forensicnomicon-cli 0.1.2

4n6query — DFIR lookup tool: query LOL/LOFL binaries, abusable sites, and 6,548 forensic artifacts from the command line
# Manifest for the package that builds and ships the `4n6query` command-line
# binary (see `default-run` and the `[[bin]]` table).
[package]
name = "forensicnomicon-cli"
version = "0.1.2"
# Inherited from the workspace root manifest, which is not part of this file.
edition.workspace = true
# Oldest Rust toolchain this package declares support for.
rust-version = "1.75"
authors = ["Albert Hui <albert@securityronin.com>"]
description = "4n6query — DFIR lookup tool: query LOL/LOFL binaries, abusable sites, and 6,548 forensic artifacts from the command line"
license = "Apache-2.0"
repository = "https://github.com/SecurityRonin/forensicnomicon"
homepage = "https://github.com/SecurityRonin/forensicnomicon"
# NOTE(review): this URL names the `forensicnomicon` crate, not
# `forensicnomicon-cli` — confirm that pointing at the library docs is intended.
documentation = "https://docs.rs/forensicnomicon"
# Resolved relative to this manifest, i.e. two directories above the package.
readme = "../../README.md"
keywords = ["dfir", "forensics", "lolbins", "mitre-attack", "soc"]
categories = ["command-line-utilities"]
# `exclude` is a deny-list: paths not matched here can still end up in the
# published crate. Check the output of `cargo package --list` before publishing
# so that no local configuration, build artefact or credential file ships.
exclude = [".github/", "target/", "wix/"]
# The bin name (4n6query) differs from the package name, so cargo-deb cannot
# resolve which binary to build ("no bin target … in default-run packages").
# default-run names it explicitly (sqlite-forensic avoids this only because its
# bin name equals its package name).
default-run = "4n6query"

# The only binary target declared in this manifest. Its name is what
# `default-run` in `[package]` and the cargo-deb asset path refer to.
[[bin]]
name = "4n6query"
path = "src/main.rs"

# Runtime dependencies of the shipped binary.
#
# Entries with `workspace = true` take their version and source from the
# workspace root manifest, which is not visible here. The remaining entries
# ("4", "0.29", …) are caret requirements, so the versions actually compiled
# are whatever Cargo.lock records. Release builds of a binary should use
# `--locked` so they cannot silently resolve to newer, unreviewed versions, and
# the lockfile should be checked for advisories (e.g. with cargo-audit or
# cargo-deny).
[dependencies]
forensicnomicon = { workspace = true, features = ["serde"] }
clap = { version = "4", features = ["derive"] }
serde = { workspace = true }
serde_json = { workspace = true }
# NOTE(review): upstream serde_yaml is archived and its final release is tagged
# as deprecated, so parser fixes are no longer published. The version used is
# set in the workspace root — confirm whether a maintained YAML crate should
# replace it.
serde_yaml = { workspace = true }
# TUI
ratatui = "0.29"
crossterm = "0.28"
# NOTE(review): `toml` and `dirs` sit under the "TUI" heading; presumably they
# serve configuration loading rather than rendering — confirm and regroup.
toml = "0.8"
dirs = "5"

# Used only when building tests, examples and benchmarks; these crates are not
# linked into the released binary. They still execute on developer and CI
# machines, so they belong in the same lockfile/advisory review as the runtime
# dependencies.
[dev-dependencies]
assert_cmd = "2"
predicates = "3"

# ---------------------------------------------------------------------------
# cargo-deb: Debian / Ubuntu / Kali package
# ---------------------------------------------------------------------------
# Metadata read by cargo-deb when it assembles the .deb; cargo itself ignores
# `package.metadata.*` tables.
[package.metadata.deb]
maintainer = "SecurityRonin <security-ronin@users.noreply.github.com>"
section = "utils"
priority = "optional"
extended-description = """\
4n6query is the DFIR query CLI for the forensicnomicon catalog.
Look up any binary (certutil.exe, osascript, curl), abusable domain \
(raw.githubusercontent.com), MITRE technique (T1547.001), or keyword \
(userassist, prefetch) across 6,548 enriched forensic artifacts, \
all six LOL/LOFL datasets (Windows/macOS/Linux), and 54 abusable sites.
Also ships as 4q — the short alias for interactive use."""
# The binary asset MUST start with exactly `target/release/` (no `../../`) so
# cargo-deb recognises it as the Cargo target dir and rewrites it to
# `target/<triple>/release/` under `--target` (cross builds). The `4q` static
# file is not a target-dir path, so it stays member-relative.
#
# Each entry is [source path, path inside the package, file mode]. Both files
# are installed into usr/bin with mode 755 (executable by every user, writable
# by the owner only).
#
# NOTE(review): `../../dist/4q` is copied into the package as-is rather than
# built from this manifest, and what kind of file it is cannot be told from
# here. Whatever is present in dist/ at packaging time is installed as an
# executable on the user's PATH, so the release pipeline should generate it
# from tracked sources or verify it (for example against a recorded checksum)
# before cargo-deb runs — confirm which applies.
assets = [
    ["target/release/4n6query", "usr/bin/4n6query", "755"],
    ["../../dist/4q", "usr/bin/4q", "755"],
]

# Lint levels are inherited from the workspace root manifest (not visible
# here), so this package is built under the same lint policy as the other
# workspace members.
[lints]
workspace = true