
Seatbelt


Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.

@andrewchiles' HostEnum.ps1 script and @tifkin_'s Get-HostProfile.ps1 provided inspiration for many of the artifacts to collect.

@harmj0y and @tifkin_ are the primary authors of this implementation.

Seatbelt is licensed under the BSD 3-Clause license.

Command Line Usage

                            %&&@@@&&
                            &&&&&&&%%%,                       #&&@@@@@@%%%%%%###############%
                            &%&   %&%%                        &////(((&%%%%%#%################//((((###%%%%%%%%%%%%%%%
    %%%%%%%%%%%######%%%#%%####%  &%%**#                      @////(((&%%%%%%######################(((((((((((((((((((
    #%#%%%%%%%#######%#%%#######  %&%,,,,,,,,,,,,,,,,         @////(((&%%%%%#%#####################(((((((((((((((((((
    #%#%%%%%%#####%%#%#%%#######  %%%,,,,,,  ,,.   ,,         @////(((&%%%%%%%######################(#(((#(#((((((((((
    #####%%%####################  &%%......  ...   ..         @////(((&%%%%%%%###############%######((#(#(####((((((((
    #######%##########%#########  %%%......  ...   ..         @////(((&%%%%%#########################(#(#######((#####
    ###%##%%####################  &%%...............          @////(((&%%%%%%%%##############%#######(#########((#####
    #####%######################  %%%..                       @////(((&%%%%%%%################
                            &%&   %%%%%      Seatbelt         %////(((&%%%%%%%%#############*
                            &%%&&&%%%%%        v1.0.0         ,(((&%%%%%%%%%%%%%%%%%,
                             #%%%%##,


    Available commands (+ means remote usage is supported):

        + AMSIProviders          - Providers registered for AMSI
        + AntiVirus              - Registered antivirus (via WMI)
          AppLocker              - AppLocker settings, if installed
          ARPTable               - Lists the current ARP table and adapter information (equivalent to arp -a)
          AuditPolicies          - Enumerates classic and advanced audit policy settings
        + AuditPolicyRegistry    - Audit settings via the registry
        + AutoRuns               - Auto run executables/scripts/programs
          ChromeBookmarks        - Parses any found Chrome bookmark files
          ChromeHistory          - Parses any found Chrome history files
          ChromePresence         - Checks if interesting Google Chrome files exist
          CloudCredentials       - AWS/Google/Azure cloud credential files
          CredEnum               - Enumerates the current user's saved credentials using CredEnumerate()
          CredGuard              - CredentialGuard configuration
          dir                    - Lists files/folders. By default, lists users' downloads, documents, and desktop folders (arguments == [directory] [depth] [regex] [boolIgnoreErrors]
        + DNSCache               - DNS cache entries (via WMI)
        + DotNet                 - DotNet versions
          DpapiMasterKeys        - List DPAPI master keys
          EnvironmentPath        - Current environment %PATH$ folders and SDDL information
          EnvironmentVariables   - Current user environment variables
          ExplicitLogonEvents    - Explicit Logon events (Event ID 4648) from the security event log. Default of 7 days, argument == last X days.
          ExplorerMRUs           - Explorer most recently used files (last 7 days, argument == last X days)
        + ExplorerRunCommands    - Recent Explorer "run" commands
          FileInfo               - Information about a file (version information, timestamps, basic PE info, etc. argument(s) == file path(s)
          FirefoxHistory         - Parses any found FireFox history files
          FirefoxPresence        - Checks if interesting Firefox files exist
          IdleTime               - Returns the number of seconds since the current user's last input.
          IEFavorites            - Internet Explorer favorites
          IETabs                 - Open Internet Explorer tabs
          IEUrls                 - Internet Explorer typed URLs (last 7 days, argument == last X days)
          InstalledProducts      - Installed products via the registry
          InterestingFiles       - "Interesting" files matching various patterns in the user's folder. Note: takes non-trivial time.
        + InterestingProcesses   - "Interesting" processes - defensive products and admin tools
          InternetSettings       - Internet settings including proxy configs
        + LAPS                   - LAPS settings, if installed
        + LastShutdown           - Returns the DateTime of the last system shutdown (via the registry).
          LocalGPOs              - Local Group Policy settings applied to the machine/local users
        + LocalGroups            - Non-empty local groups, "-full" displays all groups (argument == computername to enumerate)
        + LocalUsers             - Local users, whether they're active/disabled, and pwd last set (argument == computername to enumerate)
          LogonEvents            - Logon events (Event ID 4624) from the security event log. Default of 10 days, argument == last X days.
        + LogonSessions          - Windows logon sessions
        + LSASettings            - LSA settings (including auth packages)
        + MappedDrives           - Users' mapped drives (via WMI)
          NamedPipes             - Named pipe names and any readable ACL information.
        + NetworkProfiles        - Windows network profiles
        + NetworkShares          - Network shares exposed by the machine (via WMI)
        + NTLMSettings           - NTLM authentication settings
          OfficeMRUs             - Office most recently used file list (last 7 days)
          OSInfo                 - Basic OS info (i.e. architecture, OS version, etc.)
          OutlookDownloads       - List files downloaded by Outlook
          PoweredOnEvents        - Reboot and sleep schedule based on the System event log EIDs 1, 12, 13, 42, and 6008. Default of 7 days, argument == last X days.
        + PowerShell             - PowerShell versions and security settings
          PowerShellEvents       - PowerShell script block logs (4104) with sensitive data.
          Printers               - Installed Printers (via WMI)
          ProcessCreationEvents  - Process creation logs (4688) with sensitive data.
          Processes              - Running processes with file info company names that don't contain 'Microsoft', "-full" enumerates all processes
        + ProcessOwners          - Running non-session 0 process list with owners. For remote use.
        + PSSessionSettings      - Enumerates PS Session Settings from the registry
        + PuttyHostKeys          - Saved Putty SSH host keys
        + PuttySessions          - Saved Putty configuration (interesting fields) and SSH host keys
          RDCManFiles            - Windows Remote Desktop Connection Manager settings files
        + RDPSavedConnections    - Saved RDP connections stored in the registry
        + RDPSessions            - Current incoming RDP sessions (argument == computername to enumerate)
          RecycleBin             - Items in the Recycle Bin deleted in the last 30 days - only works from a user context!
          reg                    - Registry key values (HKLM\Software by default) argument == [Path] [intDepth] [Regex] [boolIgnoreErrors]
          RPCMappedEndpoints     - Current RPC endpoints mapped
        + SCCM                   - System Center Configuration Manager (SCCM) settings, if applicable
        + ScheduledTasks         - Scheduled tasks (via WMI) that aren't authored by 'Microsoft', "-full" dumps all Scheduled tasks
          SearchIndex            - Query results from the Windows Search Index, default term of 'passsword'. (argument(s) == <search path> <pattern1,pattern2,...>
          SecurityPackages       - Enumerates the security packages currently available using EnumerateSecurityPackagesA()
          Services               - Services with file info company names that don't contain 'Microsoft', "-full" dumps all processes
          SlackDownloads         - Parses any found 'slack-downloads' files
          SlackPresence          - Checks if interesting Slack files exist
          SlackWorkspaces        - Parses any found 'slack-workspaces' files
        + Sysmon                 - Sysmon configuration from the registry
          SysmonEvents           - Sysmon process creation logs (1) with sensitive data.
          TcpConnections         - Current TCP connections and their associated processes and services
          TokenGroups            - The current token's local and domain groups
          TokenPrivileges        - Currently enabled token privileges (e.g. SeDebugPrivilege/etc.)
        + UAC                    - UAC system policies via the registry
          UdpConnections         - Current UDP connections and associated processes and services
          UserRightAssignments   - Configured User Right Assignments (e.g. SeDenyNetworkLogonRight, SeShutdownPrivilege, etc.) argument == computername to enumerate
        + WindowsAutoLogon       - Registry autologon information
          WindowsCredentialFiles - Windows credential DPAPI blobs
        + WindowsDefender        - Windows Defender settings (including exclusion locations)
        + WindowsEventForwarding - Windows Event Forwarding (WEF) settings via the registry
        + WindowsFirewall        - Non-standard firewall rules, "-full" dumps all (arguments == allow/deny/tcp/udp/in/out/domain/private/public)
          WindowsVault           - Credentials saved in the Windows Vault (i.e. logins from Internet Explorer and Edge).
          WMIEventConsumer       - Lists WMI Event Consumers
          WMIEventFilter         - Lists WMI Event Filters
          WMIFilterBinding       - Lists WMI Filter to Consumer Bindings
        + WSUS                   - Windows Server Update Services (WSUS) settings, if applicable


    Seatbelt has the following command groups: All, User, System, Slack, Chrome, Remote, Misc

        You can invoke command groups with "Seatbelt.exe <group>"

       "Seatbelt.exe -group=all" runs all commands

       "Seatbelt.exe -group=user" runs the following commands:

            ChromePresence, CloudCredentials, CredEnum, dir, DpapiMasterKeys,
            ExplorerMRUs, ExplorerRunCommands, FirefoxPresence, IdleTime,
            IEFavorites, IETabs, IEUrls, MappedDrives,
            OfficeMRUs, PuttyHostKeys, PuttySessions, RDCManFiles,
            RDPSavedConnections, SlackDownloads, SlackPresence, SlackWorkspaces,
            TokenGroups, WindowsCredentialFiles, WindowsVault

       "Seatbelt.exe -group=system" runs the following commands:

            AMSIProviders, AntiVirus, AppLocker, ARPTable, AuditPolicies,
            AuditPolicyRegistry, AutoRuns, CredGuard, DNSCache,
            DotNet, EnvironmentPath, EnvironmentVariables, InterestingProcesses,
            InternetSettings, LAPS, LastShutdown, LocalGPOs,
            LocalGroups, LocalUsers, LogonSessions, LSASettings,
            NamedPipes, NetworkProfiles, NetworkShares, NTLMSettings,
            OSInfo, PoweredOnEvents, PowerShell, Printers,
            Processes, PSSessionSettings, RDPSessions, SCCM,
            Services, Sysmon, TcpConnections, TokenPrivileges,
            UAC, UdpConnections, UserRightAssignments, WindowsAutoLogon,
            WindowsDefender, WindowsEventForwarding, WindowsFirewall, WMIEventConsumer,
            WMIEventFilter, WMIFilterBinding, WSUS

       "Seatbelt.exe -group=slack" runs the following commands:

            SlackDownloads, SlackPresence, SlackWorkspaces

       "Seatbelt.exe -group=chrome" runs the following commands:

            ChromeBookmarks, ChromeHistory, ChromePresence

       "Seatbelt.exe -group=remote" runs the following commands:

            AMSIProviders, AntiVirus, DotNet, ExplorerRunCommands, InterestingProcesses,
            LastShutdown, LogonSessions, LSASettings, MappedDrives,
            NetworkProfiles, NetworkShares, NTLMSettings, PowerShell,
            ProcessOwners, PuttyHostKeys, PuttySessions, RDPSavedConnections,
            RDPSessions, Sysmon, WindowsDefender, WindowsEventForwarding,
            WindowsFirewall

       "Seatbelt.exe -group=misc" runs the following commands:

            ChromeBookmarks, ChromeHistory, ExplicitLogonEvents, FileInfo, FirefoxHistory,
            InstalledProducts, InterestingFiles, LogonEvents, OutlookDownloads,
            PowerShellEvents, ProcessCreationEvents, ProcessOwners, RecycleBin,
            reg, RPCMappedEndpoints, ScheduledTasks, SearchIndex,
            SecurityPackages, SysmonEvents


    Examples:
        'Seatbelt.exe <Command> [Command2] ...' will run one or more specified checks only
        'Seatbelt.exe <Command> -full' will return complete results for a command without any filtering.
        'Seatbelt.exe "<Command> [argument]"' will pass an argument to a command that supports it (note the quotes).
        'Seatbelt.exe -group=all' will run ALL enumeration checks, can be combined with "-full".
        'Seatbelt.exe <Command> -computername=COMPUTER.DOMAIN.COM [-username=DOMAIN\USER -password=PASSWORD]' will run an applicable check remotely
        'Seatbelt.exe -group=remote -computername=COMPUTER.DOMAIN.COM [-username=DOMAIN\USER -password=PASSWORD]' will run remote specific checks
        'Seatbelt.exe -group=system -outputfile="C:\Temp\out.txt"' will run system checks and output to a .txt file.
        'Seatbelt.exe -group=user -q -outputfile="C:\Temp\out.json"' will run in quiet mode with user checks and output to a .json file.

Note: searches that target users will run for the current user if not elevated and for ALL users if elevated.

A more detailed wiki is coming...

Command Groups

Note: many commands do some type of filtering by default. Supplying the -full argument prevents filtering output. Also, the command group all will run all current checks.

For example, the following command will run ALL checks and returns ALL output:

Seatbelt.exe -group=all -full

system

Runs checks that mine interesting data about the system.

Executed with: Seatbelt.exe -group=system

| Command | Description |
| --- | --- |
| AMSIProviders | Providers registered for AMSI |
| AntiVirus | Registered antivirus (via WMI) |
| AppLocker | AppLocker settings, if installed |
| ARPTable | Lists the current ARP table and adapter information (equivalent to arp -a) |
| AuditPolicies | Enumerates classic and advanced audit policy settings |
| AuditPolicyRegistry | Audit settings via the registry |
| AutoRuns | Auto run executables/scripts/programs |
| CredGuard | CredentialGuard configuration |
| DNSCache | DNS cache entries (via WMI) |
| DotNet | DotNet versions |
| EnvironmentPath | Current environment %PATH% folders and SDDL information |
| EnvironmentVariables | Current user environment variables |
| InterestingProcesses | "Interesting" processes - defensive products and admin tools |
| InternetSettings | Internet settings including proxy configs |
| LAPS | LAPS settings, if installed |
| LastShutdown | Returns the DateTime of the last system shutdown (via the registry) |
| LocalGPOs | Local Group Policy settings applied to the machine/local users |
| LocalGroups | Non-empty local groups, "-full" displays all groups (argument == computername to enumerate) |
| LocalUsers | Local users, whether they're active/disabled, and pwd last set (argument == computername to enumerate) |
| LogonSessions | Windows logon sessions |
| LSASettings | LSA settings (including auth packages) |
| NamedPipes | Named pipe names and any readable ACL information |
| NetworkProfiles | Windows network profiles |
| NetworkShares | Network shares exposed by the machine (via WMI) |
| NTLMSettings | NTLM authentication settings |
| OSInfo | Basic OS info (i.e. architecture, OS version, etc.) |
| PoweredOnEvents | Reboot and sleep schedule based on the System event log EIDs 1, 12, 13, 42, and 6008. Default of 7 days, argument == last X days. |
| PowerShell | PowerShell versions and security settings |
| Processes | Running processes with file info company names that don't contain 'Microsoft', "-full" enumerates all processes |
| PSSessionSettings | Enumerates PS Session Settings from the registry |
| RDPSessions | Current incoming RDP sessions (argument == computername to enumerate) |
| SCCM | System Center Configuration Manager (SCCM) settings, if applicable |
| Services | Services with file info company names that don't contain 'Microsoft', "-full" dumps all services |
| Sysmon | Sysmon configuration from the registry |
| TcpConnections | Current TCP connections and their associated processes and services |
| TokenPrivileges | Currently enabled token privileges (e.g. SeDebugPrivilege/etc.) |
| UAC | UAC system policies via the registry |
| UdpConnections | Current UDP connections and associated processes and services |
| UserRightAssignments | Configured User Right Assignments (e.g. SeDenyNetworkLogonRight, SeShutdownPrivilege, etc.) argument == computername to enumerate |
| WindowsAutoLogon | Registry autologon information |
| WindowsDefender | Windows Defender settings (including exclusion locations) |
| WindowsEventForwarding | Windows Event Forwarding (WEF) settings via the registry |
| WindowsFirewall | Non-standard firewall rules, "-full" dumps all (arguments == allow/deny/tcp/udp/in/out/domain/private/public) |
| WMIEventConsumer | Lists WMI Event Consumers |
| WMIEventFilter | Lists WMI Event Filters |
| WMIFilterBinding | Lists WMI Filter to Consumer Bindings |
| WSUS | Windows Server Update Services (WSUS) settings, if applicable |

user

Runs checks that mine interesting data about the currently logged on user (if not elevated) or ALL users (if elevated).

Executed with: Seatbelt.exe -group=user

| Command | Description |
| --- | --- |
| ChromePresence | Checks if interesting Google Chrome files exist |
| CloudCredentials | AWS/Google/Azure cloud credential files |
| CredEnum | Enumerates the current user's saved credentials using CredEnumerate() |
| dir | Lists files/folders. By default, lists users' downloads, documents, and desktop folders (arguments == [directory] [depth] [regex] [boolIgnoreErrors]) |
| DpapiMasterKeys | List DPAPI master keys |
| ExplorerMRUs | Explorer most recently used files (last 7 days, argument == last X days) |
| FirefoxPresence | Checks if interesting Firefox files exist |
| IdleTime | Returns the number of seconds since the current user's last input. |
| IEFavorites | Internet Explorer favorites |
| IETabs | Open Internet Explorer tabs |
| IEUrls | Internet Explorer typed URLs (last 7 days, argument == last X days) |
| MappedDrives | Users' mapped drives (via WMI) |
| OfficeMRUs | Office most recently used file list (last 7 days) |
| PuttyHostKeys | Saved Putty SSH host keys |
| PuttySessions | Saved Putty configuration (interesting fields) and SSH host keys |
| RDCManFiles | Windows Remote Desktop Connection Manager settings files |
| RDPSavedConnections | Saved RDP connections stored in the registry |
| ExplorerRunCommands | Recent Explorer "run" commands |
| SlackPresence | Checks if interesting Slack files exist |
| TokenGroups | The current token's local and domain groups |
| WindowsCredentialFiles | Windows credential DPAPI blobs |
| WindowsVault | Credentials saved in the Windows Vault (i.e. logins from Internet Explorer and Edge). |

misc

Runs all miscellaneous checks.

Executed with: Seatbelt.exe -group=misc

| Command | Description |
| --- | --- |
| ChromeBookmarks | Parses any found Chrome bookmark files |
| ChromeHistory | Parses any found Chrome history files |
| ExplicitLogonEvents | Explicit Logon events (Event ID 4648) from the security event log. Default of 7 days, argument == last X days. |
| FileInfo | Information about a file (version information, timestamps, basic PE info, etc.). argument(s) == file path(s) |
| FirefoxHistory | Parses any found Firefox history files |
| InstalledProducts | Installed products via the registry |
| InterestingFiles | "Interesting" files matching various patterns in the user's folder. Note: takes non-trivial time. |
| LogonEvents | Logon events (Event ID 4624) from the security event log. Default of 10 days, argument == last X days. |
| OutlookDownloads | List files downloaded by Outlook |
| PowerShellEvents | PowerShell script block logs (4104) with sensitive data. |
| Printers | Installed Printers (via WMI) |
| ProcessCreationEvents | Process creation logs (4688) with sensitive data. |
| ProcessOwners | Running non-session 0 process list with owners. For remote use. |
| RecycleBin | Items in the Recycle Bin deleted in the last 30 days - only works from a user context! |
| reg | Registry key values (HKLM\Software by default) argument == [Path] [intDepth] [Regex] [boolIgnoreErrors] |
| RPCMappedEndpoints | Current RPC endpoints mapped |
| ScheduledTasks | Scheduled tasks (via WMI) that aren't authored by 'Microsoft', "-full" dumps all Scheduled tasks |
| SearchIndex | Query results from the Windows Search Index, default term of 'passsword' (argument(s) == <search path> <pattern1,pattern2,...>) |
| SecurityPackages | Enumerates the security packages currently available using EnumerateSecurityPackagesA() |
| SlackDownloads | Parses any found 'slack-downloads' files |
| SlackWorkspaces | Parses any found 'slack-workspaces' files |
| SysmonEvents | Sysmon process creation logs (1) with sensitive data. |

Additional Command Groups

Executed with: Seatbelt.exe -group=GROUPNAME

| Alias | Description |
| --- | --- |
| Slack | Runs modules that start with "Slack*" |
| Chrome | Runs modules that start with "Chrome*" |
| Remote | Runs the following modules (for use against a remote system): AMSIProviders, AntiVirus, AuditPolicyRegistry, DotNet, ExplorerRunCommands, InterestingProcesses, LastShutdown, LogonSessions, LSASettings, MappedDrives, NetworkProfiles, NetworkShares, NTLMSettings, PowerShell, PuttyHostKeys, PuttySessions, RDPSavedConnections, RDPSessions, Sysmon, WindowsDefender, WindowsEventForwarding, WindowsFirewall |

Command Arguments

Commands that accept arguments note this in their description. To pass an argument to a command, enclose the command and its arguments together in double quotes.

For example, the following command returns 4624 logon events for the last 30 days:

Seatbelt.exe "LogonEvents 30"

The following command queries a registry key three levels deep, returning only keys, value names and values that match the regex .*defini.*, and ignoring any errors that occur:

Seatbelt.exe "reg \"HKLM\SOFTWARE\Microsoft\Windows Defender\" 3 .*defini.* true"

Output

Seatbelt can redirect its output to a file with the -outputfile="C:\Path\file.txt" argument. If the file path ends in .json, the output is written as structured JSON.

For example, the following command will output the results of system checks to a txt file:

Seatbelt.exe -group=system -outputfile="C:\Temp\system.txt"

Remote Enumeration

Commands noted with a + in the help menu can be run remotely against another system. This is performed over WMI: queries against WMI classes for most data, and WMI's StdRegProv class for registry enumeration.

To enumerate a remote system, supply -computername=COMPUTER.DOMAIN.COM; an alternate username and password can be specified with -username=DOMAIN\USER -password=PASSWORD.

For example, the following command runs remote-focused checks against a remote system:

Seatbelt.exe -group=remote -computername=dc.theshire.local -computername=192.168.230.209 -username=THESHIRE\sam -password="yum \"po-ta-toes\""
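The following PowerShell is an added example, not Seatbelt's own code or part of its README. It shows how a `reg`-style registry query (path, depth, regex, ignore-errors, as in the Command Arguments example above) can be performed through the same StdRegProv-over-WMI mechanism this section describes, so one script illustrates both the local `reg` example and the remote case. The function name `Search-RegistryViaWmi` and its parameters are hypothetical; the defaults repeat the README's Windows Defender example, and the host and account in the commented remote call are the README's own sample values.

```powershell
# Added example, not Seatbelt's own code. Walks a registry key to a given depth
# through WMI's StdRegProv class and returns entries whose key path, value name
# or data match a regex, mirroring the "reg" module's
# [Path] [intDepth] [Regex] [boolIgnoreErrors] arguments.
# Function name and parameters are hypothetical.
function Search-RegistryViaWmi {
    [CmdletBinding()]
    param(
        [string]$ComputerName = '.',                       # '.' = local machine
        [System.Management.Automation.PSCredential]$Credential,
        [string]$SubKey  = 'SOFTWARE\Microsoft\Windows Defender',
        [int]$Depth      = 3,
        [string]$Pattern = '.*defini.*',
        [switch]$IgnoreErrors
    )

    $HKLM = [uint32]2147483650   # HKEY_LOCAL_MACHINE as StdRegProv numbers it

    # Connection settings shared by every StdRegProv call (DCOM-based WMI).
    # WMI rejects explicit credentials for local connections, so pass them only remotely.
    $wmi = @{ Namespace = 'root\default'; Class = 'StdRegProv'; ComputerName = $ComputerName }
    if ($Credential -and $ComputerName -ne '.') { $wmi.Credential = $Credential }

    # Fetch one value's data with the getter that matches its REG_* type code.
    function Read-Value([string]$key, [string]$name, [uint32]$type) {
        switch ($type) {
            1       { (Invoke-WmiMethod @wmi -Name GetStringValue         -ArgumentList $HKLM, $key, $name).sValue }
            2       { (Invoke-WmiMethod @wmi -Name GetExpandedStringValue -ArgumentList $HKLM, $key, $name).sValue }
            4       { (Invoke-WmiMethod @wmi -Name GetDWORDValue          -ArgumentList $HKLM, $key, $name).uValue }
            7       { (Invoke-WmiMethod @wmi -Name GetMultiStringValue    -ArgumentList $HKLM, $key, $name).sValue -join ';' }
            11      { (Invoke-WmiMethod @wmi -Name GetQWORDValue          -ArgumentList $HKLM, $key, $name).uValue }
            default { "<REG type $type not decoded>" }   # REG_BINARY and friends are not decoded here
        }
    }

    # Depth-first walk; emits one object per matching value.
    function Walk([string]$key, [int]$level) {
        try {
            $vals = Invoke-WmiMethod @wmi -Name EnumValues -ArgumentList $HKLM, $key
            # Access-denied subkeys come back as a non-zero ReturnValue rather than an exception
            if ($vals.ReturnValue -eq 0 -and $vals.sNames) {
                $names = @($vals.sNames); $types = @($vals.Types)
                for ($i = 0; $i -lt $names.Count; $i++) {
                    $data = Read-Value $key $names[$i] $types[$i]
                    # Match the full key path plus value name, or the data itself
                    if ("$key\$($names[$i])" -match $Pattern -or "$data" -match $Pattern) {
                        [pscustomobject]@{ Key = "HKLM\$key"; Name = $names[$i]; Data = $data }
                    }
                }
            }
            if ($level -ge $Depth) { return }
            $subs = Invoke-WmiMethod @wmi -Name EnumKey -ArgumentList $HKLM, $key
            if ($subs.ReturnValue -eq 0 -and $subs.sNames) {
                foreach ($s in @($subs.sNames)) { Walk "$key\$s" ($level + 1) }
            }
        } catch {
            # Connection and RPC failures throw; -IgnoreErrors keeps walking, like the "true" argument to reg
            if (-not $IgnoreErrors) { throw }
        }
    }

    Walk $SubKey 0
}

# Local run, equivalent to: Seatbelt.exe "reg \"HKLM\SOFTWARE\Microsoft\Windows Defender\" 3 .*defini.* true"
Search-RegistryViaWmi -IgnoreErrors | Format-Table -AutoSize

# Remote run against the README's sample host and account (uncomment to use):
# Search-RegistryViaWmi -ComputerName dc.theshire.local -Credential (Get-Credential 'THESHIRE\sam') -IgnoreErrors
```

Because every read goes through `Invoke-WmiMethod`, the only difference between the local and remote case is the connection hashtable: nothing is copied to or executed on the target, which is why commands marked + in the help need no agent. From the target's side, both this script and Seatbelt's remote groups look like ordinary inbound DCOM/WMI activity from the calling account, which is the signal to watch for when auditing remote registry reads.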

Building Your Own Modules

Seatbelt's structure is completely modular, allowing for additional command modules to be dropped into the file structure and loaded up dynamically.

There is a commented command module template at .\Seatbelt\Commands\Template.cs for reference. Once built, drop the module in the logical file location, include it in the project in the Visual Studio Solution Explorer, and compile.

Compile Instructions

We are not planning on releasing binaries for Seatbelt, so you will have to compile yourself.

Seatbelt has been built against .NET 3.5 and 4.0 with C# 8.0 features and is compatible with Visual Studio Community Edition. Simply open up the project .sln, choose "release", and build.

Acknowledgments

Seatbelt incorporates various collection items, C# code snippets, and bits of PoCs found throughout research for its capabilities. These ideas, snippets, and authors are highlighted in the appropriate locations in the source code, and include:

We've tried to do our due diligence for citations, but if we've left someone/something out, please let us know!