Page cover image

Seatbelt

LogoGitHub - GhostPack/Seatbelt: Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.GitHub

Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.

@andrewchiles' HostEnum.ps1 script and @tifkin_'s Get-HostProfile.ps1 provided inspiration for many of the artifacts to collect.

@harmj0y and @tifkin_ are the primary authors of this implementation.

Seatbelt is licensed under the BSD 3-Clause license.

Table of Contents

  • Seatbelt

    • Table of Contents

    • Command Line Usage

    • Command Groups

      • system

      • user

      • misc

      • Additional Command Groups

    • Command Arguments

    • Output

    • Remote Enumeration

    • Building Your Own Modules

    • Compile Instructions

    • Acknowledgments

Command Line Usage



                        %&&@@@&&
                        &&&&&&&%%%,                       #&&@@@@@@%%%%%%###############%
                        &%&   %&%%                        &////(((&%%%%%#%################//((((###%%%%%%%%%%%%%%%
%%%%%%%%%%%######%%%#%%####%  &%%**#                      @////(((&%%%%%%######################(((((((((((((((((((
#%#%%%%%%%#######%#%%#######  %&%,,,,,,,,,,,,,,,,         @////(((&%%%%%#%#####################(((((((((((((((((((
#%#%%%%%%#####%%#%#%%#######  %%%,,,,,,  ,,.   ,,         @////(((&%%%%%%%######################(#(((#(#((((((((((
#####%%%####################  &%%......  ...   ..         @////(((&%%%%%%%###############%######((#(#(####((((((((
#######%##########%#########  %%%......  ...   ..         @////(((&%%%%%#########################(#(#######((#####
###%##%%####################  &%%...............          @////(((&%%%%%%%%##############%#######(#########((#####
#####%######################  %%%..                       @////(((&%%%%%%%################
                        &%&   %%%%%      Seatbelt         %////(((&%%%%%%%%#############*
                        &%%&&&%%%%%        v1.2.0         ,(((&%%%%%%%%%%%%%%%%%,
                         #%%%%##,


Available commands (+ means remote usage is supported):

    + AMSIProviders          - Providers registered for AMSI
    + AntiVirus              - Registered antivirus (via WMI)
    + AppLocker              - AppLocker settings, if installed
      ARPTable               - Lists the current ARP table and adapter information (equivalent to arp -a)
      AuditPolicies          - Enumerates classic and advanced audit policy settings
    + AuditPolicyRegistry    - Audit settings via the registry
    + AutoRuns               - Auto run executables/scripts/programs
      Certificates           - Finds user and machine personal certificate files
      CertificateThumbprints - Finds thumbprints for all certificate store certs on the systen
    + ChromiumBookmarks      - Parses any found Chrome/Edge/Brave/Opera bookmark files
    + ChromiumHistory        - Parses any found Chrome/Edge/Brave/Opera history files
    + ChromiumPresence       - Checks if interesting Chrome/Edge/Brave/Opera files exist
    + CloudCredentials       - AWS/Google/Azure/Bluemix cloud credential files
    + CloudSyncProviders     - All configured Office 365 endpoints (tenants and teamsites) which are synchronised by OneDrive.
      CredEnum               - Enumerates the current user's saved credentials using CredEnumerate()
    + CredGuard              - CredentialGuard configuration
      dir                    - Lists files/folders. By default, lists users' downloads, documents, and desktop folders (arguments == [directory] [maxDepth] [regex] [boolIgnoreErrors]
    + DNSCache               - DNS cache entries (via WMI)
    + DotNet                 - DotNet versions
    + DpapiMasterKeys        - List DPAPI master keys
      Dsregcmd               - Return Tenant information - Replacement for Dsregcmd /status
      EnvironmentPath        - Current environment %PATH$ folders and SDDL information
    + EnvironmentVariables   - Current environment variables
    + ExplicitLogonEvents    - Explicit Logon events (Event ID 4648) from the security event log. Default of 7 days, argument == last X days.
      ExplorerMRUs           - Explorer most recently used files (last 7 days, argument == last X days)
    + ExplorerRunCommands    - Recent Explorer "run" commands
      FileInfo               - Information about a file (version information, timestamps, basic PE info, etc. argument(s) == file path(s)
    + FileZilla              - FileZilla configuration files
    + FirefoxHistory         - Parses any found FireFox history files
    + FirefoxPresence        - Checks if interesting Firefox files exist
    + Hotfixes               - Installed hotfixes (via WMI)
      IdleTime               - Returns the number of seconds since the current user's last input.
    + IEFavorites            - Internet Explorer favorites
      IETabs                 - Open Internet Explorer tabs
    + IEUrls                 - Internet Explorer typed URLs (last 7 days, argument == last X days)
    + InstalledProducts      - Installed products via the registry
      InterestingFiles       - "Interesting" files matching various patterns in the user's folder. Note: takes non-trivial time.
    + InterestingProcesses   - "Interesting" processes - defensive products and admin tools
      InternetSettings       - Internet settings including proxy configs and zones configuration
    + KeePass                - Finds KeePass configuration files
    + LAPS                   - LAPS settings, if installed
    + LastShutdown           - Returns the DateTime of the last system shutdown (via the registry).
      LocalGPOs              - Local Group Policy settings applied to the machine/local users
    + LocalGroups            - Non-empty local groups, "-full" displays all groups (argument == computername to enumerate)
    + LocalUsers             - Local users, whether they're active/disabled, and pwd last set (argument == computername to enumerate)
    + LogonEvents            - Logon events (Event ID 4624) from the security event log. Default of 10 days, argument == last X days.
    + LogonSessions          - Windows logon sessions
      LOLBAS                 - Locates Living Off The Land Binaries and Scripts (LOLBAS) on the system. Note: takes non-trivial time.
    + LSASettings            - LSA settings (including auth packages)
    + MappedDrives           - Users' mapped drives (via WMI)
      McAfeeConfigs          - Finds McAfee configuration files
      McAfeeSiteList         - Decrypt any found McAfee SiteList.xml configuration files.
      MicrosoftUpdates       - All Microsoft updates (via COM)
      NamedPipes             - Named pipe names, any readable ACL information and associated process information.
    + NetworkProfiles        - Windows network profiles
    + NetworkShares          - Network shares exposed by the machine (via WMI)
    + NTLMSettings           - NTLM authentication settings
      OfficeMRUs             - Office most recently used file list (last 7 days)
      OneNote                - List OneNote backup files
    + OptionalFeatures       - List Optional Features/Roles (via WMI)
      OracleSQLDeveloper     - Finds Oracle SQLDeveloper connections.xml files
    + OSInfo                 - Basic OS info (i.e. architecture, OS version, etc.)
    + OutlookDownloads       - List files downloaded by Outlook
    + PoweredOnEvents        - Reboot and sleep schedule based on the System event log EIDs 1, 12, 13, 42, and 6008. Default of 7 days, argument == last X days.
    + PowerShell             - PowerShell versions and security settings
    + PowerShellEvents       - PowerShell script block logs (4104) with sensitive data.
    + PowerShellHistory      - Searches PowerShell console history files for sensitive regex matches.
      Printers               - Installed Printers (via WMI)
    + ProcessCreationEvents  - Process creation logs (4688) with sensitive data.
      Processes              - Running processes with file info company names that don't contain 'Microsoft', "-full" enumerates all processes
    + ProcessOwners          - Running non-session 0 process list with owners. For remote use.
    + PSSessionSettings      - Enumerates PS Session Settings from the registry
    + PuttyHostKeys          - Saved Putty SSH host keys
    + PuttySessions          - Saved Putty configuration (interesting fields) and SSH host keys
      RDCManFiles            - Windows Remote Desktop Connection Manager settings files
    + RDPSavedConnections    - Saved RDP connections stored in the registry
    + RDPSessions            - Current incoming RDP sessions (argument == computername to enumerate)
    + RDPsettings            - Remote Desktop Server/Client Settings
      RecycleBin             - Items in the Recycle Bin deleted in the last 30 days - only works from a user context!
      reg                    - Registry key values (HKLM\Software by default) argument == [Path] [intDepth] [Regex] [boolIgnoreErrors]
      RPCMappedEndpoints     - Current RPC endpoints mapped
    + SCCM                   - System Center Configuration Manager (SCCM) settings, if applicable
    + ScheduledTasks         - Scheduled tasks (via WMI) that aren't authored by 'Microsoft', "-full" dumps all Scheduled tasks
      SearchIndex            - Query results from the Windows Search Index, default term of 'passsword'. (argument(s) == <search path> <pattern1,pattern2,...>
      SecPackageCreds        - Obtains credentials from security packages
      SecurityPackages       - Enumerates the security packages currently available using EnumerateSecurityPackagesA()
      Services               - Services with file info company names that don't contain 'Microsoft', "-full" dumps all processes
    + SlackDownloads         - Parses any found 'slack-downloads' files
    + SlackPresence          - Checks if interesting Slack files exist
    + SlackWorkspaces        - Parses any found 'slack-workspaces' files
    + SuperPutty             - SuperPutty configuration files
    + Sysmon                 - Sysmon configuration from the registry
    + SysmonEvents           - Sysmon process creation logs (1) with sensitive data.
      TcpConnections         - Current TCP connections and their associated processes and services
      TokenGroups            - The current token's local and domain groups
      TokenPrivileges        - Currently enabled token privileges (e.g. SeDebugPrivilege/etc.)
    + UAC                    - UAC system policies via the registry
      UdpConnections         - Current UDP connections and associated processes and services
      UserRightAssignments   - Configured User Right Assignments (e.g. SeDenyNetworkLogonRight, SeShutdownPrivilege, etc.) argument == computername to enumerate
      WifiProfile            - Enumerates the saved Wifi profiles and extract the ssid, authentication type, cleartext key/passphrase (when possible)
    + WindowsAutoLogon       - Registry autologon information
      WindowsCredentialFiles - Windows credential DPAPI blobs
    + WindowsDefender        - Windows Defender settings (including exclusion locations)
    + WindowsEventForwarding - Windows Event Forwarding (WEF) settings via the registry
    + WindowsFirewall        - Non-standard firewall rules, "-full" dumps all (arguments == allow/deny/tcp/udp/in/out/domain/private/public)
      WindowsVault           - Credentials saved in the Windows Vault (i.e. logins from Internet Explorer and Edge).
    + WMI                    - Runs a specified WMI query
      WMIEventConsumer       - Lists WMI Event Consumers
      WMIEventFilter         - Lists WMI Event Filters
      WMIFilterBinding       - Lists WMI Filter to Consumer Bindings
    + WSUS                   - Windows Server Update Services (WSUS) settings, if applicable


Seatbelt has the following command groups: All, User, System, Slack, Chromium, Remote, Misc

    You can invoke command groups with         "Seatbelt.exe <group>"


    Or command groups except specific commands "Seatbelt.exe <group> -Command"

   "Seatbelt.exe -group=all" runs all commands

   "Seatbelt.exe -group=user" runs the following commands:

        Certificates, CertificateThumbprints, ChromiumPresence, CloudCredentials, CloudSyncProviders,
        CredEnum, dir, DpapiMasterKeys, Dsregcmd,
        ExplorerMRUs, ExplorerRunCommands, FileZilla, FirefoxPresence,
        IdleTime, IEFavorites, IETabs, IEUrls,
        KeePass, MappedDrives, OfficeMRUs, OneNote,
        OracleSQLDeveloper, PowerShellHistory, PuttyHostKeys, PuttySessions,
        RDCManFiles, RDPSavedConnections, SecPackageCreds, SlackDownloads,
        SlackPresence, SlackWorkspaces, SuperPutty, TokenGroups,
        WindowsCredentialFiles, WindowsVault

   "Seatbelt.exe -group=system" runs the following commands:

        AMSIProviders, AntiVirus, AppLocker, ARPTable, AuditPolicies,
        AuditPolicyRegistry, AutoRuns, Certificates, CertificateThumbprints,
        CredGuard, DNSCache, DotNet, EnvironmentPath,
        EnvironmentVariables, Hotfixes, InterestingProcesses, InternetSettings,
        LAPS, LastShutdown, LocalGPOs, LocalGroups,
        LocalUsers, LogonSessions, LSASettings, McAfeeConfigs,
        NamedPipes, NetworkProfiles, NetworkShares, NTLMSettings,
        OptionalFeatures, OSInfo, PoweredOnEvents, PowerShell,
        Processes, PSSessionSettings, RDPSessions, RDPsettings,
        SCCM, Services, Sysmon, TcpConnections,
        TokenPrivileges, UAC, UdpConnections, UserRightAssignments,
        WifiProfile, WindowsAutoLogon, WindowsDefender, WindowsEventForwarding,
        WindowsFirewall, WMI, WMIEventConsumer, WMIEventFilter,
        WMIFilterBinding, WSUS

   "Seatbelt.exe -group=slack" runs the following commands:

        SlackDownloads, SlackPresence, SlackWorkspaces

   "Seatbelt.exe -group=chromium" runs the following commands:

        ChromiumBookmarks, ChromiumHistory, ChromiumPresence

   "Seatbelt.exe -group=remote" runs the following commands:

        AMSIProviders, AntiVirus, AuditPolicyRegistry, ChromiumPresence, CloudCredentials,
        DNSCache, DotNet, DpapiMasterKeys, EnvironmentVariables,
        ExplicitLogonEvents, ExplorerRunCommands, FileZilla, Hotfixes,
        InterestingProcesses, KeePass, LastShutdown, LocalGroups,
        LocalUsers, LogonEvents, LogonSessions, LSASettings,
        MappedDrives, NetworkProfiles, NetworkShares, NTLMSettings,
        OptionalFeatures, OSInfo, PoweredOnEvents, PowerShell,
        ProcessOwners, PSSessionSettings, PuttyHostKeys, PuttySessions,
        RDPSavedConnections, RDPSessions, RDPsettings, Sysmon,
        WindowsDefender, WindowsEventForwarding, WindowsFirewall

   "Seatbelt.exe -group=misc" runs the following commands:

        ChromiumBookmarks, ChromiumHistory, ExplicitLogonEvents, FileInfo, FirefoxHistory,
        InstalledProducts, InterestingFiles, LogonEvents, LOLBAS,
        McAfeeSiteList, MicrosoftUpdates, OutlookDownloads, PowerShellEvents,
        Printers, ProcessCreationEvents, ProcessOwners, RecycleBin,
        reg, RPCMappedEndpoints, ScheduledTasks, SearchIndex,
        SecurityPackages, SysmonEvents


Examples:
    'Seatbelt.exe <Command> [Command2] ...' will run one or more specified checks only
    'Seatbelt.exe <Command> -full' will return complete results for a command without any filtering.
    'Seatbelt.exe "<Command> [argument]"' will pass an argument to a command that supports it (note the quotes).
    'Seatbelt.exe -group=all' will run ALL enumeration checks, can be combined with "-full".
    'Seatbelt.exe -group=all -AuditPolicies' will run all enumeration checks EXCEPT AuditPolicies, can be combined with "-full".
    'Seatbelt.exe <Command> -computername=COMPUTER.DOMAIN.COM [-username=DOMAIN\USER -password=PASSWORD]' will run an applicable check remotely
    'Seatbelt.exe -group=remote -computername=COMPUTER.DOMAIN.COM [-username=DOMAIN\USER -password=PASSWORD]' will run remote specific checks
    'Seatbelt.exe -group=system -outputfile="C:\Temp\out.txt"' will run system checks and output to a .txt file.
    'Seatbelt.exe -group=user -q -outputfile="C:\Temp\out.json"' will run in quiet mode with user checks and output to a .json file.

Note: searches that target users will run for the current user if not-elevated and for ALL users if elevated.

A more detailed wiki is coming...

Command Groups

Note: many commands do some type of filtering by default. Supplying the -full argument prevents filtering output. Also, the command group all will run all current checks.

For example, the following command will run ALL checks and returns ALL output:

Seatbelt.exe -group=all -full

system

Runs checks that mine interesting data about the system.

Executed with: Seatbelt.exe -group=system

CommandDescription

AMSIProviders

Providers registered for AMSI

AntiVirus

Registered antivirus (via WMI)

AppLocker

AppLocker settings, if installed

ARPTable

Lists the current ARP table and adapter information(equivalent to arp -a)

AuditPolicies

Enumerates classic and advanced audit policy settings

AuditPolicyRegistry

Audit settings via the registry

AutoRuns

Auto run executables/scripts/programs

Certificates

User and machine personal certificate files

CertificateThumbprints

Thumbprints for all certificate store certs on the system

CredGuard

CredentialGuard configuration

DNSCache

DNS cache entries (via WMI)

DotNet

DotNet versions

EnvironmentPath

Current environment %PATH$ folders and SDDL information

EnvironmentVariables

Current user environment variables

Hotfixes

Installed hotfixes (via WMI)

InterestingProcesses

"Interesting" processes - defensive products and admin tools

InternetSettings

Internet settings including proxy configs

LAPS

LAPS settings, if installed

LastShutdown

Returns the DateTime of the last system shutdown (via the registry)

LocalGPOs

Local Group Policy settings applied to the machine/local users

LocalGroups

Non-empty local groups, "full" displays all groups (argument == computername to enumerate)

LocalUsers

Local users, whether they're active/disabled, and pwd last set (argument == computername to enumerate)

LogonSessions

Logon events (Event ID 4624) from the security event log. Default of 10 days, argument == last X days.

LSASettings

LSA settings (including auth packages)

McAfeeConfigs

Finds McAfee configuration files

NamedPipes

Named pipe names and any readable ACL information

NetworkProfiles

Windows network profiles

NetworkShares

Network shares exposed by the machine (via WMI)

NTLMSettings

NTLM authentication settings

OptionalFeatures

TODO

OSInfo

Basic OS info (i.e. architecture, OS version, etc.)

PoweredOnEvents

Reboot and sleep schedule based on the System event log EIDs 1, 12, 13, 42, and 6008. Default of 7 days, argument == last X days.

PowerShell

PowerShell versions and security settings

Processes

Running processes with file info company names that don't contain 'Microsoft', "full" enumerates all processes

PSSessionSettings

Enumerates PS Session Settings from the registry

RDPSessions

Current incoming RDP sessions (argument == computername to enumerate)

RDPsettings

Remote Desktop Server/Client Settings

SCCM

System Center Configuration Manager (SCCM) settings, if applicable

Services

Services with file info company names that don't contain 'Microsoft', "full" dumps all processes

Sysmon

Sysmon configuration from the registry

TcpConnections

Current TCP connections and their associated processes and services

TokenPrivileges

Currently enabled token privileges (e.g. SeDebugPrivilege/etc.)

UAC

UAC system policies via the registry

UdpConnections

Current UDP connections and associated processes and services

UserRightAssignments

Configured User Right Assignments (e.g. SeDenyNetworkLogonRight, SeShutdownPrivilege, etc.) argument == computername to enumerate

WifiProfile

TODO

WindowsAutoLogon

Registry autologon information

WindowsDefender

Windows Defender settings (including exclusion locations)

WindowsEventForwarding

Windows Event Forwarding (WEF) settings via the registry

WindowsFirewall

Non-standard firewall rules, "full" dumps all (arguments == allow/deny/tcp/udp/in/out/domain/private/public)

WMIEventConsumer

Lists WMI Event Consumers

WMIEventFilter

Lists WMI Event Filters

WMIFilterBinding

Lists WMI Filter to Consumer Bindings

WSUS

Windows Server Update Services (WSUS) settings, if applicable

user

Runs checks that mine interesting data about the currently logged on user (if not elevated) or ALL users (if elevated).

Executed with: Seatbelt.exe -group=user

CommandDescription

Certificates

User and machine personal certificate files

CertificateThumbprints

Thumbprints for all certificate store certs on the system

ChromiumPresence

Checks if interesting Chrome/Edge/Brave/Opera files exist

CloudCredentials

AWS/Google/Azure cloud credential files

CloudSyncProviders

TODO

CredEnum

Enumerates the current user's saved credentials using CredEnumerate()

dir

Lists files/folders. By default, lists users' downloads, documents, and desktop folders (arguments == <directory> <depth> <regex>

DpapiMasterKeys

List DPAPI master keys

Dsregcmd

TODO

ExplorerMRUs

Explorer most recently used files (last 7 days, argument == last X days)

ExplorerRunCommands

Recent Explorer "run" commands

FileZilla

FileZilla configuration files

FirefoxPresence

Checks if interesting Firefox files exist

IdleTime

Returns the number of seconds since the current user's last input.

IEFavorites

Internet Explorer favorites

IETabs

Open Internet Explorer tabs

IEUrls

Internet Explorer typed URLs (last 7 days, argument == last X days)

KeePass

TODO

MappedDrives

Users' mapped drives (via WMI)

OfficeMRUs

Office most recently used file list (last 7 days)

OneNote

TODO

OracleSQLDeveloper

TODO

PowerShellHistory

Iterates through every local user and attempts to read their PowerShell console history if successful will print it

PuttyHostKeys

Saved Putty SSH host keys

PuttySessions

Saved Putty configuration (interesting fields) and SSH host keys

RDCManFiles

Windows Remote Desktop Connection Manager settings files

RDPSavedConnections

Saved RDP connections stored in the registry

SecPackageCreds

Obtains credentials from security packages

SlackDownloads

Parses any found 'slack-downloads' files

SlackPresence

Checks if interesting Slack files exist

SlackWorkspaces

Parses any found 'slack-workspaces' files

SuperPutty

SuperPutty configuration files

TokenGroups

The current token's local and domain groups

WindowsCredentialFiles

Windows credential DPAPI blobs

WindowsVault

Credentials saved in the Windows Vault (i.e. logins from Internet Explorer and Edge).

misc

Runs all miscellaneous checks.

Executed with: Seatbelt.exe -group=misc

CommandDescription

ChromiumBookmarks

Parses any found Chrome/Edge/Brave/Opera bookmark files

ChromiumHistory

Parses any found Chrome/Edge/Brave/Opera history files

ExplicitLogonEvents

Explicit Logon events (Event ID 4648) from the security event log. Default of 7 days, argument == last X days.

FileInfo

Information about a file (version information, timestamps, basic PE info, etc. argument(s) == file path(s)

FirefoxHistory

Parses any found FireFox history files

InstalledProducts

Installed products via the registry

InterestingFiles

"Interesting" files matching various patterns in the user's folder. Note: takes non-trivial time.

LogonEvents

Logon events (Event ID 4624) from the security event log. Default of 10 days, argument == last X days.

LOLBAS

Locates Living Off The Land Binaries and Scripts (LOLBAS) on the system. Note: takes non-trivial time.

McAfeeSiteList

Decrypt any found McAfee SiteList.xml configuration files.

MicrosoftUpdates

All Microsoft updates (via COM)

OutlookDownloads

List files downloaded by Outlook

PowerShellEvents

PowerShell script block logs (4104) with sensitive data.

Printers

Installed Printers (via WMI)

ProcessCreationEvents

Process creation logs (4688) with sensitive data.

ProcessOwners

Running non-session 0 process list with owners. For remote use.

RecycleBin

Items in the Recycle Bin deleted in the last 30 days - only works from a user context!

reg

Registry key values (HKLM\Software by default) argument == [Path] [intDepth] [Regex] [boolIgnoreErrors]

RPCMappedEndpoints

Current RPC endpoints mapped

ScheduledTasks

Scheduled tasks (via WMI) that aren't authored by 'Microsoft', "full" dumps all Scheduled tasks

SearchIndex

Query results from the Windows Search Index, default term of 'passsword'. (argument(s) == <search path> <pattern1,pattern2,...>

SecurityPackages

Enumerates the security packages currently available using EnumerateSecurityPackagesA()

SysmonEvents

Sysmon process creation logs (1) with sensitive data.

Additional Command Groups

Executed with: Seatbelt.exe -group=GROUPNAME

AliasDescription

Slack

Runs modules that start with "Slack*"

Chromium

Runs modules that start with "Chromium*"

Remote

Runs the following modules (for use against a remote system): AMSIProviders, AntiVirus, AuditPolicyRegistry, ChromiumPresence, CloudCredentials, DNSCache, DotNet, DpapiMasterKeys, EnvironmentVariables, ExplicitLogonEvents, ExplorerRunCommands, FileZilla, Hotfixes, InterestingProcesses, KeePass, LastShutdown, LocalGroups, LocalUsers, LogonEvents, LogonSessions, LSASettings, MappedDrives, NetworkProfiles, NetworkShares, NTLMSettings, OptionalFeatures, OSInfo, PoweredOnEvents, PowerShell, ProcessOwners, PSSessionSettings, PuttyHostKeys, PuttySessions, RDPSavedConnections, RDPSessions, RDPsettings, Sysmon, WindowsDefender, WindowsEventForwarding, WindowsFirewall

Command Arguments

Command that accept arguments have it noted in their description. To pass an argument to a command, enclose the command an arguments in double quotes.

For example, the following command returns 4624 logon events for the last 30 days:

Seatbelt.exe "LogonEvents 30"

The following command queries a registry three levels deep, returning only keys/valueNames/values that match the regex .*defini.*, and ignoring any errors that occur.

Seatbelt.exe "reg \"HKLM\SOFTWARE\Microsoft\Windows Defender\" 3 .*defini.* true"

Output

Seatbelt can redirect its output to a file with the -outputfile="C:\Path\file.txt" argument. If the file path ends in .json, the output will be structured json.

For example, the following command will output the results of system checks to a txt file:

Seatbelt.exe -group=system -outputfile="C:\Temp\system.txt"

Remote Enumeration

Commands noted with a + in the help menu can be run remotely against another system. This is performed over WMI via queries for WMI classes and WMI's StdRegProv for registry enumeration.

To enumerate a remote system, supply -computername=COMPUTER.DOMAIN.COM - an alternate username and password can be specified with -username=DOMAIN\USER -password=PASSWORD

For example, the following command runs remote-focused checks against a remote system:

Seatbelt.exe -group=remote -computername=192.168.230.209 -username=THESHIRE\sam -password="yum \"po-ta-toes\""

Building Your Own Modules

Seatbelt's structure is completely modular, allowing for additional command modules to be dropped into the file structure and loaded up dynamically.

There is a commented command module template at .\Seatbelt\Commands\Template.cs for reference. Once built, drop the module in the logical file location, include it in the project in the Visual Studio Solution Explorer, and compile.

Compile Instructions

We are not planning on releasing binaries for Seatbelt, so you will have to compile yourself.

Seatbelt has been built against .NET 3.5 and 4.0 with C# 8.0 features and is compatible with Visual Studio Community Edition. Simply open up the project .sln, choose "release", and build. To change the target .NET framework version, modify the project's settings and rebuild the project.

Acknowledgments

Seatbelt incorporates various collection items, code C# snippets, and bits of PoCs found throughout research for its capabilities. These ideas, snippets, and authors are highlighted in the appropriate locations in the source code, and include:

We've tried to do our due diligence for citations, but if we've left someone/something out, please let us know!

PreviousRubeusNextSeth

Last updated