<!doctype html>
<html lang="en">
<center>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>In the Open</title>
<!-- NOTE(review): the third-party scripts below are fetched from public CDNs without a
     pinned version (fuse.js) and without Subresource Integrity. Pin the versions and add
     integrity/crossorigin attributes so a changed or compromised CDN asset cannot run
     arbitrary script on this page. -->
<script src="https://cdn.jsdelivr.net/npm/fuse.js/dist/fuse.js"></script>
<script src="https://code.jquery.com/jquery-3.5.1.min.js"></script>
<script src="/static/js/auto-complete.js"></script>
<script src="/static/js/lunr.min.js"></script>
<script src="/static/js/search.js"></script>
<link rel="stylesheet" href="/static/stylesheet.css">
<link rel="stylesheet" href="/static/auto-complete.css">
</head>
<body>
</center>
<p></p>
<div class="columns">
<div class="column column-2">
<span class="body">
<style>pre { line-height: 125%; }
td.linenos .normal { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }
span.linenos { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }
td.linenos .special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }
span.linenos.special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }
.codehilite .hll { background-color: #2C3B41 }
.codehilite .c { color: #546E7A; font-style: italic } /* Comment */
.codehilite .err { color: #FF5370 } /* Error */
.codehilite .esc { color: #89DDFF } /* Escape */
.codehilite .g { color: #EEFFFF } /* Generic */
.codehilite .k { color: #BB80B3 } /* Keyword */
.codehilite .l { color: #C3E88D } /* Literal */
.codehilite .n { color: #EEFFFF } /* Name */
.codehilite .o { color: #89DDFF } /* Operator */
.codehilite .p { color: #89DDFF } /* Punctuation */
.codehilite .ch { color: #546E7A; font-style: italic } /* Comment.Hashbang */
.codehilite .cm { color: #546E7A; font-style: italic } /* Comment.Multiline */
.codehilite .cp { color: #546E7A; font-style: italic } /* Comment.Preproc */
.codehilite .cpf { color: #546E7A; font-style: italic } /* Comment.PreprocFile */
.codehilite .c1 { color: #546E7A; font-style: italic } /* Comment.Single */
.codehilite .cs { color: #546E7A; font-style: italic } /* Comment.Special */
.codehilite .gd { color: #FF5370 } /* Generic.Deleted */
.codehilite .ge { color: #89DDFF } /* Generic.Emph */
.codehilite .gr { color: #FF5370 } /* Generic.Error */
.codehilite .gh { color: #C3E88D } /* Generic.Heading */
.codehilite .gi { color: #C3E88D } /* Generic.Inserted */
.codehilite .go { color: #546E7A } /* Generic.Output */
.codehilite .gp { color: #FFCB6B } /* Generic.Prompt */
.codehilite .gs { color: #FF5370 } /* Generic.Strong */
.codehilite .gu { color: #89DDFF } /* Generic.Subheading */
.codehilite .gt { color: #FF5370 } /* Generic.Traceback */
.codehilite .kc { color: #89DDFF } /* Keyword.Constant */
.codehilite .kd { color: #BB80B3 } /* Keyword.Declaration */
.codehilite .kn { color: #89DDFF; font-style: italic } /* Keyword.Namespace */
.codehilite .kp { color: #89DDFF } /* Keyword.Pseudo */
.codehilite .kr { color: #BB80B3 } /* Keyword.Reserved */
.codehilite .kt { color: #BB80B3 } /* Keyword.Type */
.codehilite .ld { color: #C3E88D } /* Literal.Date */
.codehilite .m { color: #F78C6C } /* Literal.Number */
.codehilite .s { color: #C3E88D } /* Literal.String */
.codehilite .na { color: #BB80B3 } /* Name.Attribute */
.codehilite .nb { color: #82AAFF } /* Name.Builtin */
.codehilite .nc { color: #FFCB6B } /* Name.Class */
.codehilite .no { color: #EEFFFF } /* Name.Constant */
.codehilite .nd { color: #82AAFF } /* Name.Decorator */
.codehilite .ni { color: #89DDFF } /* Name.Entity */
.codehilite .ne { color: #FFCB6B } /* Name.Exception */
.codehilite .nf { color: #82AAFF } /* Name.Function */
.codehilite .nl { color: #82AAFF } /* Name.Label */
.codehilite .nn { color: #FFCB6B } /* Name.Namespace */
.codehilite .nx { color: #EEFFFF } /* Name.Other */
.codehilite .py { color: #FFCB6B } /* Name.Property */
.codehilite .nt { color: #FF5370 } /* Name.Tag */
.codehilite .nv { color: #89DDFF } /* Name.Variable */
.codehilite .ow { color: #89DDFF; font-style: italic } /* Operator.Word */
.codehilite .w { color: #EEFFFF } /* Text.Whitespace */
.codehilite .mb { color: #F78C6C } /* Literal.Number.Bin */
.codehilite .mf { color: #F78C6C } /* Literal.Number.Float */
.codehilite .mh { color: #F78C6C } /* Literal.Number.Hex */
.codehilite .mi { color: #F78C6C } /* Literal.Number.Integer */
.codehilite .mo { color: #F78C6C } /* Literal.Number.Oct */
.codehilite .sa { color: #BB80B3 } /* Literal.String.Affix */
.codehilite .sb { color: #C3E88D } /* Literal.String.Backtick */
.codehilite .sc { color: #C3E88D } /* Literal.String.Char */
.codehilite .dl { color: #EEFFFF } /* Literal.String.Delimiter */
.codehilite .sd { color: #546E7A; font-style: italic } /* Literal.String.Doc */
.codehilite .s2 { color: #C3E88D } /* Literal.String.Double */
.codehilite .se { color: #EEFFFF } /* Literal.String.Escape */
.codehilite .sh { color: #C3E88D } /* Literal.String.Heredoc */
.codehilite .si { color: #89DDFF } /* Literal.String.Interpol */
.codehilite .sx { color: #C3E88D } /* Literal.String.Other */
.codehilite .sr { color: #89DDFF } /* Literal.String.Regex */
.codehilite .s1 { color: #C3E88D } /* Literal.String.Single */
.codehilite .ss { color: #89DDFF } /* Literal.String.Symbol */
.codehilite .bp { color: #89DDFF } /* Name.Builtin.Pseudo */
.codehilite .fm { color: #82AAFF } /* Name.Function.Magic */
.codehilite .vc { color: #89DDFF } /* Name.Variable.Class */
.codehilite .vg { color: #89DDFF } /* Name.Variable.Global */
.codehilite .vi { color: #89DDFF } /* Name.Variable.Instance */
.codehilite .vm { color: #82AAFF } /* Name.Variable.Magic */
.codehilite .il { color: #F78C6C } /* Literal.Number.Integer.Long */</style>
<div class="column column-3">
<ul>
<li><a href="#changelog">Changelog</a><ul>
<li><a href="#111-2020-11-06">[1.1.1] - 2020-11-06</a><ul>
<li><a href="#added">Added</a></li>
<li><a href="#fixed">Fixed</a></li>
</ul>
</li>
<li><a href="#110-2020-09-30">[1.1.0] - 2020-09-30</a><ul>
<li><a href="#added_1">Added</a></li>
<li><a href="#changed">Changed</a></li>
<li><a href="#fixed_1">Fixed</a></li>
</ul>
</li>
<li><a href="#100-2020-05-26">[1.0.0] - 2020-05-26</a><ul>
<li><a href="#added_2">Added</a></li>
<li><a href="#changed_1">Changed</a></li>
<li><a href="#fixed_2">Fixed</a></li>
<li><a href="#removed">Removed</a></li>
</ul>
</li>
<li><a href="#020-2018-08-20">[0.2.0] - 2018-08-20</a><ul>
<li><a href="#added_3">Added</a></li>
<li><a href="#changed_2">Changed</a></li>
</ul>
</li>
<li><a href="#010-2018-07-24">[0.1.0] - 2018-07-24</a></li>
</ul>
</li>
</ul>
</div>
<h1 id="changelog">Changelog</h1>
<p>All notable changes to this project will be documented in this file.</p>
<p>The format is based on <a href="https://keepachangelog.com/en/1.0.0/">Keep a Changelog</a>,
and this project adheres to <a href="https://semver.org/spec/v2.0.0.html">Semantic Versioning</a>.</p>
<h2 id="111-2020-11-06">[1.1.1] - 2020-11-06</h2>
<h3 id="added">Added</h3>
<ul>
<li>
<p>Added remote support to the following commands:</p>
<ul>
<li>PowerShell, DotNet</li>
<li>FirefoxPresence, FirefoxHistory</li>
<li>ChromePresence/ChromeHistory/ChromeBookmarks</li>
<li>InternetExplorerFavorites, IEUrls</li>
<li>SlackDownloads, SlackPresence, SlackWorkspaces</li>
<li>CloudCredentials, FileZilla, OutlookDownloads, RDCManFiles</li>
<li>SuperPutty, LocalUsers, LocalGroups, PowerShellHistory</li>
<li>Credguard, InstalledProducts, AppLocker, AuditPolicyRegistry</li>
<li>DNSCache, PSSessionSettings, OSInfo, EnvironmentVariables, DpapiMasterKeys</li>
</ul>
</li>
<li>
<p>Implemented remote event log support:</p>
<ul>
<li>ExplicitLogonEvents, LogonEvents, PoweredOnEvents, PowerShellEvents, ProcessCreationEvents, SysmonEvents</li>
</ul>
</li>
<li>
<p>Chrome* modules now converted to Chromium support:</p>
<ul>
<li>Chrome, Edge, Brave, Opera</li>
</ul>
</li>
<li>
<p>Added IBM Bluemix enumeration to CloudCredentials</p>
</li>
</ul>
<h3 id="fixed">Fixed</h3>
<ul>
<li>Better error handling in various modules</li>
<li>OS version number collection on Windows 10</li>
<li>McAfeeSiteList null pointer exception</li>
<li>Interpretation of uac/tokenfilter/filteradmintoken values</li>
<li>Nullable type issues</li>
<li>WindowsFirewall filtering</li>
</ul>
<h2 id="110-2020-09-30">[1.1.0] - 2020-09-30</h2>
<h3 id="added_1">Added</h3>
<ul>
<li>Added the following commands:<ul>
<li>Hotfixes - installed hotfixes (via WMI)</li>
<li>MicrosoftUpdates - all Microsoft updates (via COM)</li>
<li>HuntLolbas - hunt for living-off-the-land binaries (from @NotoriousRebel)</li>
<li>PowerShellHistory - searches PowerShell console history files for sensitive regex matches (adapted from @NotoriousRebel)</li>
<li>RDPSettings - Remote Desktop Server/Client Settings</li>
<li>SecPackageCreds - obtains credentials from security packages (InternalMonologue for the current user)</li>
<li>FileZilla - finds user FileZilla configuration files/passwords</li>
<li>SuperPutty - finds user SuperPutty configuration files</li>
<li>McAfeeSiteList - finds/decrypts McAfee SiteList.xml files</li>
<li>McAfeeConfigs - finds McAfee configuration files</li>
</ul>
</li>
</ul>
<h3 id="changed">Changed</h3>
<ul>
<li>Added CLR version enumeration to "DotNet" and "PowerShell" commands</li>
<li>Updated LSASettings to detect restricted admin mode</li>
<li>Added ZoneMapKey &amp; Auth settings to "InternetSettings" (Francis Lacoste)</li>
<li>Added support for ByteArrays in "WindowsVault"</li>
<li>Redid assembly detection to (hopefully) prevent image load events</li>
<li>Added version/description fields to processes and services</li>
<li>Added ASR rules to "WindowsDefender" command</li>
</ul>
<h3 id="fixed_1">Fixed</h3>
<ul>
<li>Bug fix for event log searching</li>
<li>Fix for sensitive command line scraping</li>
<li>Code cleanup/dead code removal</li>
<li>Allow an empty companyname in the Services command</li>
<li>Better exception handling</li>
<li>Various fixes/expansions for the "WindowsVault" command</li>
<li>Added disposing of output sinks</li>
<li>Other misc. bug fixes</li>
</ul>
<h2 id="100-2020-05-26">[1.0.0] - 2020-05-26</h2>
<h3 id="added_2">Added</h3>
<ul>
<li>Added the following commands:<ul>
<li>NTLMSettings, SCCM, WSUS, UserRightAssignments, IdleTime, FileInfo, NamedPipes, NetworkProfile</li>
<li>AMSIProviders, RPCMappedEndpoints, LocalUsers, CredGuard, LocalGPOs, OutlookDownloads</li>
<li>AppLocker (thanks @_RastaMouse! https://github.com/GhostPack/Seatbelt/pull/15)</li>
<li>InstalledProducts and Printers commands, with DACLs included for printers</li>
<li>SearchIndex - module to search the Windows Search Indexer</li>
<li>WMIEventFilter/WMIEventConsumer/WMIEventConsumer commands</li>
<li>ScheduledTasks command (via WMI for win8+)</li>
<li>AuditPolicies/AuditSettings - classic and advanced audit policy settings</li>
<li>EnvironmentPath - %ENV:PATH% folder enumeration, along with DACLs</li>
<li>ProcessCreation - from @djhohnstein's EventLogParser project. Expanded sensitive regexes.</li>
<li>CredEnum - use CredEnumerate() to enumerate the credentials from the user's credential set (thanks @djhohnstein and @peewpw)</li>
<li>SecurityPackages - uses EnumerateSecurityPackages() to enumerate available security packages</li>
<li>WindowsDefender - exclusions for paths/extensions/processes for Windows Defender</li>
<li>DotNet - detects .NET versions and whether AMSI is enabled/can be bypassed (similar to 'PowerShell')</li>
<li>ProcessOwners - simplified enumeration of non-session 0 processes/owners that can function remotely</li>
<li>dir<ul>
<li>Allows recursively enumerating directories and searching for files based on a regex</li>
<li>Lists user folders by default</li>
<li>Usage: "dir [path] [depth] [searchRegex] [ignoreErrors? true/false]"</li>
<li>Default: "dir C:\users\ 2 \(Documents|Downloads|Desktop) false"<ul>
<li>Shows files in users' documents/downloads/desktop folders </li>
</ul>
</li>
</ul>
</li>
<li>reg<ul>
<li>Allows recursively listing and searching for registry values on the current machine and remotely (if remote registry is enabled).</li>
</ul>
</li>
<li>Added additional defensive process checks thanks to @swarleysez, @Ne0nd0g, and @leechristensen. See https://github.com/GhostPack/Seatbelt/pull/17 and https://github.com/GhostPack/Seatbelt/pull/19.</li>
<li>Added Xen virtual machine detections thanks to @rasta-mouse. See https://github.com/GhostPack/Seatbelt/pull/18</li>
</ul>
</li>
<li>Added the following command aliases:<ul>
<li>"Remote" for common commands to run remotely</li>
<li>"Slack" to run Slack-specific modules</li>
<li>"Chrome" to run Chrome-specific modules</li>
</ul>
</li>
<li>Added in ability to give commands arguments (to be expanded in the future). Syntax: <code>Seatbelt.exe "PoweredOnEvents 30"</code></li>
<li>Added remote support for WMI/registry enumeration modules that are marked with a +<ul>
<li>Usage: computername=COMPUTER.DOMAIN.COM [username=DOMAIN\USER password=PASSWORD]. The bracketed username/password are optional; where you can, rely on the current security context instead of passing a password on the command line, since command-line arguments are visible to anything that records process creation (the same data the ProcessCreation command scans for sensitive strings).</li>
</ul>
</li>
<li>Added the "-q" command-line flag to not print the logo</li>
<li>Added ability to output to a file with the "-o &lt;file&gt;" parameter<ul>
<li>Providing a file that ends in .json produces JSON-structured output!</li>
</ul>
</li>
<li>Added in the architecture for different output sinks. Still need to convert a lot of cmdlets to the new format.</li>
<li>Added a module template.</li>
<li>Added CHANGELOG.md.</li>
</ul>
<h3 id="changed_1">Changed</h3>
<ul>
<li>Externalized all commands into their own class/file</li>
<li>Cleaned up some of the registry querying code</li>
<li>Commands can now be case-insensitive</li>
<li>Seatbelt's help message is now dynamically created</li>
<li>Renamed RebootSchedule to PoweredOnEvents<ul>
<li>Now enumerates events for system startup/shutdown, unexpected shutdown, and sleeping/awaking.</li>
</ul>
</li>
<li>Modified the output of the Logon and ExplicitLogon event commands to be easier to read/analyze</li>
<li>LogonEvents, ExplicitLogonEvents, and PoweredOnEvents take an argument of how many days back to collect logs for. Example: Seatbelt.exe "LogonEvents 50"</li>
<li>Added timezone, locale information, MachineGuid, Build number and UBR (if present) to OSInfo command</li>
<li>Refactored registry enumeration code</li>
<li>Putty command now lists if agent forwarding is enabled</li>
<li>Renamed BasicOSInfo to OSInfo</li>
<li>Simplified IsLocalAdmin code</li>
<li>Added the member type to localgroupmembership output</li>
<li>Simplified the RDPSavedConnections code</li>
<li>Formatted the output of RDPSavedConnections to be prettier</li>
<li>Formatted the output of RecentFiles to be prettier</li>
<li>Modified logonevents default so that it only outputs the past day on servers</li>
<li>Re-wrote the PowerShell command. Added AMSI information and hints for bypassing.</li>
<li>Add NTLM/Kerberos informational alerts to the LogonEvents command</li>
<li>Changed the output format of DpapiMasterKeys</li>
<li>Re-wrote the Registry helper code</li>
<li>Refactored the helper code</li>
<li>Incorporated <a href="https://github.com/mark-s">@mark-s's</a> code to speed up the interestingfiles command. See <a href="https://github.com/GhostPack/Seatbelt/pull/16">#16</a></li>
<li>Added SDDL to the "fileinfo" command</li>
<li>Added MRUs for all office applications to the RecentFiles command</li>
<li>RecentFiles now has a parameter that restricts how old the documents are. "RecentFiles 20" - Shows files accessed in the last 20 days.</li>
<li>Renamed RegistryValue command to "reg"</li>
<li>Search terms in the "reg" command now match keys, value names, and values.</li>
<li>Updated the "reg" command's arguments.<ul>
<li>Usage: "reg &lt;HIVE[\PATH\TO\KEY]&gt; [depth] [searchTerm] [ignoreErrors]"</li>
<li>Defaults: "reg HKLM\Software 1 default true"</li>
</ul>
</li>
<li>Added generic GetSecurityInfos command into SecurityUtil</li>
<li>Formatting tweak for DPAPIMasterkeys</li>
<li>WindowsVaults output filtering</li>
<li>Renamed RecentFiles to ExplorerMRUs, broke out functionality for ExplorerMRUs and OfficeMRUs</li>
<li>Broke IETriage command into IEUrls and IEFavorites</li>
<li>Changed FirefoxCommand to FirefoxHistory</li>
<li>Changed ChromePresence and FirefoxPresence to display last modified timestamps for the history/cred/etc. files</li>
<li>Split ChromeCommand into ChromeHistoryCommand and ChromeBookmarksCommand</li>
<li>Broke PuttyCommand into PuttyHostKeys and PuttySessions</li>
<li>Added SDDL field to InterestingFiles command</li>
<li>Modified IdleTime to display the current user and time in h:m:s:ms format</li>
<li>Moved Firewall enumeration to the registry (instead of the COM object). Thanks @Max_68!</li>
<li>Changed TokenGroups output formatting</li>
<li>Renamed localgroupmemberships to localgroups</li>
<li>Changed network firewall enumeration to display "non-builtin" rules instead of deny. Added basic filtering.</li>
<li>Added IsDotNet property to the FileInfo command</li>
<li>Renamed "NonstandardProcesses" and "NonstandardServices" to "Processes" and "Services", respectively</li>
<li>LocalGroups now enumerates all (by default non-empty) local groups and memberships, along with comments</li>
<li>Added a "modules" argument to the "Processes" command to display non-Microsoft loaded processes</li>
<li>Notify operator when LSA Protected Mode is enabled (RunAsPPL)</li>
<li>Updated the EnvironmentVariables command to distinguish between user/system/current process/volatile variables</li>
<li>Added a user filter to ExplicitLogonEvents. Usage: <code>ExplicitLogonEvents &lt;days&gt; &lt;targetUserRegex&gt;</code></li>
<li>Added version check for Chrome (v80+)</li>
<li>Added analysis messages for the logonevents command</li>
<li>Rewrote and expanded README.md</li>
</ul>
<h3 id="fixed_2">Fixed</h3>
<ul>
<li>Some timestamp converting code in the ticket extraction section</li>
<li>Fixed Chrome bookmark command (threw an exception with folders)</li>
<li>Fixed reboot schedule (xpath query wasn't precise enough, leading to exceptions)</li>
<li>Fixed an exception that was being thrown in the CloudCredential command</li>
<li>NonstandardServices command<ul>
<li>Fixed a bug that occurred during enumeration</li>
<li>Added ServiceDll and User fields</li>
<li>Partially fixed path parsing in NonstandardServices with some help from OJ (@TheColonial)! See https://github.com/GhostPack/Seatbelt/pull/14</li>
<li>Cleaned up the code</li>
</ul>
</li>
<li>Fixed a bug in localgroupmembership</li>
<li>Check if it's a Server before running the AntiVirus check (the WMI class isn't on servers)</li>
<li>Fixed a bug in WindowsCredentialFiles so it wouldn't output null bytes</li>
<li>Fixed a null reference bug in the PowerShell command</li>
<li>Fixed the OS version comparisons in WindowsVault command</li>
<li>Fixed a DWORD parsing bug in the registry util class for big (i.e. negative int) values</li>
<li>ARPTable bug fix/error handling</li>
<li>Fixed PuttySession HKCU v. HKU bug</li>
<li>Fixed a terminating exception bug in the Processes command when obtaining file version info</li>
<li>More additional bug fixes than we can count &gt;_&lt;</li>
</ul>
<h3 id="removed">Removed</h3>
<ul>
<li>Removed the UserFolder command (replaced by DirectoryList command)</li>
</ul>
<h2 id="020-2018-08-20">[0.2.0] - 2018-08-20</h2>
<h3 id="added_3">Added</h3>
<ul>
<li>@djhohnstein's vault enumeration</li>
</ul>
<h3 id="changed_2">Changed</h3>
<ul>
<li>@ClementNotin/@cnotin's various fixes</li>
</ul>
<h2 id="010-2018-07-24">[0.1.0] - 2018-07-24</h2>
<ul>
<li>Initial release</li>
</ul>
</span>
</div>
</div>
<script>
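// Persist the open/closed state of a sidebar <details> element in sessionStorage,
// keyed by the element's id, so the sidebar can be restored on the next page load.
// Wired up from the element's ontoggle handler; `obj` is the <details> element.
// Elements without an id are ignored: storing an empty key would be useless and
// would later resolve to no element.
function linkClick(obj) {
  if (!obj || !obj.id) {
    return;
  }
  if (obj.open) {
    // setItem() overwrites any existing value, so no prior removeItem() is needed.
    sessionStorage.setItem(obj.id, "open");
  } else {
    sessionStorage.removeItem(obj.id);
  }
}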
//if ( sessionStorage.getItem("opened")) {
// var item = sessionStorage.getItem("opened")
// document.getElementById(item)['open'] = 'open';
//}
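// On page load, re-open every sidebar <details> whose id linkClick() stored in
// sessionStorage. sessionStorage may hold keys written by other pages of this site
// (or ids of <details> that do not exist on this page), in which case
// getElementById() returns null; dereferencing it would throw and abort the rest
// of this script, so such keys are skipped.
for (const storedId of Object.keys(sessionStorage)) {
  const details = document.getElementById(storedId);
  if (details !== null) {
    details.open = true;
  }
}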
// const detailsElement = document.querySelector('.details-sidebar');
// detailsElement.addEventListener('toggle', event => {
// if (event.target.open) {
// console.log('open');
// if (sessionStorage.getItem("opened") && !(sessionStorage.getItem("opened") === detailsElement.id)) {
// sessionStorage.removeItem("opened");
// }
// sessionStorage.setItem("opened", detailsElement.id);
// console.log(detailsElement);
//
// } else {
// console.log('closed');
// sessionStorage.removeItem("opened");
//
// }
// });
//
// async function fetchIndexJSON() {
// const response = await fetch('/index.json');
// const index = await response.json();
// return index;
// }
// // Extract the `q` query parameter
//var queryStringRegex = /[\?&]q=([^&]+)/g;
//var matches = queryStringRegex.exec(window.location.search);
//if(matches && matches[1]) {
// var value = decodeURIComponent(matches[1].replace(/\+/g, '%20'));
//
//
// // fetchIndexJSON()
// // .then(index => { console.log(index['index']);});
// // Load the posts to search
// fetch('/index').then(function(posts) {
// // Remember to include Fuse.js before this script.
//
// var fuse = new Fuse(posts, {
// keys: ['title', 'tags', 'content'] // What we're searching
// });
//
// // Run the search
// var results = fuse.search(value);
// //console.log(results);
//
// // Generate markup for the posts, implement SearchResults however you want.
// // var $results = SearchResults(results);
//
// // Add the element to the empty <div> from before.
//// $('#searchResults').append($results);
// });
//}
</script>
<!-- NOTE(review): MathJax was previously loaded a second time from the long-retired
     cdn.mathjax.org host, followed by a stray closing script tag; one pinned load is
     enough. As with the other CDN scripts, add integrity/crossorigin (SRI) here. -->
<script src="https://cdn.jsdelivr.net/npm/mathjax@2/MathJax.js"></script>
<script type="text/x-mathjax-config">
// MathJax v2 inline configuration from the shared site template (the changelog
// itself contains no math).
// NOTE(review): this block sits after the <script> that loads MathJax.js; MathJax v2
// normally reads x-mathjax-config blocks that appear before the loader. Confirm this
// configuration actually takes effect, or move it above the loader.
MathJax.Hub.Config({
config: ["MMLorHTML.js"],
jax: ["input/TeX", "output/HTML-CSS", "output/NativeMML"],
extensions: ["MathMenu.js", "MathZoom.js"]
});
</script>
</body>
</html>