#cloud-config
#Description: BanditLab universal cloud-init config
#Version: v2025.11.13.3
#Created: 2025-11-13
#Target: Ubuntu 22.04 (jammy) and/or 24.04 (noble)
apt:
  sources:
    # .NET backports PPA, needed for the dotnet-runtime-6.0 package that
    # fortoolsinit.sh installs. cloud-init expands $RELEASE to the running
    # release codename, so the PPA has to publish for both jammy and noble.
    # NOTE(review): the quoted architecture list ([arch="arm64","amd64"]) is
    # not the documented one-line sources.list option syntax — plain
    # [arch=arm64,amd64] is; confirm that the .list/.sources file cloud-init
    # writes is actually accepted by apt on both releases.
    # The signing key ships inline, so no key is fetched over the network.
    dotnet_backports:
      source: deb [arch="arm64","amd64"] https://ppa.launchpadcontent.net/dotnet/backports/ubuntu/ $RELEASE main
      key: |
        -----BEGIN PGP PUBLIC KEY BLOCK-----
        mQINBGWzzawBEAD0r2+MRyiDtGRmCZ+S15spTUY9/l/0bKIZp5S+WTfd1NlSzkCl
        +XYQa4cy9+jzeAgosiN0Brx8X1ohYo2uRc4+yEZaODpuR4X5roAabLEE9/R3n9XL
        HJ0pqLiieqmsHcICqMFNYLc7eG3ttN3knRRbKQBk/P6UpJhcWRIex4Oeo5RK5pS3
        zCJzRCwqf/rZFfcHgssXSXjDqnYONOuNNyxp0qHG3PG3WVUjnnjx3tWI33T/Qiat
        FNJh3wW3Y+wMuRUuB04DymVgVoFBB2xWu158GtpuKrFQ7xf3ZSD4JgcwCx2pXQ+E
        P7GEm+S7ARk1hnN4vto3oqg8h6QdVbjaO+E+u7snmneC0GPCLlj9cvrKnRXEwJag
        oj+t0g7sR8iSbjfnLxAAPfPRpHnLCk/NjtB6kASJxggUEsRe3mcO+9WgvF/w85np
        or0L+AvPSnnUxrLybwKLT+0TbSOA3CKGAOfSAqCS77hbRjdjuzSoh5O7IQUZOrJJ
        XzfKZylSbW/t1mSZbmLMxB3aD/HfDeWLS3JWOQVMDCGCVE9yh6P9X0B/5UEYp5mu
        nQ34rttqMCu9gBPR93f21kz3dUoA5m/OSkvqrAwqgarlPKdQnjcthJGI0l+xU1fI
        fqC3wDjYIgJ+DCGl7OyLW7htMj+ZY7eJbHHXN4AMAwDFQcicW42VVnrIVwARAQAB
        tCJMYXVuY2hwYWQgUFBBIGZvciAuTkVUIEAgQ2Fub25pY2FsiQJOBBMBCgA4FiEE
        RaPxJxWb6eUBeBHGISWxZOjl0/oFAmWzzawCGwMFCwkIBwIGFQoJCAsCBBYCAwEC
        HgECF4AACgkQISWxZOjl0/poJA//U5RZZxAAWxWGj9qyelawo7KecLWImcFUDcnI
        2mfQOB9havZYcOcjenYiJTxKoJ4lRQzGbA/ssGea07zRtdaP/pyWv6iWfVsX3Dvl
        hwetndbkllbUKoFEQndyxKuK+JBaM3YLDqUVJhJp3w5Jn2IqfnWkZnGf3vZWFCtY
        Alobynkqnv0EVX4FteHG+/T4ouTXCkJVwMtekDdCkYXOE7mWWcRW7KAeHq/wI85T
        HaWR6jWjhsF9U0wjludVGeeoL6F8FGaHxbTbn7pQR8Epz92hl9+tQkyxjtjuXDtj
        TWvI1buewpzHujk5AXknLabmuFCGl/AHxYB6i4briBvar0SRy3x9XszvMiEtb69V
        ApepUcG/PmlUb5X0KofDoQ7btS56HxPRnScOyWX/tUccod41s7Tsx5eGYTEcZjRh
        FBYgjqhnMkcFoEpFx9Wt2Z2cRpZXzc07uz3WAF8eb3QcOkFrwySogVDhdF+cHvGI
        RyD27ZbxEsQDIr2hCgOdDg/Cvz9uvN5WhiFL/xM82idIWfczF1rkFb9p6AxR9c26
        99oVl+UOLTSPlPmsgtDwOTwc0EYjspEit30BQWQUEN4VaQlGpGLJxshs8hGf57fq
        5i/EmixUuQvkThlBZIdSkAeFhwS0mnGmcOQmfCE/6hBqBCgDEDspJPW56SGOVZMo
        yRDdXGU=
        =zcgX
        -----END PGP PUBLIC KEY BLOCK-----
    # Google Cloud SDK apt repository.
    # NOTE(review): the key material below is truncated in this copy of the
    # file — only the BEGIN/END armour and the CRC line remain. Restore the
    # full key (https://packages.cloud.google.com/apt/doc/apt-key.gpg) before
    # deploying; an incomplete armoured block fails to import and leaves the
    # source unusable. The installgcloud* aliases in fortoolsinit.sh install
    # via snap and do not depend on this repo.
    google-cloud-sdk:
      source: deb [arch="arm64","amd64"] https://packages.cloud.google.com/apt cloud-sdk main
      key: |
        -----BEGIN PGP PUBLIC KEY BLOCK-----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=gsYm
        -----END PGP PUBLIC KEY BLOCK-----
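write_files:
# Login hook: finishes the tool deployment on the first interactive login of
# 'ubuntu' (the venvs and $HOME must belong to the user, so this cannot run
# from root's runcmd). Sourced by every bash login shell, hence `return`
# everywhere, never `exit`.
- path: /etc/profile.d/99-postdeploy.sh
  owner: root:root
  permissions: '0644'
  content: |
    # One-time post-deploy actions on first interactive login of user 'ubuntu'.
    # This file is sourced by the login shell (bash, the default shell of the
    # ubuntu user): use `return`, never `exit`.
    # Guard: only interactive shells
    case $- in *i* ) ;; * ) return ;; esac
    # Guard: only the ubuntu user. $USER is not guaranteed to be set in every
    # login path, so fall back to id(1).
    [ "${USER:-$(id -un)}" = "ubuntu" ] || return
    SENTINEL="/home/ubuntu/.lab/.postdeploy.done"
    LOG="/home/ubuntu/.lab/postdeploy.log"
    LOCK="/home/ubuntu/.lab/.postdeploy.lock"
    # If already completed, do nothing
    [ -f "$SENTINEL" ] && return
    # Ensure workspace exists. If .lab was created root-owned (e.g. as a parent
    # directory made by write_files) the log, lock and sentinel below cannot be
    # created as ubuntu and the hook would silently bail out on every login —
    # say so instead of failing quietly.
    mkdir -p /home/ubuntu/.lab
    if [ ! -w /home/ubuntu/.lab ]; then
      echo "[postdeploy] /home/ubuntu/.lab is not writable by $(id -un); chown it to ubuntu:ubuntu to run post-deploy" >&2
      return
    fi
    : > "$LOG"
    chown ubuntu:ubuntu "$LOG"
    # Serialize to avoid duplicate runs if multiple sessions log in at once.
    # FD 9 is closed again below; otherwise the lock (and the descriptor) would
    # stay open in the user's shell, and in every child it spawns, for the
    # whole session.
    exec 9>"$LOCK"
    if ! flock -n 9; then
      # Another session is running postdeploy
      exec 9>&-
      return
    fi
    echo "[postdeploy] Starting at $(date -Is)" | tee -a "$LOG"
    # Run in a subshell so shell options don't leak into the user's session.
    # pipefail is required: with plain `set -e` each `| tee` pipeline reports
    # tee's status (always 0), so a failed init script or pip run would still
    # be marked as finished and never retried.
    (
      set -e -o pipefail
      # 1) Run your init script
      bash /home/ubuntu/.lab/fortoolsinit.sh | tee -a "$LOG"
      # 2) Install plaso requirements using your venv python
      /home/ubuntu/plaso/bin/python3 -m pip install -r /home/ubuntu/.lab/plasoinit.in | tee -a "$LOG"
    )
    status=$?
    if [ $status -eq 0 ]; then
      echo "[postdeploy] Finished OK at $(date -Is)" | tee -a "$LOG"
      touch "$SENTINEL"
      chown ubuntu:ubuntu "$SENTINEL"
    else
      echo "[postdeploy] Failed with code $status at $(date -Is). Will retry on next login." | tee -a "$LOG"
      # Do not create the sentinel so it runs again next time
    fi
    # Release the lock; the sentinel, not the lock, is what prevents re-runs.
    exec 9>&-
    # Do not remove this file; the sentinel ensures it runs only once on success
  defer: true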
# Pinned requirements for the 'plaso' venv; installed by 99-postdeploy.sh on
# first login (pip install -r). Pins are by version only — there are no
# --hash entries — so pip still trusts whatever the index serves for that
# version; add sha256 hashes and --require-hashes to pin the artifacts too.
# NOTE(review): several pins (dfdatetime, pytsk3) are newer than the plaso
# release pinned here; whether plaso==20240826 accepts them is not verified
# by this file, only by pip at install time.
- path: /home/ubuntu/.lab/plasoinit.in
  owner: ubuntu:ubuntu
  permissions: '0644'
  content: |
    acstore==20240407
    artifacts==20240518
    bencode.py==4.0.0
    certifi==2025.1.31
    cffi==1.17.1
    charset-normalizer==3.4.1
    defusedxml==0.7.1
    dfdatetime==20251018
    dfvfs==20240505
    dfwinreg==20240229
    dtfabric==20230520
    Events==0.5
    Flor==1.1.3
    idna==3.10
    libbde-python==20240502
    libcaes-python==20240413
    libcreg-python==20240419
    libesedb-python==20240420
    libevt-python==20240421
    libevtx-python==20240504
    libewf-python==20240506
    libfcrypto-python==20240414
    libfsapfs-python==20240429
    libfsext-python==20240501
    libfsfat-python==20240501
    libfshfs-python==20240501
    libfsntfs-python==20240501
    libfsxfs-python==20240501
    libfvde-python==20240502
    libfwnt-python==20240415
    libfwsi-python==20240423
    liblnk-python==20240423
    libluksde-python==20240503
    libmodi-python==20240507
    libmsiecf-python==20240425
    libolecf-python==20240427
    libphdi-python==20240508
    libqcow-python==20240308
    libregf-python==20240421
    libscca-python==20240427
    libsigscan-python==20240505
    libsmdev-python==20240505
    libsmraw-python==20240506
    libvhdi-python==20240509
    libvmdk-python==20240510
    libvsapm-python==20240503
    libvsgpt-python==20240504
    libvshadow-python==20240504
    libvslvm-python==20240504
    lz4==4.4.3
    opensearch-py==2.8.0
    pefile==2024.8.26
    plaso==20240826
    psutil==7.0.0
    pycparser==2.22
    pyparsing==3.1.4
    python-dateutil==2.9.0.post0
    pytsk3==20250312
    pytz==2025.2
    PyYAML==6.0.2
    pyzmq==26.3.0
    redis==5.2.1
    requests==2.32.3
    six==1.17.0
    urllib3==2.3.0
    xattr==1.1.4
    XlsxWriter==3.2.2
    yara-python==4.5.1
    zstd==1.5.6.6
  defer: true
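# Tool deployment script, run as 'ubuntu' by 99-postdeploy.sh. Not executable
# on disk (0644) by design: it is always invoked as `bash fortoolsinit.sh`.
- path: /home/ubuntu/.lab/fortoolsinit.sh
  owner: ubuntu:ubuntu
  permissions: '0644'
  content: |
    #!/usr/bin/env bash
    # BanditLab tool deployment. Invoked as `bash fortoolsinit.sh` by
    # /etc/profile.d/99-postdeploy.sh on the first interactive login of the
    # 'ubuntu' user, so it runs as ubuntu with $HOME=/home/ubuntu; root-only
    # steps use sudo. Must not be run as root (the venvs and $HOME/tools would
    # end up root-owned).
    #
    # Exit non-zero on the first failed command, including inside pipelines:
    # the caller writes its "done" sentinel only on exit 0 and retries on the
    # next login otherwise, so failures must not be hidden behind `| tar` or a
    # trailing `echo`. Every step is written so a re-run is safe.
    set -e -o pipefail
    echo '#######################################'
    echo '# BanditLab tool deployement script #'
    echo '#######################################'

    # --- helpers ---------------------------------------------------------------
    # Everything fetched below is unpacked and executed (several binaries are
    # linked into /usr/bin), so the TLS certificate of the download host is the
    # only integrity check: verification is no longer disabled with
    # --no-check-certificate. If a TLS-intercepting proxy sits in the path,
    # install its CA under /usr/local/share/ca-certificates and run
    # update-ca-certificates instead of turning verification off.
    # TODO(review): record the sha256 of each archive and verify it before
    # unpacking — a release tag or a raw/main URL can be re-pointed, a hash
    # cannot.
    fetch_unpack() { # <url> <dest-dir>; .zip via bsdtar (libarchive-tools), else tar.gz
      case "$1" in
        *.zip) wget -qO- "$1" | bsdtar -xvf- -C "$2" ;;
        *)     wget -qO- "$1" | tar -xz -C "$2" ;;
      esac
    }
    fetch_file() { # <url> <dest-path>
      wget "$1" -O "$2"
    }
    # Expose a tool from $HOME/tools as /usr/bin/<name>. `-f` keeps re-runs
    # idempotent. NOTE(review): the link target lives in the user's writable
    # home, so `sudo <name>` runs user-controlled code as root. Acceptable in
    # this single-user lab (ubuntu already has sudo); do not copy the pattern
    # to a multi-user host.
    link_bin() { # <path> <name>
      chmod 755 "$1"
      sudo ln -sf "$1" "/usr/bin/$2"
    }

    # --- system packages -------------------------------------------------------
    # NOTE(review): python3.12 / python3.12-venv exist in the noble (24.04)
    # archive only; on jammy (22.04) apt rejects the whole transaction unless a
    # backport PPA provides them. tshark is only simulated (-s) — presumably to
    # avoid the wireshark-common debconf prompt — so it is NOT installed.
    sudo apt install -y afflib-tools attr cewl dc3dd dislocker dnsrecon ewf-tools exifprobe fcrackzip forensic-artifacts forensics-colorize galleta hashdeep pff-tools mc recoverdm scrounge-ntfs sleuthkit ssdeep wipe yara ext3grep libimage-exiftool-perl testdisk geoip-bin mblaze mboxgrep pev unar tesseract-ocr libvshadow-utils dotnet-runtime-6.0 python3.12 python3.12-venv python3-pip extundelete libarchive-tools ugrep apt-transport-https parallel nikto jq xmlstarlet attr poppler-utils xq libplist-utils qpdf
    sudo apt -s install tshark

    # --- Python tools into the 'pyapps' venv (created by runcmd) ---------------
    # The interpreter is addressed explicitly instead of `source activate`, so
    # the venv's PATH does not leak into the rest of this script.
    PYAPPS=/home/ubuntu/pyapps/bin/python3
    # NOTE(review): unpinned — PyPI names resolve to "latest" and the git+ URLs
    # to the branch head, so each deployment gets whatever is current.
    "$PYAPPS" -m pip install wheel construct pdfid oletools pyhindsight auto-archiver xlsxgrep tabulate dnspython domaintools_api evtxtract parse_smsdb pycryptodome
    "$PYAPPS" -m pip install https://github.com/msuhanov/dfir_ntfs/archive/refs/tags/1.1.20.tar.gz
    "$PYAPPS" -m pip install git+https://github.com/cisagov/ioc-scanner.git
    "$PYAPPS" -m pip install git+https://github.com/cclgroupltd/ccl_chromium_reader.git
    "$PYAPPS" -m pip install chardet
    "$PYAPPS" -m pip install https://github.com/0CM/BanditLab/raw/refs/heads/main/packages/edrparser-2.2.0.tar.gz
    # The hindsight aliases call these scripts directly, so they need the exec
    # bit; the venv is owned by ubuntu, no sudo required.
    chmod 755 /home/ubuntu/pyapps/bin/hindsight.py /home/ubuntu/pyapps/bin/hindsight_gui.py
    # Standalone scripts dropped into the venv's bin for the aliases below.
    fetch_file https://raw.githubusercontent.com/ajread4/prefetcher/refs/heads/main/prefetcher.py /home/ubuntu/pyapps/bin/prefetcher.py
    # odl.py is pure Python; it was previously fetched on x86_64 only although
    # the 'odl' alias is written on both architectures.
    fetch_file https://raw.githubusercontent.com/ydkhatri/OneDrive/refs/heads/main/odl.py /home/ubuntu/pyapps/bin/odl.py
    chmod 755 /home/ubuntu/pyapps/bin/prefetcher.py /home/ubuntu/pyapps/bin/odl.py

    # --- workspace -------------------------------------------------------------
    mkdir -p "$HOME"/{DATA,ewfmount,evidence,tools,tools/hayabusa,tools/memprocfs,tools/trufflehog,tools/noseyparker,tools/pup,tools/vt,tools/nuclei}

    # --- architecture-specific artefacts ---------------------------------------
    # Only the URLs (and the hayabusa binary name) differ per architecture; the
    # download/unpack/link steps are shared below.
    ARCH=$(uname -m)
    case "$ARCH" in
      aarch64)
        echo "Running deployment for aarch64 architecture"
        EZTOOLS_URL=https://github.com/0CM/BanditLab/raw/main/packages/EZTools_aarch64-20240710.tar.gz
        SIDR_URL=https://github.com/0CM/BanditLab/raw/main/packages/sidr_aarch64-20240702.tar.gz
        MEMPROCFS_URL=https://github.com/ufrisk/MemProcFS/releases/download/v5.16/MemProcFS_files_and_binaries_v5.16.7-linux_aarch64-20251113.tar.gz
        HAYABUSA_URL=https://github.com/Yamato-Security/hayabusa/releases/download/v3.7.0/hayabusa-3.7.0-lin-aarch64-gnu.zip
        HAYABUSA_BIN=hayabusa-3.7.0-lin-aarch64-gnu
        TRUFFLEHOG_URL=https://github.com/trufflesecurity/trufflehog/releases/download/v3.91.1/trufflehog_3.91.1_linux_arm64.tar.gz
        NOSEYPARKER_URL=https://github.com/praetorian-inc/noseyparker/releases/download/v0.24.0/noseyparker-v0.24.0-aarch64-unknown-linux-gnu.tar.gz
        CHAINSAW_URL=https://github.com/WithSecureLabs/chainsaw/releases/download/v2.13.1/chainsaw_aarch64-unknown-linux-gnu.tar.gz
        TIMELINER_URL=https://github.com/0CM/BanditLab/raw/main/packages/timeliner_aarch64-20240805.tar.gz
        PUP_URL=https://github.com/ericchiang/pup/releases/download/v0.4.0/pup_v0.4.0_linux_arm64.zip
        VT_URL=https://github.com/0CM/BanditLab/raw/main/packages/vt-cli_aarch64-20240720.tar.gz
        NUCLEI_URL=https://github.com/projectdiscovery/nuclei/releases/download/v3.5.1/nuclei_3.5.1_linux_arm64.zip
        PWSH_URL=https://github.com/PowerShell/PowerShell/releases/download/v7.5.0/powershell-7.5.0-linux-arm64.tar.gz
        ;;
      x86_64)
        echo "Running deployment for x86_64 architecture"
        EZTOOLS_URL=https://github.com/0CM/BanditLab/raw/main/packages/EZTools_x86_64-20240725.tar.gz
        SIDR_URL=https://github.com/0CM/BanditLab/raw/main/packages/sidr_x86_64-20240725.tar.gz
        MEMPROCFS_URL=https://github.com/ufrisk/MemProcFS/releases/download/v5.16/MemProcFS_files_and_binaries_v5.16.7-linux_x64-20251113.tar.gz
        HAYABUSA_URL=https://github.com/Yamato-Security/hayabusa/releases/download/v3.7.0/hayabusa-3.7.0-lin-x64-musl.zip
        HAYABUSA_BIN=hayabusa-3.7.0-lin-x64-musl
        TRUFFLEHOG_URL=https://github.com/trufflesecurity/trufflehog/releases/download/v3.91.1/trufflehog_3.91.1_linux_amd64.tar.gz
        NOSEYPARKER_URL=https://github.com/praetorian-inc/noseyparker/releases/download/v0.24.0/noseyparker-v0.24.0-x86_64-unknown-linux-gnu.tar.gz
        CHAINSAW_URL=https://github.com/WithSecureLabs/chainsaw/releases/download/v2.13.1/chainsaw_x86_64-unknown-linux-gnu.tar.gz
        TIMELINER_URL=https://github.com/0CM/BanditLab/raw/main/packages/timeliner_x86_64-20240805.tar.gz
        PUP_URL=https://github.com/ericchiang/pup/releases/download/v0.4.0/pup_v0.4.0_linux_amd64.zip
        VT_URL=https://github.com/VirusTotal/vt-cli/releases/download/1.2.0/Linux64.zip
        NUCLEI_URL=https://github.com/projectdiscovery/nuclei/releases/download/v3.5.1/nuclei_3.5.1_linux_amd64.zip
        PWSH_URL=https://github.com/PowerShell/PowerShell/releases/download/v7.5.4/powershell-7.5.4-linux-musl-x64.tar.gz
        ;;
      *)
        # Previously the script fell through and later failed on per-arch paths;
        # fail explicitly so the login hook reports it.
        echo "[fortoolsinit] Unsupported architecture: $ARCH" >&2
        exit 1
        ;;
    esac

    fetch_unpack "$EZTOOLS_URL"     "$HOME/tools/"
    fetch_unpack "$SIDR_URL"        "$HOME/tools/"
    fetch_unpack "$MEMPROCFS_URL"   "$HOME/tools/memprocfs"
    fetch_unpack "$HAYABUSA_URL"    "$HOME/tools/hayabusa"
    chmod 755 "$HOME/tools/hayabusa/$HAYABUSA_BIN"
    ln -sf "$HOME/tools/hayabusa/$HAYABUSA_BIN" "$HOME/tools/hayabusa/hayabusa"
    fetch_unpack "$TRUFFLEHOG_URL"  "$HOME/tools/trufflehog"
    fetch_unpack "$NOSEYPARKER_URL" "$HOME/tools/noseyparker"
    fetch_unpack "$CHAINSAW_URL"    "$HOME/tools"
    fetch_unpack "$TIMELINER_URL"   "$HOME/tools/"
    # Kept as separate statements rather than `fetch && link`: under set -e a
    # failure on the left of && does not abort the script.
    fetch_unpack "$PUP_URL" "$HOME/tools/pup"
    link_bin "$HOME/tools/pup/pup" pup
    fetch_unpack "$VT_URL" "$HOME/tools/vt"
    link_bin "$HOME/tools/vt/vt" vt
    fetch_unpack "$NUCLEI_URL" "$HOME/tools/nuclei"
    link_bin "$HOME/tools/nuclei/nuclei" nuclei

    # --- rules, templates and batch files --------------------------------------
    mkdir -p "$HOME/tools/EZTools/RECmd/BatchExamples"
    fetch_file https://raw.githubusercontent.com/EricZimmerman/RECmd/refs/heads/master/BatchExamples/Kroll_Batch.reb "$HOME/tools/EZTools/RECmd/BatchExamples/Kroll_Batch.reb"
    fetch_file https://raw.githubusercontent.com/EricZimmerman/RECmd/refs/heads/master/BatchExamples/UserActivity.reb "$HOME/tools/EZTools/RECmd/BatchExamples/UserActivity.reb"
    # NOTE(review): these clones track branch heads (unpinned rule content).
    rm -rf "$HOME/tools/chainsaw/sigma"
    git clone https://github.com/SigmaHQ/sigma "$HOME/tools/chainsaw/sigma"
    # Refresh chainsaw's mappings/rules from the repo. Cloned into a temp dir
    # rather than the login shell's cwd, and the targets are removed first so a
    # re-run does not trip over `mv` into an existing directory.
    CHAINSAW_TMP=$(mktemp -d)
    git clone https://github.com/WithSecureLabs/chainsaw.git "$CHAINSAW_TMP/chainsaw"
    rm -rf "$HOME/tools/chainsaw/mappings" "$HOME/tools/chainsaw/rules"
    mv "$CHAINSAW_TMP/chainsaw/mappings" "$CHAINSAW_TMP/chainsaw/rules" "$HOME/tools/chainsaw/"
    rm -rf "$CHAINSAW_TMP"
    rm -rf "$HOME/tools/lynis"
    git clone https://github.com/CISOfy/lynis "$HOME/tools/lynis"
    # Self-/rule updates are best-effort: the tools work with what was just
    # unpacked, and a transient failure here should not fail the deployment.
    # (The previous version ran nuclei -update three times and pointed
    # update-rules at a hayabusa 2.16.0 aarch64 binary that is never installed.)
    "$HOME/tools/nuclei/nuclei" -update || echo "[fortoolsinit] WARNING: nuclei -update failed" >&2
    "$HOME/tools/hayabusa/$HAYABUSA_BIN" update-rules || echo "[fortoolsinit] WARNING: hayabusa update-rules failed" >&2

    # --- shell aliases for the ubuntu user -------------------------------------
    # Guarded by a marker line so a re-run after a failed attempt does not append
    # the block a second time. Quoted heredoc: nothing expands here, $HOME is
    # written literally and resolved when an alias is used.
    # NOTE(review): installazurecli pipes a remotely fetched script into
    # `sudo bash`. It is user-invoked, but download-then-inspect is safer.
    if ! grep -q '^# BanditLab aliases' /home/ubuntu/.bashrc; then
      cat >> /home/ubuntu/.bashrc <<'EOF'
    # BanditLab aliases
    alias edrparser="source $HOME/pyapps/bin/activate&&edrparser"
    alias log2timeline="source $HOME/plaso/bin/activate&&log2timeline"
    alias pinfo="source $HOME/plaso/bin/activate&&pinfo"
    alias psteal="source $HOME/plaso/bin/activate&&psteal"
    alias psort="source $HOME/plaso/bin/activate&&psort"
    alias mftecmd="/home/ubuntu/tools/EZTools/MFTECmd/MFTECmd"
    alias amcacheparser="/home/ubuntu/tools/EZTools/AmcacheParser/AmcacheParser"
    alias bstrings="/home/ubuntu/tools/EZTools/bstrings/bstrings"
    alias evtxecmd="/home/ubuntu/tools/EZTools/EvtxECmd/EvtxECmd"
    alias jlecmd="/home/ubuntu/tools/EZTools/JLECmd/JLECmd"
    alias lecmd="/home/ubuntu/tools/EZTools/LECmd/LECmd"
    alias rbcmd="/home/ubuntu/tools/EZTools/RBCmd/RBCmd"
    alias recmd="/home/ubuntu/tools/EZTools/RECmd/RECmd"
    alias srumecmd="/home/ubuntu/tools/EZTools/SrumECmd/SrumECmd"
    alias recentfilecacheparser="/home/ubuntu/tools/EZTools/RecentFileCacheParser/RecentFileCacheParser"
    alias sqlecmd="/home/ubuntu/tools/EZTools/SQLECmd/SQLECmd"
    alias wxtcmd="/home/ubuntu/tools/EZTools/WxTCmd/WxTCmd"
    alias rla="/home/ubuntu/tools/EZTools/rla/rla"
    alias sidr="/home/ubuntu/tools/sidr/sidr"
    alias vt="/home/ubuntu/tools/vt/vt"
    alias noseyparker="/home/ubuntu/tools/noseyparker/bin/noseyparker"
    alias trufflehog="/home/ubuntu/tools/trufflehog/trufflehog"
    alias timeliner="/home/ubuntu/tools/timeliner/timeliner"
    alias pyapps="source $HOME/pyapps/bin/activate"
    alias peepdf="source $HOME/pyapps/bin/activate&&peepdf"
    alias pdfid="source $HOME/pyapps/bin/activate&&pdfid"
    alias fat_parser="source $HOME/pyapps/bin/activate&&fat_parser"
    alias ntfs_parser="source $HOME/pyapps/bin/activate&&ntfs_parser"
    alias hindsight="source $HOME/pyapps/bin/activate&&hindsight.py"
    alias hindsight_gui="source $HOME/pyapps/bin/activate&&hindsight_gui.py"
    alias browserexport="source $HOME/pyapps/bin/activate&&browserexport"
    alias parse_smsdb="source $HOME/pyapps/bin/activate&&parse_smsdb"
    alias olevba="source $HOME/pyapps/bin/activate&&olevba"
    alias prefetch="source $HOME/pyapps/bin/activate&&prefetcher.py"
    alias prefetcher="source $HOME/pyapps/bin/activate&&prefetcher.py"
    alias auto-archiver="source $HOME/pyapps/bin/activate&&auto-archiver"
    alias xlsxgrep="source $HOME/pyapps/bin/activate&&xlsxgrep"
    alias ioc-scan="source $HOME/pyapps/bin/activate&&ioc-scan"
    alias odl="source $HOME/pyapps/bin/activate&&odl.py"
    alias installazurecli="curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash"
    alias installgcloudcli="sudo snap install google-cloud-cli --classic"
    alias installgcloudsdk="sudo snap install google-cloud-sdk --classic"
    alias chainsaw="/home/ubuntu/tools/chainsaw/chainsaw"
    EOF
      # installpwsh is architecture-specific, so it is written outside the quoted
      # heredoc: $PWSH_URL expands now, the escaped \$HOME stays literal. The
      # previous echo '...'"...'...'"' nesting closed its own quotes, piped the
      # echo output into tar, and never wrote this alias at all.
      printf 'alias installpwsh=%s\n' "'wget -qO- $PWSH_URL | tar -xz -C \$HOME/tools/ --one-top-level=powershell && chmod 755 \$HOME/tools/powershell/pwsh && sudo ln -sf \$HOME/tools/powershell/pwsh /usr/bin/pwsh'" >> /home/ubuntu/.bashrc
    fi
  defer: true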
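runcmd:
# Runs as root in cloud-init's final stage, after the deferred write_files.
# `sudo` is unnecessary here; the previous `sudo -u ubuntu sh -c 'sudo ...'`
# round-trip only added a dependency on ubuntu's passwordless sudo.
- update-ca-certificates
- apt-get update
# NOTE(review): python3.12 / python3.12-venv are in the noble (24.04) archive
# only; on jammy (22.04) this install fails unless a backport PPA is added.
# The venvs below are created with the default python3 (3.10 on jammy, 3.12
# on noble), not with python3.12 explicitly.
- apt-get install -y libplist-utils python3.12 python3.12-venv python3-pip
- snap install multipass-sshfs
# /home/ubuntu/.lab is created by write_files for its files; the directory
# itself may be root-owned, and the login hook (99-postdeploy.sh) must create
# its log, lock and sentinel there as ubuntu.
- mkdir -p /home/ubuntu/.lab && chown ubuntu:ubuntu /home/ubuntu/.lab
# Venvs are created as ubuntu so fortoolsinit.sh and 99-postdeploy.sh can
# pip-install into them later without sudo.
- sudo -u ubuntu python3 -m venv /home/ubuntu/pyapps
- sudo -u ubuntu python3 -m venv /home/ubuntu/plaso
- sudo -u ubuntu /home/ubuntu/pyapps/bin/python3 -m pip install --upgrade pip
# Was /home/plaso/pyapps/bin/python3 — a path that does not exist, so the
# plaso venv's pip was never upgraded.
- sudo -u ubuntu /home/ubuntu/plaso/bin/python3 -m pip install --upgrade pip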