StoqShell

Overview

A stoQ Interactive Shell

Examples

Instantiate a stoQ Interactive Shell session:

$ stoq shell

 .d8888b.  888             .d88888b.
d88P  Y88b 888            d88P" "Y88b
Y88b.      888            888     888
 "Y888b.   888888 .d88b.  888     888
    "Y88b. 888   d88""88b 888     888
      "888 888   888  888 888 Y8b 888
Y88b  d88P Y88b. Y88..88P Y88b.Y8b88P
 "Y8888P"   "Y888 "Y88P"   "Y888888"
                                 Y8b
        Analysis. Simplified.


[stoQ] >

List all available plugins:

[stoQ] > list
Available Plugins:
connectors
- stdout              v0.9    Sends content to STDOUT
- file                v0.9    Retrieves and saves content to local disk
extractors
- decompress          v0.9    Extract content from a multitude of archive formats
- gpg                 v0.1    Handle GnuPG encrypted content
carvers
- pe                  v0.9    Carve portable executable files from a data stream
- swf                 v0.9    Carve and decompress SWF payloads
- ole                 v0.9    Carve OLE streams within Microsoft Office Documents
- xdp                 v0.9    Carve and decode streams from XDP documents
- rtf                 v0.9    Carve hex/binary streams from RTF payloads
readers
- pdftext             v0.9    Extract text from a PDF document
- tika                v0.1    Upload content to a Tika server for automated text extraction
- iocregex            v0.9    Regex routines to extract and normalize IOC's from a payload
sources
- rabbitmq            v0.9    Publish and Consume messages from a RabbitMQ Server
- dirmon              v0.9    Monitor a directory for newly created files for processing
- filedir             v0.9    Ingest a file or directory for processing
workers
- peinfo              v0.9    Gather relevant information about an executable using pefile
- exif                v0.9    Processes a payload using ExifTool
- publisher           v0.9    Publish messages to single or multiple RabbitMQ queues for processing
- trid                v0.4    Identify file types from their TrID signature
- xorsearch           v0.9    Search a payload for XOR'd strings
- yara                v0.9    Process a payload using yara
- iocextract          v0.9    Utilizes reader/iocregex plugin to extract indicators of compromise from documents
decoders
- rot47               v0.1    Decode ROT47 encoded content
- bitwise_rotate      v0.1    Rotate bits left or right. Defaults to 4 bits right for nibble swapping.
- b64                 v0.1    Decode base64 encoded content
- b85                 v0.1    Decode base85 encoded content
- xor                 v0.1    Decode XOR encoded content

Load the yara plugin:

[stoQ] > load worker yara

Conduct a simple scan of a payload using only the yara plugin:

[stoQ] > read /tmp/bad.exe
[*] Read /tmp/bad.exe(510968 bytes)
[*] sha1: 074c5b3707ebcda408a186082e529cf8ae5859ed
[*] sha256: 3cb2eb909ea3cfac42621ed4d024ed9d15a2005cc91a54050ef75fc9bee695b7
[*] sha512: 53fcb7f9087b5f356067f6f2cd288575e97876fdad9e1376231923e414b541b0fdba7f17095daba0899155f2cde11efb5d4fcad1bfd3390e59c5a894d8bc1c1d
[*] md5: 0b40e4e5987e7fb14b7a9b9b9218c703
[*] magic: application/x-dosexec
[stoQ] > run worker yara
[stoQ] > results
{ "hits" : [ {
        "matches" : true,
        "meta" : {
                "author" : "PUNCH Cyber Analytics Group",
                "cve" : "N/A",
                "description" : "Badness",
                "type" : "Suspicious String",
                "version" : "1.0",
                "weight" : 100
                },
        "namespace" : "default",
        "rule" : "win_api_LoadLibrary",
        "strings" : [
                [
                    "23967",
                    "$LoadLibrary",
                    "b'LoadLibrary'"
                ],
            ],
        "tags" : [  ]
        } ],
    }

Display all available settings:

[stoQ] > set
worker.yara.saveresults = True
worker.yara.max_processes = 1
worker.yara.website = https://github.com/PUNCH-Cyber/stoq-plugins-public
worker.yara.templates = plugins/worker/yara/templates/
worker.yara.carvers = {}
worker.yara.template = False
worker.yara.readers = {}
worker.yara.plugin_path = /usr/local/stoq/plugins/worker/yara
worker.yara.dispatch = False
worker.yara.version = 0.9
worker.yara.description = Process a payload using yara
worker.yara.yararules = plugins/worker/yara/rules/stoq.yar
worker.yara.name = yara
worker.yara.path = False
worker.yara.module = /usr/local/stoq/plugins/worker/yara/yarascan
worker.yara.extractors = {}
worker.yara.archive_connector = False
worker.yara.source_plugin = False
worker.yara.workers = {}
worker.yara.decoders = {}
worker.yara.category = worker
worker.yara.log_level = False
worker.yara.hashpayload = True
worker.yara.is_activated = True
worker.yara.output_connector = stdout
worker.yara.author = Marcus LaFerrera
worker.yara.error_queue = False
worker.yara.sources = {}
stoq.config_file = /usr/local/stoq/stoq.cfg
stoq.default_connector = stdout
stoq.log_dir = /usr/local/stoq/logs
stoq.log_maxbytes = 1500000
stoq.log_path = /usr/local/stoq/logs/stoq.log
stoq.base_dir = /usr/local/stoq
stoq.useragent = Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1)
stoq.url_prefix_tuple = http://, https://
stoq.results_dir = /usr/local/stoq/results
stoq.temp_dir = /usr/local/stoq/temp
stoq.dispatch_rules = /usr/local/stoq/dispatcher.yar
stoq.default_source = filedir
stoq.log_level = INFO
stoq.log_backup_count = 5
stoq.source_base_tuple = /usr/local/stoq
stoq.max_recursion = 3
stoq.plugin_dir_list = /usr/local/stoq/plugins
stoq.archive_base = /usr/local/stoq/archive

Update a configuration setting:

[stoQ] > set stoq.log_level DEBUG
stoq.log_level -> DEBUG

Save results, to include any payloads that may have been carved/extracted/decoded. If mutiple results have been processed, the integer will be incremented and correspond to the payload id viewable in the results command:

[stoQ] > save
[*] Saving content to /usr/local/stoq/results/results-0-bad.exe

Now’s let pass arguments to a plugin. In this instance we want to XOR a payload using a specific XOR key:

[stoQ] > run decoder xor key=2
[*] Run using xor complete. View results with 'results'

List contents of a directory:

[stoQ] > ls /tmp
bad.exe
class stoq.shell.StoqShell(stoq)
do_EOF(input)
do_exit(input)
do_list(input)
list
List available plugins
do_load(input)
load <category> <plugin>
Load plugin of category
do_ls(input)
ls <path>
List contents in the specified directory
do_payload(input)
payload <id>
Switch object to scan to an extracted stream
do_read(input)
read <path to file>
Open a file at specified path
do_results(input)
results
Display results of previous plugin run
do_run(input)
run <category> <plugin> [key=value]
Run an individual plugin against the loaded payload
do_save(input)
save [payload | id]
Save all results, the current payload, or only a specific results ID to disk
do_set(input)
set <global setting> <new value>
Set global setting to value
do_usage(input)
usage <category> <plugin>
Display any documentation available for the specified plugin
set_prompt(msg='')