humans, not so much

JSON output is still the best option for ingesting logs into a SIEM, or another log analysis tool. There is also now the option to choose between verbose or succinct logging when using JSON output. Verbose includes more fields with information on posts, channels and users. Succinct cuts this down to just the information you need to know.

Terminal-friendly stdout

New in version 4.0.0 is the option for more user-friendly terminal output. This new view aims to include all the information you need as efficiently as possible. If no option is provided with the --output flag, this is selected by default.

Originally, I expected Slack Watchman to be used by blue teams with log analysis workflows, and that JSON would be the best output. As Slack Watchman has been used by more people, however, I’ve found out that it’s also just as popular with red and purple teams. In these cases not as much information is required: they just want the secret and perhaps enough context around it to be able to use it. Trawling through JSON was too laborious for this task, and it’s not the easiest format for humans to read.

Cookie authentication

Another new feature is the ability to authenticate using a Slack cookie, instead of providing a user or bot token. I go into more details about Slack cookies and how to use them in my post here, which I recommend you read if you’re unfamiliar with Slack cookies and want to use the cookie authentication option.

Simply provide the value of the Slack d cookie and the URL of a Slack workspace that cookie has access to. Slack Watchman will exchange the cookie for a Slack user session token and use that to authenticate to Slack and scan the workspace.

The cookie and URL can either be set via the environment variables SLACK_WATCHMAN_COOKIE and SLACK_WATCHMAN_URL, or in the config file ~/watchman.conf. See the README on GitHub for more information.

There are two main use cases for using cookie authentication:

  • Getting programmatic access to Slack workspaces where app installation is restricted by admin policy.
  • Using a compromised Slack cookie to enumerate a workspace it has access to.

Enumeration additions

Picking up on the theme of red and purple teams using Slack Watchman, some more options have been added that allow it to work as an enumeration tool, as well as for secrets detection. Slack Watchman can now return:

  • Information on the workspace it is running against
  • Information on the calling user, such as access rights
  • CSV output of all users, with their contact details, admin status and 2FA status
  • CSV output of all conversations/channels that the provided authentication can view

Docker Image

Slack Watchman is now available as a Docker image. Simply pull it from Docker Hub:

  docker pull papermountain/slack-watchman:latest

New signatures

As mentioned, signatures are now managed in a centralised repository. Since the last app release, some new signatures have been added that Slack Watchman makes use of. These include additional Slack tokens and cookies, more AWS tokens, and OpenAI API tokens (AI… it’s so hot right now).

Any new signatures added to the repository will automatically be downloaded when Slack Watchman next runs, so keep an eye out for new ones.

Under the hood changes

I initially released Slack Watchman in May 2020, and while other features have been added along the way, this is the first major overhaul of the codebase. As with anything you revisit after 3 years, you find some embarrassing mistakes.

Other than generally modernising the app, there are also some performance enhancements with more efficient use of API calls to better protect the rate limit, and multiprocessing to do some of the searching in parallel.
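The rate-limit and parallel-search point above is worth seeing in code. The example below is an added illustration written for this post, not Slack Watchman's own code: it stands in a constructed fake for Slack's search endpoint (real Slack answers an exceeded limit with HTTP 429 and a Retry-After header), fans search terms out across a pool of workers, and shares a single throttle gate so that when any one worker is told to back off, every worker pauses instead of piling on. Threads are used rather than processes because the calls are I/O bound; the names FakeSlackSearch, ThrottleGate and parallel_search are assumptions for this example, and the corpus and queries are constructed with obviously fake placeholder values.

```python
"""Parallel search with a shared rate-limit gate (added example, not project code)."""
import threading
import time
from concurrent.futures import ThreadPoolExecutor


class RateLimited(Exception):
    """Stands in for an HTTP 429 response carrying a Retry-After value (seconds)."""

    def __init__(self, retry_after):
        super().__init__(f"rate limited, retry after {retry_after}s")
        self.retry_after = retry_after


class FakeSlackSearch:
    """Constructed stand-in for a search API: allows `burst` calls per window,
    then raises RateLimited until the window (retry_after seconds) has passed."""

    def __init__(self, corpus, burst=3, retry_after=0.2):
        self.corpus = corpus
        self.burst = burst
        self.retry_after = retry_after
        self._lock = threading.Lock()
        self._window_start = time.monotonic()
        self._calls_in_window = 0
        self.throttled = 0  # how many calls were refused, for inspection

    def search(self, query):
        with self._lock:
            now = time.monotonic()
            if now - self._window_start >= self.retry_after:
                self._window_start = now
                self._calls_in_window = 0
            if self._calls_in_window >= self.burst:
                self.throttled += 1
                raise RateLimited(self.retry_after)
            self._calls_in_window += 1
        # Case-insensitive substring match over the constructed message corpus.
        return [m for m in self.corpus if query.lower() in m.lower()]


class ThrottleGate:
    """One shared pause for all workers: a 429 seen by any worker holds everyone."""

    def __init__(self):
        self._lock = threading.Lock()
        self._resume_at = 0.0

    def hold(self, seconds):
        with self._lock:
            self._resume_at = max(self._resume_at, time.monotonic() + seconds)

    def wait(self):
        while True:
            with self._lock:
                delay = self._resume_at - time.monotonic()
            if delay <= 0:
                return
            time.sleep(delay)


def search_with_retry(api, gate, query, max_attempts=20):
    """Run one query, honouring Retry-After through the shared gate."""
    for _ in range(max_attempts):
        gate.wait()
        try:
            return api.search(query)
        except RateLimited as exc:
            gate.hold(exc.retry_after)
    raise RuntimeError(f"gave up on {query!r} after {max_attempts} attempts")


def parallel_search(api, queries, workers=4):
    """Dispatch de-duplicated queries across a worker pool; return {query: hits}."""
    unique = list(dict.fromkeys(queries))  # avoid spending API calls on repeats
    gate = ThrottleGate()
    with ThreadPoolExecutor(max_workers=workers) as pool:
        hits = list(pool.map(lambda q: search_with_retry(api, gate, q), unique))
    return dict(zip(unique, hits))


if __name__ == "__main__":
    # Constructed sample messages; the token-like strings are placeholders, not real secrets.
    corpus = [
        "deploy note: bot token xoxb-EXAMPLE-NOT-A-REAL-TOKEN",
        "lunch at noon?",
        "pipeline uses AKIAEXAMPLEKEY for the S3 upload",
        "openai key sk-EXAMPLE-NOT-REAL in the notebook",
        "meeting moved to Thursday",
    ]
    api = FakeSlackSearch(corpus, burst=3, retry_after=0.2)
    found = parallel_search(api, ["xoxb-", "AKIA", "sk-", "noon", "meeting", "nothing-here"])
    for query, messages in found.items():
        print(f"{query!r}: {len(messages)} hit(s)")
    print(f"calls refused by the fake rate limit: {api.throttled}")
```

The design choice to note is the shared gate: with independent per-worker backoff, three other workers would each still burn a request discovering the same limit, which is exactly the waste a rate-limited API punishes.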