Merge pull request #101 from digitalsleuth/zimmerman_update

Update Zimmerman Tools installation
teamdfir · Nov 15, 2024 · 026d564 · 026d564
2 parents fd3d781 + 0c5a7de
commit 026d564
Show file tree

Hide file tree

Showing 4 changed files with 80 additions and 0 deletions.
diff --git a/sift/packages/dotnet.sls b/sift/packages/dotnet.sls
@@ -0,0 +1,16 @@
+{% if grains['oscodename'] == "focal" %}
+include:
+  - sift.repos.microsoft
+
+dotnet6-install:
+  pkg.installed:
+    - name: dotnet-sdk-6.0
+    - require:
+      - sls: sift.repos.microsoft
+
+{% elif grains['oscodename'] == "jammy" %}
+sift-package-dotnet6:
+  pkg.installed:
+    - name: dotnet-sdk-6.0
+
+{% endif %}
diff --git a/sift/repos/microsoft.sls b/sift/repos/microsoft.sls
@@ -0,0 +1,17 @@
+sift-microsoft-key:
+  file.managed:
+    - name: /usr/share/keyrings/MICROSOFT.asc
+    - source: https://packages.microsoft.com/keys/microsoft.asc
+    - skip_verify: True
+    - makedirs: True
+
+microsoft:
+  pkgrepo.managed:
+    - humanname: Microsoft
+    - name: deb [arch=amd64 signed-by=/usr/share/keyrings/MICROSOFT.asc] https://packages.microsoft.com/ubuntu/{{ grains['lsb_distrib_release'] }}/prod {{ grains['lsb_distrib_codename'] }} main
+    - dist: {{ grains['lsb_distrib_codename'] }}
+    - file: /etc/apt/sources.list.d/microsoft.list
+    - refresh: True
+    - clean_file: True
+    - require:
+      - file: sift-microsoft-key
diff --git a/sift/scripts/init.sls b/sift/scripts/init.sls
@@ -26,6 +26,7 @@ include:
   - sift.scripts.usbdeviceforensics
   - sift.scripts.virustotal-tools
   - sift.scripts.vshot
+  - sift.scripts.zimmerman
 
 sift-scripts:
   test.nop:
@@ -58,3 +59,4 @@ sift-scripts:
       - sls: sift.scripts.usbdeviceforensics
       - sls: sift.scripts.virustotal-tools
       - sls: sift.scripts.vshot
+      - sls: sift.scripts.zimmerman
diff --git a/sift/scripts/zimmerman.sls b/sift/scripts/zimmerman.sls
@@ -0,0 +1,45 @@
+{%- set user = salt['pillar.get']('sift_user', 'sansforensics') -%}
+{%- set all_users = salt['user.list_users']() -%}
+{%- if user == "root" -%}
+  {%- set home = "/root" -%}
+{%- else -%}
+  {%- set home = "/home/" + user -%}
+{%- endif -%}
+
+{% set tools = ['AmcacheParser','AppCompatCacheParser','bstrings','EvtxECmd','iisGeolocate','JLECmd','LECmd','MFTECmd','RBCmd','RecentFileCacheParser','RECmd','rla','SBECmd','SQLECmd','WxTCmd'] %}
+
+include:
+  - sift.packages.dotnet
+  - sift.config.user.user
+
+{% for tool in tools %}
+download-{{ tool }}:
+  file.managed:
+    - name: /tmp/{{ tool }}.zip
+    - source: https://f001.backblazeb2.com/file/EricZimmermanTools/net6/{{ tool }}.zip
+    - skip_verify: True
+    - makedirs: True
+
+extract-{{ tool }}:
+  archive.extracted:
+    - name: /opt/zimmermantools/
+    - source: /tmp/{{ tool }}.zip
+    - enforce_toplevel: false
+
+{{ tool }}-wrapper:
+  file.managed:
+    - names:
+      - /usr/local/bin/{{ tool }}
+      - /usr/local/bin/{{ tool|lower }}
+    - contents: |
+        #!/bin/bash
+        {% if tool|lower == "iisgeolocate" or tool|lower == "recmd" or tool|lower == "sqlecmd" %}
+        dotnet /opt/zimmermantools/{{ tool }}/{{ tool }}.dll ${*}
+        {% elif tool|lower == "evtxecmd" %}
+        dotnet /opt/zimmermantools/EvtxeCmd/{{ tool }}.dll ${*}
+        {% else %}
+        dotnet /opt/zimmermantools/{{ tool }}.dll ${*}
+        {% endif %}
+    - mode: 755
+    - replace: True
+{% endfor %}