Add Zimmermantools #778

Merged
merged 3 commits into from
Feb 21, 2024
Conversation

naacbin (Collaborator) commented Dec 8, 2023

Add Zimmerman forensic tools in .NET6 to improve performance (except hasher which is only available in .NET4).

As JLECmd is included in this PR, #243 can be closed.

@Ana06 Ana06 added the 🆕 package New package request/idea/PR label Dec 12, 2023
Ana06 (Member) left a review comment

I am not sure if Forensic is the best category. I tend toward Utilities for most of them. I think we may want to use some of these tools in FLARE-VM as well and we don't have a Forensic category at the moment (and I think it doesn't make sense for FLARE-VM). @vm-packages opinions?

@Ana06 Ana06 added 🌀 FLARE-VM A package or feature to be used by FLARE-VM 🌀 COMMANDO-VM A package or future to be used by COMMANDO VM labels Dec 12, 2023
Ana06 (Member) commented Dec 12, 2023

@mandiant/flare-vm opinions on adding any of these tools to FLARE-VM?

naacbin (Collaborator, Author) commented Dec 12, 2023

> I am not sure if Forensic is the best category. I tend toward Utilities for most of them. I think we may want to use some of these tools in FLARE-VM as well and we don't have a Forensic category at the moment (and I think it doesn't make sense for FLARE-VM). @vm-packages opinions?

All of the tools are part of the ZimmermanTools suite, which are dedicated forensic tools, so it makes sense for them to be in the Forensic category (which exists; yara is part of it).

I don't think it should be included in FLARE-VM or COMMANDO-VM by default but it still needs to be in VM-Packages, as you can create your custom VM with the config.xml.

naacbin (Collaborator, Author) commented Dec 12, 2023

When all packages are merged to main, I will share my custom ansible script to build my VMs (hopefully before Christmas ^^)

Ana06 (Member) commented Dec 13, 2023

@naacbin

> which exists; yara is part of it

you are right, we already have the Forensic folder in FLARE-VM.

> I don't think it should be included in FLARE-VM or COMMANDO-VM by default but it still needs to be in VM-Packages, as you can create your custom VM with the config.xml.

But if people think these are important/useful tools we should add them in order to provide a good default set of tools. JFYI, the default config file in FLARE-VM is what the FLARE team uses for its internal builds, the set of tools that we think a reverse engineer needs to do their job efficiently. 😉

@Ana06 Ana06 requested a review from a team December 13, 2023 06:29
naacbin (Collaborator, Author) commented Dec 15, 2023

3 tools could be of interest to Flare-VM:

  • bstrings -> strings with regex
  • EZViewer -> Application to open office documents (xlsx, docx, etc.)
  • Registry Explorer -> Better explorer of the registry (without editing option)

Ana06 (Member) left a review comment

I have the feeling some of the tools in this PR could be in a more concrete category than Forensic. @vm-packages opinions?

@mandiant/flare-vm opinions on adding any of these tools to the default FLARE-VM config?

Review comments (resolved) on:

  • packages/amcacheparser.vm/amcacheparser.vm.nuspec
  • packages/hasher.vm/hasher.vm.nuspec
  • packages/bstrings.vm/tools/chocolateyinstall.ps1
  • packages/ezviewer.vm/tools/chocolateyinstall.ps1
  • packages/hasher.vm/tools/chocolateyuninstall.ps1
emtuls (Member) commented Dec 18, 2023

Looking at the 3 tools suggested as potential for Flare-VM, these are my thoughts:

  • bstrings - I'm indifferent on this. Possibly useful, but I don't personally think I'd use it.
  • EZViewer - This looks potentially useful for document analysis, though I don't do enough document analysis to be able to determine how well it might handle actual malicious docs, like how Didier Stevens' tools work. I'm okay with adding it and possibly to our defaults as well, since it's lightweight and not intrusive.
  • Registry Explorer - I think this is a very useful tool and I am for adding it overall as well as adding to our defaults.

On another note @Ana06, we have an Office category, but no tools added for it. Would changing the category name to something like Documents be better? I think it might encompass more and wouldn't silo it into just "MS Office" things, while still being inclusive of them.

Ana06 (Member) commented Dec 19, 2023

Thanks for the input @emtuls! Apart from EZViewer, we are planning to add some more tools that may go in the Office/Documents category:

  • [New package: onedump.vm #788](https://github.com/mandiant/VM-Packages/issues/788)
  • [New package: xmlmacrodeobfuscator #790](https://github.com/mandiant/VM-Packages/issues/790)
  • [New package: offvis.vm #791](https://github.com/mandiant/VM-Packages/issues/791)

I like the idea to change the Office category to Documents.

Adding @KJaeYoung as he has a lot of malicious document experience. @KJaeYoung do you have a name preference for these kinds of tools (Office vs Documents)? What do you think about adding EZViewer to the default installation of FLARE-VM?

The current categories are: https://github.com/mandiant/VM-Packages/blob/main/categories.txt

@Ana06 Ana06 added the ❔ discussion Further discussion is needed label Dec 19, 2023
@naacbin naacbin mentioned this pull request Dec 20, 2023
KJaeYoung commented

> Thanks for the input @emtuls! Apart from EZViewer, we are planning to add some more tools that may go in the Office/Documents category:
>
> * [New package: onedump.vm #788](https://github.com/mandiant/VM-Packages/issues/788)
> * [New package: xmlmacrodeobfuscator #790](https://github.com/mandiant/VM-Packages/issues/790)
> * [New package: offvis.vm #791](https://github.com/mandiant/VM-Packages/issues/791)
>
> I like the idea to change the Office category to Documents.
>
> Adding @KJaeYoung as he has a lot of malicious document experience. @KJaeYoung do you have a name preference for these kinds of tools (Office vs Documents)? What do you think about adding EZViewer to the default installation of FLARE-VM?
>
> The current categories are: https://github.com/mandiant/VM-Packages/blob/main/categories.txt

All three tools going into the Office category seems fine to me. I have not used EZViewer before. I will give it a shot and evaluate it and get back to you.

@Ana06 Ana06 mentioned this pull request Dec 22, 2023
This was referenced Dec 24, 2023
`flarevm.installer.vm` is not used anymore as FLARE-VM now uses `installer.vm` which is shared with Commando VM.
naacbin (Collaborator, Author) commented Jan 17, 2024

Once #812 is merged, CI/CD needs to be rerun.

emtuls (Member) commented Feb 20, 2024

Following up from #903

A few issues to address which are all just category mismatches:

  1. `bstrings` is listed as `Utilities` in the `chocolateyinstall` and `Forensic` in `chocolateyuninstall`.
  2. `EZViewer` is listed as `Office` in the `chocolateyinstall` and `Forensic` in `chocolateyuninstall`.
  3. `Hasher` is listed as `Forensic` in the `chocolateyinstall` and `Utilities` in `chocolateyuninstall`.

I'm indifferent on which category bstrings should be in. I was looking to try to minimize throwing everything into Utilities if we can help it, but bstrings also doesn't seem to fit well in other categories (at the moment), other than possibly Forensic, so I'd be okay with it being in either.

As far as ones that fall into Office, if we're suggesting changing the category from Office to Documents (which I think is better), then those would likely need to be changed.

RegistryExplorer can now fall into the Registry category instead of Forensic.

naacbin (Collaborator, Author) commented Feb 20, 2024

> Following up from #903
>
> A few issues to address which are all just category mismatches:
>
> 1. `bstrings` is listed as `Utilities` in the `chocolateyinstall` and `Forensic` in `chocolateyuninstall`.
> 2. `EZViewer` is listed as `Office` in the `chocolateyinstall` and `Forensic` in `chocolateyuninstall`.
> 3. `Hasher` is listed as `Forensic` in the `chocolateyinstall` and `Utilities` in `chocolateyuninstall`.
>
> I'm indifferent on which category bstrings should be in. I was looking to try to minimize throwing everything into Utilities if we can help it, but bstrings also doesn't seem to fit well in other categories (at the moment), other than possibly Forensic, so I'd be okay with it being in either.
>
> As far as ones that fall into Office, if we're suggesting changing the category from Office to Documents (which I think is better), then those would likely need to be changed.
>
> RegistryExplorer can now fall into the Registry category instead of Forensic.

I fixed the category mismatches. However, as I think this PR can be merged before #903, I didn't change the categories of EZViewer, Hasher and RegistryExplorer. I will do it in your PR directly. If that's not the case I'll modify this one.

  • EZViewer -> Documents
  • Hasher -> File Information
  • RegistryExplorer -> Registry
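
The install/uninstall category mismatches emtuls found above were caught by eye; the check below, an added example that is not VM-Packages' own tooling, automates it for a whole package tree. It assumes each `chocolateyinstall.ps1` and `chocolateyuninstall.ps1` declares `$category = 'Name'` and that `categories.txt` lists one allowed category per line; the sample scripts and category list are constructed to reproduce the three mismatches from the review.

```python
# Added example (not VM-Packages code): flag packages whose chocolateyinstall.ps1
# and chocolateyuninstall.ps1 disagree on $category, or use a category that is
# not in categories.txt. Assumes each script declares  $category = 'Name'.
import re
from pathlib import Path

CATEGORY_RE = re.compile(r"^\s*\$category\s*=\s*['\"]([^'\"]+)['\"]", re.MULTILINE)

def extract_category(script_text):
    """Category string declared in a chocolatey script, or None if absent."""
    m = CATEGORY_RE.search(script_text)
    return m.group(1).strip() if m else None

def check_packages(scripts, allowed):
    """scripts: {'packages/<pkg>/tools/<script>.ps1': text}; allowed: set of
    category names. Returns sorted [(package, problem), ...]."""
    by_pkg = {}
    for path, text in scripts.items():
        parts = Path(path).parts  # ('packages', 'x.vm', 'tools', 'chocolateyinstall.ps1')
        if len(parts) >= 4 and parts[0] == "packages":
            by_pkg.setdefault(parts[1], {})[parts[-1]] = extract_category(text)
    problems = []
    for pkg, cats in sorted(by_pkg.items()):
        inst, uninst = cats.get("chocolateyinstall.ps1"), cats.get("chocolateyuninstall.ps1")
        if inst is None or uninst is None:
            problems.append((pkg, "missing $category in install or uninstall script"))
            continue
        if inst != uninst:
            problems.append((pkg, f"install says '{inst}', uninstall says '{uninst}'"))
        for c in sorted({inst, uninst} - allowed):
            problems.append((pkg, f"unknown category '{c}' (not in categories.txt)"))
    return problems

# Constructed sample tree reproducing the three mismatches noted in the review.
SAMPLE_CATEGORIES = {"Utilities", "Forensic", "Office", "Registry", "File Information"}
SAMPLE_SCRIPTS = {
    "packages/bstrings.vm/tools/chocolateyinstall.ps1": "$toolName = 'bstrings'\n$category = 'Utilities'\n",
    "packages/bstrings.vm/tools/chocolateyuninstall.ps1": "$toolName = 'bstrings'\n$category = 'Forensic'\n",
    "packages/ezviewer.vm/tools/chocolateyinstall.ps1": '$category = "Office"\n',
    "packages/ezviewer.vm/tools/chocolateyuninstall.ps1": "$category = 'Forensic'\n",
    "packages/hasher.vm/tools/chocolateyinstall.ps1": "$category = 'Forensic'\n",
    "packages/hasher.vm/tools/chocolateyuninstall.ps1": "$category = 'Utilities'\n",
    "packages/registryexplorer.vm/tools/chocolateyinstall.ps1": "$category = 'Registry'\n",
    "packages/registryexplorer.vm/tools/chocolateyuninstall.ps1": "$category = 'Registry'\n",
}

if __name__ == "__main__":
    for pkg, problem in check_packages(SAMPLE_SCRIPTS, SAMPLE_CATEGORIES):
        print(f"{pkg}: {problem}")
```

Against a real checkout, replace `SAMPLE_SCRIPTS` with the contents of `packages/*/tools/chocolatey*.ps1` and `SAMPLE_CATEGORIES` with the lines of `categories.txt`; a non-empty result is a good reason to fail CI.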

emtuls (Member) commented Feb 20, 2024

If this one gets merged first, I can modify them to #903, so no worries. 🙂

Thank you for pushing through with this one!

Ana06 (Member) commented Feb 20, 2024

@mandiant/vms any objection on merging this PR and addressing categories discussions/changes in #903 afterwards?

Ana06 (Member) commented Feb 21, 2024

I think it is time to get this in, thanks for all the work @naacbin 🚀

@Ana06 Ana06 merged commit 40cdc47 into mandiant:main Feb 21, 2024
4 checks passed