Seatbelt

AMSIProviders

Providers registered for AMSI

AntiVirus

Registered antivirus (via WMI)

AppLocker

AppLocker settings, if installed

ARPTable

Lists the current ARP table and adapter information(equivalent to arp -a)

AuditPolicies

Enumerates classic and advanced audit policy settings

AuditPolicyRegistry

Audit settings via the registry

AutoRuns

Auto run executables/scripts/programs

Certificates

User and machine personal certificate files

CertificateThumbprints

Thumbprints for all certificate store certs on the system

CredGuard

CredentialGuard configuration

DNSCache

DNS cache entries (via WMI)

DotNet

DotNet versions

EnvironmentPath

Current environment %PATH$ folders and SDDL information

EnvironmentVariables

Current user environment variables

Hotfixes

Installed hotfixes (via WMI)

InterestingProcesses

"Interesting" processes - defensive products and admin tools

InternetSettings

Internet settings including proxy configs

LAPS

LAPS settings, if installed

LastShutdown

Returns the DateTime of the last system shutdown (via the registry)

LocalGPOs

Local Group Policy settings applied to the machine/local users

LocalGroups

Non-empty local groups, "full" displays all groups (argument == computername to enumerate)

LocalUsers

Local users, whether they're active/disabled, and pwd last set (argument == computername to enumerate)

LogonSessions

Logon events (Event ID 4624) from the security event log. Default of 10 days, argument == last X days.

LSASettings

LSA settings (including auth packages)

McAfeeConfigs

Finds McAfee configuration files

NamedPipes

Named pipe names and any readable ACL information

NetworkProfiles

Windows network profiles

NetworkShares

Network shares exposed by the machine (via WMI)

NTLMSettings

NTLM authentication settings

OptionalFeatures

TODO

OSInfo

Basic OS info (i.e. architecture, OS version, etc.)

PoweredOnEvents

Reboot and sleep schedule based on the System event log EIDs 1, 12, 13, 42, and 6008. Default of 7 days, argument == last X days.

PowerShell

PowerShell versions and security settings

Processes

Running processes with file info company names that don't contain 'Microsoft', "full" enumerates all processes

PSSessionSettings

Enumerates PS Session Settings from the registry

RDPSessions

Current incoming RDP sessions (argument == computername to enumerate)

RDPsettings

Remote Desktop Server/Client Settings

SCCM

System Center Configuration Manager (SCCM) settings, if applicable

Services

Services with file info company names that don't contain 'Microsoft', "full" dumps all processes

Sysmon

Sysmon configuration from the registry

TcpConnections

Current TCP connections and their associated processes and services

TokenPrivileges

Currently enabled token privileges (e.g. SeDebugPrivilege/etc.)

UAC

UAC system policies via the registry

UdpConnections

Current UDP connections and associated processes and services

UserRightAssignments

Configured User Right Assignments (e.g. SeDenyNetworkLogonRight, SeShutdownPrivilege, etc.) argument == computername to enumerate

WifiProfile

TODO

WindowsAutoLogon

Registry autologon information

WindowsDefender

Windows Defender settings (including exclusion locations)

WindowsEventForwarding

Windows Event Forwarding (WEF) settings via the registry

WindowsFirewall

Non-standard firewall rules, "full" dumps all (arguments == allow/deny/tcp/udp/in/out/domain/private/public)

WMIEventConsumer

Lists WMI Event Consumers

WMIEventFilter

Lists WMI Event Filters

WMIFilterBinding

Lists WMI Filter to Consumer Bindings

WSUS

Windows Server Update Services (WSUS) settings, if applicable

Certificates

User and machine personal certificate files

CertificateThumbprints

Thumbprints for all certificate store certs on the system

ChromiumPresence

Checks if interesting Chrome/Edge/Brave/Opera files exist

CloudCredentials

AWS/Google/Azure cloud credential files

CloudSyncProviders

TODO

CredEnum

Enumerates the current user's saved credentials using CredEnumerate()

dir

Lists files/folders. By default, lists users' downloads, documents, and desktop folders (arguments == <directory> <depth> <regex>

DpapiMasterKeys

List DPAPI master keys

Dsregcmd

TODO

ExplorerMRUs

Explorer most recently used files (last 7 days, argument == last X days)

ExplorerRunCommands

Recent Explorer "run" commands

FileZilla

FileZilla configuration files

FirefoxPresence

Checks if interesting Firefox files exist

IdleTime

Returns the number of seconds since the current user's last input.

IEFavorites

Internet Explorer favorites

IETabs

Open Internet Explorer tabs

IEUrls

Internet Explorer typed URLs (last 7 days, argument == last X days)

KeePass

TODO

MappedDrives

Users' mapped drives (via WMI)

OfficeMRUs

Office most recently used file list (last 7 days)

OneNote

TODO

OracleSQLDeveloper

TODO

PowerShellHistory

Iterates through every local user and attempts to read their PowerShell console history if successful will print it

PuttyHostKeys

Saved Putty SSH host keys

PuttySessions

Saved Putty configuration (interesting fields) and SSH host keys

RDCManFiles

Windows Remote Desktop Connection Manager settings files

RDPSavedConnections

Saved RDP connections stored in the registry

SecPackageCreds

Obtains credentials from security packages

SlackDownloads

Parses any found 'slack-downloads' files

SlackPresence

Checks if interesting Slack files exist

SlackWorkspaces

Parses any found 'slack-workspaces' files

SuperPutty

SuperPutty configuration files

TokenGroups

The current token's local and domain groups

WindowsCredentialFiles

Windows credential DPAPI blobs

WindowsVault

Credentials saved in the Windows Vault (i.e. logins from Internet Explorer and Edge).

ChromiumBookmarks

Parses any found Chrome/Edge/Brave/Opera bookmark files

ChromiumHistory

Parses any found Chrome/Edge/Brave/Opera history files

ExplicitLogonEvents

Explicit Logon events (Event ID 4648) from the security event log. Default of 7 days, argument == last X days.

FileInfo

Information about a file (version information, timestamps, basic PE info, etc. argument(s) == file path(s)

FirefoxHistory

Parses any found FireFox history files

InstalledProducts

Installed products via the registry

InterestingFiles

"Interesting" files matching various patterns in the user's folder. Note: takes non-trivial time.

LogonEvents

Logon events (Event ID 4624) from the security event log. Default of 10 days, argument == last X days.

LOLBAS

Locates Living Off The Land Binaries and Scripts (LOLBAS) on the system. Note: takes non-trivial time.

McAfeeSiteList

Decrypt any found McAfee SiteList.xml configuration files.

MicrosoftUpdates

All Microsoft updates (via COM)

OutlookDownloads

List files downloaded by Outlook

PowerShellEvents

PowerShell script block logs (4104) with sensitive data.

Printers

Installed Printers (via WMI)

ProcessCreationEvents

Process creation logs (4688) with sensitive data.

ProcessOwners

Running non-session 0 process list with owners. For remote use.

RecycleBin

Items in the Recycle Bin deleted in the last 30 days - only works from a user context!

reg

Registry key values (HKLM\Software by default) argument == [Path] [intDepth] [Regex] [boolIgnoreErrors]

RPCMappedEndpoints

Current RPC endpoints mapped

ScheduledTasks

Scheduled tasks (via WMI) that aren't authored by 'Microsoft', "full" dumps all Scheduled tasks

SearchIndex

Query results from the Windows Search Index, default term of 'passsword'. (argument(s) == <search path> <pattern1,pattern2,...>

SecurityPackages

Enumerates the security packages currently available using EnumerateSecurityPackagesA()

SysmonEvents

Sysmon process creation logs (1) with sensitive data.

Slack

Runs modules that start with "Slack*"

Chromium

Runs modules that start with "Chromium*"

Remote

Runs the following modules (for use against a remote system): AMSIProviders, AntiVirus, AuditPolicyRegistry, ChromiumPresence, CloudCredentials, DNSCache, DotNet, DpapiMasterKeys, EnvironmentVariables, ExplicitLogonEvents, ExplorerRunCommands, FileZilla, Hotfixes, InterestingProcesses, KeePass, LastShutdown, LocalGroups, LocalUsers, LogonEvents, LogonSessions, LSASettings, MappedDrives, NetworkProfiles, NetworkShares, NTLMSettings, OptionalFeatures, OSInfo, PoweredOnEvents, PowerShell, ProcessOwners, PSSessionSettings, PuttyHostKeys, PuttySessions, RDPSavedConnections, RDPSessions, RDPsettings, Sysmon, WindowsDefender, WindowsEventForwarding, WindowsFirewall