Including Screenshots for Analysis

brandon_mcclure · August 27, 2020, 5:12pm

I wanted to share a neat API that works really well in InsightConnect, right now I’m accessing it via a REST plugin, but it could easily be converted into a plugin on its own.
https://apiflash.com/ allows you to pass a URL to it and it returns a URL to a jpeg of a screenshot of the website.
This works great with InsightConnect because using the Markdown in an Artifact you can include this image.
It doesn’t follow all the links on the page like a JoeSandbox would, but we are using this to see what the links would look like in a Phishing Workflow.
Having it as an Artifact allows an analyst to quickly tell if a link is trying to look like a login page even if something like VirusTotal comes back clean.
Attached is an example Artifact showing today’s google page, hopefully someone will find this useful.

apiflash

david_bouchard · September 1, 2020, 4:31pm

I just noticed there’s a plugin called “Screenshot a URL” that looks like it just went live this week (version 1.0.0 is 8/28/20). I haven’t kicked the tires on it yet, but it looks useful.

brandon_mcclure · September 1, 2020, 5:01pm

Yes, I started playing with it. I put in a note though that I’m not able to include the Base64 in Markdown

elijah_martin-merrill · September 2, 2020, 1:41pm

Brandon, is the format <img64:{{[“get screenshot”].[screenshot]}}/> not working in an artifact card? When I test it against google, it works.

brandon_mcclure · September 2, 2020, 1:58pm

HTML tags work, Thanks!

elijah_martin-merrill · September 2, 2020, 2:10pm

It’s actually that one tag and it’s not the same as the html version of an in-line b64 encoded image (html is <img src="data:image/png;base64, b64datagoeshere"/>)

brandon_mcclure · September 2, 2020, 2:23pm

That makes sense as to why the markdown version didn’t work

shawn_preston · December 1, 2020, 2:25am

I’m triggering as part of a workflow that’s initially fired by a Slack message. Can you include the artifact in the slack response in some way?

holly_wilsey · December 1, 2020, 9:48pm

When you say artifact, are you referring to a plain old artifact step (AKA a markdown card) in the workflow? If you want to include the contents of that in your Slack response, you can select the “Artifact Name.content” step variable when configuring your Slack Post Message step. It would look something like this in the Message box:

{{["Artifact Name"].[content]}}

brandon_mcclure · December 2, 2020, 4:55pm

I think the problem is posting a <img64: to Slack or Teams. I tried doing a Markdown to HTML and it wouldn’t convert it to an img to use in the post

holly_wilsey · December 4, 2020, 7:19pm

Looking into this a little more, the Post Message action does have the Attachments input where you pass in JSON to add more stuff to your message. If you look at their docs they have some example JSON that includes an image, though I haven’t tested it myself.

brandon_mcclure · December 4, 2020, 7:47pm

I have been able to send screenshots to teams using an image url in the markdown syntax !["alt"](url) then converting the markdown to html (like in the screenshot starting this thread). The problem is that this plugin requires the <img64: syntax in the artifact and not the <img src="data:image/png;base64, one that Teams is expecting (like Elijah pointed out)

dome · March 5, 2024, 11:15pm

Sorry if I’m revisiting this old topic, I’m using the “Screenshot a URL” and “Base64” plugins, I’d like to insert an image into a Markdown, but I can’t figure out how to do it.

Please, can you help me? Thank you

brandon_mcclure · March 6, 2024, 2:01pm

<img64:{{[“Screenshot Plugin”].[screenshot]}}/>

dome · March 6, 2024, 4:36pm

Thank you very much, you solved my problem.