diff --git a/.cast.yml b/.cast.yml index 82edbf35..3a0ae35a 100644 --- a/.cast.yml +++ b/.cast.yml @@ -21,10 +21,10 @@ manifest: deprecated: true replacement: desktop supported_os: - - id: ubuntu - release: 20.04 - id: ubuntu release: 22.04 + - id: ubuntu + release: 24.04 saltstack: pillars: sift_user_template: "{{ .User }}" diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 038e0145..d961057d 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -4,9 +4,12 @@ on: push: branches: - master + - main + - next pull_request: branches: - master + - main - next jobs: @@ -29,18 +32,18 @@ jobs: if: ${{ needs.changed_states.outputs.matrix != '[]' }} strategy: matrix: - salt: [3006, 3007] - os: [20.04, 22.04] + salt: [3007, 3006] + os: [22.04, 24.04] state: ${{ fromJson(needs.changed_states.outputs.matrix) }} include: - - os: 20.04 - code: focal + - os: 24.04 + code: noble - os: 22.04 code: jammy container: - image: docker://ghcr.io/ekristen/cast-tools/saltstack-tester:${{ matrix.code }}-${{ matrix.salt }} + image: docker://ghcr.io/ekristen/cast-tools/saltstack-tester:${{ matrix.os }}-${{ matrix.salt }} steps: - uses: actions/checkout@v4 - name: test-state run: | - salt-call -l info --file-root . --local --retcode-passthrough --state-output=mixed state.sls ${{ matrix.state }} pillar="{sift_user: root}" + salt-call --local -l info --file-root . --retcode-passthrough --state-output=mixed state.sls ${{ matrix.state }} pillar="{sift_user: root}" diff --git a/sift/config/init.sls b/sift/config/init.sls index f7aa6f7a..1ae8ec86 100644 --- a/sift/config/init.sls +++ b/sift/config/init.sls @@ -3,7 +3,6 @@ include: - sift.config.user - sift.config.timezone - sift.config.folders - - sift.config.salt-minion - sift.config.samba - sift.config.tools @@ -15,7 +14,6 @@ sift-config: - sls: sift.config.user - sls: sift.config.timezone - sls: sift.config.folders - - sls: sift.config.salt-minion - sls: sift.config.samba - sls: sift.config.tools 
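Review bot: In the tests.yml matrix hunk, `os: [22.04, 24.04]` are unquoted YAML floats; they happen to print back as written, but the same pattern breaks as soon as a release such as `24.10` appears (it would reach the image tag as `24.1`), so quote them: `os: ["22.04", "24.04"]`, and the `include` entries likewise. With the container image now tagged by `${{ matrix.os }}` instead of `${{ matrix.code }}`, the `include` block mapping `24.04`/`22.04` to `noble`/`jammy` is no longer referenced anywhere in this hunk; drop it or switch the tag back to `matrix.code`, unless `matrix.code` is used outside the hunk. The `saltstack-tester:<os>-<salt>` tag is mutable, so if the CI result is meant to be reproducible, pinning the image by digest is the usual fix.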
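Review bot: Dropping `sift.config.salt-minion` from the include list (and from the `sift-config` require list in the second hunk) removes the only state that kept the `salt-minion` service stopped and disabled — the deleted `sift/config/salt-minion.sls` held `service.dead` with `enable: False`. If the minion package is still present on the image, this commit leaves the service in whatever state the package post-install chose, and on hosts already built it reverts nothing. If the intent is that the minion is no longer installed at all, say so next to the include list, e.g. `# salt-minion is no longer shipped; see sift.config.*`; otherwise keep an equivalent `service.dead`/`pkg.removed` state so the behaviour stays explicit.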
diff --git a/sift/config/salt-minion.sls b/sift/config/salt-minion.sls deleted file mode 100644 index 6de651d0..00000000 --- a/sift/config/salt-minion.sls +++ /dev/null @@ -1,4 +0,0 @@ -salt-minion: - service.dead: - - name: salt-minion - - enable: False diff --git a/sift/files/amcache/amcache.py b/sift/files/amcache/amcache.py new file mode 100644 index 00000000..a14f24f2 --- /dev/null +++ b/sift/files/amcache/amcache.py 
@@ -0,0 +1,226 @@
+#!/usr/bin/env python3
+# This file is part of python-registry.
+#
+# Copyright 2015 Will Ballenthin
+# while at Mandiant Exe
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import sys
+import logging
+import datetime
+from collections import namedtuple
+
+import argparse
+import csv
+from Registry import Registry
+from Registry.RegistryParse import parse_windows_timestamp as _parse_windows_timestamp
+
+
+g_logger = logging.getLogger("amcache")
+Field = namedtuple("Field", ["name", "getter"])
+
+
+def make_value_getter(value_name):
+ """ return a function that fetches the value from the registry key """
+ def _value_getter(key):
+ try:
+ return key.value(value_name).value()
+ except Registry.RegistryValueNotFoundException:
+ return None
+ return _value_getter
+
+
+def make_windows_timestamp_value_getter(value_name):
+ """
+ return a function that fetches the value from the registry key
+ as a Windows timestamp.
+ """
+ f = make_value_getter(value_name)
+ def _value_getter(key):
+ try:
+ return parse_windows_timestamp(f(key) or 0)
+ except ValueError:
+ return datetime.datetime.min
+ return _value_getter
+
+
+def parse_unix_timestamp(qword):
+ return datetime.datetime.fromtimestamp(qword)
+
+
+def parse_windows_timestamp(qword):
+ try:
+ return _parse_windows_timestamp(qword)
+ except ValueError:
+ return datetime.datetime.min
+
+
+def make_unix_timestamp_value_getter(value_name):
+ """
+ return a function that fetches the value from the registry key
+ as a UNIX timestamp.
+ """
+ f = make_value_getter(value_name)
+ def _value_getter(key):
+ try:
+ return parse_unix_timestamp(f(key) or 0)
+ except ValueError:
+ return datetime.datetime.min
+ return _value_getter
+
+
+UNIX_TIMESTAMP_ZERO = parse_unix_timestamp(0)
+WINDOWS_TIMESTAMP_ZERO = parse_windows_timestamp(0)
+
+
+# via: http://www.swiftforensics.com/2013/12/amcachehve-in-windows-8-goldmine-for.html
+#Product Name UNICODE string
+#==============================================================================
+#0 Product Name UNICODE string
+#1 Company Name UNICODE string
+#2 File version number only UNICODE string
+#3 Language code (1033 for en-US) DWORD
+#4 SwitchBackContext QWORD
+#5 File Version UNICODE string
+#6 File Size (in bytes) DWORD
+#7 PE Header field - SizeOfImage DWORD
+#8 Hash of PE Header (unknown algorithm) UNICODE string
+#9 PE Header field - Checksum DWORD
+#a Unknown QWORD
+#b Unknown QWORD
+#c File Description UNICODE string
+#d Unknown, maybe Major & Minor OS version DWORD
+#f Linker (Compile time) Timestamp DWORD - Unix time
+#10 Unknown DWORD
+#11 Last Modified Timestamp FILETIME
+#12 Created Timestamp FILETIME
+#15 Full path to file UNICODE string
+#16 Unknown DWORD
+#17 Last Modified Timestamp 2 FILETIME
+#100 Program ID UNICODE string
+#101 SHA1 hash of file
+
+
+# note: order here implicitly orders CSV column ordering cause I'm lazy
+FIELDS = [
+ Field("path", make_value_getter("15")),
+ Field("sha1", make_value_getter("101")),
+ Field("size", make_value_getter("6")),
+ Field("file_description", make_value_getter("c")),
+ Field("source_key_timestamp", lambda key: key.timestamp()),
+ Field("created_timestamp", make_windows_timestamp_value_getter("12")),
+ Field("modified_timestamp", make_windows_timestamp_value_getter("11")),
+ Field("modified_timestamp2", make_windows_timestamp_value_getter("17")),
+ Field("linker_timestamp", make_unix_timestamp_value_getter("f")),
+ Field("product", make_value_getter("0")),
+ Field("company", make_value_getter("1")),
+ Field("pe_sizeofimage", make_value_getter("7")),
+ Field("version_number", make_value_getter("2")),
+ Field("version", make_value_getter("5")),
+ Field("language", make_value_getter("3")),
+ Field("header_hash", make_value_getter("8")),
+ Field("pe_checksum", make_value_getter("9")),
+ Field("id", make_value_getter("100")),
+ Field("switchbackcontext", make_value_getter("4")),
+]
+
+
+ExecutionEntry = namedtuple("ExecutionEntry", map(lambda e: e.name, FIELDS))
+
+
+def parse_execution_entry(key):
+ return ExecutionEntry(**dict((e.name, e.getter(key)) for e in FIELDS))
+
+
+
+class NotAnAmcacheHive(Exception):
+ pass
+
+
+def parse_execution_entries(registry):
+ try:
+ volumes = registry.open("Root\\File")
+ except Registry.RegistryKeyNotFoundException:
+ raise NotAnAmcacheHive()
+ ret = []
+ for volumekey in volumes.subkeys():
+ for filekey in volumekey.subkeys():
+ ret.append(parse_execution_entry(filekey))
+ return ret
+
+
+TimelineEntry = namedtuple("TimelineEntry", ["timestamp", "type", "entry"])
+
+
+def main():
+
+ parser = argparse.ArgumentParser(
+ description="Parse program execution entries from the Amcache.hve Registry hive")
+ parser.add_argument("registry_hive", type=str,
+ help="Path to the Amcache.hve hive to process")
+ parser.add_argument("-v", action="store_true", dest="verbose",
+ help="Enable verbose output")
+ parser.add_argument("-t", action="store_true", dest="do_timeline",
+ help="Output in simple timeline format")
+
+ if len(sys.argv[1:]) == 0:
+ parser.print_help()
+ parser.exit()
+
+ args = parser.parse_args()
+
+ if args.verbose:
+ logging.basicConfig(level=logging.DEBUG)
+ else:
+ logging.basicConfig(level=logging.INFO)
+
+ if sys.platform == "win32":
+ import os, msvcrt
+ msvcrt.setmode(sys.stdout.fileno(), os.O_BINARY)
+
+ r = Registry.Registry(args.registry_hive)
+
+ try:
+ ee = parse_execution_entries(r)
+ except NotAnAmcacheHive:
+ g_logger.error("doesn't appear to be an Amcache.hve hive")
+ return
+
+ if args.do_timeline:
+ entries = []
+ for e in ee:
+ for t in ["source_key_timestamp", "created_timestamp", "modified_timestamp",
+ "modified_timestamp2", "linker_timestamp"]:
+ ts = getattr(e, t)
+ if ts == UNIX_TIMESTAMP_ZERO:
+ continue
+ if ts == WINDOWS_TIMESTAMP_ZERO:
+ continue
+ if ts == datetime.datetime.min:
+ continue
+
+ entries.append(TimelineEntry(ts, t, e))
+ w = csv.writer(sys.stdout, delimiter="|", quotechar="\"", quoting=csv.QUOTE_MINIMAL)
+ w.writerow(["timestamp", "timestamp_type", "path", "sha1"])
+ for e in sorted(entries, key=lambda e: e.timestamp):
+ w.writerow([e.timestamp, e.type, e.entry.path, e.entry.sha1])
+ else:
+ w = csv.writer(sys.stdout, delimiter="|", quotechar="\"", quoting=csv.QUOTE_MINIMAL)
+ w.writerow(map(lambda e: e.name, FIELDS))
+ for e in ee:
+ w.writerow(map(lambda i: getattr(e, i.name), FIELDS))
+
+
+if __name__ == "__main__":
+ main()
diff --git a/sift/packages/bless.sls b/sift/packages/bless.sls index 32b71a94..ed566c56 100644 --- a/sift/packages/bless.sls +++ b/sift/packages/bless.sls @@ -5,6 +5,12 @@ # Author: Alexandros Frantzis # License: GNU General Public License v2.0 (https://github.com/afrantzis/bless/blob/master/COPYING) # Notes: bless +# TODO: fix when package is available +{% if grains['oscodename'] != 'noble' %} bless: pkg.installed +{% else %} +Bless is not available on Noble: + test.nop +{% endif %}
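Review bot: `{% if grains['oscodename'] != 'noble' %}` in bless.sls routes every codename other than noble to `pkg.installed`, so the next Ubuntu release fails on a missing package instead of reaching the `test.nop` branch; since `.cast.yml` now lists only 22.04 and 24.04, `{% if grains['oscodename'] == 'jammy' %}` states the supported case explicitly and makes the no-op the default. The no-op state id `Bless is not available on Noble:` is valid but differs from the `sift-package-<name>` ids the rest of this commit uses; something like `sift-package-bless-unavailable:` keeps it greppable. The cryptcat.sls hunk has the same two points.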
diff --git a/sift/packages/cryptcat.sls b/sift/packages/cryptcat.sls index 8d40dc9f..a9223217 100644 --- a/sift/packages/cryptcat.sls +++ b/sift/packages/cryptcat.sls @@ -5,6 +5,12 @@ # Author: http://cryptcat.sourceforge.net/credits.php # License: GNU General Public License v2.0 # Notes: +# TODO: fix when package available +{% if grains['oscodename'] != 'noble' %} cryptcat: pkg.installed +{% else %} +Cryptcat is not available in Noble: + test.nop +{% endif %} diff --git a/sift/packages/dotnet.sls b/sift/packages/dotnet.sls index c39d5602..bb697d54 100644 --- a/sift/packages/dotnet.sls +++ b/sift/packages/dotnet.sls @@ -1,16 +1,8 @@ -{% if grains['oscodename'] == "focal" %} include: - - sift.repos.microsoft + - sift.repos.dotnet-backports -dotnet6-install: +sift-package-dotnet9: pkg.installed: - - name: dotnet-sdk-6.0 + - name: dotnet-sdk-9.0 - require: - - sls: sift.repos.microsoft - -{% elif grains['oscodename'] == "jammy" %} -sift-package-dotnet6: - pkg.installed: - - name: dotnet-sdk-6.0 - -{% endif %} + - sls: sift.repos.dotnet-backports diff --git a/sift/packages/exfat-extras.sls b/sift/packages/exfat-extras.sls index a5b27222..dfb798c7 100644 --- a/sift/packages/exfat-extras.sls +++ b/sift/packages/exfat-extras.sls @@ -1,8 +1,10 @@ -include: - - sift.packages.exfat-extras_{{ grains['oscodename'] }} +# Name: exfat-utils +# Website: https://github.com/relan/exfat +# Description: Free exFAT File System Implementation +# Category: +# Author: Relan +# License: GNU General Public License v2 (https://github.com/relan/exfat/blob/master/COPYING) +# Notes: -sift-package-exfat-extras-distro: - test.nop: - - name: sift-package-exfat-extras-distro - - require: - - sls: sift.packages.exfat-extras_{{ grains['oscodename'] }} \ No newline at end of file +exfatprogs: + pkg.installed diff --git a/sift/packages/exfat-extras_focal.sls b/sift/packages/exfat-extras_focal.sls deleted file mode 100644 index a4bda9eb..00000000 --- a/sift/packages/exfat-extras_focal.sls +++ /dev/null 
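Review bot: The new top-level state id `exfatprogs:` in exfat-extras.sls departs from the `sift-package-<name>` convention this commit applies to the other rewritten states (`sift-package-libpff1`, `sift-package-netcat-openbsd`, `sift-package-qemu-system`), and a bare package name as id collides as soon as another sls declares the same package — the deleted libpff-tools.sls and the old pff-tools.sls both carried `pff-tools:`. Prefer `sift-package-exfatprogs:` / `  pkg.installed:` / `    - name: exfatprogs`, which also matches the header block added above it.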
@@ -1,10 +0,0 @@ -# Name: exfat-utils -# Website: https://github.com/relan/exfat -# Description: Free exFAT File System Implementation -# Category: -# Author: Relan -# License: GNU General Public License v2 (https://github.com/relan/exfat/blob/master/COPYING) -# Notes: - -exfat-utils: - pkg.installed diff --git a/sift/packages/exfat-extras_jammy.sls b/sift/packages/exfat-extras_jammy.sls deleted file mode 100644 index dfb798c7..00000000 --- a/sift/packages/exfat-extras_jammy.sls +++ /dev/null @@ -1,10 +0,0 @@ -# Name: exfat-utils -# Website: https://github.com/relan/exfat -# Description: Free exFAT File System Implementation -# Category: -# Author: Relan -# License: GNU General Public License v2 (https://github.com/relan/exfat/blob/master/COPYING) -# Notes: - -exfatprogs: - pkg.installed diff --git a/sift/packages/flasm.sls b/sift/packages/flasm.sls deleted file mode 100644 index bb2c0f47..00000000 --- a/sift/packages/flasm.sls +++ /dev/null @@ -1,19 +0,0 @@ -# Name: flasm -# Website: https://www.nowrap.de/flasm.html -# Description: SWF dissassembler -# Category: -# Author: Igor Kogan -# License: BSD License (https://www.nowrap.de/flasm.html#useterms) -# Notes: flasm - -{% if grains['oscodename'] != "jammy" %} - -flasm: - pkg.installed - -{% else %} - -flasm-not-in-jammy: - test.nop - -{% endif %} diff --git a/sift/packages/init.sls b/sift/packages/init.sls index f72df38e..262ae175 100644 --- a/sift/packages/init.sls +++ b/sift/packages/init.sls @@ -40,7 +40,6 @@ include: - sift.packages.extundelete - sift.packages.fdupes - sift.packages.feh - - sift.packages.flasm - sift.packages.flex - sift.packages.foremost - sift.packages.g++ @@ -62,7 +61,6 @@ include: - sift.packages.ipython3 - sift.packages.jq - sift.packages.kdiff3 - - sift.packages.knocker - sift.packages.kpartx - sift.packages.lft - sift.packages.libafflib-dev 
@@ -246,7 +244,6 @@ sift-packages: - sls: sift.packages.extundelete - sls: sift.packages.fdupes - sls: sift.packages.feh - - sls: sift.packages.flasm - sls: sift.packages.flex - sls: sift.packages.foremost - sls: sift.packages.g++ @@ -268,7 +265,6 @@ sift-packages: - sls: sift.packages.ipython3 - sls: sift.packages.jq - sls: sift.packages.kdiff3 - - sls: sift.packages.knocker - sls: sift.packages.kpartx - sls: sift.packages.lft - sls: sift.packages.libafflib-dev diff --git a/sift/packages/knocker.sls b/sift/packages/knocker.sls deleted file mode 100644 index 76616e89..00000000 --- a/sift/packages/knocker.sls +++ /dev/null @@ -1,11 +0,0 @@ -{% if grains['oscodename'] != "jammy" %} - -knocker: - pkg.installed - -{% else %} - -knocker-not-in-jammy: - test.nop - -{% endif %} diff --git a/sift/packages/libafflib-dev.sls b/sift/packages/libafflib-dev.sls index 3254cb9f..f35364f7 100644 --- a/sift/packages/libafflib-dev.sls +++ b/sift/packages/libafflib-dev.sls @@ -1,2 +1,10 @@ +# Name: AFFLIBv3 +# Website: https://github.com/sshock/AFFLIBv3 +# Description: Development file for AFFLIB +# Category: +# Author: Simson L. Garfinkel / Phillip Hellewell et al (https://github.com/sshock/AFFLIBv3/blob/master/AUTHORS) +# License: Multiple Licenses (https://github.com/sshock/AFFLIBv3/blob/master/COPYING) +# Notes: + libafflib-dev: - pkg.installed \ No newline at end of file + pkg.installed diff --git a/sift/packages/libafflib.sls b/sift/packages/libafflib.sls index e6c810c5..3a598dc9 100644 --- a/sift/packages/libafflib.sls +++ b/sift/packages/libafflib.sls 
@@ -1,3 +1,17 @@ -libafflib: +# Name: AFFLIBv3 +# Website: https://github.com/sshock/AFFLIBv3 +# Description: AFF is an open and extensible file format to store disk images +# Category: +# Author: Simson L. Garfinkel / Phillip Hellewell et al (https://github.com/sshock/AFFLIBv3/blob/master/AUTHORS) +# License: Multiple Licenses (https://github.com/sshock/AFFLIBv3/blob/master/COPYING) +# Notes: + +{% if grains['oscodename'] == 'jammy' %} + {% set package = 'libafflib0v5' %} +{% elif grains['oscodename'] == 'noble' %} + {% set package = 'libafflib0t64' %} +{% endif %} + +sift-package-libafflib: pkg.installed: - - name: libafflib0v5 + - name: {{ package }} diff --git a/sift/packages/libbz2-dev.sls b/sift/packages/libbz2-dev.sls new file mode 100644 index 00000000..af7d9fe5 --- /dev/null +++ b/sift/packages/libbz2-dev.sls @@ -0,0 +1,3 @@ +sift-package-libbz2-dev: + pkg.installed: + - name: libbz2-dev diff --git a/sift/packages/libext2fs2.sls b/sift/packages/libext2fs2.sls index bdef2318..73938ad3 100644 --- a/sift/packages/libext2fs2.sls +++ b/sift/packages/libext2fs2.sls @@ -1,2 +1,18 @@ -libext2fs2: - pkg.installed +# Name: libext2fs2 (e2fsprogs) +# Website: https://e2fsprogs.sourceforge.net/ +# Description: File system utilities for use with the ext2 file system +# Category: +# Author: Theodore Ts'o (https://thunk.org/tytso/) +# License: GNU General Public License v2 and GNU Library General Public License v2 (https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/tree/NOTICE) +# Notes: + +{% if grains['oscodename'] == 'jammy' %} + {% set package = 'libext2fs2' %} +{% elif grains['oscodename'] == 'noble' %} + {% set package = 'libext2fs2t64' %} +{% endif %} + +sift-package-libext2fs2: + pkg.installed: + - name: {{ package }} + diff --git a/sift/packages/libicu.sls b/sift/packages/libicu.sls index 04ab6fae..44e2a810 100644 --- a/sift/packages/libicu.sls +++ b/sift/packages/libicu.sls 
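Review bot: The `{% if %}`/`{% elif %}` block in libafflib.sls sets `package` only for jammy and noble, so on any other codename `{{ package }}` renders empty and `- name:` becomes a YAML null, which surfaces as an unhelpful pkg.installed failure rather than a message naming the cause. Add a terminal branch that fails at render time — `{% else %}` / `{{ raise('libafflib: unsupported oscodename ' ~ grains['oscodename']) }}` / `{% endif %}` — or write the mapping as a dict lookup so an unknown codename raises on its own. The same pattern appears in this commit in libext2fs2.sls, libicu.sls and libpff.sls.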
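Review bot: libbz2-dev.sls is added without the `# Name / Website / Description / Category / Author / License / Notes` header block this commit adds to libafflib.sls, libpff.sls and the other package states; the new python3-magic.sls and zlib1g-dev.sls and the rewritten libicu.sls lack it as well. Filling it in from the upstream project keeps the package inventory and its licences greppable the way the rest of the tree now is.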
@@ -1,7 +1,8 @@ -{% if grains['oscodename'] == 'focal' %} -libicu66: - pkg.installed -{% elif grains['oscodename'] == 'jammy' %} -libicu70: - pkg.installed +{% if grains['oscodename'] == 'jammy' %} + {% set package = 'libicu70' %} +{% elif grains['oscodename'] == 'noble' %} + {% set package = 'libicu74' %} {% endif %} +sift-package-libicu: + pkg.installed: + - name: {{ package }} diff --git a/sift/packages/libncurses.sls b/sift/packages/libncurses.sls index 334e93bb..bef9e47a 100644 --- a/sift/packages/libncurses.sls +++ b/sift/packages/libncurses.sls @@ -1,3 +1,3 @@ -libncurses: +sift-package-libncurses: pkg.installed: - - name: libncurses5-dev + - name: libncurses-dev diff --git a/sift/packages/libpff-dev.sls b/sift/packages/libpff-dev.sls index 97b10e6e..3c632d66 100644 --- a/sift/packages/libpff-dev.sls +++ b/sift/packages/libpff-dev.sls @@ -1,2 +1,11 @@ -libpff-dev: - pkg.installed +# Name: libpff-dev +# Website: https://github.com/libyal/libpff +# Description: Development files for the libpff library +# Category: +# Author: Joachim Metz et al (https://github.com/libyal/libpff/blob/main/AUTHORS) +# License: GNU and GNU Lesser General Public License v3 (https://github.com/libyal/libpff/blob/main/COPYING) +# Notes: + +sift-package-libpff-dev: + pkg.installed: + - name: libpff-dev diff --git a/sift/packages/libpff-tools.sls b/sift/packages/libpff-tools.sls deleted file mode 100644 index 33533226..00000000 --- a/sift/packages/libpff-tools.sls +++ /dev/null @@ -1,2 +0,0 @@ -pff-tools: - pkg.installed diff --git a/sift/packages/libpff.sls b/sift/packages/libpff.sls index 22f0663b..0cca7323 100644 --- a/sift/packages/libpff.sls +++ b/sift/packages/libpff.sls 
@@ -1,2 +1,18 @@ -libpff1: - pkg.installed +# Name: libpff +# Website: https://github.com/libyal/libpff +# Description: Library to access the Personal and Offline File Folder formats (PST / OST) +# Category: +# Author: Joachim Metz et al (https://github.com/libyal/libpff/blob/main/AUTHORS) +# License: GNU and GNU Lesser General Public License v3 (https://github.com/libyal/libpff/blob/main/COPYING) +# Notes: + +{% if grains['oscodename'] == 'jammy' %} + {% set package = 'libpff1' %} +{% elif grains['oscodename'] == 'noble' %} + {% set package = 'libpff1t64' %} +{% endif %} + +sift-package-libpff1: + pkg.installed: + - name: {{ package }} + diff --git a/sift/packages/netcat.sls b/sift/packages/netcat.sls index 3d6058e1..9036fa74 100644 --- a/sift/packages/netcat.sls +++ b/sift/packages/netcat.sls @@ -1,2 +1,11 @@ -netcat: - pkg.installed +# Name: netcat-openbsd +# Website: https://github.com/openbsd/src/tree/master/usr.bin/nc +# Description: OpenBSD rewrite of the original netcat +# Category: +# Author: OpenBSD (see License for individual names) +# License: Multiple (https://git.launchpad.net/ubuntu/+source/netcat-openbsd/tree/debian/copyright) +# Notes: nc + +sift-package-netcat-openbsd: + pkg.installed: + - name: netcat-openbsd diff --git a/sift/packages/pff-tools.sls b/sift/packages/pff-tools.sls index 33533226..6fde4395 100644 --- a/sift/packages/pff-tools.sls +++ b/sift/packages/pff-tools.sls @@ -1,2 +1,11 @@ -pff-tools: - pkg.installed +# Name: pff-tools +# Website: https://github.com/libyal/libpff +# Description: Library to access the Personal and Offline File Folder formats (PST / OST) +# Category: +# Author: Joachim Metz et al (https://github.com/libyal/libpff/blob/main/AUTHORS) +# License: GNU and GNU Lesser General Public License v3 (https://github.com/libyal/libpff/blob/main/COPYING) +# Notes: pffexport, pffinfo + +sift-package-pff-tools: + pkg.installed: + - name: pff-tools 
diff --git a/sift/packages/powershell.sls b/sift/packages/powershell.sls index 089f41c2..e7bbffa3 100644 --- a/sift/packages/powershell.sls +++ b/sift/packages/powershell.sls @@ -1,24 +1,32 @@ +# Name: PowerShell +# Website: https://microsoft.com/powershell +# Description: Linux package for PowerShell +# Category: +# Author: Microsoft +# License: MIT License (https://github.com/PowerShell/PowerShell/blob/master/LICENSE.txt) +# Notes: + {# renovate: datasource=github-release-attachments depName=Powershell/Powershell #} -{%- set version = "7.4.1" -%} -{%- set hash = "625B7EE0B71147421723CB6022A41B5D8FC0D6E19DF25B1240008EE491BF6997" -%} +{%- set version = "7.4.6" -%} +{%- set hash = "79642721f0bc9baf07dafaab68ece1cbd822f86722492acf9b4031d41029a735" -%} {%- set filename = "powershell_" ~ version ~ "-1.deb_amd64.deb" -%} {%- set base_url = "https://github.com/Powershell/Powershell/releases/download/v" -%} include: - sift.packages.libicu -sift-powershell-source: +sift-package-powershell-source: file.managed: - name: /var/cache/sift/archives/{{ filename }} - source: "{{ base_url }}{{ version }}/{{ filename }}" - source_hash: sha256={{ hash }} - makedirs: True -sift-powershell: +sift-package-powershell: pkg.installed: - sources: - powershell: /var/cache/sift/archives/{{ filename }} - watch: - - file: sift-powershell-source + - file: sift-package-powershell-source - require: - sls: sift.packages.libicu diff --git a/sift/packages/python3-magic.sls b/sift/packages/python3-magic.sls new file mode 100644 index 00000000..da279b2b --- /dev/null +++ b/sift/packages/python3-magic.sls @@ -0,0 +1,3 @@ +sift-package-python3-magic: + pkg.installed: + - name: python3-magic diff --git a/sift/packages/python3-pypff.sls b/sift/packages/python3-pypff.sls index 1a05a3cb..5a33910c 100644 --- a/sift/packages/python3-pypff.sls +++ b/sift/packages/python3-pypff.sls 
@@ -1,2 +1,11 @@ -python3-pypff: - pkg.installed +# Name: python3-pypff +# Website: https://github.com/libyal/libpff +# Description: Python3 bindings for the libpff library +# Category: +# Author: Joachim Metz et al (https://github.com/libyal/libpff/blob/main/AUTHORS) +# License: GNU and GNU Lesser General Public License v3 (https://github.com/libyal/libpff/blob/main/COPYING) +# Notes: + +sift-package-python3-pypff: + pkg.installed: + - name: python3-pypff diff --git a/sift/packages/qemu.sls b/sift/packages/qemu.sls index ff7c687a..4da27bcd 100644 --- a/sift/packages/qemu.sls +++ b/sift/packages/qemu.sls @@ -1,2 +1,11 @@ -qemu: - pkg.installed \ No newline at end of file +# Name: qemu +# Website: https://www.qemu.org +# Description: A generic and open source machine emulator and virtualizer +# Category: +# Author: Multiple (https://gitlab.com/qemu-project/qemu/-/blob/master/MAINTAINERS) +# License: GNU General Public License v2 (https://gitlab.com/qemu-project/qemu/-/blob/master/LICENSE) +# Notes: + +sift-package-qemu-system: + pkg.installed: + - name: qemu-system diff --git a/sift/packages/zlib1g-dev.sls b/sift/packages/zlib1g-dev.sls new file mode 100644 index 00000000..a89aedc1 --- /dev/null +++ b/sift/packages/zlib1g-dev.sls @@ -0,0 +1,3 @@ +sift-package-zlib1g-dev: + pkg.installed: + - name: zlib1g-dev diff --git a/sift/python-packages/analyzemft.sls b/sift/python-packages/analyzemft.sls deleted file mode 100644 index 0f6cd22b..00000000 --- a/sift/python-packages/analyzemft.sls +++ /dev/null @@ -1,14 +0,0 @@ -{%- set commit="64c71d7c8905a119b7abdf9813e6ef5f11d3ccf1" -%} -include: - - sift.packages.git - - sift.packages.python3-pip - - sift.packages.python2-pip - -analyzemft: - pip.installed: - - name: git+https://github.com/dkovar/analyzeMFT.git@{{ commit }} - - bin_env: /usr/bin/python2 - - upgrade: True - - require: - - sls: sift.packages.git - - sls: sift.packages.python2-pip 
diff --git a/sift/python-packages/init.sls b/sift/python-packages/init.sls index 6bd0298e..b7acdc9b 100644 --- a/sift/python-packages/init.sls +++ b/sift/python-packages/init.sls @@ -1,5 +1,4 @@ include: - - sift.python-packages.analyzemft - sift.python-packages.appcompatprocessor - sift.python-packages.argparse - sift.python-packages.bitstring @@ -9,7 +8,6 @@ include: - sift.python-packages.docopt - sift.python-packages.geoip2 - sift.python-packages.indxparse - - sift.python-packages.ioc_writer - sift.python-packages.lxml - sift.python-packages.ntdsxtract - sift.python-packages.pefile @@ -23,16 +21,13 @@ include: - sift.python-packages.shellbags - sift.python-packages.six - sift.python-packages.unicodecsv - - sift.python-packages.usnparser - sift.python-packages.volatility - sift.python-packages.wheel - - sift.python-packages.windowsprefetch sift-python-packages: test.nop: - name: sift-python-packages - require: - - sls: sift.python-packages.analyzemft - sls: sift.python-packages.appcompatprocessor - sls: sift.python-packages.argparse - sls: sift.python-packages.bitstring @@ -42,7 +37,6 @@ sift-python-packages: - sls: sift.python-packages.docopt - sls: sift.python-packages.geoip2 - sls: sift.python-packages.indxparse - - sls: sift.python-packages.ioc_writer - sls: sift.python-packages.lxml - sls: sift.python-packages.ntdsxtract - sls: sift.python-packages.pefile @@ -56,7 +50,5 @@ sift-python-packages: - sls: sift.python-packages.shellbags - sls: sift.python-packages.six - sls: sift.python-packages.unicodecsv - - sls: sift.python-packages.usnparser - sls: sift.python-packages.volatility - sls: sift.python-packages.wheel - - sls: sift.python-packages.windowsprefetch diff --git a/sift/python-packages/ioc_writer.sls b/sift/python-packages/ioc_writer.sls deleted file mode 100644 index 076521eb..00000000 --- a/sift/python-packages/ioc_writer.sls +++ /dev/null 
@@ -1,14 +0,0 @@ -include: - - sift.packages.python3-pip - - sift.packages.python2-pip - - sift.python-packages.lxml - -sift-python-packages-ioc-writer: - pip.installed: - - name: ioc_writer - - bin_env: /usr/bin/python2 - - upgrade: True - - require: - - sls: sift.packages.python2-pip - - sls: sift.python-packages.lxml - diff --git a/sift/python-packages/usnparser.sls b/sift/python-packages/usnparser.sls deleted file mode 100644 index 9fbe5ea7..00000000 --- a/sift/python-packages/usnparser.sls +++ /dev/null @@ -1,11 +0,0 @@ -include: - - sift.packages.python3-pip - - sift.packages.python2-pip - -sift-python-packages-usnparser: - pip.installed: - - name: usnparser - - bin_env: /usr/bin/python2 - - upgrade: True - - require: - - sls: sift.packages.python2-pip diff --git a/sift/python-packages/windowsprefetch.sls b/sift/python-packages/windowsprefetch.sls deleted file mode 100644 index 02beb15d..00000000 --- a/sift/python-packages/windowsprefetch.sls +++ /dev/null @@ -1,11 +0,0 @@ -include: - - sift.packages.python3-pip - - sift.packages.python2-pip - -sift-python-packages-windowsprefetch: - pip.installed: - - name: windowsprefetch - - bin_env: /usr/bin/python2 - - upgrade: True - - require: - - sls: sift.packages.python2-pip diff --git a/sift/python3-packages/analyzemft.sls b/sift/python3-packages/analyzemft.sls new file mode 100644 index 00000000..33c7a477 --- /dev/null +++ b/sift/python3-packages/analyzemft.sls 
@@ -0,0 +1,41 @@ +# Name: analyzeMFT +# Website: https://github.com/rowingdude/analyzeMFT +# Description: NTFS MFT File Parser +# Category: +# Author: Benjamin Cance +# License: MIT License (https://github.com/rowingdude/analyzeMFT/blob/master/LICENSE.txt) +# Notes: analyzemft + +{% set commit = 'b1d0e6a0aa58d42000bfdb8e6588513bd62eaeab' %} + +include: + - sift.packages.python3-virtualenv + - sift.packages.git + +sift-python3-package-analyzemft-virtualenv: + virtualenv.managed: + - name: /opt/analyzemft + - venv_bin: /usr/bin/virtualenv + - pip_pkgs: + - pip>=24.1.3 + - setuptools>=70.0.0 + - wheel>=0.38.4 + - require: + - sls: sift.packages.python3-virtualenv + +sift-python3-package-analyzemft: + pip.installed: + - name: git+https://github.com/rowingdude/analyzemft.git@{{ commit }} + - bin_env: /opt/analyzemft/bin/python3 + - upgrade: True + - require: + - virtualenv: sift-python3-package-analyzemft-virtualenv + - sls: sift.packages.git + +sift-python3-package-analyzemft-symlink: + file.symlink: + - name: /usr/local/bin/analyzemft + - target: /opt/analyzemft/bin/analyzemft + - makedirs: False + - require: + - pip: sift-python3-package-analyzemft diff --git a/sift/python3-packages/defang.sls b/sift/python3-packages/defang.sls index d1bf3c66..62237d61 100644 --- a/sift/python3-packages/defang.sls +++ b/sift/python3-packages/defang.sls 
@@ -1,11 +1,37 @@ -# WEBSITE: https://github.com/HurricaneLabs/machinae -# LICENSE: MIT +# Name: defang +# Website: https://bitbucket.org/johannestaas/defang/src/master/ +# Description: Defangs and refangs malicious URLs +# Category: +# Author: Johan Nestaas +# License: GNU General Public License v2+ (https://bitbucket.org/johannestaas/defang/src/master/LICENSE) +# Notes: + include: - - sift.python3-packages.pip + - sift.packages.python3-virtualenv + +sift-python3-package-defang-venv: + virtualenv.managed: + - name: /opt/defang + - venv_bin: /usr/bin/virtualenv + - pip_pkgs: + - pip>=24.1.3 + - setuptools>=70.0.0 + - wheel>=0.38.4 + - require: + - sls: sift.packages.python3-virtualenv -sift-python3-packages-defang: +sift-python3-package-defang: pip.installed: - - name: defang==0.5.2 - - bin_env: /usr/bin/python3 + - name: defang + - bin_env: /opt/defang/bin/python3 + - upgrade: True + - require: + - virtualenv: sift-python3-package-defang-venv + +sift-python3-package-defang-symlink: + file.symlink: + - name: /usr/local/bin/defang + - target: /opt/defang/bin/defang + - makedirs: False - require: - - sls: sift.python3-packages.pip + - pip: sift-python3-package-defang diff --git a/sift/python3-packages/hindsight.sls b/sift/python3-packages/hindsight.sls new file mode 100644 index 00000000..d7f21a94 --- /dev/null +++ b/sift/python3-packages/hindsight.sls 
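Review bot: `- name: defang` drops the `==0.5.2` pin the old state carried, and together with `- upgrade: True` every highstate now pulls whatever PyPI serves as latest into /opt/defang; the venv's `pip_pkgs` lower bounds (`pip>=24.1.3` and friends) float the same way. For an image whose builds are meant to be reproducible, keep the pin (`- name: defang==0.5.2`, or whichever version was verified in the venv) and let renovate bump it, as powershell.sls already does with its `{# renovate: ... #}` marker. The new hindsight.sls has the same gap for `pyhindsight` and for `git+https://github.com/cclgroupltd/ccl_chromium_reader.git`, which carries no `@<commit>`, while analyzemft.sls shows the pinned form (`@{{ commit }}`).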
@@ -0,0 +1,51 @@ +# Name: hindsight +# Website: https://github.com/obsidianforensics/hindsight +# Description: Web browser forensics for Google Chrome / Chromium +# Category: +# Author: Ryan Benson (obsidianforensics) +# License: Apache License v2 (https://github.com/obsidianforensics/hindsight/blob/main/LICENSE.md) +# Notes: hindsight.py, hindsight_gui.py + +{% set files = ['hindsight.py','hindsight_gui.py'] %} + +include: + - sift.packages.python3-virtualenv + +sift-python3-package-pyhindsight-venv: + virtualenv.managed: + - name: /opt/pyhindsight + - venv_bin: /usr/bin/virtualenv + - pip_pkgs: + - pip>=24.1.3 + - setuptools>=70.0.0 + - wheel>=0.38.4 + - setuptools_rust + - keyrings.alt + - git+https://github.com/cclgroupltd/ccl_chromium_reader.git + - require: + - sls: sift.packages.python3-virtualenv + +sift-python3-package-pyhindsight: + pip.installed: + - name: pyhindsight + - bin_env: /opt/pyhindsight/bin/python3 + - upgrade: True + - require: + - virtualenv: sift-python3-package-pyhindsight-venv + +{% for file in files %} +sift-python3-package-pyhindsight-symlink-{{ file }}: + file.symlink: + - name: /usr/local/bin/{{ file }} + - target: /opt/pyhindsight/bin/{{ file }} + - makedirs: False + - require: + - pip: sift-python3-package-pyhindsight + +sift-python3-package-pyhindsight-chmod-{{ file }}: + file.managed: + - name: /opt/pyhindsight/bin/{{ file }} + - mode: 755 + - require: + - file: sift-python3-package-pyhindsight-symlink-{{ file }} +{% endfor %} diff --git a/sift/python3-packages/init.sls b/sift/python3-packages/init.sls index 4d8a3aff..975e8074 100644 --- a/sift/python3-packages/init.sls +++ b/sift/python3-packages/init.sls @@ -1,4 +1,5 @@ include: + - sift.python3-packages.analyzemft - sift.python3-packages.python3-keyring - sift.python3-packages.pip - sift.python3-packages.python3-keyring 
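Review bot: The two `file.managed` states inside the `{% for file in files %}` loop have no `source` or `contents`, and `file.managed` creates the target when it is missing, so if the pip install does not place `hindsight.py` or `hindsight_gui.py` in /opt/pyhindsight/bin the state quietly creates an empty 0755 file there and the `/usr/local/bin` symlink points at it. `- create: False` stops the state from fabricating the file; if a hard failure is wanted, a `file.exists` state on the target is the idiom. `- mode: 755` is an unquoted integer — write it `- mode: "0755"` as the file state docs recommend, so YAML never reinterprets the leading digits.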
@@ -6,23 +7,28 @@ include:
- sift.python3-packages.bitstring
- sift.python3-packages.colorama
- sift.python3-packages.geoip2
- - sift.python3-packages.ioc_writer
+ - sift.python3-packages.hindsight
+ - sift.python3-packages.ioc-writer
### - sift.python3-packages.imagemounter
- sift.python3-packages.keyrings-alt
- sift.python3-packages.lxml
+ - sift.python3-packages.mac-apt
- sift.python3-packages.machinae
- sift.python3-packages.pefile
+ - sift.python3-packages.pe-carver
+ - sift.python3-packages.pe-scanner
- sift.python3-packages.pillow
- - sift.python3-packages.pyhindsight
- sift.python3-packages.python-dateutil
- sift.python3-packages.python-evtx
- sift.python3-packages.python-magic
- - sift.python3-packages.python-registry
- sift.python3-packages.setuptools
- sift.python3-packages.setuptools-rust
- sift.python3-packages.six
+ - sift.python3-packages.sqlite-carver
- sift.python3-packages.stix-validator
- sift.python3-packages.stix
+ - sift.python3-packages.usbdeviceforensics
+ - sift.python3-packages.usnparser
- sift.python3-packages.virustotal-api
- sift.python3-packages.wheel
- sift.python3-packages.yara-python
@@ -31,6 +37,7 @@ sift-python3-packages:
test.nop:
- name: sift-python3-packages
- require:
+ - sls: sift.python3-packages.analyzemft
- sls: sift.python3-packages.python3-keyring
- sls: sift.python3-packages.pip
- sls: sift.python3-packages.python3-keyring
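Review bot: The include list still carries `- sift.python3-packages.stix` (a context line near the end of this hunk) although `sift/python3-packages/stix.sls` is deleted by this same commit, so rendering `sift.python3-packages` should fail with a missing-sls error; the matching `- sls: sift.python3-packages.stix` requisite in the `@@ -38,23 +45,28 @@` hunk has the same problem. Since `stix` now lives in the stix-validator venv's `pip_pkgs`, both lines should be removed. Conversely the new `sift/python3-packages/windowsprefetch.sls` is not added to either list, so unless it is included from somewhere outside this diff it will never be applied by the top-level state. The duplicated `sift.python3-packages.python3-keyring` entry in the `@@ -1,4 +1,5 @@` hunk is pre-existing, but this commit is a convenient moment to drop the second copy.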
@@ -38,23 +45,28 @@ sift-python3-packages:
- sls: sift.python3-packages.bitstring
- sls: sift.python3-packages.colorama
- sls: sift.python3-packages.geoip2
- - sls: sift.python3-packages.ioc_writer
+ - sls: sift.python3-packages.hindsight
+ - sls: sift.python3-packages.ioc-writer
### - sls: sift.python3-packages.imagemounter
- sls: sift.python3-packages.keyrings-alt
- sls: sift.python3-packages.lxml
+ - sls: sift.python3-packages.mac-apt
- sls: sift.python3-packages.machinae
- sls: sift.python3-packages.pefile
+ - sls: sift.python3-packages.pe-carver
+ - sls: sift.python3-packages.pe-scanner
- sls: sift.python3-packages.pillow
- - sls: sift.python3-packages.pyhindsight
- sls: sift.python3-packages.python-dateutil
- sls: sift.python3-packages.python-evtx
- sls: sift.python3-packages.python-magic
- - sls: sift.python3-packages.python-registry
- sls: sift.python3-packages.setuptools
- sls: sift.python3-packages.setuptools-rust
- sls: sift.python3-packages.six
+ - sls: sift.python3-packages.sqlite-carver
- sls: sift.python3-packages.stix-validator
- sls: sift.python3-packages.stix
+ - sls: sift.python3-packages.usbdeviceforensics
+ - sls: sift.python3-packages.usnparser
- sls: sift.python3-packages.virustotal-api
- sls: sift.python3-packages.wheel
- sls: sift.python3-packages.yara-python
diff --git a/sift/python3-packages/ioc-writer.sls b/sift/python3-packages/ioc-writer.sls
new file mode 100644
index 00000000..4b86d711
--- /dev/null
+++ b/sift/python3-packages/ioc-writer.sls
@@ -0,0 +1,47 @@
+# Name: ioc_writer
+# Website: https://github.com/mandiant/ioc_writer/
+# Description: Tool to write and edit IOC objects
+# Category:
+# Author: William Gibb
+# License: Apache License 2.0 (https://github.com/mandiant/ioc_writer/blob/master/LICENSE)
+# Notes: iocdump, openioc_10_to_11, openioc_11_to_10
+
+{% set files = ['iocdump','openioc_10_to_11','openioc_11_to_10'] %}
+
+include:
+ - sift.packages.python3-virtualenv
+ - sift.packages.libxml2-dev
+ - sift.packages.libxslt-dev
+
+sift-python3-package-ioc-writer-venv:
+ virtualenv.managed:
+ - name: /opt/ioc_writer
+ - venv_bin: /usr/bin/virtualenv
+ - pip_pkgs:
+ - pip>=24.1.3
+ - setuptools>=70.0.0
+ - wheel>=0.38.4
+ - lxml
+ - yara-python
+ - require:
+ - sls: sift.packages.python3-virtualenv
+ - sls: sift.packages.libxml2-dev
+ - sls: sift.packages.libxslt-dev
+
+sift-python3-package-ioc-writer:
+ pip.installed:
+ - name: ioc_writer
+ - bin_env: /opt/ioc_writer/bin/python3
+ - upgrade: True
+ - require:
+ - virtualenv: sift-python3-package-ioc-writer-venv
+
+{% for file in files %}
+sift-python3-package-ioc-writer-symlink-{{ file }}:
+ file.symlink:
+ - name: /usr/local/bin/{{ file }}
+ - target: /opt/ioc_writer/bin/{{ file }}
+ - makedirs: False
+ - require:
+ - pip: sift-python3-package-ioc-writer
+{% endfor %}
diff --git a/sift/python3-packages/ioc_writer.sls b/sift/python3-packages/ioc_writer.sls
deleted file mode 100644
index 34161993..00000000
--- a/sift/python3-packages/ioc_writer.sls
+++ /dev/null
@@ -1,13 +0,0 @@
-include:
- - sift.python3-packages.pip
- - sift.python3-packages.lxml
- - sift.python3-packages.yara-python
-
-sift-python3-packages-ioc-writer:
- pip.installed:
- - name: ioc_writer
- - bin_env: /usr/bin/python3
- - require:
- - sls: sift.python3-packages.pip
- - sls: sift.python3-packages.lxml
- - sls: sift.python3-packages.yara-python
diff --git a/sift/python3-packages/mac-apt.sls b/sift/python3-packages/mac-apt.sls
new file mode 100644
index 00000000..9b6fdda8
--- /dev/null
+++ b/sift/python3-packages/mac-apt.sls
@@ -0,0 +1,86 @@
+# Name: mac_apt
+# Website: https://github.com/ydkhatri/mac_apt
+# Description: macOS and iOS Artifact Parsing Tool
+# Category:
+# Author: Yogesh Khatri
+# License: MIT License (https://github.com/ydkhatri/mac_apt/blob/master/LICENSE.txt)
+# Notes: mac_apt.py, mac_apt_artifact_only.py, mac_apt_mounted_sys_data.py, ios_apt.py, extract_apfs_fs.py
+
+{% set files = ['mac_apt.py','mac_apt_artifact_only.py','mac_apt_mounted_sys_data.py','ios_apt.py','extract_apfs_fs.py'] %}
+
+include:
+ - sift.packages.python3-virtualenv
+ - sift.packages.python3-dev
+ - sift.packages.libbz2-dev
+ - sift.packages.zlib1g-dev
+ - sift.packages.git
+
+sift-python3-package-mac-apt-venv:
+ virtualenv.managed:
+ - name: /opt/mac-apt
+ - venv_bin: /usr/bin/virtualenv
+ - pip_pkgs:
+ - pip>=24.1.3
+ - setuptools>=70.0.0
+ - wheel>=0.38.4
+ - pybindgen==0.21.0
+ - require:
+ - sls: sift.packages.python3-virtualenv
+ - sls: sift.packages.python3-dev
+ - sls: sift.packages.libbz2-dev
+ - sls: sift.packages.zlib1g-dev
+
+sift-python3-package-mac-apt-git:
+ git.latest:
+ - name: https://github.com/ydkhatri/mac_apt.git
+ - target: /opt/mac-apt/bin/mac_apt_git/
+ - user: root
+ - rev: master
+ - force_clone: True
+ - force_reset: True
+ - require:
+ - sls: sift.packages.git
+ - virtualenv: sift-python3-package-mac-apt-venv
+
+sift-python3-package-mac-apt-requirements:
+ pip.installed:
+ - bin_env: /opt/mac-apt/bin/python3
+ - requirements: /opt/mac-apt/bin/mac_apt_git/requirements.txt
+ - upgrade: False
+ - cwd: /opt/mac-apt/bin/mac_apt_git/
+ - require:
+ - git: sift-python3-package-mac-apt-git
+
+{% for file in files %}
+
+sift-python3-package-mac-apt-chmod-{{ file }}:
+ file.managed:
+ - name: /opt/mac-apt/bin/mac_apt_git/{{ file }}
+ - mode: 755
+ - require:
+ - pip: sift-python3-package-mac-apt-requirements
+
+sift-python3-package-mac-apt-prepend-{{ file }}:
+ file.prepend:
+ - name: /opt/mac-apt/bin/mac_apt_git/{{ file }}
+ - text: '#!/opt/mac-apt/bin/python3'
+ - watch:
+ - 
file: sift-python3-package-mac-apt-chmod-{{ file }}
+
+sift-python3-package-mac-apt-fix-crlf-{{ file }}:
+ file.replace:
+ - name: /opt/mac-apt/bin/mac_apt_git/{{ file }}
+ - pattern: '\r'
+ - repl: ''
+ - require:
+ - file: sift-python3-package-mac-apt-prepend-{{ file }}
+
+sift-python3-package-mac-apt-symlink-{{ file }}:
+ file.symlink:
+ - name: /usr/local/bin/{{ file }}
+ - target: /opt/mac-apt/bin/mac_apt_git/{{ file }}
+ - makedirs: False
+ - require:
+ - file: sift-python3-package-mac-apt-fix-crlf-{{ file }}
+
+{% endfor %}
diff --git a/sift/python3-packages/machinae.sls b/sift/python3-packages/machinae.sls
index 5203d7d2..d9ec90d0 100644
--- a/sift/python3-packages/machinae.sls
+++ b/sift/python3-packages/machinae.sls
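Review bot: `sift-python3-package-mac-apt-git` tracks `- rev: master` with `force_clone: True` and `force_reset: True`, so every run pulls the current tip of a mutable branch into `/opt/mac-apt/bin/mac_apt_git/`, and `sift-python3-package-mac-apt-requirements` then installs whatever `requirements.txt` that tip ships, as root, with no commit, tag or hash checked. Pin `rev` to a reviewed commit, `- rev: <commit-sha>`, so the image is reproducible and an upstream push cannot change the tool between builds; the `force_reset` then only repairs local drift rather than fetching new code. The per-file chmod/prepend/fix-crlf/symlink chain is re-applied after each reset, which is fine, but a one-line comment above `{% for file in files %}` saying that the shebang is prepended because the checkout is used in place (not pip-installed) would help the next maintainer. The hunk starts at the previous line of this view.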
@@ -1,13 +1,46 @@
-# WEBSITE: https://github.com/HurricaneLabs/machinae
-# LICENSE: MIT
+# Name: machinae
+# Website: https://github.com/HurricaneLabs/machinae
+# Description: Machinae Security Intelligence Collector
+# Category:
+# Author: Hurricane Labs
+# License: MIT License (https://github.com/HurricaneLabs/machinae/blob/master/LICENSE.txt)
+# Notes:
+
include:
- - sift.python3-packages.pip
- - sift.python3-packages.defang
+ - sift.packages.python3-virtualenv
+
+sift-python3-package-machinae-venv:
+ virtualenv.managed:
+ - name: /opt/machinae
+ - venv_bin: /usr/bin/virtualenv
+ - pip_pkgs:
+ - pip>=24.1.3
+ - setuptools>=70.0.0
+ - wheel>=0.38.4
+ - defang
+ - require:
+ - sls: sift.packages.python3-virtualenv
-sift-python3-packages-machinae:
+sift-python3-package-machinae:
pip.installed:
- name: machinae
- - bin_env: /usr/bin/python3
+ - bin_env: /opt/machinae/bin/python3
+ - upgrade: True
+ - require:
+ - virtualenv: sift-python3-package-machinae-venv
+
+sift-python3-package-machinae-symlink:
+ file.symlink:
+ - name: /usr/local/bin/machinae
+ - target: /opt/machinae/bin/machinae
+ - makedirs: False
+ - require:
+ - pip: sift-python3-package-machinae
+
+sift-python3-package-machine-config:
+ file.managed:
+ - name: /etc/machinae.yml
+ - source: https://raw.githubusercontent.com/HurricaneLabs/machinae/refs/heads/master/machinae.yml
+ - skip_verify: True
- require:
- - sls: sift.python3-packages.pip
- - sls: sift.python3-packages.defang
+ - file: sift-python3-package-machinae-symlink
diff --git a/sift/python3-packages/pe-carver.sls b/sift/python3-packages/pe-carver.sls
new file mode 100644
index 00000000..4b68498c
--- /dev/null
+++ b/sift/python3-packages/pe-carver.sls
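Review bot: `sift-python3-package-machine-config` writes `/etc/machinae.yml` from `refs/heads/master` with `- skip_verify: True`, so an unverified file from a mutable branch is placed into /etc on every run and any upstream change, or a substituted response, is accepted without an integrity check; elsewhere in this commit remote sources keep a `source_hash` (packerid.sls). Point `source` at a commit and give it a digest, `- source: https://raw.githubusercontent.com/HurricaneLabs/machinae/<commit-sha>/machinae.yml` and `- source_hash: sha256=<hash>`, in place of `skip_verify`. The state id reads `machine-config` while every sibling is `machinae-…`, which looks like a typo worth fixing before another state requires it.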
@@ -0,0 +1,37 @@
+# Name: pe-carver
+# Website: https://github.com/digitalsleuth/pe-carver
+# Description: Carves EXEs from given data files
+# Category:
+# Author: Brian Baskin (Rurik), Corey Forman (digitalsleuth)
+# License: Apache License v2 (https://github.com/digitalsleuth/pe-carver/blob/main/LICENSE)
+# Notes: pe-carver
+
+include:
+ - sift.packages.python3-virtualenv
+
+sift-python3-package-pe-carver-venv:
+ virtualenv.managed:
+ - name: /opt/pe-carver
+ - venv_bin: /usr/bin/virtualenv
+ - pip_pkgs:
+ - pip>=24.1.3
+ - setuptools>=70.0.0
+ - wheel>=0.38.4
+ - require:
+ - sls: sift.packages.python3-virtualenv
+
+sift-python3-package-pe-carver:
+ pip.installed:
+ - name: pe-carver
+ - bin_env: /opt/pe-carver/bin/python3
+ - upgrade: True
+ - require:
+ - virtualenv: sift-python3-package-pe-carver-venv
+
+sift-python3-package-pe-carver-symlink:
+ file.symlink:
+ - name: /usr/local/bin/pe-carver
+ - target: /opt/pe-carver/bin/pe-carver
+ - makedirs: False
+ - require:
+ - pip: sift-python3-package-pe-carver
diff --git a/sift/python3-packages/pe-scanner.sls b/sift/python3-packages/pe-scanner.sls
new file mode 100644
index 00000000..c91dfda4
--- /dev/null
+++ b/sift/python3-packages/pe-scanner.sls
@@ -0,0 +1,42 @@
+# Name: pe-scanner
+# Website: https://github.com/digitalsleuth/pe-scanner
+# Description: Python 3 rebuild of the original pescanner
+# Category:
+# Author: Michael Ligh, Glenn P. Edwards Jr., Corey Forman (digitalsleuth)
+# License: GNU General Public License v3 (https://github.com/digitalsleuth/pe-scanner/blob/main/LICENSE)
+# Notes: pe-scanner
+
+include:
+ - sift.packages.python3-virtualenv
+ - sift.packages.git
+ - sift.packages.python3-magic
+
+sift-python3-package-pe-scanner-venv:
+ virtualenv.managed:
+ - name: /opt/pe-scanner
+ - venv_bin: /usr/bin/virtualenv
+ - system_site_packages: True
+ - pip_pkgs:
+ - pip>=24.1.3
+ - setuptools>=70.0.0
+ - wheel>=0.38.4
+ - require:
+ - sls: sift.packages.python3-virtualenv
+
+sift-python3-package-pe-scanner:
+ pip.installed:
+ - name: git+https://github.com/digitalsleuth/pe-scanner.git
+ - bin_env: /opt/pe-scanner/bin/python3
+ - upgrade: True
+ - require:
+ - virtualenv: sift-python3-package-pe-scanner-venv
+ - sls: sift.packages.git
+ - sls: sift.packages.python3-magic
+
+sift-python3-package-pe-scanner-symlink:
+ file.symlink:
+ - name: /usr/local/bin/pe-scanner
+ - target: /opt/pe-scanner/bin/pe-scanner
+ - makedirs: False
+ - require:
+ - pip: sift-python3-package-pe-scanner
diff --git a/sift/python3-packages/pyhindsight.sls b/sift/python3-packages/pyhindsight.sls
deleted file mode 100644
index 3fe531af..00000000
--- a/sift/python3-packages/pyhindsight.sls
+++ /dev/null
@@ -1,55 +0,0 @@
-include:
- - sift.python3-packages.pip
- - sift.python3-packages.setuptools-rust
- - sift.python3-packages.keyrings-alt
-
-sift-python3-packages-pyhindsight:
- pip.installed:
- - name: pyhindsight
- - bin_env: /usr/bin/python3
- - require:
- - sls: sift.python3-packages.pip
- - sls: sift.python3-packages.setuptools-rust
- - sls: sift.python3-packages.keyrings-alt
-
-sift-python3-packages-pyhindsight-encoding:
- file.replace:
- - name: /usr/local/bin/hindsight.py
- - pattern: '\r'
- - repl: ''
- - require:
- - pip: sift-python3-packages-pyhindsight
-
-sift-python3-packages-pyhindsight-chmod:
- file.managed:
- - name: /usr/local/bin/hindsight.py
- - mode: 755
- - watch:
- - file: sift-python3-packages-pyhindsight-encoding
-
-sift-python3-packages-pyhindsight-gui-encoding:
- file.replace:
- - name: /usr/local/bin/hindsight_gui.py
- - pattern: '\r'
- - repl: ''
- - require:
- - pip: sift-python3-packages-pyhindsight
-
-sift-python3-packages-pyhindsight-gui-prepend:
- file.replace:
- - name: /usr/local/bin/hindsight_gui.py
- - pattern: '#!/usr/bin/env python3'
- - repl: '#!/usr/bin/env python3'
- - prepend_if_not_found: True
- - count: 1
- - require:
- - pip: sift-python3-packages-pyhindsight
-
-sift-python3-packages-pyhindsight-gui-chmod:
- file.managed:
- - name: /usr/local/bin/hindsight_gui.py
- - mode: 755
- - watch:
- - file: sift-python3-packages-pyhindsight-gui-prepend
-
-
diff --git a/sift/python3-packages/python-evtx.sls b/sift/python3-packages/python-evtx.sls
index cde132cc..63ada010 100644
--- a/sift/python3-packages/python-evtx.sls
+++ b/sift/python3-packages/python-evtx.sls
@@ -4,16 +4,51 @@
# Category:
# Author: Willi Ballenthin
# License: Apache License 2.0 (https://github.com/williballenthin/python-evtx/blob/master/LICENSE.TXT)
-# Notes: evtx_dates.py, evtx_dump.py, evtx_dump_chunk_slack.py, evtx_dump_json.py, evtx_info.py
+# Notes: evtx_dump.py, evtx_dump_chunk_slack.py, evtx_dump_json.py, evtx_eid_record_numbers.py, evtx_extract_record.py, evtx_filter_records.py, evtx_info.py, evtx_record_structure.py, evtx_structure.py, evtx_templates.py
+
+{% set files = ['evtx_dump.py','evtx_dump_chunk_slack.py','evtx_dump_json.py','evtx_eid_record_numbers.py','evtx_extract_record.py','evtx_filter_records.py','evtx_info.py','evtx_record_structure.py','evtx_structure.py','evtx_templates.py'] %}
include:
- - sift.python3-packages.pip
+ - sift.packages.python3-virtualenv
- sift.packages.git
-sift-python3-packages-python-evtx:
+sift-python3-package-python-evtx-venv:
+ virtualenv.managed:
+ - name: /opt/python-evtx
+ - venv_bin: /usr/bin/virtualenv
+ - pip_pkgs:
+ - pip>=24.1.3
+ - setuptools>=70.0.0
+ - wheel>=0.38.4
+ - xmltodict
+ - lxml
+ - require:
+ - sls: sift.packages.python3-virtualenv
+
+sift-python3-package-python-evtx:
pip.installed:
- name: git+https://github.com/williballenthin/python-evtx.git
- - bin_env: /usr/bin/python3
+ - bin_env: /opt/python-evtx/bin/python3
+ - upgrade: True
- require:
- - sls: sift.python3-packages.pip
+ - virtualenv: sift-python3-package-python-evtx-venv
- sls: sift.packages.git
+
+sift-python3-package-python-evtx-import-fix:
+ file.replace:
+ - name: /opt/python-evtx/bin/evtx_eid_record_numbers.py
+ - pattern: 'from filter_records'
+ - repl: 'from evtx_filter_records'
+ - count: 1
+ - require:
+ - pip: sift-python3-package-python-evtx
+
+{% for file in files %}
+sift-python3-package-python-evtx-symlink-{{ file }}:
+ file.symlink:
+ - name: /usr/local/bin/{{ file }}
+ - target: /opt/python-evtx/bin/{{ file }}
+ - makedirs: False
+ - require:
+ - pip: sift-python3-package-python-evtx
+{% endfor %}
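Review bot: The symlink loop requires only `- pip: sift-python3-package-python-evtx`, so `/usr/local/bin/evtx_eid_record_numbers.py` may be linked and usable before `sift-python3-package-python-evtx-import-fix` has rewritten `from filter_records`, and with `upgrade: True` a reinstall on a later run puts the broken import back until the replace runs again. Add `- file: sift-python3-package-python-evtx-import-fix` to the loop's `require` so the link is only published once the patched script is in place. A short comment above the import-fix state naming the upstream issue it works around (or at least the symptom) would tell the next maintainer when it can be removed. The file's header comment starts above this hunk.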
diff --git a/sift/python3-packages/python-registry.sls b/sift/python3-packages/python-registry.sls
deleted file mode 100644
index e8c3ab71..00000000
--- a/sift/python3-packages/python-registry.sls
+++ /dev/null
@@ -1,9 +0,0 @@
-include:
- - sift.python3-packages.pip
-
-sift-python3-packages-python-registry:
- pip.installed:
- - name: python-registry
- - bin_env: /usr/bin/python3
- - require:
- - sls: sift.python3-packages.pip
diff --git a/sift/python3-packages/sqlite-carver.sls b/sift/python3-packages/sqlite-carver.sls
new file mode 100644
index 00000000..d086c8e7
--- /dev/null
+++ b/sift/python3-packages/sqlite-carver.sls
@@ -0,0 +1,37 @@
+# Name: sqlite-carver
+# Website: https://github.com/digitalsleuth/sqlite-carver
+# Description: Script to recover deleted entries in an SQLite database, rebuild of SQLite-Deleted-Records-Parser
+# Category:
+# Author: Mari DeGrazia and Corey Forman (digitalsleuth)
+# License: GNU General Public License v3 (https://github.com/digitalsleuth/sqlite-carver/blob/main/LICENSE)
+# Notes: sqlite-carver
+
+include:
+ - sift.packages.python3-virtualenv
+
+sift-python3-package-sqlite-carver-venv:
+ virtualenv.managed:
+ - name: /opt/sqlite-carver
+ - venv_bin: /usr/bin/virtualenv
+ - pip_pkgs:
+ - pip>=24.1.3
+ - setuptools>=70.0.0
+ - wheel>=0.38.4
+ - require:
+ - sls: sift.packages.python3-virtualenv
+
+sift-python3-package-sqlite-carver:
+ pip.installed:
+ - name: sqlite-carver
+ - bin_env: /opt/sqlite-carver/bin/python3
+ - upgrade: True
+ - require:
+ - virtualenv: sift-python3-package-sqlite-carver-venv
+
+sift-python3-package-sqlite-carver-symlink:
+ file.symlink:
+ - name: /usr/local/bin/sqlite-carver
+ - target: /opt/sqlite-carver/bin/sqlite-carver
+ - makedirs: False
+ - require:
+ - pip: sift-python3-package-sqlite-carver
diff --git a/sift/python3-packages/stix-validator.sls b/sift/python3-packages/stix-validator.sls
index e9e8d559..d29b206e 100644
--- a/sift/python3-packages/stix-validator.sls
+++ b/sift/python3-packages/stix-validator.sls
@@ -1,11 +1,39 @@
+# Name: stix-validator
+# Website: https://stixproject.github.io/
+# Description: Tool for using the Structured Threat Information eXpression language
+# Category:
+# Author: The MITRE Corporation
+# License: BSD 3-Clause (https://github.com/STIXProject/stix-validator/blob/master/LICENSE.txt)
+# Notes: stix-validator
+
include:
- - sift.python3-packages.pip
- - sift.python3-packages.stix
+ - sift.packages.python3-virtualenv
+
+sift-python3-package-stix-validator-venv:
+ virtualenv.managed:
+ - name: /opt/stix-validator
+ - venv_bin: /usr/bin/virtualenv
+ - pip_pkgs:
+ - pip>=24.1.3
+ - setuptools>=70.0.0
+ - wheel>=0.38.4
+ - lxml
+ - stix
+ - require:
+ - sls: sift.packages.python3-virtualenv
-sift-python3-packages-stix-validator:
+sift-python3-package-stix-validator:
pip.installed:
- name: stix-validator
- - bin_env: /usr/bin/python3
+ - bin_env: /opt/stix-validator/bin/python3
+ - upgrade: True
+ - require:
+ - virtualenv: sift-python3-package-stix-validator-venv
+
+sift-python3-package-stix-validator-symlink:
+ file.symlink:
+ - name: /usr/local/bin/stix-validator
+ - target: /opt/stix-validator/bin/stix-validator
+ - makedirs: False
- require:
- - sls: sift.python3-packages.pip
- - sls: sift.python3-packages.stix
+ - pip: sift-python3-package-stix-validator
diff --git a/sift/python3-packages/stix.sls b/sift/python3-packages/stix.sls
deleted file mode 100644
index fd1c2f0e..00000000
--- a/sift/python3-packages/stix.sls
+++ /dev/null
@@ -1,11 +0,0 @@
-include:
- - sift.python3-packages.pip
- - sift.python3-packages.lxml
-
-sift-python3-packages-stix:
- pip.installed:
- - name: stix
- - bin_env: /usr/bin/python3
- - require:
- - sls: sift.python3-packages.pip
- - sls: sift.python3-packages.lxml
diff --git a/sift/python3-packages/usbdeviceforensics.sls b/sift/python3-packages/usbdeviceforensics.sls
new file mode 100644
index 00000000..aaa25788
--- /dev/null
+++ b/sift/python3-packages/usbdeviceforensics.sls
@@ -0,0 +1,43 @@
+# Name: usbdeviceforensics
+# Website: https://github.com/digitalsleuth/usbdeviceforensics
+# Description: Python script to parse USB Device artifacts from Windows systems
+# Category:
+# Author: Mark Woan, Corey Forman (digitalsleuth)
+# License: None
+# Notes: usbdeviceforensics
+
+include:
+ - sift.packages.python3-virtualenv
+ - sift.packages.git
+ - sift.packages.python3-dev
+
+sift-python3-package-usbdeviceforensics-venv:
+ virtualenv.managed:
+ - name: /opt/usbdeviceforensics
+ - venv_bin: /usr/bin/virtualenv
+ - pip_pkgs:
+ - pip>=24.1.3
+ - setuptools>=70.0.0
+ - wheel>=0.38.4
+ - python-registry
+ - enum34
+ - require:
+ - sls: sift.packages.python3-virtualenv
+
+sift-python3-package-usbdeviceforensics:
+ pip.installed:
+ - name: git+https://github.com/digitalsleuth/usbdeviceforensics.git
+ - bin_env: /opt/usbdeviceforensics/bin/python3
+ - upgrade: True
+ - require:
+ - virtualenv: sift-python3-package-usbdeviceforensics-venv
+ - sls: sift.packages.git
+ - sls: sift.packages.python3-dev
+
+sift-python3-package-usbdeviceforensics-symlink:
+ file.symlink:
+ - name: /usr/local/bin/usbdeviceforensics
+ - target: /opt/usbdeviceforensics/bin/usbdeviceforensics
+ - force: True
+ - require:
+ - pip: sift-python3-package-usbdeviceforensics
diff --git a/sift/python3-packages/usnparser.sls b/sift/python3-packages/usnparser.sls
new file mode 100644
index 00000000..3d17908f
--- /dev/null
+++ b/sift/python3-packages/usnparser.sls
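Review bot: `- enum34` is listed in `pip_pkgs` for a Python 3 virtualenv; enum34 is the Python 2 backport and is widely reported to shadow the standard-library `enum` module when installed on 3.6 or later, breaking imports such as `re` inside that venv. If the upstream project does not actually declare it, drop the line; if it does, that is a packaging problem to raise upstream rather than to reproduce here, and a comment should record why it is kept. `- force: True` on the symlink also replaces any existing `/usr/local/bin/usbdeviceforensics` file without a trace, unlike the `makedirs: False` siblings; a comment saying what it is expected to overwrite (presumably the old script from `sift.scripts.usbdeviceforensics`, which I cannot confirm from this diff) would make that deliberate.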
@@ -0,0 +1,37 @@
+# Name: USN Journal Parser
+# Website: https://github.com/digitalsleuth/USN-Journal-Parser
+# Description: Python script to parse the NTFS USN Change Journal
+# Category:
+# Author: Adam Witt (PoorBillionaire) / Corey Forman (digitalsleuth)
+# License: Apache License v2 (https://github.com/digitalsleuth/USN-Journal-Parser/blob/main/LICENSE)
+# Notes: usnparser
+
+include:
+ - sift.packages.python3-virtualenv
+
+sift-python3-package-usnparser-venv:
+ virtualenv.managed:
+ - name: /opt/usnparser
+ - venv_bin: /usr/bin/virtualenv
+ - pip_pkgs:
+ - pip>=24.1.3
+ - setuptools>=70.0.0
+ - wheel>=0.38.4
+ - require:
+ - sls: sift.packages.python3-virtualenv
+
+sift-python3-package-usnparser:
+ pip.installed:
+ - name: git+https://github.com/digitalsleuth/USN-Journal-Parser.git
+ - bin_env: /opt/usnparser/bin/python3
+ - upgrade: True
+ - require:
+ - virtualenv: sift-python3-package-usnparser-venv
+
+sift-python3-package-usnparser-symlink:
+ file.symlink:
+ - name: /usr/local/bin/usnparser
+ - target: /opt/usnparser/bin/usn.py
+ - force: True
+ - require:
+ - pip: sift-python3-package-usnparser
diff --git a/sift/python3-packages/windowsprefetch.sls b/sift/python3-packages/windowsprefetch.sls
new file mode 100644
index 00000000..321961f6
--- /dev/null
+++ b/sift/python3-packages/windowsprefetch.sls
@@ -0,0 +1,37 @@
+# Name: windowsprefetch
+# Website: https://github.com/PoorBillionaire/Windows-Prefetch-Parser
+# Description: Windows Prefetch file parser
+# Category:
+# Author: Adam Witt (PoorBillionaire)
+# License: Apache License v2 (https://github.com/PoorBillionaire/Windows-Prefetch-Parser/blob/master/LICENSE)
+# Notes: prefetch.py
+
+include:
+ - sift.packages.python3-virtualenv
+
+sift-python3-package-windowsprefetch-venv:
+ virtualenv.managed:
+ - name: /opt/windowsprefetch
+ - venv_bin: /usr/bin/virtualenv
+ - pip_pkgs:
+ - pip>=24.1.3
+ - setuptools>=70.0.0
+ - wheel>=0.38.4
+ - require:
+ - sls: sift.packages.python3-virtualenv
+
+sift-python3-package-windowsprefetch:
+ pip.installed:
+ - name: windowsprefetch
+ - bin_env: /opt/windowsprefetch/bin/python3
+ - upgrade: True
+ - require:
+ - virtualenv: sift-python3-package-windowsprefetch-venv
+
+sift-python3-package-windowsprefetch-symlink:
+ file.symlink:
+ - name: /usr/local/bin/prefetch.py
+ - target: /opt/windowsprefetch/bin/prefetch.py
+ - makedirs: False
+ - require:
+ - pip: sift-python3-package-windowsprefetch
diff --git a/sift/repos/dotnet-backports.sls b/sift/repos/dotnet-backports.sls
new file mode 100644
index 00000000..bf33949d
--- /dev/null
+++ b/sift/repos/dotnet-backports.sls
@@ -0,0 +1,12 @@
+include:
+ - sift.packages.software-properties-common
+
+sift-dotnet-backports-repo:
+ pkgrepo.managed:
+ - name: dotnet-backports
+ - ppa: dotnet/backports
+ - keyid: 45A3F127159BE9E5017811C62125B164E8E5D3FA
+ - keyserver: hkp://p80.pool.sks-keyservers.net:80
+ - refresh: true
+ - require:
+ - sls: sift.packages.software-properties-common
diff --git a/sift/repos/init.sls b/sift/repos/init.sls
index bc079fbe..44e33226 100644
--- a/sift/repos/init.sls
+++ b/sift/repos/init.sls
@@ -5,7 +5,7 @@ include:
- sift.repos.openjdk
- sift.repos.ubuntu-multiverse
- sift.repos.ubuntu-universe
-
+ - sift.repos.dotnet-backports
sift-repos:
test.nop:
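Review bot: `- keyserver: hkp://p80.pool.sks-keyservers.net:80` in `sift-dotnet-backports-repo` names the SKS keyserver pool, which was shut down in 2021, so if Salt ever uses this value to fetch `keyid` the state will fail at build time; with a `ppa:` source on Ubuntu the key is normally obtained through the PPA mechanism itself, in which case the `keyid`/`keyserver` pair is dead configuration that will mislead the next reader. Either drop both keys and rely on the PPA path, or point at a live server such as `- keyserver: hkp://keyserver.ubuntu.com:80`, and add a one-line comment saying which path is intended. The fingerprint itself is new in this commit and I cannot verify it from the diff; a comment recording where it was obtained (Launchpad PPA page) is the usual way to make that auditable.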
@@ -17,4 +17,4 @@ sift-repos:
- sls: sift.repos.openjdk
- sls: sift.repos.ubuntu-multiverse
- sls: sift.repos.ubuntu-universe
-
+ - sls: sift.repos.dotnet-backports
diff --git a/sift/scripts/afterglow.sls b/sift/scripts/afterglow.sls
deleted file mode 100644
index e3aa20ec..00000000
--- a/sift/scripts/afterglow.sls
+++ /dev/null
@@ -1,21 +0,0 @@
-# license=gpl
-# license_source=https://github.com/zrlram/afterglow/blob/master/afterglow.pl
-
-{% set commit = "91e7dd3f1f7fb9ab3b68fbe47b31997d8f073c1c" %}
-{% set hash = "95900e17f696d4020efc9f52399996badc9974aa084e593200a1a54c1a523a3f" %}
-
-sift-scripts-afterglow:
- file.managed:
- - name: /usr/local/bin/afterglow.pl
- - source: https://raw.githubusercontent.com/zrlram/afterglow/{{ commit }}/afterglow.pl
- - source_hash: sha256={{ hash }}
- - mode: 755
-
-sift-scripts-afterglow-shebang:
- file.replace:
- - name: /usr/local/bin/afterglow.pl
- - pattern: '#!/usr/bin/perl'
- - repl: '#!/usr/bin/env perl'
- - count: 1
- - watch:
- - file: sift-scripts-afterglow
diff --git a/sift/scripts/amcache.sls b/sift/scripts/amcache.sls
index 0d6b2764..f110f4cc 100644
--- a/sift/scripts/amcache.sls
+++ b/sift/scripts/amcache.sls
@@ -1,22 +1,46 @@
-# source=https://github.com/williballenthin/python-registry
-# license=apache2
-# license_source=https://github.com/williballenthin/python-registry/blob/master/LICENSE.TXT
+# Name: amcache
+# Website: https://github.com/williballenthin/python-registry
+# Description: Python script to parse amcache artifacts from the Amcache.hve registry file
+# Category:
+# Author: Willi Ballenthin
+# License: Apache License v2 (https://github.com/williballenthin/python-registry/blob/master/LICENSE.TXT)
+# Notes: amcache.py
-{% set commit = "1a669eada6f7933798751e0cf482a9eb654c739b" -%}
-{% set hash = "1065c23fdea1fde90e931bf5ccabc93b508bee0f6855a6ef2b3b9fd74495e279" -%}
+include:
+ - sift.packages.python3-virtualenv
-sift-scripts-amcache:
- file.managed:
- - name: /usr/local/bin/amcache.py
- - source: https://raw.githubusercontent.com/williballenthin/python-registry/{{ commit }}/samples/amcache.py
- - source_hash: sha256={{ hash }}
- - mode: 755
+sift-python3-package-amcache-venv:
+ virtualenv.managed:
+ - name: /opt/amcache
+ - venv_bin: /usr/bin/virtualenv
+ - pip_pkgs:
+ - pip>=24.1.3
+ - setuptools>=70.0.0
+ - wheel>=0.38.4
+ - python-registry
+ - require:
+ - sls: sift.packages.python3-virtualenv
+
+sift-python3-package-amcache:
+ file.recurse:
+ - name: /opt/amcache/bin/
+ - source: salt://sift/files/amcache
+ - file_mode: 755
-sift-scripts-amcache-shebang:
+sift-python3-package-amcache-shebang:
file.replace:
- - name: /usr/local/bin/amcache.py
- - pattern: '#!/usr/bin/python'
- - repl: '#!/usr/bin/env python2'
+ - name: /opt/amcache/bin/amcache.py
+ - pattern: '#!/usr/bin/env python3'
+ - repl: '#!/opt/amcache/bin/python3'
- count: 1
- watch:
- - file: sift-scripts-amcache
+ - file: sift-python3-package-amcache
+
+sift-python3-package-amcache-symlink:
+ file.symlink:
+ - name: /usr/local/bin/amcache.py
+ - target: /opt/amcache/bin/amcache.py
+ - makedirs: False
+ - force: True
+ - require:
+ - file: sift-python3-package-amcache
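Review bot: `sift-python3-package-amcache` (the `file.recurse` into `/opt/amcache/bin/`) carries no requisite on `sift-python3-package-amcache-venv`, so it is ordered only by its position in the file, and the symlink requires the recurse rather than the shebang rewrite, so `/usr/local/bin/amcache.py` can be published while the script's `#!/usr/bin/env python3` still resolves to whichever interpreter is first on PATH instead of the venv that holds python-registry. Add `- require:` with `- virtualenv: sift-python3-package-amcache-venv` to the recurse state and change the symlink's requisite to `- file: sift-python3-package-amcache-shebang`. Replacing the commit-pinned `source_hash` download with the vendored `salt://sift/files/amcache` copy keeps the script reviewable in-repo; a comment stating which upstream commit the vendored file was taken from would preserve what the removed `{% set commit %}` line documented.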
diff --git a/sift/scripts/docker-compose.sls b/sift/scripts/docker-compose.sls
index c93802f9..554ffe48 100644
--- a/sift/scripts/docker-compose.sls
+++ b/sift/scripts/docker-compose.sls
@@ -1,10 +1,9 @@
-{%- set version = "2.15.1" -%}
-{%- set hash = "bcfd9ea51dee4c19dccdfaeef0e7956ef68bf14f3d175933742061a7271ef0f5" -%}
+{%- set version = "2.32.4" -%}
sift-scripts-docker-compose:
file.managed:
- name: /usr/local/bin/docker-compose
- source: https://github.com/docker/compose/releases/download/v{{ version }}/docker-compose-{{ grains['kernel'] }}-{{ grains['cpuarch'] }}
- - source_hash: sha256={{ hash }}
+ - source_hash: https://github.com/docker/compose/releases/download/v{{ version }}/docker-compose-{{ grains['kernel'] }}-{{ grains['cpuarch'] }}.sha256
- mode: 755
- replace: True
diff --git a/sift/scripts/dumbpig.sls b/sift/scripts/dumbpig.sls
deleted file mode 100644
index 7e47685a..00000000
--- a/sift/scripts/dumbpig.sls
+++ /dev/null
@@ -1,12 +0,0 @@
-# source=https://github.com/leonward/dumbpig
-# license=gpl
-
-{% set commit = "429a880e6fb8e1528e406bc962e23f16df5ca959" -%}
-{% set hash = "cbb11d7a20556b8c645e71b0c3dc422b4e48c2f18dce719cf6504a4af516bf07" -%}
-
-sift-scripts-dumbpig:
- file.managed:
- - name: /usr/local/bin/dumbpig.pl
- - source: https://raw.githubusercontent.com/leonward/dumbpig/{{ commit }}/dumbpig.pl
- - source_hash: sha256={{ hash }}
- - mode: 755
diff --git a/sift/scripts/init.sls b/sift/scripts/init.sls
index a29a0e68..e95f038e 100644
--- a/sift/scripts/init.sls
+++ b/sift/scripts/init.sls
@@ -1,10 +1,8 @@
include:
- sift.scripts.4n6
- - sift.scripts.afterglow
- sift.scripts.amcache
- sift.scripts.cyberchef
- sift.scripts.densityscout
- - sift.scripts.dumbpig
- sift.scripts.dump-mft-entry
- sift.scripts.image-mounter
- sift.scripts.java-idx-parser
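Review bot: `source_hash` in `sift-scripts-docker-compose` now points at the `.sha256` file published next to the binary on the same release URL, so the check only catches download corruption; whoever can substitute the binary on that path can substitute the digest beside it, whereas the removed `sha256={{ hash }}` value was an independent, committed pin. Keep a literal digest for the chosen release, `{%- set hash = "<sha256 of the v2.32.4 artifact>" -%}` with `- source_hash: sha256={{ hash }}`, and bump it together with `version`. If a single literal is impractical because the artifact name varies with `grains['cpuarch']`, a small per-arch map in Jinja keeps the pin, and a comment next to the URL-based hash should say that this is the trade-off being made.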
@@ -12,18 +10,16 @@ include:
- sift.scripts.keydet-tools
- sift.scripts.packerid
- sift.scripts.page-brute
- - sift.scripts.parseusn
- sift.scripts.pdf-tools
- - sift.scripts.pe-carver
- sift.scripts.pescanner
+ - sift.scripts.pe-carver
- sift.scripts.regripper
- sift.scripts.screen-scale
- sift.scripts.shim-cache-parser
- sift.scripts.sift
- sift.scripts.sorter
- - sift.scripts.sqlite_miner
- - sift.scripts.sqlparser
- sift.scripts.usbdeviceforensics
+ - sift.scripts.sqlparser
- sift.scripts.virustotal-tools
- sift.scripts.vshot
- sift.scripts.zimmerman
@@ -33,11 +29,9 @@ sift-scripts:
- name: sift-scripts
- require:
- sls: sift.scripts.4n6
- - sls: sift.scripts.afterglow
- sls: sift.scripts.amcache
- sls: sift.scripts.cyberchef
- sls: sift.scripts.densityscout
- - sls: sift.scripts.dumbpig
- sls: sift.scripts.dump-mft-entry
- sls: sift.scripts.image-mounter
- sls: sift.scripts.java-idx-parser
@@ -45,18 +39,16 @@ sift-scripts:
- sls: sift.scripts.keydet-tools
- sls: sift.scripts.packerid
- sls: sift.scripts.page-brute
- - sls: sift.scripts.parseusn
- sls: sift.scripts.pdf-tools
- - sls: sift.scripts.pe-carver
- sls: sift.scripts.pescanner
+ - sls: sift.scripts.pe-carver
- sls: sift.scripts.regripper
- sls: sift.scripts.screen-scale
- sls: sift.scripts.shim-cache-parser
- sls: sift.scripts.sift
- sls: sift.scripts.sorter
- - sls: sift.scripts.sqlite_miner
- - sls: sift.scripts.sqlparser
- sls: sift.scripts.usbdeviceforensics
+ - sls: sift.scripts.sqlparser
- sls: sift.scripts.virustotal-tools
- sls: sift.scripts.vshot
- sls: sift.scripts.zimmerman
diff --git a/sift/scripts/packerid.sls b/sift/scripts/packerid.sls
index 172fda40..94a66eda 100644
--- a/sift/scripts/packerid.sls
+++ b/sift/scripts/packerid.sls
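Review bot: The new include list keeps `- sift.scripts.pescanner` and re-adds `- sift.scripts.pe-carver` directly under it, yet `sift/scripts/pescanner.sls` and `sift/scripts/pe-carver.sls` are both deleted later in this diff, so `sift.scripts` should fail to render with a missing-sls error; the `@@ -45,18 +39,16 @@` hunk repeats both as `- sls:` requisites. Their replacements are `sift.python3-packages.pe-carver` and `sift.python3-packages.pe-scanner`, already wired into `sift/python3-packages/init.sls`, so the two include lines and their `- sls:` twins should simply be removed here. `- sift.scripts.usbdeviceforensics` stays as context while a python3-packages state of the same name is added; I cannot see from this diff whether the scripts-side file still exists, so that one is worth confirming rather than assuming.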
@@ -1,30 +1,52 @@
-# source=https://github.com/sooshie/packerid
-# license=Unknown
+# Name: packerid
+# Website: https://github.com/sooshie/packerid
+# Description: Script to identify packed files
+# Category:
+# Author: Jim Clausing
+# License: Unknown
+# Notes: packerid

-{% set commit = "7b2ee6ef57db903bf356fd342c8ca998abdb68cd" -%}
-{% set hash = "sha256=be589d4cbe70ecdc3424a6da48d8fc24630d51a6ebf92e5328b36e39423eb038" -%}
+{% set commit = "bc54e6d5204ebe83db8d87125d677035d9f456a7" -%}
+{% set hash = "sha256=417830ccbf357e8e2b7d9cf47ee4a63a481151fc8cdf03c40b5538aecf96d15d" -%}

 include:
- - sift.packages.python2
- - sift.python-packages.pefile
- - sift.python-packages.capstone
+ - sift.packages.python3-virtualenv

-sift-scripts-packerid:
+sift-python3-package-packerid-venv:
+ virtualenv.managed:
+ - name: /opt/packerid
+ - venv_bin: /usr/bin/virtualenv
+ - pip_pkgs:
+ - pip>=24.1.3
+ - setuptools>=70.0.0
+ - wheel>=0.38.4
+ - pefile
+ - capstone
+ - require:
+ - sls: sift.packages.python3-virtualenv
+
+sift-python3-package-packerid:
 file.managed:
- - name: /usr/local/bin/packerid.py
+ - name: /opt/packerid/bin/packerid.py
 - source: https://raw.githubusercontent.com/sooshie/packerid/{{ commit }}/packerid.py
 - source_hash: {{ hash }}
 - mode: 755
 - require:
- - sls: sift.packages.python2
- - sls: sift.python-packages.pefile
- - sls: sift.python-packages.capstone
+ - virtualenv: sift-python3-package-packerid-venv

-sift-scripts-packerid-shebang:
+sift-python3-package-packerid-shebang:
 file.replace:
- - name: /usr/local/bin/packerid.py
+ - name: /opt/packerid/bin/packerid.py
 - pattern: '#!/usr/local/bin/python'
- - repl: '#!/usr/bin/env python2'
+ - repl: '#!/opt/packerid/bin/python3'
 - count: 1
 - watch:
- - file: sift-scripts-packerid
+ - file: sift-python3-package-packerid
+
+sift-python3-package-packerid-symlink:
+ file.symlink:
+ - name: /usr/local/bin/packerid.py
+ - target: /opt/packerid/bin/packerid.py
+ - makedirs: False
+ - require:
+ - file: sift-python3-package-packerid
diff --git a/sift/scripts/parseusn.sls b/sift/scripts/parseusn.sls
deleted file mode 100644
index 8e63021e..00000000
--- a/sift/scripts/parseusn.sls
+++ /dev/null
@@ -1,21 +0,0 @@
-# source=https://github.com/superponible/DFIR/
-# license=MIT
-
-{% set commit = "ee681a07a0c32a5ccaea788cd7d012d19872f181" -%}
-{% set hash = "sha256=4540eba4cdddcb0eab1bc21ccea6a6ab7c010936909bb233807dc9bf4189ab10" -%}
-
-sift-scripts-parseusn:
- file.managed:
- - name: /usr/local/bin/parseusn.py
- - source: https://raw.githubusercontent.com/superponible/DFIR/{{ commit }}/parseusn.py
- - source_hash: {{ hash }}
- - mode: 755
-
-sift-scripts-parseusn-shebang:
- file.replace:
- - name: /usr/local/bin/parseusn.py
- - pattern: '#!/usr/bin/env python\n'
- - repl: '#!/usr/bin/env python2\n'
- - count: 1
- - watch:
- - file: sift-scripts-parseusn
diff --git a/sift/scripts/pe-carver.sls b/sift/scripts/pe-carver.sls
deleted file mode 100644
index f52a1ec4..00000000
--- a/sift/scripts/pe-carver.sls
+++ /dev/null
@@ -1,26 +0,0 @@
-# source=https://github.com/Rurik/PE_Carver
-# license=unknown
-
-{% set commit = "9026cd2ca4bd0633f9898a93cb798cd19cffc8f6" -%}
-{% set hash = "sha256=6b245decadde4652ff6d1e2b24f6496dd252bee4bf57e7c934fbb9c9f21df849" -%}
-
-include:
- - sift.python-packages.bitstring
- - sift.python-packages.pefile
-
-sift-scripts-pecarve:
- file.managed:
- - name: /usr/local/bin/pecarve.py
- - source: https://raw.githubusercontent.com/Rurik/PE_Carver/{{ commit }}/pe_carve.py
- - source_hash: {{ hash }}
- - mode: 755
- - require:
- - sls: sift.python-packages.bitstring
- - sls: sift.python-packages.pefile
-
-sift-scripts-pecarve-shebang:
- file.prepend:
- - name: /usr/local/bin/pecarve.py
- - text: '#!/usr/bin/env python2'
- - watch:
- - file: sift-scripts-pecarve
diff --git a/sift/scripts/pescanner.sls b/sift/scripts/pescanner.sls
deleted file mode 100644
index eefbfb8a..00000000
--- a/sift/scripts/pescanner.sls
+++ /dev/null
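Review bot: The `pip_pkgs` list installs `pefile` and `capstone` unpinned from PyPI at highstate time, so the interpreter stack behind `/usr/local/bin/packerid.py` is whatever the index serves that day, while the script itself is pinned to a commit and a sha256; pinning both libraries (`- pefile==<version — placeholder>` and `- capstone==<version — placeholder>`) keeps the venv reproducible and auditable. The shebang rewrite in `sift-python3-package-packerid-shebang` still targets the literal `#!/usr/local/bin/python`; if the new upstream commit ships a different shebang, `file.replace` reports success without changing anything and the symlinked script runs under whichever `python` is on PATH instead of the venv, so this is worth confirming against commit bc54e6d. A header comment stating the reason for the venv would also help, e.g. `# pefile/capstone are installed into an isolated venv under /opt/packerid rather than system site-packages`.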
@@ -1,34 +0,0 @@
-# source=https://github.com/hiddenillusion/AnalyzePE/
-# license=unknown
-
-{% set commit = "9c76ecbc3ac417bc07439c244f2d5ed19af06578" -%}
-{% set hash = "sha256=0c4e2a8916df3de0bde67ef47543db6f6068b267fa2b665667a52bc6002e6529" -%}
-
-include:
- - sift.packages.python2
- - sift.python-packages.pefile
- - sift.python-packages.pydasm
- - sift.python-packages.python-magic
- - sift.python-packages.yara-python
-
-sift-scripts-pescanner:
- file.managed:
- - name: /usr/local/bin/pescanner.py
- - source: https://raw.githubusercontent.com/hiddenillusion/AnalyzePE/{{ commit }}/pescanner.py
- - source_hash: {{ hash }}
- - mode: 755
- - require:
- - sls: sift.packages.python2
- - sls: sift.python-packages.pefile
- - sls: sift.python-packages.pydasm
- - sls: sift.python-packages.python-magic
- - sls: sift.python-packages.yara-python
-
-sift-scripts-pescanner-shebang:
- file.replace:
- - name: /usr/local/bin/pescanner.py
- - pattern: '#!/usr/bin/env python\n'
- - repl: '#!/usr/bin/env python2\n'
- - count: 1
- - watch:
- - file: sift-scripts-pescanner
diff --git a/sift/scripts/plutil.sls b/sift/scripts/plutil.sls
deleted file mode 100644
index 48f91af7..00000000
--- a/sift/scripts/plutil.sls
+++ /dev/null
@@ -1,35 +0,0 @@
-# source=https://github.com/HearthSim/extract-scripts
-# license=unknown
-
-{% set commit = "b830f58fe53958c54def0ec66d0617f9cf5c60d9" -%}
-{% set hash = "sha256=a1db4dccfa54a41361d11273dfdd88c59b4caca60f4d58e672cc867393a72166" -%}
-
-include:
- - sift.packages.libencode-perl
-
-sift-scripts-plutil:
- file.managed:
- - name: /usr/local/src/scripts/plutil.pl
- - source: https://raw.githubusercontent.com/HearthSim/extract-scripts/{{ commit }}/plutil.pl
- - source_hash: {{ hash }}
- - makedirs: True
- - require:
- - sls: sift.packages.libencode-perl
-
-sift-scripts-plutil-binary:
- file.copy:
- - name: /usr/local/bin/plutil.pl
- - source: /usr/local/src/scripts/plutil.pl
- - force: True
- - mode: 755
- - watch:
- - file: sift-scripts-plutil
-
-sift-scripts-plutil-shebang:
- file.replace:
- - name: /usr/local/bin/plutil.pl
- - pattern: '#!/usr/bin/perl'
- - repl: '#!/usr/bin/env perl'
- - count: 1
- - watch:
- - file: sift-scripts-plutil-binary
diff --git a/sift/scripts/regripper.sls b/sift/scripts/regripper.sls
index 61908396..86e4a7d0 100644
--- a/sift/scripts/regripper.sls
+++ b/sift/scripts/regripper.sls
@@ -71,8 +71,8 @@ sift-scripts-regripper-plugins-path-cleanup:
 sift-scripts-regripper-plugins-cleanup-2:
 file.replace:
 - name: /usr/share/regripper/rip.pl
- - pattern: ': \(\$plugindir = File::Spec->catfile\("plugins"\)\);'
- - repl: '#: ($plugindir = File::Spec->catfile("plugins"));'
+ - pattern: ': \(\$plugindir = File::Spec->catfile\(\$str, "plugins"\)\);'
+ - repl: '#: ($plugindir = File::Spec->catfile($str, "plugins"));'
 - count: 1
 - prepend_if_not_found: False
 - require:
diff --git a/sift/scripts/sqlite_miner.sls b/sift/scripts/sqlite_miner.sls
deleted file mode 100644
index 42dac61b..00000000
--- a/sift/scripts/sqlite_miner.sls
+++ /dev/null
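Review bot: The new `pattern` is an exact match for one revision of rip.pl, and with `prepend_if_not_found: False` on the context line below it a non-match is reported as success, so a future regripper update that changes this line again would leave the `$plugindir` assignment uncommented without any failure in the highstate. Recording which upstream revision the regex targets makes the state easier to maintain, e.g. `# matches rip.pl as of regripper <commit/tag — placeholder>; upstream added the $str argument to catfile()`. The state's `require` list continues outside the hunk.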
@@ -1,41 +0,0 @@
-# Name: sqlite_miner
-# Website: https://github.com/threeplanetssoftware/sqlite_miner
-# Description: A script to mine SQLite databases for hidden gems that might be overlooked
-# Category:
-# Author: Jon Baumann, Ciofeca Forensics
-# License: GNU General Public License v3.0 (https://github.com/threeplanetssoftware/sqlite_miner/blob/master/LICENSE)
-# Notes: sqlite_miner.pl, fun_stuff.pl
-
-{% set commit = "4220dae48a6e45c1316b153231dc6beef36f2f59" -%}
-{% set hash_fun = "sha256=c2e887dc62cb8191e0333f95d2e0eee330f62a778abf394f2ae158be39e44590" -%}
-{% set hash_miner = "sha256=0d4b380a27dd57380b581224b1258fbd5059b9314d59aa7ee2f260d352f82278" -%}
-
-include:
- - sift.packages.perl
- - sift.perl-packages.dbd-sqlite
-
-sift-scripts-sqlite-miner-funstuff:
- file.managed:
- - name: /usr/local/bin/fun_stuff.pl
- - source: https://raw.githubusercontent.com/threeplanetssoftware/sqlite_miner/{{ commit }}/fun_stuff.pl
- - source_hash: {{ hash_fun }}
- - mode: 755
- - require:
- - sls: sift.packages.perl
-
-sift-scripts-sqlite-miner:
- file.managed:
- - name: /usr/local/bin/sqlite_miner.pl
- - source: https://raw.githubusercontent.com/threeplanetssoftware/sqlite_miner/master/sqlite_miner.pl
- - source_hash: {{ hash_miner }}
- - mode: 755
- - require:
- - sls: sift.packages.perl
- - sls: sift.perl-packages.dbd-sqlite
-
-sift-scripts-sqlite-miner-shebang:
- file.prepend:
- - name: /usr/local/bin/sqlite_miner.pl
- - text: '#!/usr/bin/env perl'
- - watch:
- - file: sift-scripts-sqlite-miner
diff --git a/sift/scripts/sqlparser.sls b/sift/scripts/sqlparser.sls
deleted file mode 100644
index e5b0e291..00000000
--- a/sift/scripts/sqlparser.sls
+++ /dev/null
@@ -1,18 +0,0 @@
-# source=https://github.com/mdegrazia/SQLite-Deleted-Records-Parser
-# license=unknown
-
-{% set hash = "sha256=0bb28498141380821d5adc43cc3557ce6a96aeb8a33c414a48e3ccc2a1aad8c9" -%}
-
-sift-scripts-sqlparser:
- file.managed:
- - name: /usr/local/bin/sqlparser.py
- - source: https://github.com/mdegrazia/SQLite-Deleted-Records-Parser/releases/download/v.1.1/sqlparse_v1.1.py
- - source_hash: {{ hash }}
- - mode: 755
-
-sift-scripts-sqlparser-shebang:
- file.prepend:
- - name: /usr/local/bin/sqlparser.py
- - text: '#!/usr/bin/env python2'
- - watch:
- - file: sift-scripts-sqlparser
diff --git a/sift/scripts/usbdeviceforensics.sls b/sift/scripts/usbdeviceforensics.sls
deleted file mode 100644
index 2aa04ae5..00000000
--- a/sift/scripts/usbdeviceforensics.sls
+++ /dev/null
@@ -1,21 +0,0 @@
-# source=https://github.com/woanware/usbdeviceforensics
-# license=unknown
-
-{% set commit = "5a0705d5beca09eab2fd5a47a52240dbc0db5bc9" -%}
-{% set hash = "sha256=cc643ae2ccd7b772f6d8a2abaa0e9dd33514c60328c5bc3b7d60bb69398b9637" -%}
-
-sift-scripts-usbdeviceforensics:
- file.managed:
- - name: /usr/local/bin/usbdeviceforensics.py
- - source: https://raw.githubusercontent.com/woanware/usbdeviceforensics/{{ commit }}/usbdeviceforensics.py
- - source_hash: {{ hash }}
- - mode: 755
-
-sift-scripts-usbdeviceforensics-shebang:
- file.replace:
- - name: /usr/local/bin/usbdeviceforensics.py
- - pattern: '#!/usr/bin/python'
- - repl: '#!/usr/bin/env python2'
- - count: 1
- - watch:
- - file: sift-scripts-usbdeviceforensics
diff --git a/sift/scripts/zimmerman.sls b/sift/scripts/zimmerman.sls
index f6141c3d..05664277 100644
--- a/sift/scripts/zimmerman.sls
+++ b/sift/scripts/zimmerman.sls
@@ -1,22 +1,21 @@
-{%- set user = salt['pillar.get']('sift_user', 'sansforensics') -%}
-{%- set all_users = salt['user.list_users']() -%}
-{%- if user == "root" -%}
- {%- set home = "/root" -%}
-{%- else -%}
- {%- set home = "/home/" + user -%}
-{%- endif -%}
+# Name: Zimmerman Tools
+# Website: https://ericzimmerman.github.io/#!index.md
+# Description: A collection of Windows binaries to parse Windows artifacts, running with .NET
+# Category:
+# Author: Eric Zimmerman
+# License: MIT License
+# Notes: amcacheparser, appcompatcacheparser, bstrings, evtxecmd, iisgeolocate, jlecmd, lecmd, mftecmd, rbcmd, recentfilecacheparser, recmd, rla, sbecmd, sqlecmd, wxtcmd
 {% set tools = ['AmcacheParser','AppCompatCacheParser','bstrings','EvtxECmd','iisGeolocate','JLECmd','LECmd','MFTECmd','RBCmd','RecentFileCacheParser','RECmd','rla','SBECmd','SQLECmd','WxTCmd'] %}
 include:
 - sift.packages.dotnet
- - sift.config.user.user
 {% for tool in tools %}
 download-{{ tool }}:
 file.managed:
 - name: /tmp/{{ tool }}.zip
- - source: https://f001.backblazeb2.com/file/EricZimmermanTools/net6/{{ tool }}.zip
+ - source: https://download.ericzimmermanstools.com/net9/{{ tool }}.zip
 - skip_verify: True
 - makedirs: True
@@ -42,4 +41,10 @@ extract-{{ tool }}:
 {% endif %}
 - mode: 755
 - replace: True
+
+remove-{{ tool }}-zip:
+ file.absent:
+ - name: /tmp/{{ tool }}.zip
+ - require:
+ - file: {{ tool }}-wrapper
 {% endfor %}
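Review bot: The download source moves to `https://download.ericzimmermanstools.com/net9/{{ tool }}.zip` while `skip_verify: True` is kept on the line below it, so archives that become executables on the image are now fetched from a new origin with no integrity pin at all; a host switch is the moment to add `- source_hash: <sha256 per tool — placeholder>` (or a hash file) and drop `skip_verify`. The removed `user`, `all_users` and `home` Jinja variables and the `sift.config.user.user` include disappear from this hunk only; if the unchanged part of the file between the two hunks still references any of them, rendering will fail, so that should be confirmed. The `net9` path also implies that the `sift.packages.dotnet` state must now provide the .NET 9 runtime, which this diff does not show.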
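Review bot: `remove-{{ tool }}-zip` deletes `/tmp/{{ tool }}.zip` at the end of every run, so `download-{{ tool }}`, which has no `source_hash` to compare against, will fetch each archive again on every highstate; if `extract-{{ tool }}` — whose definition lies outside this hunk — is triggered by that download, the tools are re-extracted each time as well. If the intent is only to not leave archives in /tmp, downloading into a cache directory the extract state can compare against, or guarding the download with `unless`, avoids the repeated fetches; at minimum a comment such as `# zip is removed after install, so download-{{ tool }} re-fetches on every run` documents the trade-off. The `require` on `{{ tool }}-wrapper` refers to a state defined outside the hunk.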