{"id":15036956,"url":"https://github.com/ghostpack/seatbelt","last_synced_at":"2025-05-13T19:16:24.359Z","repository":{"id":37483990,"uuid":"142192459","full_name":"GhostPack/Seatbelt","owner":"GhostPack","description":"Seatbelt is a C# project that performs a number of security oriented host-survey \"safety checks\" relevant from both offensive and defensive security perspectives.","archived":false,"fork":false,"pushed_at":"2025-01-10T20:12:49.000Z","size":885,"stargazers_count":4053,"open_issues_count":9,"forks_count":723,"subscribers_count":105,"default_branch":"master","last_synced_at":"2025-04-27T20:06:41.846Z","etag":null,"topics":["csharp","situational-awareness"],"latest_commit_sha":null,"homepage":null,"language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/GhostPack.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-07-24T17:38:51.000Z","updated_at":"2025-04-26T18:35:16.000Z","dependencies_parsed_at":"2023-02-14T11:45:25.551Z","dependency_job_id":"d7583746-4b9f-4a5b-bad2-d7c59e8eb142","html_url":"https://github.com/GhostPack/Seatbelt","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GhostPack%2FSeatbelt","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GhostPack%2FSeatbelt/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GhostPack%2FSeatbelt/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositori
es/GhostPack%2FSeatbelt/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/GhostPack","download_url":"https://codeload.github.com/GhostPack/Seatbelt/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254010823,"owners_count":21999003,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["csharp","situational-awareness"],"created_at":"2024-09-24T20:32:51.543Z","updated_at":"2025-05-13T19:16:24.309Z","avatar_url":"https://github.com/GhostPack.png","language":"C#","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Seatbelt\r\n\r\n----\r\n\r\nSeatbelt is a C# project that performs a number of security oriented host-survey \"safety checks\" relevant from both offensive and defensive security perspectives.\r\n\r\n[@andrewchiles](https://twitter.com/andrewchiles)' [HostEnum.ps1](https://github.com/threatexpress/red-team-scripts/blob/master/HostEnum.ps1) script and [@tifkin\\_](https://twitter.com/tifkin_)'s [Get-HostProfile.ps1](https://github.com/leechristensen/Random/blob/master/PowerShellScripts/Get-HostProfile.ps1) provided inspiration for many of the artifacts to collect.\r\n\r\n[@harmj0y](https://twitter.com/harmj0y) and [@tifkin_](https://twitter.com/tifkin_) are the primary authors of this implementation.\r\n\r\nSeatbelt is licensed under the BSD 3-Clause license.\r\n\r\n\r\n## Table of Contents\r\n\r\n- [Seatbelt](#seatbelt)\r\n  * [Table of Contents](#table-of-contents)\r\n  * [Command Line Usage](#command-line-usage)\r\n  * [Command Groups](#command-groups)\r\n    + 
[system](#system)\r\n    + [user](#user)\r\n    + [misc](#misc)\r\n    + [Additional Command Groups](#additional-command-groups)\r\n  * [Command Arguments](#command-arguments)\r\n  * [Output](#output)\r\n  * [Remote Enumeration](#remote-enumeration)\r\n  * [Building Your Own Modules](#building-your-own-modules)\r\n  * [Compile Instructions](#compile-instructions)\r\n  * [Acknowledgments](#acknowledgments)\r\n\r\n\r\n## Command Line Usage\r\n\r\n```\r\n\r\n\r\n                        %\u0026\u0026@@@\u0026\u0026                                                                                  \r\n                        \u0026\u0026\u0026\u0026\u0026\u0026\u0026%%%,                       #\u0026\u0026@@@@@@%%%%%%###############%                         \r\n                        \u0026%\u0026   %\u0026%%                        \u0026////(((\u0026%%%%%#%################//((((###%%%%%%%%%%%%%%%\r\n%%%%%%%%%%%######%%%#%%####%  \u0026%%**#                      @////(((\u0026%%%%%%######################(((((((((((((((((((\r\n#%#%%%%%%%#######%#%%#######  %\u0026%,,,,,,,,,,,,,,,,         @////(((\u0026%%%%%#%#####################(((((((((((((((((((\r\n#%#%%%%%%#####%%#%#%%#######  %%%,,,,,,  ,,.   ,,         @////(((\u0026%%%%%%%######################(#(((#(#((((((((((\r\n#####%%%####################  \u0026%%......  ...   ..         @////(((\u0026%%%%%%%###############%######((#(#(####((((((((\r\n#######%##########%#########  %%%......  ...   ..         @////(((\u0026%%%%%#########################(#(#######((#####\r\n###%##%%####################  \u0026%%...............          @////(((\u0026%%%%%%%%##############%#######(#########((#####\r\n#####%######################  %%%..                       
@////(((\u0026%%%%%%%################                        \r\n                        \u0026%\u0026   %%%%%      Seatbelt         %////(((\u0026%%%%%%%%#############*                         \r\n                        \u0026%%\u0026\u0026\u0026%%%%%        v1.2.1         ,(((\u0026%%%%%%%%%%%%%%%%%,                                 \r\n                         #%%%%##,                                                                                 \r\n\r\n\r\nAvailable commands (+ means remote usage is supported):\r\n\r\n    + AMSIProviders          - Providers registered for AMSI\r\n    + AntiVirus              - Registered antivirus (via WMI)\r\n    + AppLocker              - AppLocker settings, if installed\r\n      ARPTable               - Lists the current ARP table and adapter information (equivalent to arp -a)\r\n      AuditPolicies          - Enumerates classic and advanced audit policy settings\r\n    + AuditPolicyRegistry    - Audit settings via the registry\r\n    + AutoRuns               - Auto run executables/scripts/programs\r\n      azuread                - Return AzureAD info\r\n      Certificates           - Finds user and machine personal certificate files\r\n      CertificateThumbprints - Finds thumbprints for all certificate store certs on the system\r\n    + ChromiumBookmarks      - Parses any found Chrome/Edge/Brave/Opera bookmark files\r\n    + ChromiumHistory        - Parses any found Chrome/Edge/Brave/Opera history files\r\n    + ChromiumPresence       - Checks if interesting Chrome/Edge/Brave/Opera files exist\r\n    + CloudCredentials       - AWS/Google/Azure/Bluemix cloud credential files\r\n    + CloudSyncProviders     - All configured Office 365 endpoints (tenants and teamsites) which are synchronised by OneDrive.\r\n      CredEnum               - Enumerates the current user's saved credentials using CredEnumerate()\r\n    + CredGuard              - CredentialGuard configuration\r\n      dir                    - Lists files/folders. 
By default, lists users' downloads, documents, and desktop folders (arguments == [directory] [maxDepth] [regex] [boolIgnoreErrors]\r\n    + DNSCache               - DNS cache entries (via WMI)\r\n    + DotNet                 - DotNet versions\r\n    + DpapiMasterKeys        - List DPAPI master keys\r\n      EnvironmentPath        - Current environment %PATH$ folders and SDDL information\r\n    + EnvironmentVariables   - Current environment variables\r\n    + ExplicitLogonEvents    - Explicit Logon events (Event ID 4648) from the security event log. Default of 7 days, argument == last X days.\r\n      ExplorerMRUs           - Explorer most recently used files (last 7 days, argument == last X days)\r\n    + ExplorerRunCommands    - Recent Explorer \"run\" commands\r\n      FileInfo               - Information about a file (version information, timestamps, basic PE info, etc. argument(s) == file path(s)\r\n    + FileZilla              - FileZilla configuration files\r\n    + FirefoxHistory         - Parses any found FireFox history files\r\n    + FirefoxPresence        - Checks if interesting Firefox files exist\r\n    + Hotfixes               - Installed hotfixes (via WMI)\r\n      IdleTime               - Returns the number of seconds since the current user's last input.\r\n    + IEFavorites            - Internet Explorer favorites\r\n      IETabs                 - Open Internet Explorer tabs\r\n    + IEUrls                 - Internet Explorer typed URLs (last 7 days, argument == last X days)\r\n    + InstalledProducts      - Installed products via the registry\r\n      InterestingFiles       - \"Interesting\" files matching various patterns in the user's folder. 
Note: takes non-trivial time.\r\n    + InterestingProcesses   - \"Interesting\" processes - defensive products and admin tools\r\n      InternetSettings       - Internet settings including proxy configs and zones configuration\r\n    + KeePass                - Finds KeePass configuration files\r\n    + LAPS                   - LAPS settings, if installed\r\n    + LastShutdown           - Returns the DateTime of the last system shutdown (via the registry).\r\n      LocalGPOs              - Local Group Policy settings applied to the machine/local users\r\n    + LocalGroups            - Non-empty local groups, \"-full\" displays all groups (argument == computername to enumerate)\r\n    + LocalUsers             - Local users, whether they're active/disabled, and pwd last set (argument == computername to enumerate)\r\n    + LogonEvents            - Logon events (Event ID 4624) from the security event log. Default of 10 days, argument == last X days.\r\n    + LogonSessions          - Windows logon sessions\r\n      LOLBAS                 - Locates Living Off The Land Binaries and Scripts (LOLBAS) on the system. 
Note: takes non-trivial time.\r\n    + LSASettings            - LSA settings (including auth packages)\r\n    + MappedDrives           - Users' mapped drives (via WMI)\r\n      McAfeeConfigs          - Finds McAfee configuration files\r\n      McAfeeSiteList         - Decrypt any found McAfee SiteList.xml configuration files.\r\n      MicrosoftUpdates       - All Microsoft updates (via COM)\r\n      MTPuTTY                - MTPuTTY configuration files\r\n      NamedPipes             - Named pipe names, any readable ACL information and associated process information.\r\n    + NetworkProfiles        - Windows network profiles\r\n    + NetworkShares          - Network shares exposed by the machine (via WMI)\r\n    + NTLMSettings           - NTLM authentication settings\r\n      OfficeMRUs             - Office most recently used file list (last 7 days)\r\n      OneNote                - List OneNote backup files\r\n    + OptionalFeatures       - List Optional Features/Roles (via WMI)\r\n      OracleSQLDeveloper     - Finds Oracle SQLDeveloper connections.xml files\r\n    + OSInfo                 - Basic OS info (i.e. architecture, OS version, etc.)\r\n    + OutlookDownloads       - List files downloaded by Outlook\r\n    + PoweredOnEvents        - Reboot and sleep schedule based on the System event log EIDs 1, 12, 13, 42, and 6008. 
Default of 7 days, argument == last X days.\r\n    + PowerShell             - PowerShell versions and security settings\r\n    + PowerShellEvents       - PowerShell script block logs (4104) with sensitive data.\r\n    + PowerShellHistory      - Searches PowerShell console history files for sensitive regex matches.\r\n      Printers               - Installed Printers (via WMI)\r\n    + ProcessCreationEvents  - Process creation logs (4688) with sensitive data.\r\n      Processes              - Running processes with file info company names that don't contain 'Microsoft', \"-full\" enumerates all processes\r\n    + ProcessOwners          - Running non-session 0 process list with owners. For remote use.\r\n    + PSSessionSettings      - Enumerates PS Session Settings from the registry\r\n    + PuttyHostKeys          - Saved Putty SSH host keys\r\n    + PuttySessions          - Saved Putty configuration (interesting fields) and SSH host keys\r\n      RDCManFiles            - Windows Remote Desktop Connection Manager settings files\r\n    + RDPSavedConnections    - Saved RDP connections stored in the registry\r\n    + RDPSessions            - Current incoming RDP sessions (argument == computername to enumerate)\r\n    + RDPsettings            - Remote Desktop Server/Client Settings\r\n      RecycleBin             - Items in the Recycle Bin deleted in the last 30 days - only works from a user context!\r\n      reg                    - Registry key values (HKLM\\Software by default) argument == [Path] [intDepth] [Regex] [boolIgnoreErrors]\r\n      RPCMappedEndpoints     - Current RPC endpoints mapped\r\n    + SCCM                   - System Center Configuration Manager (SCCM) settings, if applicable\r\n    + ScheduledTasks         - Scheduled tasks (via WMI) that aren't authored by 'Microsoft', \"-full\" dumps all Scheduled tasks\r\n      SearchIndex            - Query results from the Windows Search Index, default term of 'passsword'. 
(argument(s) == \u003csearch path\u003e \u003cpattern1,pattern2,...\u003e\r\n      SecPackageCreds        - Obtains credentials from security packages\r\n    + SecureBoot             - Secure Boot configuration\r\n      SecurityPackages       - Enumerates the security packages currently available using EnumerateSecurityPackagesA()\r\n      Services               - Services with file info company names that don't contain 'Microsoft', \"-full\" dumps all processes\r\n    + SlackDownloads         - Parses any found 'slack-downloads' files\r\n    + SlackPresence          - Checks if interesting Slack files exist\r\n    + SlackWorkspaces        - Parses any found 'slack-workspaces' files\r\n    + SuperPutty             - SuperPutty configuration files\r\n    + Sysmon                 - Sysmon configuration from the registry\r\n    + SysmonEvents           - Sysmon process creation logs (1) with sensitive data.\r\n      TcpConnections         - Current TCP connections and their associated processes and services\r\n      TokenGroups            - The current token's local and domain groups\r\n      TokenPrivileges        - Currently enabled token privileges (e.g. SeDebugPrivilege/etc.)\r\n    + UAC                    - UAC system policies via the registry\r\n      UdpConnections         - Current UDP connections and associated processes and services\r\n      UserRightAssignments   - Configured User Right Assignments (e.g. SeDenyNetworkLogonRight, SeShutdownPrivilege, etc.) 
argument == computername to enumerate\r\n      WifiProfile            - Enumerates the saved Wifi profiles and extract the ssid, authentication type, cleartext key/passphrase (when possible)\r\n    + WindowsAutoLogon       - Registry autologon information\r\n      WindowsCredentialFiles - Windows credential DPAPI blobs\r\n    + WindowsDefender        - Windows Defender settings (including exclusion locations)\r\n    + WindowsEventForwarding - Windows Event Forwarding (WEF) settings via the registry\r\n    + WindowsFirewall        - Non-standard firewall rules, \"-full\" dumps all (arguments == allow/deny/tcp/udp/in/out/domain/private/public)\r\n      WindowsVault           - Credentials saved in the Windows Vault (i.e. logins from Internet Explorer and Edge).\r\n    + WMI                    - Runs a specified WMI query\r\n      WMIEventConsumer       - Lists WMI Event Consumers\r\n      WMIEventFilter         - Lists WMI Event Filters\r\n      WMIFilterBinding       - Lists WMI Filter to Consumer Bindings\r\n    + WSUS                   - Windows Server Update Services (WSUS) settings, if applicable\r\n\r\n\r\nSeatbelt has the following command groups: All, User, System, Slack, Chromium, Remote, Misc\r\n\r\n    You can invoke command groups with         \"Seatbelt.exe \u003cgroup\u003e\"\r\n\r\n\r\n    Or command groups except specific commands \"Seatbelt.exe \u003cgroup\u003e -Command\"\r\n\r\n   \"Seatbelt.exe -group=all\" runs all commands\r\n\r\n   \"Seatbelt.exe -group=user\" runs the following commands:\r\n\r\n        azuread, Certificates, CertificateThumbprints, ChromiumPresence, CloudCredentials, \r\n        CloudSyncProviders, CredEnum, dir, DpapiMasterKeys, \r\n        ExplorerMRUs, ExplorerRunCommands, FileZilla, FirefoxPresence, \r\n        IdleTime, IEFavorites, IETabs, IEUrls, \r\n        KeePass, MappedDrives, MTPuTTY, OfficeMRUs, \r\n        OneNote, OracleSQLDeveloper, PowerShellHistory, PuttyHostKeys, \r\n        PuttySessions, RDCManFiles, 
RDPSavedConnections, SecPackageCreds, \r\n        SlackDownloads, SlackPresence, SlackWorkspaces, SuperPutty, \r\n        TokenGroups, WindowsCredentialFiles, WindowsVault\r\n\r\n   \"Seatbelt.exe -group=system\" runs the following commands:\r\n\r\n        AMSIProviders, AntiVirus, AppLocker, ARPTable, AuditPolicies, \r\n        AuditPolicyRegistry, AutoRuns, Certificates, CertificateThumbprints, \r\n        CredGuard, DNSCache, DotNet, EnvironmentPath, \r\n        EnvironmentVariables, Hotfixes, InterestingProcesses, InternetSettings, \r\n        LAPS, LastShutdown, LocalGPOs, LocalGroups, \r\n        LocalUsers, LogonSessions, LSASettings, McAfeeConfigs, \r\n        NamedPipes, NetworkProfiles, NetworkShares, NTLMSettings, \r\n        OptionalFeatures, OSInfo, PoweredOnEvents, PowerShell, \r\n        Processes, PSSessionSettings, RDPSessions, RDPsettings, \r\n        SCCM, SecureBoot, Services, Sysmon, \r\n        TcpConnections, TokenPrivileges, UAC, UdpConnections, \r\n        UserRightAssignments, WifiProfile, WindowsAutoLogon, WindowsDefender, \r\n        WindowsEventForwarding, WindowsFirewall, WMI, WMIEventConsumer, \r\n        WMIEventFilter, WMIFilterBinding, WSUS\r\n\r\n   \"Seatbelt.exe -group=slack\" runs the following commands:\r\n\r\n        SlackDownloads, SlackPresence, SlackWorkspaces\r\n\r\n   \"Seatbelt.exe -group=chromium\" runs the following commands:\r\n\r\n        ChromiumBookmarks, ChromiumHistory, ChromiumPresence\r\n\r\n   \"Seatbelt.exe -group=remote\" runs the following commands:\r\n\r\n        AMSIProviders, AntiVirus, AuditPolicyRegistry, ChromiumPresence, CloudCredentials, \r\n        DNSCache, DotNet, DpapiMasterKeys, EnvironmentVariables, \r\n        ExplicitLogonEvents, ExplorerRunCommands, FileZilla, Hotfixes, \r\n        InterestingProcesses, KeePass, LastShutdown, LocalGroups, \r\n        LocalUsers, LogonEvents, LogonSessions, LSASettings, \r\n        MappedDrives, NetworkProfiles, NetworkShares, NTLMSettings, \r\n        
OptionalFeatures, OSInfo, PoweredOnEvents, PowerShell, \r\n        ProcessOwners, PSSessionSettings, PuttyHostKeys, PuttySessions, \r\n        RDPSavedConnections, RDPSessions, RDPsettings, SecureBoot, \r\n        Sysmon, WindowsDefender, WindowsEventForwarding, WindowsFirewall\r\n        \r\n\r\n   \"Seatbelt.exe -group=misc\" runs the following commands:\r\n\r\n        ChromiumBookmarks, ChromiumHistory, ExplicitLogonEvents, FileInfo, FirefoxHistory, \r\n        InstalledProducts, InterestingFiles, LogonEvents, LOLBAS, \r\n        McAfeeSiteList, MicrosoftUpdates, OutlookDownloads, PowerShellEvents, \r\n        Printers, ProcessCreationEvents, ProcessOwners, RecycleBin, \r\n        reg, RPCMappedEndpoints, ScheduledTasks, SearchIndex, \r\n        SecurityPackages, SysmonEvents\r\n\r\n\r\nExamples:\r\n    'Seatbelt.exe \u003cCommand\u003e [Command2] ...' will run one or more specified checks only\r\n    'Seatbelt.exe \u003cCommand\u003e -full' will return complete results for a command without any filtering.\r\n    'Seatbelt.exe \"\u003cCommand\u003e [argument]\"' will pass an argument to a command that supports it (note the quotes).\r\n    'Seatbelt.exe -group=all' will run ALL enumeration checks, can be combined with \"-full\".\r\n    'Seatbelt.exe -group=all -AuditPolicies' will run all enumeration checks EXCEPT AuditPolicies, can be combined with \"-full\".\r\n    'Seatbelt.exe \u003cCommand\u003e -computername=COMPUTER.DOMAIN.COM [-username=DOMAIN\\USER -password=PASSWORD]' will run an applicable check remotely\r\n    'Seatbelt.exe -group=remote -computername=COMPUTER.DOMAIN.COM [-username=DOMAIN\\USER -password=PASSWORD]' will run remote specific checks\r\n    'Seatbelt.exe -group=system -outputfile=\"C:\\Temp\\out.txt\"' will run system checks and output to a .txt file.\r\n    'Seatbelt.exe -group=user -q -outputfile=\"C:\\Temp\\out.json\"' will run in quiet mode with user checks and output to a .json file.\r\n```\r\n\r\n**Note:** searches that target users 
will run for the current user if not elevated and for ALL users if elevated.\r\n\r\n\r\n## Command Groups\r\n\r\n**Note:** many commands do some type of filtering by default. Supplying the `-full` argument prevents filtering output. Also, the command group `all` will run all current checks.\r\n\r\nFor example, the following command runs ALL checks and returns ALL output:\r\n\r\n`Seatbelt.exe -group=all -full`\r\n\r\n### system\r\n\r\nRuns checks that mine interesting data about the system.\r\n\r\nExecuted with: `Seatbelt.exe -group=system`\r\n\r\n| Command | Description |\r\n| ----------- | ----------- |\r\n| AMSIProviders | Providers registered for AMSI |\r\n| AntiVirus | Registered antivirus (via WMI) |\r\n| AppLocker | AppLocker settings, if installed |\r\n| ARPTable | Lists the current ARP table and adapter information (equivalent to arp -a) |\r\n| AuditPolicies | Enumerates classic and advanced audit policy settings |\r\n| AuditPolicyRegistry | Audit settings via the registry |\r\n| AutoRuns | Auto run executables/scripts/programs |\r\n| Certificates | User and machine personal certificate files |\r\n| CertificateThumbprints | Thumbprints for all certificate store certs on the system |\r\n| CredGuard | CredentialGuard configuration |\r\n| DNSCache | DNS cache entries (via WMI) |\r\n| DotNet | DotNet versions |\r\n| EnvironmentPath | Current environment %PATH% folders and SDDL information |\r\n| EnvironmentVariables | Current user environment variables |\r\n| Hotfixes | Installed hotfixes (via WMI) |\r\n| InterestingProcesses | \"Interesting\" processes - defensive products and admin tools |\r\n| InternetSettings | Internet settings including proxy configs |\r\n| LAPS | LAPS settings, if installed |\r\n| LastShutdown | Returns the DateTime of the last system shutdown (via the registry) |\r\n| LocalGPOs | Local Group Policy settings applied to the machine/local users |\r\n| LocalGroups | Non-empty local groups, \"-full\" displays all groups (argument == 
computername to enumerate) |\r\n| LocalUsers | Local users, whether they're active/disabled, and pwd last set (argument == computername to enumerate) |\r\n| LogonSessions | Windows logon sessions |\r\n| LSASettings | LSA settings (including auth packages) |\r\n| McAfeeConfigs | Finds McAfee configuration files |\r\n| NamedPipes | Named pipe names and any readable ACL information |\r\n| NetworkProfiles | Windows network profiles |\r\n| NetworkShares | Network shares exposed by the machine (via WMI) |\r\n| NTLMSettings | NTLM authentication settings |\r\n| OptionalFeatures | List Optional Features/Roles (via WMI) |\r\n| OSInfo | Basic OS info (i.e. architecture, OS version, etc.) |\r\n| PoweredOnEvents | Reboot and sleep schedule based on the System event log EIDs 1, 12, 13, 42, and 6008. Default of 7 days, argument == last X days. |\r\n| PowerShell | PowerShell versions and security settings |\r\n| Processes | Running processes with file info company names that don't contain 'Microsoft', \"-full\" enumerates all processes |\r\n| PSSessionSettings | Enumerates PS Session Settings from the registry |\r\n| RDPSessions | Current incoming RDP sessions (argument == computername to enumerate) |\r\n| RDPsettings | Remote Desktop Server/Client Settings |\r\n| SCCM | System Center Configuration Manager (SCCM) settings, if applicable |\r\n| Services | Services with file info company names that don't contain 'Microsoft', \"-full\" dumps all services |\r\n| Sysmon | Sysmon configuration from the registry |\r\n| TcpConnections | Current TCP connections and their associated processes and services |\r\n| TokenPrivileges | Currently enabled token privileges (e.g. SeDebugPrivilege/etc.) |\r\n| UAC | UAC system policies via the registry |\r\n| UdpConnections | Current UDP connections and associated processes and services |\r\n| UserRightAssignments | Configured User Right Assignments (e.g. 
SeDenyNetworkLogonRight, SeShutdownPrivilege, etc.) argument == computername to enumerate |\r\n| WifiProfile | Enumerates the saved Wifi profiles and extracts the SSID, authentication type, and cleartext key/passphrase (when possible) |\r\n| WindowsAutoLogon | Registry autologon information |\r\n| WindowsDefender | Windows Defender settings (including exclusion locations) |\r\n| WindowsEventForwarding | Windows Event Forwarding (WEF) settings via the registry |\r\n| WindowsFirewall | Non-standard firewall rules, \"-full\" dumps all (arguments == allow/deny/tcp/udp/in/out/domain/private/public) |\r\n| WMIEventConsumer | Lists WMI Event Consumers |\r\n| WMIEventFilter | Lists WMI Event Filters |\r\n| WMIFilterBinding | Lists WMI Filter to Consumer Bindings |\r\n| WSUS | Windows Server Update Services (WSUS) settings, if applicable |\r\n\r\n\r\n### user\r\n\r\nRuns checks that mine interesting data about the currently logged-on user (if not elevated) or ALL users (if elevated).\r\n\r\nExecuted with: `Seatbelt.exe -group=user`\r\n\r\n| Command | Description |\r\n| ----------- | ----------- |\r\n| Certificates | User and machine personal certificate files |\r\n| CertificateThumbprints | Thumbprints for all certificate store certs on the system |\r\n| ChromiumPresence | Checks if interesting Chrome/Edge/Brave/Opera files exist |\r\n| CloudCredentials | AWS/Google/Azure cloud credential files |\r\n| CloudSyncProviders | All configured Office 365 endpoints (tenants and teamsites) which are synchronised by OneDrive |\r\n| CredEnum | Enumerates the current user's saved credentials using CredEnumerate() |\r\n| dir | Lists files/folders. 
By default, lists users' downloads, documents, and desktop folders (arguments == \\\u003cdirectory\\\u003e \\\u003cdepth\\\u003e \\\u003cregex\\\u003e) |\r\n| DpapiMasterKeys | List DPAPI master keys |\r\n| Dsregcmd | TODO |\r\n| ExplorerMRUs | Explorer most recently used files (last 7 days, argument == last X days) |\r\n| ExplorerRunCommands | Recent Explorer \"run\" commands |\r\n| FileZilla | FileZilla configuration files |\r\n| FirefoxPresence | Checks if interesting Firefox files exist |\r\n| IdleTime | Returns the number of seconds since the current user's last input. |\r\n| IEFavorites | Internet Explorer favorites |\r\n| IETabs | Open Internet Explorer tabs |\r\n| IEUrls | Internet Explorer typed URLs (last 7 days, argument == last X days) |\r\n| KeePass | Finds KeePass configuration files |\r\n| MappedDrives | Users' mapped drives (via WMI) |\r\n| OfficeMRUs | Office most recently used file list (last 7 days) |\r\n| OneNote | List OneNote backup files |\r\n| OracleSQLDeveloper | Finds Oracle SQLDeveloper connections.xml files |\r\n| PowerShellHistory | Iterates through every local user and attempts to read their PowerShell console history; if successful, prints it |\r\n| PuttyHostKeys | Saved Putty SSH host keys |\r\n| PuttySessions | Saved Putty configuration (interesting fields) and SSH host keys |\r\n| RDCManFiles | Windows Remote Desktop Connection Manager settings files |\r\n| RDPSavedConnections | Saved RDP connections stored in the registry |\r\n| SecPackageCreds | Obtains credentials from security packages |\r\n| SlackDownloads | Parses any found 'slack-downloads' files |\r\n| SlackPresence | Checks if interesting Slack files exist |\r\n| SlackWorkspaces | Parses any found 'slack-workspaces' files |\r\n| SuperPutty | SuperPutty configuration files |\r\n| TokenGroups | The current token's local and domain groups |\r\n| WindowsCredentialFiles | Windows credential DPAPI blobs |\r\n| WindowsVault | Credentials saved in the Windows Vault (i.e. logins from Internet Explorer and Edge). 
|\r\n\r\n\r\n### misc\r\n\r\nRuns all miscellaneous checks.\r\n\r\nExecuted with: `Seatbelt.exe -group=misc`\r\n\r\n| Command | Description |\r\n| ----------- | ----------- |\r\n| ChromiumBookmarks | Parses any found Chrome/Edge/Brave/Opera bookmark files |\r\n| ChromiumHistory | Parses any found Chrome/Edge/Brave/Opera history files |\r\n| ExplicitLogonEvents | Explicit logon events (Event ID 4648) from the security event log. Default of 7 days, argument == last X days. |\r\n| FileInfo | Information about a file (version information, timestamps, basic PE info, etc.); argument(s) == file path(s) |\r\n| FirefoxHistory | Parses any found Firefox history files |\r\n| InstalledProducts | Installed products via the registry |\r\n| InterestingFiles | \"Interesting\" files matching various patterns in the user's folder. Note: takes non-trivial time. |\r\n| LogonEvents | Logon events (Event ID 4624) from the security event log. Default of 10 days, argument == last X days. |\r\n| LOLBAS | Locates Living Off The Land Binaries and Scripts (LOLBAS) on the system. Note: takes non-trivial time. |\r\n| McAfeeSiteList | Decrypts any found McAfee SiteList.xml configuration files. |\r\n| MicrosoftUpdates | All Microsoft updates (via COM) |\r\n| OutlookDownloads | List files downloaded by Outlook |\r\n| PowerShellEvents | PowerShell script block logs (4104) with sensitive data. |\r\n| Printers | Installed Printers (via WMI) |\r\n| ProcessCreationEvents | Process creation logs (4688) with sensitive data. |\r\n| ProcessOwners | Running non-session 0 process list with owners. For remote use. |\r\n| RecycleBin | Items in the Recycle Bin deleted in the last 30 days - only works from a user context! 
|\r\n| reg | Registry key values (HKLM\\Software by default) argument == [Path] [intDepth] [Regex] [boolIgnoreErrors] |\r\n| RPCMappedEndpoints | Current RPC endpoints mapped |\r\n| ScheduledTasks | Scheduled tasks (via WMI) that aren't authored by 'Microsoft', \"-full\" dumps all Scheduled tasks |\r\n| SearchIndex | Query results from the Windows Search Index, default term of 'password'. (argument(s) == \\\u003csearch path\\\u003e \\\u003cpattern1,pattern2,...\\\u003e) |\r\n| SecurityPackages | Enumerates the security packages currently available using EnumerateSecurityPackagesA() |\r\n| SysmonEvents | Sysmon process creation logs (1) with sensitive data. |\r\n\r\n\r\n### Additional Command Groups\r\n\r\nExecuted with: `Seatbelt.exe -group=GROUPNAME`\r\n\r\n| Alias | Description |\r\n| ----------- | ----------- |\r\n| Slack | Runs modules that start with \"Slack*\" |\r\n| Chromium | Runs modules that start with \"Chromium*\" |\r\n| Remote | Runs the following modules (for use against a remote system): AMSIProviders, AntiVirus, AuditPolicyRegistry, ChromiumPresence, CloudCredentials, DNSCache, DotNet, DpapiMasterKeys, EnvironmentVariables, ExplicitLogonEvents, ExplorerRunCommands, FileZilla, Hotfixes, InterestingProcesses, KeePass, LastShutdown, LocalGroups, LocalUsers, LogonEvents, LogonSessions, LSASettings, MappedDrives, NetworkProfiles, NetworkShares, NTLMSettings, OptionalFeatures, OSInfo, PoweredOnEvents, PowerShell, ProcessOwners, PSSessionSettings, PuttyHostKeys, PuttySessions, RDPSavedConnections, RDPSessions, RDPsettings, Sysmon, WindowsDefender, WindowsEventForwarding, WindowsFirewall |\r\n\r\n\r\n## Command Arguments\r\n\r\nCommands that accept arguments have this noted in their description. 
To pass an argument to a command, enclose the command and its arguments in double quotes.\r\n\r\nFor example, the following command returns 4624 logon events for the last 30 days:\r\n\r\n`Seatbelt.exe \"LogonEvents 30\"`\r\n\r\nThe following command queries the registry three levels deep, returning only keys/valueNames/values that match the regex `.*defini.*`, and ignoring any errors that occur:\r\n\r\n`Seatbelt.exe \"reg \\\"HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\\" 3 .*defini.* true\"`\r\n\r\n\r\n## Output\r\n\r\nSeatbelt can redirect its output to a file with the `-outputfile=\"C:\\Path\\file.txt\"` argument. If the file path ends in .json, the output will be structured JSON.\r\n\r\nFor example, the following command will output the results of system checks to a txt file:\r\n\r\n`Seatbelt.exe -group=system -outputfile=\"C:\\Temp\\system.txt\"`\r\n\r\n\r\n## Remote Enumeration\r\n\r\nCommands noted with a + in the help menu can be run remotely against another system. This is performed over WMI via queries for WMI classes and WMI's StdRegProv for registry enumeration.\r\n\r\nTo enumerate a remote system, supply `-computername=COMPUTER.DOMAIN.COM`; an alternate username and password can be specified with `-username=DOMAIN\\USER -password=PASSWORD`.\r\n\r\nFor example, the following command runs remote-focused checks against a remote system:\r\n\r\n`Seatbelt.exe -group=remote -computername=192.168.230.209 -username=THESHIRE\\sam -password=\"yum \\\"po-ta-toes\\\"\"`\r\n\r\n\r\n## Building Your Own Modules\r\n\r\nSeatbelt's structure is completely modular, allowing additional command modules to be dropped into the file structure and loaded dynamically.\r\n\r\nThere is a commented command module template at `.\\Seatbelt\\Commands\\Template.cs` for reference. 
Once built, drop the module in the logical file location, include it in the project in the Visual Studio Solution Explorer, and compile.\r\n\r\n\r\n## Compile Instructions\r\n\r\nWe are not planning on releasing binaries for Seatbelt, so you will have to compile it yourself.\r\n\r\nSeatbelt has been built against .NET 3.5 and 4.0 with C# 8.0 features and is compatible with [Visual Studio Community Edition](https://visualstudio.microsoft.com/downloads/). Simply open up the project .sln, choose \"release\", and build. To change the target .NET framework version, [modify the project's settings](https://github.com/GhostPack/Seatbelt/issues/27) and rebuild the project.\r\n\r\n\r\n## Acknowledgments\r\n\r\nSeatbelt incorporates various collection items, C# code snippets, and bits of PoCs found throughout research for its capabilities. These ideas, snippets, and authors are highlighted in the appropriate locations in the source code, and include:\r\n\r\n* [@andrewchiles](https://twitter.com/andrewchiles)' [HostEnum.ps1](https://github.com/threatexpress/red-team-scripts/blob/master/HostEnum.ps1) script and [@tifkin\\_](https://twitter.com/tifkin_)'s [Get-HostProfile.ps1](https://github.com/leechristensen/Random/blob/master/PowerShellScripts/Get-HostProfile.ps1) provided inspiration for many of the artifacts to collect.\r\n* [Boboes' code concerning NetLocalGroupGetMembers](https://stackoverflow.com/questions/33935825/pinvoke-netlocalgroupgetmembers-runs-into-fatalexecutionengineerror/33939889#33939889)\r\n* [ambyte's code for converting a mapped drive letter to a network path](https://gist.github.com/ambyte/01664dc7ee576f69042c)\r\n* [Igor Korkhov's code to retrieve current token group information](https://stackoverflow.com/questions/2146153/how-to-get-the-logon-sid-in-c-sharp/2146418#2146418)\r\n* [RobSiklos' snippet to determine if a host is a virtual 
machine](https://stackoverflow.com/questions/498371/how-to-detect-if-my-application-is-running-in-a-virtual-machine/11145280#11145280)\r\n* [JGU's snippet on file/folder ACL right comparison](https://stackoverflow.com/questions/1410127/c-sharp-test-if-user-has-write-access-to-a-folder/21996345#21996345)\r\n* [Rod Stephens' pattern for recursive file enumeration](http://csharphelper.com/blog/2015/06/find-files-that-match-multiple-patterns-in-c/)\r\n* [SwDevMan81's snippet for enumerating current token privileges](https://stackoverflow.com/questions/4349743/setting-size-of-token-privileges-luid-and-attributes-array-returned-by-gettokeni)\r\n* [Jared Atkinson's PowerShell work on Kerberos ticket caches](https://github.com/Invoke-IR/ACE/blob/master/ACE-Management/PS-ACE/Scripts/ACE_Get-KerberosTicketCache.ps1)\r\n* [darkmatter08's Kerberos C# snippet](https://www.dreamincode.net/forums/topic/135033-increment-memory-pointer-issue/)\r\n* Numerous [PInvoke.net](https://www.pinvoke.net/) samples \u003c3\r\n* [Jared Hill's awesome CodeProject to use Local Security Authority to Enumerate User Sessions](https://www.codeproject.com/Articles/18179/Using-the-Local-Security-Authority-to-Enumerate-Us)\r\n* [Fred's code on querying the ARP cache](https://social.technet.microsoft.com/Forums/lync/en-US/e949b8d6-17ad-4afc-88cd-0019a3ac9df9/powershell-alternative-to-arp-a?forum=ITCG)\r\n* [ShuggyCoUk's snippet on querying the TCP connection table](https://stackoverflow.com/questions/577433/which-pid-listens-on-a-given-port-in-c-sharp/577660#577660)\r\n* [yizhang82's example of using reflection to interact with COM objects through C#](https://gist.github.com/yizhang82/a1268d3ea7295a8a1496e01d60ada816)\r\n* [@djhohnstein](https://twitter.com/djhohnstein)'s [SharpWeb project](https://github.com/djhohnstein/SharpWeb/blob/master/Edge/SharpEdge.cs)\r\n* [@djhohnstein](https://twitter.com/djhohnstein)'s [EventLogParser project](https://github.com/djhohnstein/EventLogParser)\r\n* 
[@cmaddalena](https://twitter.com/cmaddalena)'s [SharpCloud project](https://github.com/chrismaddalena/SharpCloud), BSD 3-Clause\r\n* [@_RastaMouse](https://twitter.com/_RastaMouse)'s [Watson project](https://github.com/rasta-mouse/Watson/), GPL License\r\n* [@_RastaMouse](https://twitter.com/_RastaMouse)'s [Work on AppLocker enumeration](https://rastamouse.me/2018/09/enumerating-applocker-config/)\r\n* [@peewpw](https://twitter.com/peewpw)'s [Invoke-WCMDump project](https://github.com/peewpw/Invoke-WCMDump/blob/master/Invoke-WCMDump.ps1), GPL License\r\n* TrustedSec's [HoneyBadger project](https://github.com/trustedsec/HoneyBadger/tree/master/modules/post/windows/gather), BSD 3-Clause\r\n* CENTRAL Solutions's [Audit User Rights Assignment Project](https://www.centrel-solutions.com/support/tools.aspx?feature=auditrights), No license\r\n* Collection ideas inspired by [@ukstufus](https://twitter.com/ukstufus)'s [Reconerator](https://github.com/stufus/reconerator)\r\n* Office MRU locations and timestamp parsing information from Dustin Hurlbut's paper [Microsoft Office 2007, 2010 - Registry Artifacts](https://ad-pdf.s3.amazonaws.com/Microsoft_Office_2007-2010_Registry_ArtifactsFINAL.pdf)\r\n* The [Windows Commands list](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/windows-commands), used for sensitive regex construction\r\n* [Ryan Ries' code for enumerating mapped RPC endpoints](https://stackoverflow.com/questions/21805038/how-do-i-pinvoke-rpcmgmtepeltinqnext)\r\n* [Chris Haas' post on EnumerateSecurityPackages()](https://stackoverflow.com/a/5941873)\r\n* [darkoperator](carlos_perez)'s work [on the HoneyBadger project](https://github.com/trustedsec/HoneyBadger)\r\n* [@airzero24](https://twitter.com/airzero24)'s work on [WMI Registry enumeration](https://github.com/airzero24/WMIReg)\r\n* Alexandru's answer on [RegistryKey.OpenBaseKey 
alternatives](https://stackoverflow.com/questions/26217199/what-are-some-alternatives-to-registrykey-openbasekey-in-net-3-5)\r\n* Tomas Vera's [post on JavaScriptSerializer](http://www.tomasvera.com/programming/using-javascriptserializer-to-parse-json-objects/)\r\n* Marc Gravell's [note on recursively listing files/folders](https://stackoverflow.com/a/929418)\r\n* [@mattifestation](https://twitter.com/mattifestation)'s [Sysmon rule parser](https://github.com/mattifestation/PSSysmonTools/blob/master/PSSysmonTools/Code/SysmonRuleParser.ps1#L589-L595)\r\n* Some inspiration from spolnik's [Simple.CredentialsManager project](https://github.com/spolnik/Simple.CredentialsManager), Apache 2 license\r\n* [This post on Credential Guard settings](https://www.tenforums.com/tutorials/68926-verify-if-device-guard-enabled-disabled-windows-10-a.html)\r\n* [This thread](https://social.technet.microsoft.com/Forums/windows/en-US/b0e13a16-51a6-4aca-8d44-c85e097f882b/nametype-in-nla-information-for-a-network-profile) on network profile information\r\n* Mark McKinnon's post on [decoding the DateCreated and DateLastConnected SSID values](http://cfed-ttf.blogspot.com/2009/08/decoding-datecreated-and.html)\r\n* This Specops [post on group policy caching](https://specopssoft.com/blog/things-work-group-policy-caching/)\r\n* sa_ddam213's StackOverflow post on [enumerating items in the Recycle Bin](https://stackoverflow.com/questions/18071412/list-filenames-in-the-recyclebin-with-c-sharp-without-using-any-external-files)\r\n* Kirill Osenkov's [code for managed assembly detection](https://stackoverflow.com/a/15608028)\r\n* The [Mono project](https://github.com/mono/linux-packaging-mono/blob/d356d2b7db91d62b80a61eeb6fbc70a402ac3cac/external/corefx/LICENSE.TXT) for the SecBuffer/SecBufferDesc classes\r\n* [Elad Shamir](https://twitter.com/elad_shamir) and his [Internal-Monologue](https://github.com/eladshamir/Internal-Monologue/) project, [Vincent Le Toux](https://twitter.com/mysmartlogon) for 
his [DetectPasswordViaNTLMInFlow](https://github.com/vletoux/DetectPasswordViaNTLMInFlow/) project, and Lee Christensen for his [GetNTLMChallenge](https://github.com/leechristensen/GetNTLMChallenge/) project. All of these served as inspiration in the SecPackageCreds command.\r\n* @leftp and @eksperience's [Gopher project](https://github.com/EncodeGroup/Gopher) for inspiration for the FileZilla and SuperPutty commands\r\n* @funoverip for the original McAfee SiteList.xml decryption code\r\n\r\nWe've tried to do our due diligence for citations, but if we've left someone/something out, please let us know!\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fghostpack%2Fseatbelt","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fghostpack%2Fseatbelt","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fghostpack%2Fseatbelt/lists"}