efetch_plugins.yml

###
# Efetch Plugin file
#
# Each item in this file becomes an efetch_server plugin
#
# Below is a simple example, note only the name field is required
#
#   office:
#       name: "Adv. Preview"
#       description: List the strings   # Optional
#       icon: fa-eye                    # Font Awesome 4 icon, default fa-file
#       cache: True                     # Defaults to True, so not necessary
#       popularity: 2                   # Defaults to 6, changes list order, 0 is hidden
#       category: Office                # Defaults to Misc, changes category in analyst view
#       os:                             # Defaults to all, list of supported operating systems (Windows and Linux)
#           - linux
#       mimetypes:                      # Defaults to all, list of supported mimetypes
#			      - application/mspowerpoint
#			      - application/vnd.ms-works
#           ...
#           - text/rtf
#       extensions:                     # Defaults to all, list of supported file extensions
#           - ppt
#           - pptx
#           ...
#           - docx
#       command: "unoconv -f pdf -o '{{ file_cache_path }}.pdf' '{{ file_cache_path }}' "
#		file: "{{ file_cache_path }}.pdf"
#
# Popularity: 9 - Navigate, 5 - Raw, 4 - Strings, 3 - Hex, 1 - Download, 0 - Hidden
#   Therefore file specific plugins should normally be between 6-8
#   And generic/universal plugins should either have a mimetype of none to be searched or 2
#
# The COMMAND and FILE options use JINJA2 templating
#
# There is also a "store" option that takes the variable to store the results to e.g.:
#     store: 'strings'
#
# There is also a "openwith" option that opens the specified "file" with a given plugin
#     openwith: 'directory'
#
# There is also a display option that supports 'raw' or 'xmp' (default)
#
# There is also an inputs option that supports basic form input
#
# If no FILE is specified, the plugin returns the results of the command using <xmp>
###


base64:
  name: Base64
  icon: fa-file-code-o
  category: misc
  mimetypes: [ 'none' ]
  display: noheader
  command: "base64 '{{ file_cache_path }}'"

bmctools:
  name: RDP Cache
  icon: fa-desktop
  category: misc
  extensions: [ 'bmc' ]
  command: "mkdir '{{ file_cache_path }}_bmctools'; python /opt/bmc-tools/bmc-tools.py -s '{{ file_cache_path }}' -d '{{ file_cache_path }}_bmctools' -b"
  file: '{{ file_cache_path }}_bmctools'
  openwith: directory

#clamscan:
#  name: Clam Scan
#  icon: fa-bug
#  command: "clamscan '{{ file_cache_path }}'"

cleanjson:
  name: Clean JSON
  icon: fa-file-text-o
  category: misc
  extensions: [ 'json' ]
  command: "cat '{{ file_cache_path }}' | python -m json.tool"

cleanxml:
  name: Clean XML
  icon: fa-file-code-o
  category: misc
  mimetypes: [ 'application/xml' ]
  command: "cat '{{ file_cache_path }}' | xmllint --format --recover -"

corexml:
  name: Core.xml
  icon: fa-file-code-o
  category: office
  extensions: [ 'pptx', 'xlsx', 'docx' ]
  command: "unzip -qc '{{ file_cache_path }}' docProps/core.xml | xmllint --format  -"

certificate_info:
  name: Cert. Info
  icon: fa-certificate
  category: misc
  popularity: 7
  extensions: [ 'crt' ]
  command: "openssl x509 -in '{{ file_cache_path }}' -noout -text"

certificate_info_private:
  name: Key. Info
  icon: fa-certificate
  category: misc
  popularity: 7
  extensions: [ 'key' ]
  command: "openssl rsa -in '{{ file_cache_path }}' -check"

certificate_info_pkcs12:
  name: PKCS#12 Info
  icon: fa-certificate
  category: misc
  popularity: 7
  extensions: [ 'pfx', 'p12' ]
  inputs:
    h2: Password
    label: Password
    text: password
  command: "openssl pkcs12 -info -in '{{ file_cache_path }}' -password pass:{{ password }}"

entropy:
  name: Entropy
  icon: fa-tachometer
  category: common
  popularity: 1
  mimetypes: [ 'none' ]
  command: "ent '{{ file_cache_path }}'"

evtxinfo:
  name: EVTX Info
  icon: fa-info
  category: misc
  popularity: 7
  extensions: [ 'evtx' ]
  command: "evtxinfo '{{ file_cache_path }}'"

evtxexport:
  name: EVTX Export
  icon: fa-list
  category: misc
  popularity: 6
  extensions: [ 'evtx' ]
  command: "evtxexport '{{ file_cache_path }}'"

ffmpeg:
  name: Video Preview
  icon: fa-file-video-o
  category: multimedia
  popularity: 8
  mimetypes: [ 'video/x-ms-asf', 'video/x-msvideo', 'video/x-ms-wmv', 'video/x-flv' ]
  command: "ffmpeg -y -i '{{ file_cache_path }}' -strict -2 -preset superfast '{{ file_cache_path }}.mp4' -hide_banner"
  file: "{{ file_cache_path }}.mp4"
  openwith: preview

file:
  name: File
  category: common
  mimetypes: [ 'none' ]
  command: "file -b '{{ file_cache_path }}' | tr ',' '\n'"

floss:
  name: FLOSS
  category: executable
  icon: fa-file-code-o
  mimetypes: [ 'application/x-dosexec' ]
  command: "floss '{{ file_cache_path }}'"

foremost:
  name: Foremost
  icon: fa-scissors
  category: common
  mimetypes: [ 'none' ]
  command: "foremost '{{ file_cache_path }}' -o '{{ file_cache_path }}-foremost'"
  file: '{{ file_cache_path }}-foremost' 
  openwith: directory

hash_md5:
  name: MD5 Hash
  icon: fa-hashtag
  category: common
  mimetypes: [ 'none' ]
  command: "md5sum '{{ file_cache_path }}'"

hash_sha1:
  name: SHA1 Hash
  icon: fa-hashtag
  category: common
  mimetypes: [ 'none' ]
  command: "sha1sum '{{ file_cache_path }}'"

hash_sha256:
  name: SHA256 Hash
  icon: fa-hashtag
  category: common
  mimetypes: [ 'none' ]
  command: "sha256sum '{{ file_cache_path }}'"

hash_sha512:
  name: SHA512 Hash
  icon: fa-hashtag
  category: common
  mimetypes: [ 'none' ]
  command: "sha512sum '{{ file_cache_path }}'"

hash_ssdeep:
  name: Ssdeep
  icon: fa-hashtag
  category: common
  mimetypes: [ 'none' ]
  command: "ssdeep '{{ file_cache_path }}'"

htmltopdf:
  name: Safe HTML
  icon: fa-eye-slash
  category: misc
  popularity: 8
  mimetypes: [ 'text/html' ]
  command: "wkhtmltopdf '{{ file_cache_path }}' '{{ file_cache_path }}-htmltopdf.pdf'"
  file: '{{ file_cache_path }}-htmltopdf.pdf'

imagepreview:
  name: Image Preview
  icon: fa-eye
  category: multimedia
  popularity: 8
  mimetypes: [ 'image/tiff', 'image/bmp', 'image/x-ms-bmp' ]
  command: "mogrify -format jpg -write '{{ file_cache_path }}-imagepreview.jpg' '{{ file_cache_path }}'"
  file: '{{ file_cache_path }}-imagepreview.jpg'

lnk:
  name: Parse LNK
  icon: fa-link
  category: misc
  extensions: [ 'lnk' ]
  command: "python /opt/pylnker.py '{{ file_cache_path }}'"

officeparser:
  name: Macro Extract
  icon: fa-file-code-o
  category: office
  extensions: [ 'none' ]
  command: "mkdir '{{ file_cache_path }}-officeparser'; python /opt/officeparser/officeparser.py --extract-macros -o '{{ file_cache_path }}-officeparser' '{{ file_cache_path }}'"
  file: '{{ file_cache_path }}-officeparser'
  openwith: directory

olevba:
  name: Macro Details
  icon: fa-file-code-o
  popularity: 6
  category: office
  extensions: [ 'ppt', 'pptx', 'pptm', 'xls', 'xlsx', 'xlsm', 'doc', 'docx', 'docm' ]
  command: "olevba '{{ file_cache_path }}'"

pdfextract:
  name: PDF Extract
  icon: fa-archive
  category: office
  mimetypes: [ 'application/pdf' ]
  command: "rm -rf '{{ file_cache_path }}-pdfextract'; mkdir '{{ file_cache_path }}-pdfextract'; pdfextract '{{ file_cache_path }}' -d '{{ file_cache_path }}-pdfextract'"
  file: '{{ file_cache_path }}-pdfextract'
  openwith: directory

pdfinfo:
  name: PDF Info
  icon: fa-file-pdf-o
  category: office
  mimetypes: [ 'application/pdf' ]
  command: "pdfinfo -js '{{ file_cache_path }}'"

pdfmetadata:
  name: PDF Metadata
  icon: fa-file-pdf-o
  category: office
  mimetypes: [ 'none' ]
  command: "pdfmetadata '{{ file_cache_path }}'"

#pdfocr:
#  name: PDF OCR
#  icon: fa-file-pdf-o
#  cache: True
#  popularity: 4
#  os: [ 'linux' ]
#  mimetypes: [ 'application/pdf' ]
#  command: "pypdfocr '{{ file_cache_path }}'"
#  file: "{{ file_cache_dir }}*_ocr.pdf"

pdftojpg:
  name: Safe Preview
  icon: fa-eye-slash
  popularity: 8
  category: office
  mimetypes: [ 'application/pdf' ]
  command: "mkdir '{{ file_cache_path }}-pdftojpg'; convert -density 200 '{{ file_cache_path }}' '{{ file_cache_path }}-pdftojpg/{{ file_name }}.jpg'"
  file: '{{ file_cache_path }}-pdftojpg'
  openwith: directory

pdftotext:
  name: PDF to Text
  icon: fa-file-pdf-o
  category: office
  mimetypes: [ 'application/pdf' ]
  command: "pdftotext '{{ file_cache_path }}' -"

psxray:
  name: PS Xray
  icon: fa-file-code-o
  category: misc
  extensions: [ 'ps1' ]
  command: "/usr/bin/python /opt/psxray/psx.py -r --apidb /opt/psxray/apihashes.db --file '{{ file_cache_path }}'"

prefetch:
  name: Prefetch
  icon: fa-windows
  category: misc
  extensions: [ 'pf' ]
  command: "/usr/bin/python /opt/prefetch/prefetch.py -f '{{ file_cache_path }}'"

prefetchw10:
  name: Win10 Prefetch
  icon: fa-windows
  category: misc
  extensions: [ 'pf' ]
  command: "/usr/bin/python /opt/w10pf/w10pf_parse.py -f '{{ file_cache_path }}'"
  display: csv

#readpst:
#  name: Read PST
#  icon: fa-envelope
#  popularity: 4
#  extensions: [ 'pst' ]
#  command: "mkdir {{ file_cache_path }}_readpst; readpst -w -D -S -o '{{ file_cache_path }}_readpst' {{ file_cache_path }}"
#  file: "{{ file_cache_path }}_readpst"
#  openwith: directory

rename:
  name: Rename
  icon: fa-edit
  category: common
  mimetypes: [ 'none' ]
  inputs:
    h2: Rename
    label: New Name
    text: new_name
  command: "cp '{{ file_cache_path }}' '{{ file_cache_dir }}{{ new_name }}'"
  file: '{{ file_cache_dir }}{{ new_name }}'
  openwith: analyze

scalpel:
  name: Scalpel
  icon: fa-scissors
  category: misc
  mimetypes: [ 'none' ]
  command: "scalpel -o '{{ file_cache_path }}-scalpel' '{{ file_cache_path }}'"
  file: '{{ file_cache_path }}-scalpel' 
  openwith: directory

strings_a:
  name: Strings ASCII
  icon: fa-file-text
  category: common
  mimetypes: [ 'none' ]
  command: "strings -a '{{ file_cache_path }}'"

strings_el:
  name: Strings Unicode (el)
  icon: fa-file-text
  category: common
  mimetypes: [ 'none' ]
  command: "strings -a -el '{{ file_cache_path }}'"

unzip:
  name: Cache Unzip
  popularity: 6
  icon:  fa-file-archive-o
  category: misc
  mimetypes: [ 'application/zip' ]
  command: "unzip -u '{{ file_cache_path }}' -d '{{ file_cache_path }}_unzip'"
  file: "{{ file_cache_path }}_unzip"
  openwith: directory

unzip_password:
  name: Password Unzip
  icon:  fa-file-archive-o
  category: misc
  mimetypes: [ 'none' ]
  inputs:
    h2: Password Protected Zip
    label: Password
    text: password
  command: "unzip -P {{ password }} -u '{{ file_cache_path }}' -d '{{ file_cache_path }}_passwordunzip'"
  file: "{{ file_cache_path }}_passwordunzip"
  openwith: directory

7zip_password:
  name: 7zip Password
  icon:  fa-file-archive-o
  category: misc
  extensions: [ '7z' ]
  inputs:
    h2: Password Protected Zip
    label: Password
    text: password
  command: "7z x -y -p'{{ password }}' -o'{{ file_cache_path }}_7zip_password' '{{ file_cache_path }}'"
  file: "{{ file_cache_path }}_7zip_password"
  openwith: directory

7zip:
  name: 7zip
  icon:  fa-file-archive-o
  category: misc
  extensions: [ '7z' ]
  command: "7z x -y -p'{{ password }}' -o'{{ file_cache_path }}_7zip' '{{ file_cache_path }}'"
  file: "{{ file_cache_path }}_7zip"
  openwith: directory

viper_monkey:
  name: ViperMonkey
  popularity: 1
  icon: fa-file-code-o
  category: office
  mimetypes: [ 'none' ]
  command: "vmonkey '{{ file_cache_path }}'"

#virus_total:
#  name: Virus Total
#  icon: fa-bug
#  command: "virustotal-search.py -m '{{ file_cache_path }}'"

#ziplist:
#  name: ZIP List
#  icon: fa-archive
#  mimetypes: [ 'application/zip' ]
#  command: "unzip -l '{{ file_cache_path }}'"