StoqShell
Overview
A stoQ Interactive Shell
Examples
Instantiate a stoQ Interactive Shell session:
$ stoq shell
[stoQ ASCII-art banner]
Analysis. Simplified.
[stoQ] >
List all available plugins:
[stoQ] > list
Available Plugins:
connectors
- stdout v0.9 Sends content to STDOUT
- file v0.9 Retrieves and saves content to local disk
extractors
- decompress v0.9 Extract content from a multitude of archive formats
- gpg v0.1 Handle GnuPG encrypted content
carvers
- pe v0.9 Carve portable executable files from a data stream
- swf v0.9 Carve and decompress SWF payloads
- ole v0.9 Carve OLE streams within Microsoft Office Documents
- xdp v0.9 Carve and decode streams from XDP documents
- rtf v0.9 Carve hex/binary streams from RTF payloads
readers
- pdftext v0.9 Extract text from a PDF document
- tika v0.1 Upload content to a Tika server for automated text extraction
- iocregex v0.9 Regex routines to extract and normalize IOC's from a payload
sources
- rabbitmq v0.9 Publish and Consume messages from a RabbitMQ Server
- dirmon v0.9 Monitor a directory for newly created files for processing
- filedir v0.9 Ingest a file or directory for processing
workers
- peinfo v0.9 Gather relevant information about an executable using pefile
- exif v0.9 Processes a payload using ExifTool
- publisher v0.9 Publish messages to single or multiple RabbitMQ queues for processing
- trid v0.4 Identify file types from their TrID signature
- xorsearch v0.9 Search a payload for XOR'd strings
- yara v0.9 Process a payload using yara
- iocextract v0.9 Utilizes reader/iocregex plugin to extract indicators of compromise from documents
decoders
- rot47 v0.1 Decode ROT47 encoded content
- bitwise_rotate v0.1 Rotate bits left or right. Defaults to 4 bits right for nibble swapping.
- b64 v0.1 Decode base64 encoded content
- b85 v0.1 Decode base85 encoded content
- xor v0.1 Decode XOR encoded content
Load the yara plugin:
[stoQ] > load worker yara
Conduct a simple scan of a payload using only the yara plugin. read loads the file and reports its size, hashes and MIME type, run executes the loaded worker against it, and results prints the worker's output as JSON; each entry under "strings" is an [offset, rule identifier, matched bytes] triple:
[stoQ] > read /tmp/bad.exe
[*] Read /tmp/bad.exe(510968 bytes)
[*] sha1: 074c5b3707ebcda408a186082e529cf8ae5859ed
[*] sha256: 3cb2eb909ea3cfac42621ed4d024ed9d15a2005cc91a54050ef75fc9bee695b7
[*] sha512: 53fcb7f9087b5f356067f6f2cd288575e97876fdad9e1376231923e414b541b0fdba7f17095daba0899155f2cde11efb5d4fcad1bfd3390e59c5a894d8bc1c1d
[*] md5: 0b40e4e5987e7fb14b7a9b9b9218c703
[*] magic: application/x-dosexec
[stoQ] > run worker yara
[stoQ] > results
{
    "hits": [
        {
            "matches": true,
            "meta": {
                "author": "PUNCH Cyber Analytics Group",
                "cve": "N/A",
                "description": "Badness",
                "type": "Suspicious String",
                "version": "1.0",
                "weight": 100
            },
            "namespace": "default",
            "rule": "win_api_LoadLibrary",
            "strings": [
                [
                    "23967",
                    "$LoadLibrary",
                    "b'LoadLibrary'"
                ]
            ],
            "tags": []
        }
    ]
}
Display all available settings:
[stoQ] > set
worker.yara.saveresults = True
worker.yara.max_processes = 1
worker.yara.website = https://github.com/PUNCH-Cyber/stoq-plugins-public
worker.yara.templates = plugins/worker/yara/templates/
worker.yara.carvers = {}
worker.yara.template = False
worker.yara.readers = {}
worker.yara.plugin_path = /usr/local/stoq/plugins/worker/yara
worker.yara.dispatch = False
worker.yara.version = 0.9
worker.yara.description = Process a payload using yara
worker.yara.yararules = plugins/worker/yara/rules/stoq.yar
worker.yara.name = yara
worker.yara.path = False
worker.yara.module = /usr/local/stoq/plugins/worker/yara/yarascan
worker.yara.extractors = {}
worker.yara.archive_connector = False
worker.yara.source_plugin = False
worker.yara.workers = {}
worker.yara.decoders = {}
worker.yara.category = worker
worker.yara.log_level = False
worker.yara.hashpayload = True
worker.yara.is_activated = True
worker.yara.output_connector = stdout
worker.yara.author = Marcus LaFerrera
worker.yara.error_queue = False
worker.yara.sources = {}
stoq.config_file = /usr/local/stoq/stoq.cfg
stoq.default_connector = stdout
stoq.log_dir = /usr/local/stoq/logs
stoq.log_maxbytes = 1500000
stoq.log_path = /usr/local/stoq/logs/stoq.log
stoq.base_dir = /usr/local/stoq
stoq.useragent = Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1)
stoq.url_prefix_tuple = http://, https://
stoq.results_dir = /usr/local/stoq/results
stoq.temp_dir = /usr/local/stoq/temp
stoq.dispatch_rules = /usr/local/stoq/dispatcher.yar
stoq.default_source = filedir
stoq.log_level = INFO
stoq.log_backup_count = 5
stoq.source_base_tuple = /usr/local/stoq
stoq.max_recursion = 3
stoq.plugin_dir_list = /usr/local/stoq/plugins
stoq.archive_base = /usr/local/stoq/archive
Update a configuration setting:
[stoQ] > set stoq.log_level DEBUG
stoq.log_level -> DEBUG
Save results, including any payloads that were carved, extracted or decoded. When multiple results have been processed, the integer in the file name is incremented and corresponds to the payload id shown by the results command:
[stoQ] > save
[*] Saving content to /usr/local/stoq/results/results-0-bad.exe
Now let's pass arguments to a plugin. In this instance we want to XOR-decode the payload with a specific single-byte XOR key:
[stoQ] > run decoder xor key=2
[*] Run using xor complete. View results with 'results'
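The following is an added example, not stoQ's own xor decoder or xorsearch worker code, showing what a single-byte XOR decode such as key=2 does to a payload and how the key can be recovered when it is not known, by searching for a string you expect to be present (here the DOS stub text and the LoadLibrary API name that the yara rule above matched). The payload, and the names PLAINTEXT, parse_key, xor_decode, xor_search and recover_keys, are constructed for this example.

```python
"""Single-byte XOR decoding and XOR'd-string search (added example, not stoQ code)."""

# Constructed sample: a fake PE-like header, the DOS stub message and the
# API name that the win_api_LoadLibrary rule above matched on.
PLAINTEXT = b"MZ\x90\x00 This program cannot be run in DOS mode. LoadLibraryA GetProcAddress"

# Strings worth hunting for under XOR; the DOS stub text is the classic one.
DEFAULT_NEEDLES = [b"This program", b"LoadLibrary"]


def parse_key(key) -> int:
    """Accept the key the way a shell argument arrives (a string such as
    "2" or "0x02") or as an int, and validate that it is a single byte."""
    value = key if isinstance(key, int) else int(str(key).strip(), 0)
    if not 0 <= value <= 255:
        raise ValueError(f"key must be a single byte (0-255), got {value}")
    return value


def xor_decode(data: bytes, key) -> bytes:
    """XOR every byte with a single-byte key. XOR is its own inverse, so the
    same call encodes and decodes."""
    k = parse_key(key)
    return bytes(b ^ k for b in data)


def xor_search(data: bytes, needles=DEFAULT_NEEDLES, skip_identity=True):
    """Find needles hidden under any single-byte XOR key.

    Instead of decoding the whole payload 255 times, XOR each (short) needle
    with the candidate key and search the untouched payload for that byte
    pattern: data ^ k contains N exactly where data contains N ^ k.
    Returns (key, needle, offset) triples, the same shape as the
    offset/identifier/data entries in the yara results above.
    Key 0 is the identity, so it is skipped by default: a raw plaintext hit
    is not evidence of XOR encoding.
    """
    hits = []
    for key in range(256):
        if skip_identity and key == 0:
            continue
        for needle in needles:
            probe = xor_decode(needle, key)
            offset = data.find(probe)
            while offset >= 0:
                hits.append((key, needle, offset))
                offset = data.find(probe, offset + 1)
    return hits


def recover_keys(data: bytes, needles=DEFAULT_NEEDLES):
    """Distinct keys under which at least one needle appears, most hits first."""
    counts = {}
    for key, _, _ in xor_search(data, needles):
        counts[key] = counts.get(key, 0) + 1
    return sorted(counts, key=lambda k: (-counts[k], k))


# The encoded payload as it might sit on disk, produced with key 2.
ENCODED = xor_decode(PLAINTEXT, 2)

if __name__ == "__main__":
    for key, needle, offset in xor_search(ENCODED):
        print(f"key=0x{key:02x} offset={offset} {needle!r}")
    key = recover_keys(ENCODED)[0]
    print(f"decoded with key={key}: {xor_decode(ENCODED, key)[:40]!r}")
```

Searching for the XOR'd needle rather than decoding the buffer is what keeps this usable on large payloads; a decode with the recovered key is then a single pass, exactly what the shell's run decoder xor key=N step performs once the key is known.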
List contents of a directory:
[stoQ] > ls /tmp
bad.exe
class stoq.shell.StoqShell(stoq)

    do_EOF(input)

    do_exit(input)

    do_list(input)
        list
        List available plugins

    do_load(input)
        load <category> <plugin>
        Load plugin of category

    do_ls(input)
        ls <path>
        List contents in the specified directory

    do_payload(input)
        payload <id>
        Switch object to scan to an extracted stream

    do_read(input)
        read <path to file>
        Open a file at specified path

    do_results(input)
        results
        Display results of previous plugin run

    do_run(input)
        run <category> <plugin> [key=value]
        Run an individual plugin against the loaded payload

    do_save(input)
        save [payload | id]
        Save all results, the current payload, or only a specific results ID to disk

    do_set(input)
        set <global setting> <new value>
        Set global setting to value

    do_usage(input)
        usage <category> <plugin>
        Display any documentation available for the specified plugin

    set_prompt(msg='')