Seatbelt
Seatbelt is a C# project that performs a number of security-oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
@andrewchiles' HostEnum.ps1 script and @tifkin_'s Get-HostProfile.ps1 provided inspiration for many of the artifacts to collect.
@harmj0y and @tifkin_ are the primary authors of this implementation.
Seatbelt is licensed under the BSD 3-Clause license.
Command Line Usage
Seatbelt v1.2.1
Available commands (+ means remote usage is supported):
+ AMSIProviders – Providers registered for AMSI
+ AntiVirus – Registered antivirus (via WMI)
+ AppLocker – AppLocker settings, if installed
ARPTable – Lists the current ARP table and adapter information (equivalent to arp -a)
AuditPolicies – Enumerates classic and advanced audit policy settings
+ AuditPolicyRegistry – Audit settings via the registry
+ AutoRuns – Auto run executables/scripts/programs
azuread – Return AzureAD info
Certificates – Finds user and machine personal certificate files
CertificateThumbprints – Finds thumbprints for all certificate store certs on the system
+ ChromiumBookmarks – Parses any found Chrome/Edge/Brave/Opera bookmark files
+ ChromiumHistory – Parses any found Chrome/Edge/Brave/Opera history files
+ ChromiumPresence – Checks if interesting Chrome/Edge/Brave/Opera files exist
+ CloudCredentials – AWS/Google/Azure/Bluemix cloud credential files
+ CloudSyncProviders – All configured Office 365 endpoints (tenants and teamsites) which are synchronised by OneDrive.
CredEnum – Enumerates the current user's saved credentials using CredEnumerate()
+ CredGuard – CredentialGuard configuration
dir – Lists files/folders. By default, lists users' downloads, documents, and desktop folders (arguments == [directory] [maxDepth] [regex] [boolIgnoreErrors]
+ DNSCache – DNS cache entries (via WMI)
+ DotNet – DotNet versions
+ DpapiMasterKeys – List DPAPI master keys
EnvironmentPath – Current environment %PATH$ folders and SDDL information
+ EnvironmentVariables – Current environment variables
+ ExplicitLogonEvents – Explicit Logon events (Event ID 4648) from the security event log. Default of 7 days, argument == last X days.
ExplorerMRUs – Explorer most recently used files (last 7 days, argument == last X days)
+ ExplorerRunCommands – Recent Explorer "run" commands
FileInfo – Information about a file (version information, timestamps, basic PE info, etc. argument(s) == file path(s)
+ FileZilla – FileZilla configuration files
+ FirefoxHistory – Parses any found FireFox history files
+ FirefoxPresence – Checks if interesting Firefox files exist
+ Hotfixes – Installed hotfixes (via WMI)
IdleTime – Returns the number of seconds since the current user's last input.
+ IEFavorites – Internet Explorer favorites
IETabs – Open Internet Explorer tabs
+ IEUrls – Internet Explorer typed URLs (last 7 days, argument == last X days)
+ InstalledProducts – Installed products via the registry
InterestingFiles – "Interesting" files matching various patterns in the user's folder. Note: takes non-trivial time.
+ InterestingProcesses – "Interesting" processes – defensive products and admin tools
InternetSettings – Internet settings including proxy configs and zones configuration
+ KeePass – Finds KeePass configuration files
+ LAPS – LAPS settings, if installed
+ LastShutdown – Returns the DateTime of the last system shutdown (via the registry).
LocalGPOs – Local Group Policy settings applied to the machine/local users
+ LocalGroups – Non-empty local groups, "-full" displays all groups (argument == computername to enumerate)
+ LocalUsers – Local users, whether they're active/disabled, and pwd last set (argument == computername to enumerate)
+ LogonEvents – Logon events (Event ID 4624) from the security event log. Default of 10 days, argument == last X days.
+ LogonSessions – Windows logon sessions
LOLBAS – Locates Living Off The Land Binaries and Scripts (LOLBAS) on the system. Note: takes non-trivial time.
+ LSASettings – LSA settings (including auth packages)
+ MappedDrives – Users' mapped drives (via WMI)
McAfeeConfigs – Finds McAfee configuration files
McAfeeSiteList – Decrypt any found McAfee SiteList.xml configuration files.
MicrosoftUpdates – All Microsoft updates (via COM)
MTPuTTY – MTPuTTY configuration files
NamedPipes – Named pipe names, any readable ACL information and associated process information.
+ NetworkProfiles – Windows network profiles
+ NetworkShares – Network shares exposed by the machine (via WMI)
+ NTLMSettings – NTLM authentication settings
OfficeMRUs – Office most recently used file list (last 7 days)
OneNote – List OneNote backup files
+ OptionalFeatures – List Optional Features/Roles (via WMI)
OracleSQLDeveloper – Finds Oracle SQLDeveloper connections.xml files
+ OSInfo – Basic OS info (i.e. architecture, OS version, etc.)
+ OutlookDownloads – List files downloaded by Outlook
+ PoweredOnEvents – Reboot and sleep schedule based on the System event log EIDs 1, 12, 13, 42, and 6008. Default of 7 days, argument == last X days.
+ PowerShell – PowerShell versions and security settings
+ PowerShellEvents – PowerShell script block logs (4104) with sensitive data.
+ PowerShellHistory – Searches PowerShell console history files for sensitive regex matches.
Printers – Installed Printers (via WMI)
+ ProcessCreationEvents – Process creation logs (4688) with sensitive data.
Processes – Running processes with file info company names that don't contain 'Microsoft', "-full" enumerates all processes
+ ProcessOwners – Running non-session 0 process list with owners. For remote use.
+ PSSessionSettings – Enumerates PS Session Settings from the registry
+ PuttyHostKeys – Saved Putty SSH host keys
+ PuttySessions – Saved Putty configuration (interesting fields) and SSH host keys
RDCManFiles – Windows Remote Desktop Connection Manager settings files
+ RDPSavedConnections – Saved RDP connections stored in the registry
+ RDPSessions – Current incoming RDP sessions (argument == computername to enumerate)
+ RDPsettings – Remote Desktop Server/Client Settings
RecycleBin – Items in the Recycle Bin deleted in the last 30 days – only works from a user context!
reg – Registry key values (HKLM\Software by default) argument == [Path] [intDepth] [Regex] [boolIgnoreErrors]
RPCMappedEndpoints – Current RPC endpoints mapped
+ SCCM – System Center Configuration Manager (SCCM) settings, if applicable
+ ScheduledTasks – Scheduled tasks (via WMI) that aren't authored by 'Microsoft', "-full" dumps all Scheduled tasks
SearchIndex – Query results from the Windows Search Index, default term of 'passsword'. (argument(s) == <search path> <pattern1,pattern2,...>
SecPackageCreds – Obtains credentials from security packages
+ SecureBoot – Secure Boot configuration
SecurityPackages – Enumerates the security packages currently available using EnumerateSecurityPackagesA()
Services – Services with file info company names that don't contain 'Microsoft', "-full" dumps all processes
+ SlackDownloads – Parses any found 'slack-downloads' files
+ SlackPresence – Checks if interesting Slack files exist
+ SlackWorkspaces – Parses any found 'slack-workspaces' files
+ SuperPutty – SuperPutty configuration files
+ Sysmon – Sysmon configuration from the registry
+ SysmonEvents – Sysmon process creation logs (1) with sensitive data.
TcpConnections – Current TCP connections and their associated processes and services
TokenGroups – The current token's local and domain groups
TokenPrivileges – Currently enabled token privileges (e.g. SeDebugPrivilege/etc.)
+ UAC – UAC system policies via the registry
UdpConnections – Current UDP connections and associated processes and services
UserRightAssignments – Configured User Right Assignments (e.g. SeDenyNetworkLogonRight, SeShutdownPrivilege, etc.) argument == computername to enumerate
WifiProfile – Enumerates the saved Wifi profiles and extract the ssid, authentication type, cleartext key/passphrase (when possible)
+ WindowsAutoLogon – Registry autologon information
WindowsCredentialFiles – Windows credential DPAPI blobs
+ WindowsDefender – Windows Defender settings (including exclusion locations)
+ WindowsEventForwarding – Windows Event Forwarding (WEF) settings via the registry
+ WindowsFirewall – Non-standard firewall rules, "-full" dumps all (arguments == allow/deny/tcp/udp/in/out/domain/private/public)
WindowsVault – Credentials saved in the Windows Vault (i.e. logins from Internet Explorer and Edge).
+ WMI – Runs a specified WMI query
WMIEventConsumer – Lists WMI Event Consumers
WMIEventFilter – Lists WMI Event Filters
WMIFilterBinding – Lists WMI Filter to Consumer Bindings
+ WSUS – Windows Server Update Services (WSUS) settings, if applicable
Seatbelt has the following command groups: All, User, System, Slack, Chromium, Remote, Misc
You can invoke command groups with "Seatbelt.exe <group>"
Or command groups except specific commands "Seatbelt.exe <group> -Command"
"Seatbelt.exe -group=all" runs all commands
"Seatbelt.exe -group=user" runs the following commands:
azuread, Certificates, CertificateThumbprints, ChromiumPresence, CloudCredentials,
CloudSyncProviders, CredEnum, dir, DpapiMasterKeys,
ExplorerMRUs, ExplorerRunCommands, FileZilla, FirefoxPresence,
IdleTime, IEFavorites, IETabs, IEUrls,
KeePass, MappedDrives, MTPuTTY, OfficeMRUs,
OneNote, OracleSQLDeveloper, PowerShellHistory, PuttyHostKeys,
PuttySessions, RDCManFiles, RDPSavedConnections, SecPackageCreds,
SlackDownloads, SlackPresence, SlackWorkspaces, SuperPutty,
TokenGroups, WindowsCredentialFiles, WindowsVault
"Seatbelt.exe -group=system" runs the following commands:
AMSIProviders, AntiVirus, AppLocker, ARPTable, AuditPolicies,
AuditPolicyRegistry, AutoRuns, Certificates, CertificateThumbprints,
CredGuard, DNSCache, DotNet, EnvironmentPath,
EnvironmentVariables, Hotfixes, InterestingProcesses, InternetSettings,
LAPS, LastShutdown, LocalGPOs, LocalGroups,
LocalUsers, LogonSessions, LSASettings, McAfeeConfigs,
NamedPipes, NetworkProfiles, NetworkShares, NTLMSettings,
OptionalFeatures, OSInfo, PoweredOnEvents, PowerShell,
Processes, PSSessionSettings, RDPSessions, RDPsettings,
SCCM, SecureBoot, Services, Sysmon,
TcpConnections, TokenPrivileges, UAC, UdpConnections,
UserRightAssignments, WifiProfile, WindowsAutoLogon, WindowsDefender,
WindowsEventForwarding, WindowsFirewall, WMI, WMIEventConsumer,
WMIEventFilter, WMIFilterBinding, WSUS
"Seatbelt.exe -group=slack" runs the following commands:
SlackDownloads, SlackPresence, SlackWorkspaces
"Seatbelt.exe -group=chromium" runs the following commands:
ChromiumBookmarks, ChromiumHistory, ChromiumPresence
"Seatbelt.exe -group=remote" runs the following commands:
AMSIProviders, AntiVirus, AuditPolicyRegistry, ChromiumPresence, CloudCredentials,
DNSCache, DotNet, DpapiMasterKeys, EnvironmentVariables,
ExplicitLogonEvents, ExplorerRunCommands, FileZilla, Hotfixes,
InterestingProcesses, KeePass, LastShutdown, LocalGroups,
LocalUsers, LogonEvents, LogonSessions, LSASettings,
MappedDrives, NetworkProfiles, NetworkShares, NTLMSettings,
OptionalFeatures, OSInfo, PoweredOnEvents, PowerShell,
ProcessOwners, PSSessionSettings, PuttyHostKeys, PuttySessions,
RDPSavedConnections, RDPSessions, RDPsettings, SecureBoot,
Sysmon, WindowsDefender, WindowsEventForwarding, WindowsFirewall
"Seatbelt.exe -group=misc" runs the following commands:
ChromiumBookmarks, ChromiumHistory, ExplicitLogonEvents, FileInfo, FirefoxHistory,
InstalledProducts, InterestingFiles, LogonEvents, LOLBAS,
McAfeeSiteList, MicrosoftUpdates, OutlookDownloads, PowerShellEvents,
Printers, ProcessCreationEvents, ProcessOwners, RecycleBin,
reg, RPCMappedEndpoints, ScheduledTasks, SearchIndex,
SecurityPackages, SysmonEvents
Examples:
'Seatbelt.exe <Command> [Command2] ...' will run one or more specified checks only
'Seatbelt.exe <Command> -full' will return complete results for a command without any filtering.
'Seatbelt.exe "<Command> [argument]"' will pass an argument to a command that supports it (note the quotes).
'Seatbelt.exe -group=all' will run ALL enumeration checks, can be combined with "-full".
'Seatbelt.exe -group=all -AuditPolicies' will run all enumeration checks EXCEPT AuditPolicies, can be combined with "-full".
'Seatbelt.exe <Command> -computername=COMPUTER.DOMAIN.COM [-username=DOMAIN\USER -password=PASSWORD]' will run an applicable check remotely
'Seatbelt.exe -group=remote -computername=COMPUTER.DOMAIN.COM [-username=DOMAIN\USER -password=PASSWORD]' will run remote specific checks
'Seatbelt.exe -group=system -outputfile="C:\Temp\out.txt"' will run system checks and output to a .txt file.
'Seatbelt.exe -group=user -q -outputfile="C:\Temp\out.json"' will run in quiet mode with user checks and output to a .json file.
Note: searches that target users run for the current user if not elevated, and for all users if elevated.
Command Groups
Note: many commands do some type of filtering by default. Supplying the -full argument prevents filtering of the output. Also, the command group all runs all current checks.
For example, the following command will run ALL checks and return ALL output:
Seatbelt.exe -group=all -full
System
Runs checks that gather interesting data about the system.
Execute: Seatbelt.exe -group=system
| Command | Description |
|---|---|
| AMSIProviders | Providers registered for AMSI |
| AntiVirus | Registered antivirus (via WMI) |
| AppLocker | AppLocker settings, if installed |
| ARPTable | Lists the current ARP table and adapter information (equivalent to arp -a) |
| AuditPolicies | Enumerates classic and advanced audit policy settings |
| AuditPolicyRegistry | Audit settings via the registry |
| AutoRuns | Auto run executables/scripts/programs |
| Certificates | User and machine personal certificate files |
| CertificateThumbprints | Thumbprints for all certificate store certs on the system |
| CredGuard | CredentialGuard configuration |
| DNSCache | DNS cache entries (via WMI) |
| DotNet | DotNet versions |
| EnvironmentPath | Current environment %PATH% folders and SDDL information |
| EnvironmentVariables | Current user environment variables |
| Hotfixes | Installed hotfixes (via WMI) |
| InterestingProcesses | "Interesting" processes - defensive products and admin tools |
| InternetSettings | Internet settings including proxy configs |
| LAPS | LAPS settings, if installed |
| LastShutdown | Returns the DateTime of the last system shutdown (via the registry) |
| LocalGPOs | Local Group Policy settings applied to the machine/local users |
| LocalGroups | Non-empty local groups, "-full" displays all groups (argument == computername to enumerate) |
| LocalUsers | Local users, whether they're active/disabled, and pwd last set |
| LogonEvents | Logon events (Event ID 4624) from the security event log. Default of 10 days, argument == last X days. |
| LSASettings | LSA settings (including auth packages) |
| McAfeeConfigs | Finds McAfee configuration files |
| NamedPipes | Named pipe names and any readable ACL information |
| NetworkProfiles | Windows network profiles |
| NetworkShares | Network shares exposed by the machine (via WMI) |
| NTLMSettings | NTLM authentication settings |
| OptionalFeatures | TODO |
| OSInfo | Basic OS info (i.e. architecture, OS version, etc.) |
| PoweredOnEvents | Reboot and sleep schedule based on the System event log EIDs 1, 12, 13, 42, and 6008. Default of 7 days, argument == last X days. |
| PowerShell | PowerShell versions and security settings |
| Processes | Running processes with file info company names that don't contain "Microsoft", "-full" enumerates all processes |
| PSSessionSettings | Enumerates PS Session Settings from the registry |
| RDPSessions | Current incoming RDP sessions (argument == computername to enumerate) |
| RDPsettings | Remote Desktop Server/Client Settings |
| SCCM | System Center Configuration Manager (SCCM) settings, if applicable |
| Services | Services with file info company names that don't contain "Microsoft", "-full" dumps all processes |
| Sysmon | Sysmon configuration from the registry |
| TcpConnections | Current TCP connections and their associated processes and services |
| TokenPrivileges | Currently enabled token privileges (e.g. SeDebugPrivilege/etc.) |
| UAC | UAC system policies via the registry |
| UdpConnections | Current UDP connections and associated processes and services |
| UserRightAssignments | Configured User Right Assignments (e.g. SeDenyNetworkLogonRight, SeShutdownPrivilege, etc.) argument == computername to enumerate |
| WifiProfile | TODO |
| WindowsAutoLogon | Registry autologon information |
| WindowsDefender | Windows Defender settings (including exclusion locations) |
| WindowsEventForwarding | Windows Event Forwarding (WEF) settings via the registry |
| WindowsFirewall | Non-standard firewall rules, "-full" dumps all (arguments == allow/deny/tcp/udp/in/out/domain/private/public) |
| WMIEventConsumer | Lists WMI Event Consumers |
| WMIEventFilter | Lists WMI Event Filters |
| WMIFilterBinding | Lists WMI Filter to Consumer Bindings |
| WSUS | Windows Server Update Services (WSUS) settings, if applicable |
User
Runs checks that gather interesting data about the currently logged on user (if not elevated) or all users (if elevated).
Execute: Seatbelt.exe -group=user
| Command | Description |
|---|---|
| Certificates | User and machine personal certificate files |
| CertificateThumbprints | Thumbprints for all certificate store certs on the system |
| ChromiumPresence | Checks if interesting Chrome/Edge/Brave/Opera files exist |
| CloudCredentials | AWS/Google/Azure cloud credential files |
| CloudSyncProviders | TODO |
| CredEnum | Enumerates the current user's saved credentials using CredEnumerate() |
| dir | Lists files/folders. By default, lists users' downloads, documents, and desktop folders (arguments == <directory> <depth> <regex> |
| DpapiMasterKeys | List DPAPI master keys |
| dsregcmd | TODO |
| ExplorerMRUs | Explorer most recently used files (last 7 days, argument == last X days) |
| ExplorerRunCommands | Recent Explorer "run" commands |
| FileZilla | FileZilla configuration files |
| FirefoxPresence | Checks if interesting Firefox files exist |
| IdleTime | Returns the number of seconds since the current user's last input. |
| IEFavorites | Internet Explorer favorites |
| IETabs | Open Internet Explorer tabs |
| IEUrls | Internet Explorer typed URLs (last 7 days, argument == last X days) |
| KeePass | TODO |
| MappedDrives | Users' mapped drives (via WMI) |
| OfficeMRUs | Office most recently used file list (last 7 days) |
| OneNote | TODO |
| OracleSQLDeveloper | TODO |
| PowerShellHistory | Iterates through every local user and attempts to read their PowerShell console history, printing it if successful |
| PuttyHostKeys | Saved Putty SSH host keys |
| PuttySessions | Saved Putty configuration (interesting fields) and SSH host keys |
| RDCManFiles | Windows Remote Desktop Connection Manager settings files |
| RDPSavedConnections | Saved RDP connections stored in the registry |
| SecPackageCreds | Obtains credentials from security packages |
| SlackDownloads | Parses any found 'slack-downloads' files |
| SlackPresence | Checks if interesting Slack files exist |
| SlackWorkspaces | Parses any found 'slack-workspaces' files |
| SuperPutty | SuperPutty configuration files |
| TokenGroups | The current token's local and domain groups |
| WindowsCredentialFiles | Windows credential DPAPI blobs |
| WindowsVault | Credentials saved in the Windows Vault (i.e. logins from Internet Explorer and Edge). |
Misc
Runs all other checks.
Execute: Seatbelt.exe -group=misc
| Command | Description |
|---|---|
| ChromiumBookmarks | Parses any found Chrome/Edge/Brave/Opera bookmark files |
| ChromiumHistory | Parses any found Chrome/Edge/Brave/Opera history files |
| ExplicitLogonEvents | Explicit Logon events (Event ID 4648) from the security event log. Default of 7 days, argument == last X days. |
| FileInfo | Information about a file (version information, timestamps, basic PE info, etc. argument == file path |
| FirefoxHistory | Parses any found Firefox history files |
| InstalledProducts | Installed products via the registry |
| InterestingFiles | "Interesting" files matching various patterns in the user's folder. Note: takes non-trivial time. |
| LogonEvents | Logon events (Event ID 4624) from the security event log. Default of 10 days, argument == last X days. |
| LOLBAS | Locates Living Off The Land Binaries and Scripts (LOLBAS) on the system. Note: takes non-trivial time. |
| McAfeeSiteList | Decrypt any found McAfee SiteList.xml configuration files. |
| MicrosoftUpdates | All Microsoft updates (via COM) |
| OutlookDownloads | List files downloaded by Outlook |
| PowerShellEvents | PowerShell script block logs (4104) with sensitive data. |
| Printers | Installed Printers (via WMI) |
| ProcessCreationEvents | Process creation logs (4688) with sensitive data. |
| ProcessOwners | Running non-session 0 process list with owners. For remote use. |
| RecycleBin | Items in the Recycle Bin deleted in the last 30 days - only works from a user context! |
| reg | Registry key values (HKLM\Software by default) argument == [Path] [intDepth] [Regex] [boolIgnoreErrors] |
| RPCMappedEndpoints | Current RPC endpoints mapped |
| ScheduledTasks | Scheduled tasks (via WMI) that aren't authored by "Microsoft", "-full" dumps all Scheduled tasks |
| SearchIndex | Query results from the Windows Search Index, default term of 'password'. (argument(s) == <search path> <pattern1,pattern2,...> |
| SecurityPackages | Enumerates the security packages currently available using EnumerateSecurityPackagesA() |
| SysmonEvents | Sysmon process creation logs (1) with sensitive data. |
Additional Command Groups
Execute: Seatbelt.exe -group=GROUPNAME
| Alias | Description |
|---|---|
| Slack | Runs modules that start with "Slack*" |
| Chromium | Runs modules that start with "Chromium*" |
| Remote | Runs the following modules (for use against a remote system): AMSIProviders, AntiVirus, AuditPolicyRegistry, ChromiumPresence, CloudCredentials, DNSCache, DotNet, DpapiMasterKeys, EnvironmentVariables, ExplicitLogonEvents, ExplorerRunCommands, FileZilla, Hotfixes, InterestingProcesses, KeePass, LastShutdown, LocalGroups, LocalUsers, LogonEvents, LogonSessions, LSASettings, MappedDrives, NetworkProfiles, NetworkShares, NTLMSettings, OptionalFeatures, OSInfo, PoweredOnEvents, PowerShell, ProcessOwners, PSSessionSettings, PuttyHostKeys, PuttySessions, RDPSavedConnections, RDPSessions, RDPsettings, Sysmon, WindowsDefender, WindowsEventForwarding, WindowsFirewall |
Command Arguments
Commands that accept arguments note it in their description. To pass an argument to a command, wrap the command and its argument(s) in double quotes.
For example, the following command returns 4624 logon events for the last 30 days:
Seatbelt.exe "LogonEvents 30"
The following command queries three levels deep in the registry, returning only keys/valueNames/values that match the regex .*defini.*
Seatbelt.exe "reg \"HKLM\SOFTWARE\Microsoft\Windows Defender\" 3 .*defini.* true"
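To make the quoting rule and the reg parameters concrete, here is an added Python example; it is not Seatbelt's own code (Seatbelt is C#). It tokenizes a quoted command string like the two above, maps the tokens onto the reg parameters [Path] [intDepth] [Regex] [boolIgnoreErrors], and evaluates the query against a constructed in-memory stand-in for the Windows Defender registry subtree. The tokenizer accepts both the \" form typed at a Windows prompt and the form left after the shell has removed that escape. The depth default, case-insensitive regex matching, the matching rule (regex tested against the key's leaf name, the value name, or the data) and the sample tree are assumptions made for this example, not behaviour taken from this page.

```python
import re
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple


def split_command_string(argv_entry: str) -> List[str]:
    """Split one quoted Seatbelt argument ('LogonEvents 30' or a reg query)
    into tokens. Double quotes group a token that contains spaces; a
    backslash directly before a double quote is treated the same way, so
    the result is identical whether or not the shell already stripped that
    escape. Other backslashes (registry path separators) are kept as-is."""
    tokens: List[str] = []
    cur: List[str] = []
    in_quotes = False
    have_token = False
    i = 0
    while i < len(argv_entry):
        ch = argv_entry[i]
        if ch == "\\" and argv_entry[i + 1:i + 2] == '"':
            in_quotes, have_token, i = not in_quotes, True, i + 2
        elif ch == '"':
            in_quotes, have_token, i = not in_quotes, True, i + 1
        elif ch.isspace() and not in_quotes:
            if have_token:
                tokens.append("".join(cur))
                cur, have_token = [], False
            i += 1
        else:
            cur.append(ch)
            have_token, i = True, i + 1
    if have_token:
        tokens.append("".join(cur))
    return tokens


@dataclass
class RegQuery:
    """Parameters of the reg command: [Path] [intDepth] [Regex] [boolIgnoreErrors]."""
    path: str = r"HKLM\Software"   # default stated in the help text
    depth: int = 0                 # assumed default: the named key only
    regex: Optional[Any] = None    # compiled pattern; no filtering when absent
    ignore_errors: bool = False


def parse_reg_query(argv_entry: str) -> RegQuery:
    """Map the tokens of a 'reg ...' command string onto a RegQuery."""
    tokens = split_command_string(argv_entry)
    if not tokens or tokens[0].lower() != "reg":
        raise ValueError("expected a 'reg' command string")
    args = tokens[1:]
    q = RegQuery()
    if len(args) > 0:
        q.path = args[0]
    if len(args) > 1:
        q.depth = int(args[1])
    if len(args) > 2:
        q.regex = re.compile(args[2], re.IGNORECASE)  # case-insensitivity assumed
    if len(args) > 3:
        q.ignore_errors = args[3].lower() == "true"
    return q


# Constructed stand-in for the subtree below HKLM\SOFTWARE\Microsoft\Windows Defender.
# Each node holds its values and subkeys; None marks a subkey that cannot be opened.
SAMPLE_TREE: Dict[str, Any] = {
    "values": {"ProductStatus": 0, "DisableAntiSpyware": 0},
    "subkeys": {
        "Signature Updates": {
            "values": {"AVSignatureVersion": "1.401.0.0",
                       "DefinitionUpdateFileSharesSources": ""},
            "subkeys": {},
        },
        "Exclusions": {
            "values": {},
            "subkeys": {"Paths": {"values": {r"C:\Temp": 0}, "subkeys": {}}},
        },
        "Locked": None,
    },
}


def walk_registry_tree(tree: Dict[str, Any], key_path: str, q: RegQuery,
                       level: int = 0) -> List[Tuple[str, str, Any]]:
    """Depth-limited walk returning (key path, value name, data) triples.
    A value is reported when no regex is set, or when the regex matches the
    key's leaf name, the value name or the data (assumed matching rule).
    An unreadable subkey raises unless ignore_errors is set."""
    hits: List[Tuple[str, str, Any]] = []
    leaf = key_path.rsplit("\\", 1)[-1]
    for name, data in tree["values"].items():
        if q.regex is None or any(q.regex.search(s) for s in (leaf, name, str(data))):
            hits.append((key_path, name, data))
    if level < q.depth:
        for sub, subtree in tree["subkeys"].items():
            sub_path = key_path + "\\" + sub
            if subtree is None:
                if q.ignore_errors:
                    continue
                raise PermissionError("access denied: " + sub_path)
            hits.extend(walk_registry_tree(subtree, sub_path, q, level + 1))
    return hits


def run_reg(argv_entry: str, tree: Dict[str, Any] = SAMPLE_TREE) -> List[Tuple[str, str, Any]]:
    """Parse a reg command string and evaluate it against a tree."""
    q = parse_reg_query(argv_entry)
    return walk_registry_tree(tree, q.path, q)
```

Calling `run_reg(r'reg "HKLM\SOFTWARE\Microsoft\Windows Defender" 3 .*defini.* true')` on the sample tree returns only the DefinitionUpdateFileSharesSources value under Signature Updates: the unreadable Locked subkey is skipped because the fourth argument is true, and with false in its place the same query raises PermissionError at that subkey, which is the difference the boolIgnoreErrors flag controls.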
Output
Seatbelt can redirect its output to a file with the -outputfile="C:\Path\file.txt" argument. If the file path ends in .json, the output will be structured JSON.
For example, the following command will output the results of the system checks to a txt file:
Seatbelt.exe -group=system -outputfile="C:\Temp\system.txt"
Remote Enumeration
Commands noted with a + in the help menu can be run remotely against another system. This is performed over WMI, via queries for WMI classes and WMI's registry enumeration.
To enumerate a remote system, supply -computername=COMPUTER.DOMAIN.COM. An alternate username and password can be specified with -username=DOMAIN\USER -password=PASSWORD.
For example, the following command runs the remote-focused checks against a remote system:
Seatbelt.exe -group=remote -computername=192.168.230.209 -username=THESHIRE\sam -password="yum \"po-ta-toes\""
Building Your Own Modules
Seatbelt's structure is completely modular, allowing additional command modules to be dropped into the file structure and loaded dynamically.
There is a commented command module template at .\Seatbelt\Commands\Template.cs. After building a module, place it in a logical file location, include it in the project in the Visual Studio Solution Explorer, and compile.
Compile Instructions
We are not planning on releasing binaries for Seatbelt, so you will have to compile your own.
Seatbelt has been built against .NET 3.5 and 4.0 with C# 8.0 features and is compatible with Visual Studio Community Edition. Simply open up the project .sln, choose "Release", and build. To change the target .NET framework version, modify the project's settings and rebuild the project.
Acknowledgments
Seatbelt incorporates various collection items, C# code snippets, and PoCs found throughout research. These ideas, snippets, and authors are highlighted in the appropriate locations in the source code, and include:
- @andrewchiles' HostEnum.ps1 script and @tifkin_'s Get-HostProfile.ps1, which provided inspiration for many of the artifacts to collect
- Boboes' code concerning NetLocalGroupGetMembers
- ambyte's code for converting a mapped drive letter to a network path
- Igor Korkhov's code to retrieve current token group information
- RobSiklos' snippet to determine if a host is a virtual machine
- JGU's snippet on file/folder ACL right comparison
- Rod Stephens' pattern for recursive file enumeration
- SwDevMan81's snippet for enumerating current token privileges
- Jared Atkinson's PowerShell work on Kerberos ticket caches
- darkmatter08's Kerberos C# snippet
- Numerous pinvoke.net samples <3
- Jared Hill's awesome CodeProject to use the Local Security Authority to enumerate user sessions
- Fred's code for querying the ARP cache
- ShuggyCoUk's snippet for querying the TCP connection table
- yizhang82's example for interacting with COM objects through C# using reflection
- @djhohnstein's SharpWeb project
- @djhohnstein's EventLogParser project
- @cmaddalena's SharpCloud project, BSD 3-Clause
- @_RastaMouse's Watson project, GPL license
- @_RastaMouse's work on enumeration
- @peewpw's Invoke-WCMDump project, GPL license
- TrustedSec's HoneyBadger project, BSD 3-Clause
- Central Solutions' Audit User Rights Assignment project, no license
- @ukstufus's Reconerator project for inspiring collection ideas
- Dustin Hurlbut's paper Microsoft Office 2007, 2010 - MRU locations and timestamp parsing information - Registry
- The Windows Commands list, used for constructing the sensitive-data regexes
- Ryan Ries' code for enumerating mapped RPC endpoints
- Chris Haas' post on EnumerateSecurityPackages()
- darkoperator's work on the HoneyBadger project
- @airzero24's work on WMI registry enumeration
- Alexandru's answer on RegistryKey.OpenBaseKey
- Tomas Vera's post on JavaScriptSerializer
- Marc Gravell's note on recursively listing files/folders
- @mattifestation's Sysmon rule parser
- Spolnik's Simple.CredentialsManager project, Apache 2 license
- This post on Credential Guard settings
- This thread on network profiles
- Mark McKinnon's post on decoding the DataFixed and DataElement-connected SSID values
- This post on the Group Policy cache
- SA_DDAM213's StackOverflow post on enumerating items in the Recycle Bin
- Kirill Osenkov's managed assembly detection code
- The Mono project for the SecBuffer/SecBufferDesc classes
- Elad Shamir and his Internal-Monologue project, Vincent Le Toux for his DetectPasswordViaNTLMInFlow project, and Lee Christensen's GetNTLMChallenge project. All of these served as inspiration for the SecPackageCreds command.
- @leftp and @eksperience's Gopher project, inspiration for the FileZilla and SuperPutty commands
- @funoverip for the original McAfee SiteList.xml decryption code
We have tried to do our due diligence on citations, but if we have left someone or something out, please let us know!
