Including Screenshots for Analysis

I wanted to share a neat API that works really well in InsightConnect. Right now I’m accessing it via a REST plugin, but it could easily be converted into a plugin on its own.
https://apiflash.com/ allows you to pass a URL to it and it returns a URL to a jpeg of a screenshot of the website.
This works great with InsightConnect because using the Markdown in an Artifact you can include this image.
It doesn’t follow all the links on the page like a JoeSandbox would, but we are using this to see what the links would look like in a Phishing Workflow.
Having it as an Artifact allows an analyst to quickly tell if a link is trying to look like a login page even if something like VirusTotal comes back clean.
Attached is an example Artifact showing today’s Google page. Hopefully someone will find this useful.

[Image: apiflash]

I just noticed there’s a plugin called “Screenshot a URL” that looks like it just went live this week (version 1.0.0 is 8/28/20). I haven’t kicked the tires on it yet, but it looks useful.

Yes, I started playing with it. I put in a note though that I’m not able to include the Base64 in Markdown.

Brandon, is the format <img64:{{["get screenshot"].[screenshot]}}/> not working in an artifact card? When I test it against Google, it works.

HTML tags work, thanks!

It’s actually that one tag, and it’s not the same as the HTML version of an in-line b64 encoded image (HTML is <img src="data:image/png;base64, b64datagoeshere"/>).

That makes sense as to why the markdown version didn’t work.

I’m triggering as part of a workflow that’s initially fired by a Slack message. Can you include the artifact in the Slack response in some way?

When you say artifact, are you referring to a plain old artifact step (AKA a markdown card) in the workflow? If you want to include the contents of that in your Slack response, you can select the “Artifact Name.content” step variable when configuring your Slack Post Message step. It would look something like this in the Message box:

{{["Artifact Name"].[content]}}

I think the problem is posting a <img64: to Slack or Teams. I tried doing a Markdown to HTML and it wouldn’t convert it to an img to use in the post.

Looking into this a little more, the Post Message action does have the Attachments input where you pass in JSON to add more stuff to your message. If you look at their docs they have some example JSON that includes an image, though I haven’t tested it myself.

I have been able to send screenshots to Teams using an image url in the markdown syntax !["alt"](url) then converting the markdown to html (like in the screenshot starting this thread). The problem is that this plugin requires the <img64: syntax in the artifact and not the <img src="data:image/png;base64, one that Teams is expecting (like Elijah pointed out).
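
The tag mismatch discussed in this thread, as an added example that is not part of any post and is not InsightConnect's or the plugin's own code: a Python sketch that rewrites the <img64: form into the <img src="data:...;base64, form, refusing any payload that is not strict base64 or does not decode to a PNG or JPEG. It assumes the artifact text, after variable substitution, contains <img64:BASE64/>; the function names and placeholder strings are hypothetical.

```python
import base64
import binascii
import re

# Assumption: after variable substitution the artifact text contains
# <img64:BASE64/> (the tag form quoted in the thread).
IMG64_TAG = re.compile(r"<img64:\s*([^<>]*?)\s*/>")

# Magic bytes used to choose the MIME type for the data URI.
MAGIC = (
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
)


def sniff_mime(raw):
    """Return the MIME type for PNG or JPEG bytes, or None for anything else."""
    for prefix, mime in MAGIC:
        if raw.startswith(prefix):
            return mime
    return None


def img64_to_html(text):
    """Rewrite each <img64:.../> tag as an HTML <img> with a data URI.

    Payloads that are not strict base64, or that do not decode to a PNG or
    JPEG, are replaced with a placeholder rather than passed into the HTML.
    """
    def convert(match):
        payload = "".join(match.group(1).split())
        try:
            raw = base64.b64decode(payload, validate=True)
        except (binascii.Error, ValueError):
            return "[screenshot omitted: invalid base64]"
        mime = sniff_mime(raw)
        if mime is None:
            return "[screenshot omitted: not PNG or JPEG]"
        # Re-encode so only the base64 alphabet reaches the src attribute.
        clean = base64.b64encode(raw).decode("ascii")
        return '<img src="data:%s;base64,%s"/>' % (mime, clean)

    return IMG64_TAG.sub(convert, text)


# Constructed sample: the first bytes of a PNG file, not a full image.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
SAMPLE_CARD = "Screenshot: <img64:%s/>" % base64.b64encode(SAMPLE_PNG).decode("ascii")

if __name__ == "__main__":
    print(img64_to_html(SAMPLE_CARD))
```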