stoQ is a automation framework that helps to simplify the mundane and repetitive tasks an analyst is required to do. It allows analysts and DevSecOps teams the ability to quickly transition between different data sources, databases, decoders/encoders, and numerous other tasks using enriched and consistent data structures. stoQ was designed to be enterprise ready and scalable, while also being lean enough for individual security researchers.
If you're interested in learning more about stoQ, to include how to develop your own plugins, checkout the full documentation.
This git repository contains publicly available plugins that have been created for use with stoQ. The core stoQ repository can be found here.
Details on how to install these plugins can be found here.
Below is a listing of all public stoQ plugins, a description, and their respective plugin class.
| Plugin Name | Description | Plugin Type |
|---|---|---|
| acce | Scan payloads using ACCE | Worker |
| azure_blob | Save results and archive payloads with Azure Blob Storage | Archiver, Connector |
| b64decode | Decode base64 encoded payloads | Worker |
| decompress | Extract content from a multitude of archive formats | Worker |
| dirmon | Monitor a directory for newly created files for processing | Provider |
| entropy | Calculate shannon entropy of a payload | Worker |
| es-search | Saves results to ElasticSearch | Connector |
| exif | Processes a payload using ExifTool | Worker |
| falcon-sandbox | Scan payloads using Falcon Sandbox | Worker |
| filedir | Ingest a file or directory for processing | Provider, Connector, Archiver |
| gcs | Read and write data to Google Cloud Storage | Archiver, Connector |
| hash | Hash content | Worker |
| hash_ssdeep | Generate a ssdeep hash of payloads | Worker |
| iocextract | Regex routines to extract and normalize IOC's from a payload | Worker |
| javaclass | Decodes and extracts information from Java Class files | Worker |
| jinja | Decorate results using a template | Connector, Decorator |
| kafka-queue | Publish and consume messages from a Kafka server | Archiver, Connector, Provider |
| lief | Parse and abstract PE, ELF and MachO files using LIEF | Worker |
| mimetype | Determine mimetype of a payload | Worker |
| mongodb | Save results and archive payloads to/from mongodb | Archiver, Connector |
| mraptor | Port of mraptor3 from oletools | Worker |
| ole | Carve OLE streams within Microsoft Office Documents | Worker |
| opswat | Scan payloads using OPSWAT MetaDefender | Worker |
| pecarve | Carve portable executable files from a data stream | Worker |
| peinfo | Gather relevant information about an executable using pefile | Worker |
| pubsub | Interact with Google Cloud Pub/Sub | Archiver, Connector, Provider |
| redis-queue | Interact with Redis server | Archiver, Connector, Provider |
| rtf | Extract objects from RTF payloads | Worker |
| s3 | Read and write data to Amazon S3 buckets | Archiver, Connector |
| sentinel | Save results to Azure Sentinel | Connector |
| smtp | SMTP Parser Worker | Worker |
| stdout | Sends results to STDOUT | Connector |
| swfcarve | Carve and decompress SWF files from payloads | Worker |
| symhash | Calculate symbol table hashes of a Mach-O executable file | Worker |
| tika | Upload content to a Tika server for automated text extraction | Worker |
| tnef | TNEF File Extractor | Worker |
| trid | Identify file types from their TrID signature | Worker |
| vtmis-filefeed | Process VTMIS File Feed | Provider, Worker |
| vtmis-search | Search VTMIS for sha1 hash of a payload or from results of iocextract plugin |
Worker, Dispatcher |
| xdpcarve | Carve and decode streams from XDP documents | Worker |
| xordecode | Decode XOR encoded payloads | Worker |
| xorsearch | Scan a payload using xorsearch | Worker |
| xyz | Extract Zip file metadata | Worker |
| yara | Process a payload using yara | Worker, Dispatcher |