Description
Seatbelt is a C# project that performs a number of security oriented host-survey “safety checks” relevant from both offensive and defensive security perspectives.
| Platform | Windows |
| Author | @harmj0y and @tifkin_ are the primary authors |
| License | 3-Clause BSD |
| URL | https://github.com/GhostPack/Seatbelt |
Usage
[Seatbelt ASCII-art banner: Seatbelt v1.0.0]
Available commands (+ means remote usage is supported):
+ AMSIProviders - Providers registered for AMSI
+ AntiVirus - Registered antivirus (via WMI)
AppLocker - AppLocker settings, if installed
ARPTable - Lists the current ARP table and adapter information (equivalent to arp -a)
AuditPolicies - Enumerates classic and advanced audit policy settings
+ AuditPolicyRegistry - Audit settings via the registry
+ AutoRuns - Auto run executables/scripts/programs
ChromeBookmarks - Parses any found Chrome bookmark files
ChromeHistory - Parses any found Chrome history files
ChromePresence - Checks if interesting Google Chrome files exist
CloudCredentials - AWS/Google/Azure cloud credential files
CredEnum - Enumerates the current user's saved credentials using CredEnumerate()
CredGuard - CredentialGuard configuration
dir - Lists files/folders. By default, lists users' downloads, documents, and desktop folders (arguments == [directory] [depth] [regex] [boolIgnoreErrors])
+ DNSCache - DNS cache entries (via WMI)
+ DotNet - DotNet versions
DpapiMasterKeys - List DPAPI master keys
EnvironmentPath - Current environment %PATH% folders and SDDL information
EnvironmentVariables - Current user environment variables
ExplicitLogonEvents - Explicit Logon events (Event ID 4648) from the security event log. Default of 7 days, argument == last X days.
ExplorerMRUs - Explorer most recently used files (last 7 days, argument == last X days)
+ ExplorerRunCommands - Recent Explorer "run" commands
FileInfo - Information about a file (version information, timestamps, basic PE info, etc.; argument(s) == file path(s))
FirefoxHistory - Parses any found FireFox history files
FirefoxPresence - Checks if interesting Firefox files exist
+ Hotfixes - Installed hotfixes (via WMI)
IdleTime - Returns the number of seconds since the current user's last input.
IEFavorites - Internet Explorer favorites
IETabs - Open Internet Explorer tabs
IEUrls - Internet Explorer typed URLs (last 7 days, argument == last X days)
InstalledProducts - Installed products via the registry
InterestingFiles - "Interesting" files matching various patterns in the user's folder. Note: takes non-trivial time.
+ InterestingProcesses - "Interesting" processes - defensive products and admin tools
InternetSettings - Internet settings including proxy configs and zones configuration
+ LAPS - LAPS settings, if installed
+ LastShutdown - Returns the DateTime of the last system shutdown (via the registry).
LocalGPOs - Local Group Policy settings applied to the machine/local users
+ LocalGroups - Non-empty local groups, "-full" displays all groups (argument == computername to enumerate)
+ LocalUsers - Local users, whether they're active/disabled, and pwd last set (argument == computername to enumerate)
LogonEvents - Logon events (Event ID 4624) from the security event log. Default of 10 days, argument == last X days.
+ LogonSessions - Windows logon sessions
+ LSASettings - LSA settings (including auth packages)
+ MappedDrives - Users' mapped drives (via WMI)
MicrosoftUpdates - All Microsoft updates.
NamedPipes - Named pipe names and any readable ACL information.
+ NetworkProfiles - Windows network profiles
+ NetworkShares - Network shares exposed by the machine (via WMI)
+ NTLMSettings - NTLM authentication settings
OfficeMRUs - Office most recently used file list (last 7 days)
OSInfo - Basic OS info (i.e. architecture, OS version, etc.)
OutlookDownloads - List files downloaded by Outlook
PoweredOnEvents - Reboot and sleep schedule based on the System event log EIDs 1, 12, 13, 42, and 6008. Default of 7 days, argument == last X days.
+ PowerShell - PowerShell versions and security settings
PowerShellEvents - PowerShell script block logs (4104) with sensitive data.
Printers - Installed Printers (via WMI)
ProcessCreationEvents - Process creation logs (4688) with sensitive data.
Processes - Running processes with file info company names that don't contain 'Microsoft', "-full" enumerates all processes
+ ProcessOwners - Running non-session 0 process list with owners. For remote use.
+ PSSessionSettings - Enumerates PS Session Settings from the registry
+ PuttyHostKeys - Saved Putty SSH host keys
+ PuttySessions - Saved Putty configuration (interesting fields) and SSH host keys
RDCManFiles - Windows Remote Desktop Connection Manager settings files
+ RDPSavedConnections - Saved RDP connections stored in the registry
+ RDPSessions - Current incoming RDP sessions (argument == computername to enumerate)
RecycleBin - Items in the Recycle Bin deleted in the last 30 days - only works from a user context!
reg - Registry key values (HKLM\Software by default) argument == [Path] [intDepth] [Regex] [boolIgnoreErrors]
RPCMappedEndpoints - Current RPC endpoints mapped
+ SCCM - System Center Configuration Manager (SCCM) settings, if applicable
+ ScheduledTasks - Scheduled tasks (via WMI) that aren't authored by 'Microsoft', "-full" dumps all Scheduled tasks
SearchIndex - Query results from the Windows Search Index, default term of 'password'. (argument(s) == <search path> <pattern1,pattern2,...>)
SecurityPackages - Enumerates the security packages currently available using EnumerateSecurityPackagesA()
Services - Services with file info company names that don't contain 'Microsoft', "-full" dumps all services
SlackDownloads - Parses any found 'slack-downloads' files
SlackPresence - Checks if interesting Slack files exist
SlackWorkspaces - Parses any found 'slack-workspaces' files
+ Sysmon - Sysmon configuration from the registry
SysmonEvents - Sysmon process creation logs (1) with sensitive data.
TcpConnections - Current TCP connections and their associated processes and services
TokenGroups - The current token's local and domain groups
TokenPrivileges - Currently enabled token privileges (e.g. SeDebugPrivilege/etc.)
+ UAC - UAC system policies via the registry
UdpConnections - Current UDP connections and associated processes and services
UserRightAssignments - Configured User Right Assignments (e.g. SeDenyNetworkLogonRight, SeShutdownPrivilege, etc.) argument == computername to enumerate
+ WindowsAutoLogon - Registry autologon information
WindowsCredentialFiles - Windows credential DPAPI blobs
+ WindowsDefender - Windows Defender settings (including exclusion locations)
+ WindowsEventForwarding - Windows Event Forwarding (WEF) settings via the registry
+ WindowsFirewall - Non-standard firewall rules, "-full" dumps all (arguments == allow/deny/tcp/udp/in/out/domain/private/public)
WindowsVault - Credentials saved in the Windows Vault (i.e. logins from Internet Explorer and Edge).
WMIEventConsumer - Lists WMI Event Consumers
WMIEventFilter - Lists WMI Event Filters
WMIFilterBinding - Lists WMI Filter to Consumer Bindings
+ WSUS - Windows Server Update Services (WSUS) settings, if applicable
Seatbelt has the following command groups: All, User, System, Slack, Chrome, Remote, Misc
You can invoke command groups with "Seatbelt.exe <group>"
"Seatbelt.exe -group=all" runs all commands
"Seatbelt.exe -group=user" runs the following commands:
ChromePresence, CloudCredentials, CredEnum, dir, DpapiMasterKeys,
ExplorerMRUs, ExplorerRunCommands, FirefoxPresence, IdleTime,
IEFavorites, IETabs, IEUrls, MappedDrives,
OfficeMRUs, PuttyHostKeys, PuttySessions, RDCManFiles,
RDPSavedConnections, SlackDownloads, SlackPresence, SlackWorkspaces,
TokenGroups, WindowsCredentialFiles, WindowsVault
"Seatbelt.exe -group=system" runs the following commands:
AMSIProviders, AntiVirus, AppLocker, ARPTable, AuditPolicies,
AuditPolicyRegistry, AutoRuns, CredGuard, DNSCache,
DotNet, EnvironmentPath, EnvironmentVariables, Hotfixes,
InterestingProcesses, InternetSettings, LAPS, LastShutdown,
LocalGPOs, LocalGroups, LocalUsers, LogonSessions,
LSASettings, NamedPipes, NetworkProfiles, NetworkShares,
NTLMSettings, OSInfo, PoweredOnEvents, PowerShell,
Printers, Processes, PSSessionSettings, RDPSessions,
SCCM, Services, Sysmon, TcpConnections,
TokenPrivileges, UAC, UdpConnections, UserRightAssignments,
WindowsAutoLogon, WindowsDefender, WindowsEventForwarding, WindowsFirewall,
WMIEventConsumer, WMIEventFilter, WMIFilterBinding, WSUS
"Seatbelt.exe -group=slack" runs the following commands:
SlackDownloads, SlackPresence, SlackWorkspaces
"Seatbelt.exe -group=chrome" runs the following commands:
ChromeBookmarks, ChromeHistory, ChromePresence
"Seatbelt.exe -group=remote" runs the following commands:
AMSIProviders, AntiVirus, DotNet, ExplorerRunCommands, Hotfixes,
InterestingProcesses, LastShutdown, LogonSessions, LSASettings,
MappedDrives, NetworkProfiles, NetworkShares, NTLMSettings,
PowerShell, ProcessOwners, PuttyHostKeys, PuttySessions,
RDPSavedConnections, RDPSessions, Sysmon, WindowsDefender,
WindowsEventForwarding, WindowsFirewall
"Seatbelt.exe -group=misc" runs the following commands:
ChromeBookmarks, ChromeHistory, ExplicitLogonEvents, FileInfo, FirefoxHistory,
InstalledProducts, InterestingFiles, LogonEvents, MicrosoftUpdates,
OutlookDownloads, PowerShellEvents, ProcessCreationEvents, ProcessOwners,
RecycleBin, reg, RPCMappedEndpoints, ScheduledTasks,
SearchIndex, SecurityPackages, SysmonEvents
Examples
seatbelt -q AntiVirus
This lists the antivirus products registered with Windows Security Center, queried via WMI. Note that the Security Center WMI namespace is absent on Windows Server SKUs, so this command returns nothing there even when an AV product is installed.
C:\Tools>seatbelt -q AntiVirus
====== AntiVirus ======
Engine : Windows Defender
ProductEXE : windowsdefender://
ReportingEXE : %ProgramFiles%\Windows Defender\MsMpeng.exe
seatbelt -q InstalledProducts
This enumerates installed software from the registry (the Uninstall keys), not from WMI. An InstallDate of 1/1/0001 12:00:00 AM means the Uninstall key carried no usable InstallDate value, not that the product was installed on that date.
C:\Tools>seatbelt -q InstalledProducts
====== InstalledProducts ======
DisplayName : BleachBit 4.4.2.2142
DisplayVersion : 4.4.2.2142
Publisher : BleachBit
InstallDate : 1/13/2022 12:00:00 AM
Architecture : x86
DisplayName : Google Chrome
DisplayVersion : 99.0.4844.74
Publisher : Google LLC
InstallDate : 3/15/2022 12:00:00 AM
Architecture : x86
DisplayName : Icecast v2.0.0
DisplayVersion :
Publisher :
InstallDate : 1/1/0001 12:00:00 AM
Architecture : x86
DisplayName : Microsoft Edge
DisplayVersion : 99.0.1150.39
Publisher : Microsoft Corporation
InstallDate : 3/14/2022 12:00:00 AM
Architecture : x86
DisplayName : Microsoft Edge Update
DisplayVersion : 1.3.155.85
Publisher :
InstallDate : 1/1/0001 12:00:00 AM
Architecture : x86
DisplayName : Npcap
DisplayVersion : 1.10
Publisher : Nmap Project
InstallDate : 1/1/0001 12:00:00 AM
Architecture : x86
DisplayName : Wireshark 3.4.4 64-bit
DisplayVersion : 3.4.4
Publisher : The Wireshark developer community, https://www.wireshark.org
InstallDate : 1/1/0001 12:00:00 AM
Architecture : x86
DisplayName : Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501
DisplayVersion : 12.0.30501.0
Publisher : Microsoft Corporation
InstallDate : 1/1/0001 12:00:00 AM
Architecture : x86
...
DisplayName : Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.28.29910
DisplayVersion : 14.28.29910
Publisher : Microsoft Corporation
InstallDate : 4/8/2021 12:00:00 AM
Architecture : x64
DisplayName : Java(TM) SE Development Kit 15 (64-bit)
DisplayVersion : 15.0.0.0
Publisher : Oracle Corporation
InstallDate : 9/26/2020 12:00:00 AM
Architecture : x64
seatbelt.exe -q <command> -computername=x.x.x.x -username=<domain>\<user> -password=<password>
This runs a command against a remote host with the supplied credentials. Only the commands marked with + in the list above support remote use; they collect through WMI and remote registry access, so the target must allow that RPC/DCOM traffic and the account must have the corresponding rights on it.
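Seatbelt's text output, as in the AntiVirus and InstalledProducts blocks above, is a sequence of "====== Command ======" headers followed by "Key : Value" lines, and when it is collected from many hosts it has to be processed rather than read. The Python parser below is an added example written for this page, not code from the Seatbelt project: it turns that output into per-command records and runs a few checks over them (InstalledProducts entries with no Publisher or with the 1/1/0001 sentinel InstallDate, a count per architecture, and a regex over product names). The sample input is constructed from the output shown above with the "..." truncation marker kept in place; the header and field patterns, and the assumption that a blank line or a repeated field name separates records, are my own.

```python
"""Parse Seatbelt text output into records (added example, not Seatbelt's own code)."""
import re
from collections import Counter

# Section header, e.g. "====== AntiVirus ======"
SECTION_RE = re.compile(r"^=+\s*(\w+)\s*=+\s*$")
# "Key : Value". The key never contains a colon, so the value may (URLs, paths,
# "windowsdefender://"); padding between key and colon, as in real Seatbelt
# output, is tolerated.
FIELD_RE = re.compile(r"^\s*([^:\s][^:]*?)\s*:\s?(.*?)\s*$")
# .NET DateTime.MinValue as Seatbelt prints it when the Uninstall key has no
# usable InstallDate (assumption about the format: en-US short date).
UNSET_DATE = "1/1/0001 12:00:00 AM"

# Constructed sample: the AntiVirus block and a subset of the InstalledProducts
# block shown on this page, including the "..." truncation line.
SAMPLE = """\
====== AntiVirus ======
Engine : Windows Defender
ProductEXE : windowsdefender://
ReportingEXE : %ProgramFiles%\\Windows Defender\\MsMpeng.exe
====== InstalledProducts ======
DisplayName : Google Chrome
DisplayVersion : 99.0.4844.74
Publisher : Google LLC
InstallDate : 3/15/2022 12:00:00 AM
Architecture : x86
DisplayName : Npcap
DisplayVersion : 1.10
Publisher : Nmap Project
InstallDate : 1/1/0001 12:00:00 AM
Architecture : x86
DisplayName : Wireshark 3.4.4 64-bit
DisplayVersion : 3.4.4
Publisher : The Wireshark developer community, https://www.wireshark.org
InstallDate : 1/1/0001 12:00:00 AM
Architecture : x86
DisplayName : Microsoft Edge Update
DisplayVersion : 1.3.155.85
Publisher :
InstallDate : 1/1/0001 12:00:00 AM
Architecture : x86
...
DisplayName : Java(TM) SE Development Kit 15 (64-bit)
DisplayVersion : 15.0.0.0
Publisher : Oracle Corporation
InstallDate : 9/26/2020 12:00:00 AM
Architecture : x64
"""


def parse_seatbelt(text):
    """Return {command: [record, ...]} with each record a {field: value} dict.

    A record closes on a blank line or when a field name repeats, so Seatbelt's
    padded output and the unindented copy on this page parse the same way.
    Lines that are neither a header nor a field (such as "...") are skipped.
    """
    sections = {}
    command, record = None, {}

    def flush():
        nonlocal record
        if command is not None and record:
            sections.setdefault(command, []).append(record)
        record = {}

    for raw in text.splitlines():
        line = raw.rstrip()
        header = SECTION_RE.match(line)
        if header:
            flush()
            command = header.group(1)
            sections.setdefault(command, [])
            continue
        if not line.strip():
            flush()
            continue
        field = FIELD_RE.match(line)
        if not field or command is None:
            continue
        key, value = field.group(1), field.group(2)
        if key in record:  # same field again: a new record has started
            flush()
        record[key] = value
    flush()
    return sections


def unattributed_products(sections):
    """Names of InstalledProducts entries with no Publisher or no real InstallDate:
    the rows to verify by hand rather than treat as installation evidence."""
    return [
        r.get("DisplayName", "")
        for r in sections.get("InstalledProducts", [])
        if not r.get("Publisher") or r.get("InstallDate", "").startswith(UNSET_DATE)
    ]


def architecture_counts(sections):
    """Counter of Architecture values over InstalledProducts."""
    return Counter(r.get("Architecture", "?") for r in sections.get("InstalledProducts", []))


def find_products(sections, pattern):
    """InstalledProducts records whose DisplayName matches a case-insensitive regex,
    e.g. r"wireshark|npcap" to spot packet-capture tooling on a host."""
    rx = re.compile(pattern, re.I)
    return [r for r in sections.get("InstalledProducts", []) if rx.search(r.get("DisplayName", ""))]


if __name__ == "__main__":
    parsed = parse_seatbelt(SAMPLE)
    print("AV engine:", parsed["AntiVirus"][0]["Engine"])
    print("verify by hand:", unattributed_products(parsed))
    print("architectures:", dict(architecture_counts(parsed)))
    print("capture tooling:", [r["DisplayName"] for r in find_products(parsed, r"wireshark|npcap")])
```

Feed it one host's full capture at a time; if several hosts are concatenated into one file, insert a marker line of your own between them first, since Seatbelt's output carries no hostname. Fields beyond the ones checked here (for example ProductEXE or ReportingEXE from the AntiVirus block) are kept as-is in each record, so the same parse can drive whatever other comparison is needed.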
Blog Posts