<!doctype html>
<html lang="en">
<center>
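<head>
  <!-- NOTE(review): this <head> is preceded by a <center> tag (opened right
       after <html>). Browsers treat that as the start of <body>, so this
       <head> start tag is ignored and everything below lands in the body;
       move the <center> (or better, a CSS class) inside <body>. -->
  <!-- charset comes first so the parser knows the encoding before any text. -->
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <title>In the Open</title>
  <link rel="stylesheet" href="/static/stylesheet.css">
  <link rel="stylesheet" href="/static/auto-complete.css">
  <!-- Supply-chain note: fuse.js is fetched from jsDelivr with no version
       (whatever the CDN resolves as latest today), and neither CDN script
       carries an integrity (SRI) attribute, so a tampered or swapped CDN
       file would run with full page privileges. Pin an exact version and add
       integrity="[sha384 hash of the pinned file]" crossorigin="anonymous"
       once the hashes are recorded; not added here because the hashes are
       not on this page. -->
  <script src="https://cdn.jsdelivr.net/npm/fuse.js/dist/fuse.js"></script>
  <!-- mathjax -->
  <script src="https://code.jquery.com/jquery-3.5.1.min.js"></script>
  <!-- Original load order kept. The scripts stay blocking (no defer) because
       inline scripts further down the page may use jQuery or Fuse
       synchronously; confirm there are none before switching to defer.
       The stray <br> that sat between the stylesheets and <title> was
       removed: <br> is not valid in <head> and only added blank space. -->
  <script src="/static/js/auto-complete.js"></script>
  <script src="/static/js/lunr.min.js"></script>
  <script src="/static/js/search.js"></script>
</head>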
<body>
<!-- topmenu -->
<div class="menu">
<a href="/" style="text-decoration:none">In the Open</a>
</div>
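<div class="search-container">
  <!-- The label holds only a Font Awesome icon and so gave the control no
       accessible name; the icon is marked decorative and the input is named
       via aria-label (a visible text label would be better if the layout
       allows it). -->
  <label for="search-by"><i class="fas fa-search" aria-hidden="true"></i></label>
  <input data-search-input="" id="search-by" type="search" placeholder="Search..." autocomplete="off" aria-label="Search">
  <!-- The clear control was a bare <span>, which is neither focusable nor
       announced as a control. A real <button> gives keyboard and
       screen-reader users access; type="button" keeps it from submitting any
       enclosing form. The data-search-clear hook is kept so search.js can
       still find it; verify that script selects on the attribute rather
       than on the span element, and add a button reset to the stylesheet
       if the default button chrome is unwanted. -->
  <button type="button" data-search-clear="" aria-label="Clear search"><i class="fas fa-times" aria-hidden="true"></i></button>
</div>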
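<!-- A stray closing </div> stood here. No element was open at this point
     (the menu and search-container divs are already closed above), so
     browsers silently ignored it; removed to keep the markup balanced. -->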
<div class="menu">
</div>
<!--br><br-->
</center>
<p></p>
<div class="columns">
<!-- Sidebar -->
<div class="column column-1">
<ul><details id=crypto ontoggle="linkClick(this); return false;" ><summary>Crypto</summary><ul><details id=openssl ontoggle="linkClick(this); return false;" ><summary>Openssl</summary><ul><li><a href="/crypto/openssl/openssl.html">openssl</a></li><li><a href="/crypto/openssl/openssl_engine.html">openssl_engine</a></li></ul></details><li><a href="/crypto/rsa.html">rsa</a></li></ul></details><details id=enumeration ontoggle="linkClick(this); return false;" ><summary>Enumeration</summary><ul><details id=containers ontoggle="linkClick(this); return false;" ><summary>Containers</summary><ul></ul></details><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/enumeration/docs/aws.html">aws</a></li><li><a href="/enumeration/docs/cewl.html">cewl</a></li><li><a href="/enumeration/docs/dns.html">dns</a></li><li><a href="/enumeration/docs/docker_enumeration.html">docker_enumeration</a></li><li><a href="/enumeration/docs/ffuf.html">ffuf</a></li><li><a href="/enumeration/docs/gobuster.html">gobuster</a></li><li><a href="/enumeration/docs/kerberoast.html">kerberoast</a></li><li><a href="/enumeration/docs/kubectl.html">kubectl</a></li><li><a href="/enumeration/docs/ldap.html">ldap</a></li><li><a href="/enumeration/docs/linux_basics.html">linux_basics</a></li><li><a href="/enumeration/docs/microk8s.html">microk8s</a></li><li><a href="/enumeration/docs/nfs.html">nfs</a></li><li><a href="/enumeration/docs/nikto.html">nikto</a></li><li><a href="/enumeration/docs/nmap.html">nmap</a></li><li><a href="/enumeration/docs/port_knocking.html">port_knocking</a></li><li><a href="/enumeration/docs/rpcclient.html">rpcclient</a></li><li><a href="/enumeration/docs/rsync.html">rsync</a></li><li><a href="/enumeration/docs/rustscan.html">rustscan</a></li><li><a href="/enumeration/docs/shodan.html">shodan</a></li><details id=snmp ontoggle="linkClick(this); return false;" ><summary>Snmp</summary><ul><li><a 
href="/enumeration/docs/snmp/onesixtyone.html">onesixtyone</a></li><li><a href="/enumeration/docs/snmp/snmpcheck.html">snmpcheck</a></li></ul></details><li><a href="/enumeration/docs/websites.html">websites</a></li><li><a href="/enumeration/docs/wfuzz.html">wfuzz</a></li><li><a href="/enumeration/docs/wpscan.html">wpscan</a></li></ul></details><details id=network_scanners ontoggle="linkClick(this); return false;" ><summary>Network_scanners</summary><ul></ul></details><details id=windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul><li><a href="/enumeration/windows/bloodhound.html">bloodhound</a></li><li><a href="/enumeration/windows/event_log.html">event_log</a></li><li><a href="/enumeration/windows/manual_enum.html">manual_enum</a></li><li><a href="/enumeration/windows/powershell.html">powershell</a></li><li><a href="/enumeration/windows/rpcclient.html">rpcclient</a></li><li><a href="/enumeration/windows/sysinternals.html">sysinternals</a></li><li><a href="/enumeration/windows/sysmon.html">sysmon</a></li><li><a href="/enumeration/windows/vss.html">vss</a></li></ul></details></ul></details><details id=exfiltration ontoggle="linkClick(this); return false;" ><summary>Exfiltration</summary><ul><details id=dns ontoggle="linkClick(this); return false;" ><summary>Dns</summary><ul><li><a href="/exfiltration/dns/dns.html">dns</a></li></ul></details><details id=linux ontoggle="linkClick(this); return false;" ><summary>Linux</summary><ul><li><a href="/exfiltration/linux/nc.html">nc</a></li><li><a href="/exfiltration/linux/wget.html">wget</a></li></ul></details><details id=windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul><li><a href="/exfiltration/windows/evil-winrm.html">evil-winrm</a></li><li><a href="/exfiltration/windows/loot.html">loot</a></li><li><a href="/exfiltration/windows/smb_connection.html">smb_connection</a></li></ul></details></ul></details><details id=exploit ontoggle="linkClick(this); return false;" 
><summary>Exploit</summary><ul><details id=CPUs ontoggle="linkClick(this); return false;" ><summary>CPUs</summary><ul><li><a href="/exploit/CPUs
</ul>
</div>
<div class="column column-2">
<span class="body">
<style>pre { line-height: 125%; }
td.linenos .normal { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }
span.linenos { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }
td.linenos .special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }
span.linenos.special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }
.codehilite .hll { background-color: #2C3B41 }
.codehilite .c { color: #546E7A; font-style: italic } /* Comment */
.codehilite .err { color: #FF5370 } /* Error */
.codehilite .esc { color: #89DDFF } /* Escape */
.codehilite .g { color: #EEFFFF } /* Generic */
.codehilite .k { color: #BB80B3 } /* Keyword */
.codehilite .l { color: #C3E88D } /* Literal */
.codehilite .n { color: #EEFFFF } /* Name */
.codehilite .o { color: #89DDFF } /* Operator */
.codehilite .p { color: #89DDFF } /* Punctuation */
.codehilite .ch { color: #546E7A; font-style: italic } /* Comment.Hashbang */
.codehilite .cm { color: #546E7A; font-style: italic } /* Comment.Multiline */
.codehilite .cp { color: #546E7A; font-style: italic } /* Comment.Preproc */
.codehilite .cpf { color: #546E7A; font-style: italic } /* Comment.PreprocFile */
.codehilite .c1 { color: #546E7A; font-style: italic } /* Comment.Single */
.codehilite .cs { color: #546E7A; font-style: italic } /* Comment.Special */
.codehilite .gd { color: #FF5370 } /* Generic.Deleted */
.codehilite .ge { color: #89DDFF } /* Generic.Emph */
.codehilite .gr { color: #FF5370 } /* Generic.Error */
.codehilite .gh { color: #C3E88D } /* Generic.Heading */
.codehilite .gi { color: #C3E88D } /* Generic.Inserted */
.codehilite .go { color: #546E7A } /* Generic.Output */
.codehilite .gp { color: #FFCB6B } /* Generic.Prompt */
.codehilite .gs { color: #FF5370 } /* Generic.Strong */
.codehilite .gu { color: #89DDFF } /* Generic.Subheading */
.codehilite .gt { color: #FF5370 } /* Generic.Traceback */
.codehilite .kc { color: #89DDFF } /* Keyword.Constant */
.codehilite .kd { color: #BB80B3 } /* Keyword.Declaration */
.codehilite .kn { color: #89DDFF; font-style: italic } /* Keyword.Namespace */
.codehilite .kp { color: #89DDFF } /* Keyword.Pseudo */
.codehilite .kr { color: #BB80B3 } /* Keyword.Reserved */
.codehilite .kt { color: #BB80B3 } /* Keyword.Type */
.codehilite .ld { color: #C3E88D } /* Literal.Date */
.codehilite .m { color: #F78C6C } /* Literal.Number */
.codehilite .s { color: #C3E88D } /* Literal.String */
.codehilite .na { color: #BB80B3 } /* Name.Attribute */
.codehilite .nb { color: #82AAFF } /* Name.Builtin */
.codehilite .nc { color: #FFCB6B } /* Name.Class */
.codehilite .no { color: #EEFFFF } /* Name.Constant */
.codehilite .nd { color: #82AAFF } /* Name.Decorator */
.codehilite .ni { color: #89DDFF } /* Name.Entity */
.codehilite .ne { color: #FFCB6B } /* Name.Exception */
.codehilite .nf { color: #82AAFF } /* Name.Function */
.codehilite .nl { color: #82AAFF } /* Name.Label */
.codehilite .nn { color: #FFCB6B } /* Name.Namespace */
.codehilite .nx { color: #EEFFFF } /* Name.Other */
.codehilite .py { color: #FFCB6B } /* Name.Property */
.codehilite .nt { color: #FF5370 } /* Name.Tag */
.codehilite .nv { color: #89DDFF } /* Name.Variable */
.codehilite .ow { color: #89DDFF; font-style: italic } /* Operator.Word */
.codehilite .w { color: #EEFFFF } /* Text.Whitespace */
.codehilite .mb { color: #F78C6C } /* Literal.Number.Bin */
.codehilite .mf { color: #F78C6C } /* Literal.Number.Float */
.codehilite .mh { color: #F78C6C } /* Literal.Number.Hex */
.codehilite .mi { color: #F78C6C } /* Literal.Number.Integer */
.codehilite .mo { color: #F78C6C } /* Literal.Number.Oct */
.codehilite .sa { color: #BB80B3 } /* Literal.String.Affix */
.codehilite .sb { color: #C3E88D } /* Literal.String.Backtick */
.codehilite .sc { color: #C3E88D } /* Literal.String.Char */
.codehilite .dl { color: #EEFFFF } /* Literal.String.Delimiter */
.codehilite .sd { color: #546E7A; font-style: italic } /* Literal.String.Doc */
.codehilite .s2 { color: #C3E88D } /* Literal.String.Double */
.codehilite .se { color: #EEFFFF } /* Literal.String.Escape */
.codehilite .sh { color: #C3E88D } /* Literal.String.Heredoc */
.codehilite .si { color: #89DDFF } /* Literal.String.Interpol */
.codehilite .sx { color: #C3E88D } /* Literal.String.Other */
.codehilite .sr { color: #89DDFF } /* Literal.String.Regex */
.codehilite .s1 { color: #C3E88D } /* Literal.String.Single */
.codehilite .ss { color: #89DDFF } /* Literal.String.Symbol */
.codehilite .bp { color: #89DDFF } /* Name.Builtin.Pseudo */
.codehilite .fm { color: #82AAFF } /* Name.Function.Magic */
.codehilite .vc { color: #89DDFF } /* Name.Variable.Class */
.codehilite .vg { color: #89DDFF } /* Name.Variable.Global */
.codehilite .vi { color: #89DDFF } /* Name.Variable.Instance */
.codehilite .vm { color: #82AAFF } /* Name.Variable.Magic */
.codehilite .il { color: #F78C6C } /* Literal.Number.Integer.Long */</style>
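<!-- In-page table of contents. It is a navigation landmark, so <nav> with a
     label replaces the anonymous <div>; the column classes are kept for the
     stylesheet (if that stylesheet targets "div.column-3", update it).
     Every href is a fragment pointing at a heading id in the article body. -->
<nav class="column column-3" aria-label="On this page">
  <ul>
    <li><a href="#seatbelt">Seatbelt</a>
      <ul>
        <li><a href="#table-of-contents">Table of Contents</a></li>
        <li><a href="#command-line-usage">Command Line Usage</a></li>
        <li><a href="#command-groups">Command Groups</a>
          <ul>
            <li><a href="#system">system</a></li>
            <li><a href="#user">user</a></li>
            <li><a href="#misc">misc</a></li>
            <li><a href="#additional-command-groups">Additional Command Groups</a></li>
          </ul>
        </li>
        <li><a href="#command-arguments">Command Arguments</a></li>
        <li><a href="#output">Output</a></li>
        <li><a href="#remote-enumeration">Remote Enumeration</a></li>
        <li><a href="#building-your-own-modules">Building Your Own Modules</a></li>
        <li><a href="#compile-instructions">Compile Instructions</a></li>
        <li><a href="#acknowledgments">Acknowledgments</a></li>
      </ul>
    </li>
  </ul>
</nav>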
<h1 id="seatbelt">Seatbelt</h1>
<hr />
<p>Seatbelt is a C# project that performs a number of security-oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.</p>
<p><a href="https://twitter.com/andrewchiles">@andrewchiles</a>' <a href="https://github.com/threatexpress/red-team-scripts/blob/master/HostEnum.ps1">HostEnum.ps1</a> script and <a href="https://twitter.com/tifkin_">@tifkin_</a>'s <a href="https://github.com/leechristensen/Random/blob/master/PowerShellScripts/Get-HostProfile.ps1">Get-HostProfile.ps1</a> provided inspiration for many of the artifacts to collect.</p>
<p><a href="https://twitter.com/harmj0y">@harmj0y</a> and <a href="https://twitter.com/tifkin_">@tifkin_</a> are the primary authors of this implementation.</p>
<p>Seatbelt is licensed under the BSD 3-Clause license.</p>
<h2 id="table-of-contents">Table of Contents</h2>
<ul>
<li><a href="#seatbelt">Seatbelt</a></li>
<li><a href="#table-of-contents">Table of Contents</a></li>
<li><a href="#command-line-usage">Command Line Usage</a></li>
<li><a href="#command-groups">Command Groups</a><ul>
<li><a href="#system">system</a></li>
<li><a href="#user">user</a></li>
<li><a href="#misc">misc</a></li>
<li><a href="#additional-command-groups">Additional Command Groups</a></li>
</ul>
</li>
<li><a href="#command-arguments">Command Arguments</a></li>
<li><a href="#output">Output</a></li>
<li><a href="#remote-enumeration">Remote Enumeration</a></li>
<li><a href="#building-your-own-modules">Building Your Own Modules</a></li>
<li><a href="#compile-instructions">Compile Instructions</a></li>
<li><a href="#acknowledgments">Acknowledgments</a></li>
</ul>
<h2 id="command-line-usage">Command Line Usage</h2>
<div class="codehilite"><pre><span></span><code><span class="w"> </span><span class="o">%&&</span><span class="err">@@@</span><span class="o">&&</span><span class="w"> </span>
<span class="w"> </span><span class="o">&&&&&&&%%%</span><span class="p">,</span><span class="w"> </span><span class="c1">#&&@@@@@@%%%%%%###############% </span><span class="w"></span>
<span class="w"> </span><span class="o">&%&</span><span class="w"> </span><span class="o">%&%%</span><span class="w"> </span><span class="o">&////</span><span class="p">(((</span><span class="o">&%%%%%</span><span class="c1">#%################//((((###%%%%%%%%%%%%%%%</span><span class="w"></span>
<span class="o">%%%%%%%%%%%</span><span class="c1">######%%%#%%####% &%%**# @////(((&%%%%%%######################(((((((((((((((((((</span><span class="w"></span>
<span class="c1">#%#%%%%%%%#######%#%%####### %&%,,,,,,,,,,,,,,,, @////(((&%%%%%#%#####################(((((((((((((((((((</span><span class="w"></span>
<span class="c1">#%#%%%%%%#####%%#%#%%####### %%%,,,,,, ,,. ,, @////(((&%%%%%%%######################(#(((#(#((((((((((</span><span class="w"></span>
<span class="c1">#####%%%#################### &%%...... ... .. @////(((&%%%%%%%###############%######((#(#(####((((((((</span><span class="w"></span>
<span class="c1">#######%##########%######### %%%...... ... .. @////(((&%%%%%#########################(#(#######((#####</span><span class="w"></span>
<span class="c1">###%##%%#################### &%%............... @////(((&%%%%%%%%##############%#######(#########((#####</span><span class="w"></span>
<span class="c1">#####%###################### %%%.. @////(((&%%%%%%%################ </span><span class="w"></span>
<span class="w"> </span><span class="o">&%&</span><span class="w"> </span><span class="o">%%%%%</span><span class="w"> </span><span class="n">Seatbelt</span><span class="w"> </span><span class="o">%////</span><span class="p">(((</span><span class="o">&%%%%%%%%</span><span class="c1">#############* </span><span class="w"></span>
<span class="w"> </span><span class="o">&%%&&&%%%%%</span><span class="w"> </span><span class="n">v1</span><span class="o">.</span><span class="mf">1.1</span><span class="w"> </span><span class="p">,(((</span><span class="o">&%%%%%%%%%%%%%%%%%</span><span class="p">,</span><span class="w"> </span>
<span class="w"> </span><span class="c1">#%%%%##, </span><span class="w"></span>
<span class="n">Available</span><span class="w"> </span><span class="n">commands</span><span class="w"> </span><span class="p">(</span><span class="o">+</span><span class="w"> </span><span class="n">means</span><span class="w"> </span><span class="k">remote</span><span class="w"> </span><span class="n">usage</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">supported</span><span class="p">):</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">AMSIProviders</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Providers</span><span class="w"> </span><span class="n">registered</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">AMSI</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">AntiVirus</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Registered</span><span class="w"> </span><span class="n">antivirus</span><span class="w"> </span><span class="p">(</span><span class="n">via</span><span class="w"> </span><span class="n">WMI</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">AppLocker</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">AppLocker</span><span class="w"> </span><span class="n">settings</span><span class="p">,</span><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="n">installed</span><span class="w"></span>
<span class="w"> </span><span class="n">ARPTable</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Lists</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">current</span><span class="w"> </span><span class="n">ARP</span><span class="w"> </span><span class="n">table</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">adapter</span><span class="w"> </span><span class="n">information</span><span class="w"> </span><span class="p">(</span><span class="n">equivalent</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">arp</span><span class="w"> </span><span class="o">-</span><span class="n">a</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="n">AuditPolicies</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Enumerates</span><span class="w"> </span><span class="n">classic</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">advanced</span><span class="w"> </span><span class="n">audit</span><span class="w"> </span><span class="n">policy</span><span class="w"> </span><span class="n">settings</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">AuditPolicyRegistry</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Audit</span><span class="w"> </span><span class="n">settings</span><span class="w"> </span><span class="n">via</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">registry</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">AutoRuns</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Auto</span><span class="w"> </span><span class="n">run</span><span class="w"> </span><span class="n">executables</span><span class="o">/</span><span class="n">scripts</span><span class="o">/</span><span class="n">programs</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">ChromiumBookmarks</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Parses</span><span class="w"> </span><span class="n">any</span><span class="w"> </span><span class="n">found</span><span class="w"> </span><span class="n">Chrome</span><span class="o">/</span><span class="n">Edge</span><span class="o">/</span><span class="n">Brave</span><span class="o">/</span><span class="n">Opera</span><span class="w"> </span><span class="n">bookmark</span><span class="w"> </span><span class="n">files</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">ChromiumHistory</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Parses</span><span class="w"> </span><span class="n">any</span><span class="w"> </span><span class="n">found</span><span class="w"> </span><span class="n">Chrome</span><span class="o">/</span><span class="n">Edge</span><span class="o">/</span><span class="n">Brave</span><span class="o">/</span><span class="n">Opera</span><span class="w"> </span><span class="n">history</span><span class="w"> </span><span class="n">files</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">ChromiumPresence</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Checks</span><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="n">interesting</span><span class="w"> </span><span class="n">Chrome</span><span class="o">/</span><span class="n">Edge</span><span class="o">/</span><span class="n">Brave</span><span class="o">/</span><span class="n">Opera</span><span class="w"> </span><span class="n">files</span><span class="w"> </span><span class="n">exist</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">CloudCredentials</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">AWS</span><span class="o">/</span><span class="n">Google</span><span class="o">/</span><span class="n">Azure</span><span class="o">/</span><span class="n">Bluemix</span><span class="w"> </span><span class="n">cloud</span><span class="w"> </span><span class="n">credential</span><span class="w"> </span><span class="n">files</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">CloudSyncProviders</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">All</span><span class="w"> </span><span class="n">configured</span><span class="w"> </span><span class="n">Office</span><span class="w"> </span><span class="mi">365</span><span class="w"> </span><span class="n">endpoints</span><span class="w"> </span><span class="p">(</span><span class="n">tenants</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">teamsites</span><span class="p">)</span><span class="w"> </span><span class="n">which</span><span class="w"> </span><span class="n">are</span><span class="w"> </span><span class="n">synchronised</span><span class="w"> </span><span class="n">by</span><span class="w"> </span><span class="n">OneDrive</span><span class="o">.</span><span class="w"></span>
<span class="w"> </span><span class="n">CredEnum</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Enumerates</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">current</span><span class="w"> </span><span class="n">user</span><span class="s1">'s saved credentials using CredEnumerate()</span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">CredGuard</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">CredentialGuard</span><span class="w"> </span><span class="n">configuration</span><span class="w"></span>
<span class="w"> </span><span class="n">dir</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Lists</span><span class="w"> </span><span class="n">files</span><span class="o">/</span><span class="n">folders</span><span class="o">.</span><span class="w"> </span><span class="n">By</span><span class="w"> </span><span class="n">default</span><span class="p">,</span><span class="w"> </span><span class="n">lists</span><span class="w"> </span><span class="n">users</span><span class="s1">' downloads, documents, and desktop folders (arguments == [directory] [depth] [regex] [boolIgnoreErrors]</span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">DNSCache</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">DNS</span><span class="w"> </span><span class="n">cache</span><span class="w"> </span><span class="n">entries</span><span class="w"> </span><span class="p">(</span><span class="n">via</span><span class="w"> </span><span class="n">WMI</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">DotNet</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">DotNet</span><span class="w"> </span><span class="n">versions</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">DpapiMasterKeys</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">List</span><span class="w"> </span><span class="n">DPAPI</span><span class="w"> </span><span class="k">master</span><span class="w"> </span><span class="n">keys</span><span class="w"></span>
<span class="w"> </span><span class="n">EnvironmentPath</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Current</span><span class="w"> </span><span class="n">environment</span><span class="w"> </span><span class="o">%</span><span class="n">PATH</span><span class="o">$</span><span class="w"> </span><span class="n">folders</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">SDDL</span><span class="w"> </span><span class="n">information</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">EnvironmentVariables</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Current</span><span class="w"> </span><span class="n">environment</span><span class="w"> </span><span class="n">variables</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">ExplicitLogonEvents</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Explicit</span><span class="w"> </span><span class="n">Logon</span><span class="w"> </span><span class="n">events</span><span class="w"> </span><span class="p">(</span><span class="n">Event</span><span class="w"> </span><span class="n">ID</span><span class="w"> </span><span class="mi">4648</span><span class="p">)</span><span class="w"> </span><span class="n">from</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">security</span><span class="w"> </span><span class="n">event</span><span class="w"> </span><span class="nb">log</span><span class="o">.</span><span class="w"> </span><span class="n">Default</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="mi">7</span><span class="w"> </span><span class="n">days</span><span class="p">,</span><span class="w"> </span><span class="n">argument</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">last</span><span class="w"> </span><span class="n">X</span><span class="w"> </span><span class="n">days</span><span class="o">.</span><span class="w"></span>
<span class="w"> </span><span class="n">ExplorerMRUs</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Explorer</span><span class="w"> </span><span class="n">most</span><span class="w"> </span><span class="n">recently</span><span class="w"> </span><span class="n">used</span><span class="w"> </span><span class="n">files</span><span class="w"> </span><span class="p">(</span><span class="n">last</span><span class="w"> </span><span class="mi">7</span><span class="w"> </span><span class="n">days</span><span class="p">,</span><span class="w"> </span><span class="n">argument</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">last</span><span class="w"> </span><span class="n">X</span><span class="w"> </span><span class="n">days</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">ExplorerRunCommands</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Recent</span><span class="w"> </span><span class="n">Explorer</span><span class="w"> </span><span class="s2">"run"</span><span class="w"> </span><span class="n">commands</span><span class="w"></span>
<span class="w"> </span><span class="n">FileInfo</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Information</span><span class="w"> </span><span class="n">about</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">file</span><span class="w"> </span><span class="p">(</span><span class="n">version</span><span class="w"> </span><span class="n">information</span><span class="p">,</span><span class="w"> </span><span class="n">timestamps</span><span class="p">,</span><span class="w"> </span><span class="n">basic</span><span class="w"> </span><span class="n">PE</span><span class="w"> </span><span class="n">info</span><span class="p">,</span><span class="w"> </span><span class="n">etc</span><span class="o">.</span><span class="w"> </span><span class="n">argument</span><span class="p">(</span><span class="n">s</span><span class="p">)</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">file</span><span class="w"> </span><span class="n">path</span><span class="p">(</span><span class="n">s</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">FileZilla</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">FileZilla</span><span class="w"> </span><span class="n">configuration</span><span class="w"> </span><span class="n">files</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">FirefoxHistory</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Parses</span><span class="w"> </span><span class="n">any</span><span class="w"> </span><span class="n">found</span><span class="w"> </span><span class="n">FireFox</span><span class="w"> </span><span class="n">history</span><span class="w"> </span><span class="n">files</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">FirefoxPresence</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Checks</span><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="n">interesting</span><span class="w"> </span><span class="n">Firefox</span><span class="w"> </span><span class="n">files</span><span class="w"> </span><span class="n">exist</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">Hotfixes</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Installed</span><span class="w"> </span><span class="n">hotfixes</span><span class="w"> </span><span class="p">(</span><span class="n">via</span><span class="w"> </span><span class="n">WMI</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="n">IdleTime</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Returns</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">number</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="n">seconds</span><span class="w"> </span><span class="n">since</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">current</span><span class="w"> </span><span class="n">user</span><span class="s1">'s last input.</span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">IEFavorites</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Internet</span><span class="w"> </span><span class="n">Explorer</span><span class="w"> </span><span class="n">favorites</span><span class="w"></span>
<span class="w"> </span><span class="n">IETabs</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Open</span><span class="w"> </span><span class="n">Internet</span><span class="w"> </span><span class="n">Explorer</span><span class="w"> </span><span class="n">tabs</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">IEUrls</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Internet</span><span class="w"> </span><span class="n">Explorer</span><span class="w"> </span><span class="n">typed</span><span class="w"> </span><span class="n">URLs</span><span class="w"> </span><span class="p">(</span><span class="n">last</span><span class="w"> </span><span class="mi">7</span><span class="w"> </span><span class="n">days</span><span class="p">,</span><span class="w"> </span><span class="n">argument</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">last</span><span class="w"> </span><span class="n">X</span><span class="w"> </span><span class="n">days</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">InstalledProducts</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Installed</span><span class="w"> </span><span class="n">products</span><span class="w"> </span><span class="n">via</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">registry</span><span class="w"></span>
<span class="w"> </span><span class="n">InterestingFiles</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="s2">"Interesting"</span><span class="w"> </span><span class="n">files</span><span class="w"> </span><span class="n">matching</span><span class="w"> </span><span class="n">various</span><span class="w"> </span><span class="n">patterns</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">user</span><span class="s1">'s folder. Note: takes non-trivial time.</span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">InterestingProcesses</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="s2">"Interesting"</span><span class="w"> </span><span class="n">processes</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">defensive</span><span class="w"> </span><span class="n">products</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">admin</span><span class="w"> </span><span class="n">tools</span><span class="w"></span>
<span class="w"> </span><span class="n">InternetSettings</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Internet</span><span class="w"> </span><span class="n">settings</span><span class="w"> </span><span class="n">including</span><span class="w"> </span><span class="n">proxy</span><span class="w"> </span><span class="n">configs</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">zones</span><span class="w"> </span><span class="n">configuration</span><span class="w"></span>
<span class="w"> </span><span class="n">KeePass</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Finds</span><span class="w"> </span><span class="n">KeePass</span><span class="w"> </span><span class="n">configuration</span><span class="w"> </span><span class="n">files</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">LAPS</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">LAPS</span><span class="w"> </span><span class="n">settings</span><span class="p">,</span><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="n">installed</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">LastShutdown</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Returns</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">DateTime</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">last</span><span class="w"> </span><span class="n">system</span><span class="w"> </span><span class="n">shutdown</span><span class="w"> </span><span class="p">(</span><span class="n">via</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">registry</span><span class="p">)</span><span class="o">.</span><span class="w"></span>
<span class="w"> </span><span class="n">LocalGPOs</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Local</span><span class="w"> </span><span class="n">Group</span><span class="w"> </span><span class="n">Policy</span><span class="w"> </span><span class="n">settings</span><span class="w"> </span><span class="n">applied</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">machine</span><span class="o">/</span><span class="n">local</span><span class="w"> </span><span class="n">users</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">LocalGroups</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Non</span><span class="o">-</span><span class="n">empty</span><span class="w"> </span><span class="n">local</span><span class="w"> </span><span class="n">groups</span><span class="p">,</span><span class="w"> </span><span class="s2">"-full"</span><span class="w"> </span><span class="n">displays</span><span class="w"> </span><span class="n">all</span><span class="w"> </span><span class="n">groups</span><span class="w"> </span><span class="p">(</span><span class="n">argument</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">computername</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">enumerate</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">LocalUsers</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Local</span><span class="w"> </span><span class="n">users</span><span class="p">,</span><span class="w"> </span><span class="n">whether</span><span class="w"> </span><span class="n">they</span><span class="s1">'re active/disabled, and pwd last set (argument == computername to enumerate)</span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">LogonEvents</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Logon</span><span class="w"> </span><span class="n">events</span><span class="w"> </span><span class="p">(</span><span class="n">Event</span><span class="w"> </span><span class="n">ID</span><span class="w"> </span><span class="mi">4624</span><span class="p">)</span><span class="w"> </span><span class="n">from</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">security</span><span class="w"> </span><span class="n">event</span><span class="w"> </span><span class="nb">log</span><span class="o">.</span><span class="w"> </span><span class="n">Default</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="mi">10</span><span class="w"> </span><span class="n">days</span><span class="p">,</span><span class="w"> </span><span class="n">argument</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">last</span><span class="w"> </span><span class="n">X</span><span class="w"> </span><span class="n">days</span><span class="o">.</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">LogonSessions</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Windows</span><span class="w"> </span><span class="n">logon</span><span class="w"> </span><span class="n">sessions</span><span class="w"></span>
<span class="w"> </span><span class="n">LOLBAS</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Locates</span><span class="w"> </span><span class="n">Living</span><span class="w"> </span><span class="n">Off</span><span class="w"> </span><span class="n">The</span><span class="w"> </span><span class="n">Land</span><span class="w"> </span><span class="n">Binaries</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">Scripts</span><span class="w"> </span><span class="p">(</span><span class="n">LOLBAS</span><span class="p">)</span><span class="w"> </span><span class="n">on</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">system</span><span class="o">.</span><span class="w"> </span><span class="n">Note</span><span class="p">:</span><span class="w"> </span><span class="n">takes</span><span class="w"> </span><span class="n">non</span><span class="o">-</span><span class="n">trivial</span><span class="w"> </span><span class="n">time</span><span class="o">.</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">LSASettings</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">LSA</span><span class="w"> </span><span class="n">settings</span><span class="w"> </span><span class="p">(</span><span class="n">including</span><span class="w"> </span><span class="n">auth</span><span class="w"> </span><span class="n">packages</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">MappedDrives</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Users</span><span class="s1">' mapped drives (via WMI)</span>
<span class="w"> </span><span class="n">McAfeeConfigs</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Finds</span><span class="w"> </span><span class="n">McAfee</span><span class="w"> </span><span class="n">configuration</span><span class="w"> </span><span class="n">files</span><span class="w"></span>
<span class="w"> </span><span class="n">McAfeeSiteList</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Decrypt</span><span class="w"> </span><span class="n">any</span><span class="w"> </span><span class="n">found</span><span class="w"> </span><span class="n">McAfee</span><span class="w"> </span><span class="n">SiteList</span><span class="o">.</span><span class="n">xml</span><span class="w"> </span><span class="n">configuration</span><span class="w"> </span><span class="n">files</span><span class="o">.</span><span class="w"></span>
<span class="w"> </span><span class="n">MicrosoftUpdates</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">All</span><span class="w"> </span><span class="n">Microsoft</span><span class="w"> </span><span class="n">updates</span><span class="w"> </span><span class="p">(</span><span class="n">via</span><span class="w"> </span><span class="n">COM</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="n">NamedPipes</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Named</span><span class="w"> </span><span class="n">pipe</span><span class="w"> </span><span class="n">names</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">any</span><span class="w"> </span><span class="n">readable</span><span class="w"> </span><span class="n">ACL</span><span class="w"> </span><span class="n">information</span><span class="o">.</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">NetworkProfiles</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Windows</span><span class="w"> </span><span class="n">network</span><span class="w"> </span><span class="n">profiles</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">NetworkShares</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Network</span><span class="w"> </span><span class="n">shares</span><span class="w"> </span><span class="n">exposed</span><span class="w"> </span><span class="n">by</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">machine</span><span class="w"> </span><span class="p">(</span><span class="n">via</span><span class="w"> </span><span class="n">WMI</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">NTLMSettings</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">NTLM</span><span class="w"> </span><span class="n">authentication</span><span class="w"> </span><span class="n">settings</span><span class="w"></span>
<span class="w"> </span><span class="n">OfficeMRUs</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Office</span><span class="w"> </span><span class="n">most</span><span class="w"> </span><span class="n">recently</span><span class="w"> </span><span class="n">used</span><span class="w"> </span><span class="n">file</span><span class="w"> </span><span class="n">list</span><span class="w"> </span><span class="p">(</span><span class="n">last</span><span class="w"> </span><span class="mi">7</span><span class="w"> </span><span class="n">days</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="n">OracleSQLDeveloper</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Finds</span><span class="w"> </span><span class="n">Oracle</span><span class="w"> </span><span class="n">SQLDeveloper</span><span class="w"> </span><span class="n">connections</span><span class="o">.</span><span class="n">xml</span><span class="w"> </span><span class="n">files</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">OSInfo</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Basic</span><span class="w"> </span><span class="n">OS</span><span class="w"> </span><span class="n">info</span><span class="w"> </span><span class="p">(</span><span class="n">i</span><span class="o">.</span><span class="n">e</span><span class="o">.</span><span class="w"> </span><span class="n">architecture</span><span class="p">,</span><span class="w"> </span><span class="n">OS</span><span class="w"> </span><span class="n">version</span><span class="p">,</span><span class="w"> </span><span class="n">etc</span><span class="o">.</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">OutlookDownloads</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">List</span><span class="w"> </span><span class="n">files</span><span class="w"> </span><span class="n">downloaded</span><span class="w"> </span><span class="n">by</span><span class="w"> </span><span class="n">Outlook</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">PoweredOnEvents</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Reboot</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">sleep</span><span class="w"> </span><span class="n">schedule</span><span class="w"> </span><span class="n">based</span><span class="w"> </span><span class="n">on</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">System</span><span class="w"> </span><span class="n">event</span><span class="w"> </span><span class="nb">log</span><span class="w"> </span><span class="n">EIDs</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="mi">12</span><span class="p">,</span><span class="w"> </span><span class="mi">13</span><span class="p">,</span><span class="w"> </span><span class="mi">42</span><span class="p">,</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="mf">6008.</span><span class="w"> </span><span class="n">Default</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="mi">7</span><span class="w"> </span><span class="n">days</span><span class="p">,</span><span class="w"> </span><span class="n">argument</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">last</span><span class="w"> </span><span class="n">X</span><span class="w"> </span><span class="n">days</span><span class="o">.</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">PowerShell</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">PowerShell</span><span class="w"> </span><span class="n">versions</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">security</span><span class="w"> </span><span class="n">settings</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">PowerShellEvents</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">PowerShell</span><span class="w"> </span><span class="n">script</span><span class="w"> </span><span class="n">block</span><span class="w"> </span><span class="n">logs</span><span class="w"> </span><span class="p">(</span><span class="mi">4104</span><span class="p">)</span><span class="w"> </span><span class="n">with</span><span class="w"> </span><span class="n">sensitive</span><span class="w"> </span><span class="n">data</span><span class="o">.</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">PowerShellHistory</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Searches</span><span class="w"> </span><span class="n">PowerShell</span><span class="w"> </span><span class="n">console</span><span class="w"> </span><span class="n">history</span><span class="w"> </span><span class="n">files</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">sensitive</span><span class="w"> </span><span class="n">regex</span><span class="w"> </span><span class="n">matches</span><span class="o">.</span><span class="w"></span>
<span class="w"> </span><span class="n">Printers</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Installed</span><span class="w"> </span><span class="n">Printers</span><span class="w"> </span><span class="p">(</span><span class="n">via</span><span class="w"> </span><span class="n">WMI</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">ProcessCreationEvents</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Process</span><span class="w"> </span><span class="n">creation</span><span class="w"> </span><span class="n">logs</span><span class="w"> </span><span class="p">(</span><span class="mi">4688</span><span class="p">)</span><span class="w"> </span><span class="n">with</span><span class="w"> </span><span class="n">sensitive</span><span class="w"> </span><span class="n">data</span><span class="o">.</span><span class="w"></span>
<span class="w"> </span><span class="n">Processes</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Running</span><span class="w"> </span><span class="n">processes</span><span class="w"> </span><span class="n">with</span><span class="w"> </span><span class="n">file</span><span class="w"> </span><span class="n">info</span><span class="w"> </span><span class="n">company</span><span class="w"> </span><span class="n">names</span><span class="w"> </span><span class="n">that</span><span class="w"> </span><span class="n">don</span><span class="s1">'t contain '</span><span class="n">Microsoft</span><span class="s1">', "-full" enumerates all processes</span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">ProcessOwners</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Running</span><span class="w"> </span><span class="n">non</span><span class="o">-</span><span class="n">session</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="n">process</span><span class="w"> </span><span class="n">list</span><span class="w"> </span><span class="n">with</span><span class="w"> </span><span class="n">owners</span><span class="o">.</span><span class="w"> </span><span class="n">For</span><span class="w"> </span><span class="k">remote</span><span class="w"> </span><span class="n">use</span><span class="o">.</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">PSSessionSettings</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Enumerates</span><span class="w"> </span><span class="n">PS</span><span class="w"> </span><span class="n">Session</span><span class="w"> </span><span class="n">Settings</span><span class="w"> </span><span class="n">from</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">registry</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">PuttyHostKeys</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Saved</span><span class="w"> </span><span class="n">Putty</span><span class="w"> </span><span class="n">SSH</span><span class="w"> </span><span class="n">host</span><span class="w"> </span><span class="n">keys</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">PuttySessions</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Saved</span><span class="w"> </span><span class="n">Putty</span><span class="w"> </span><span class="n">configuration</span><span class="w"> </span><span class="p">(</span><span class="n">interesting</span><span class="w"> </span><span class="n">fields</span><span class="p">)</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">SSH</span><span class="w"> </span><span class="n">host</span><span class="w"> </span><span class="n">keys</span><span class="w"></span>
<span class="w"> </span><span class="n">RDCManFiles</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Windows</span><span class="w"> </span><span class="n">Remote</span><span class="w"> </span><span class="n">Desktop</span><span class="w"> </span><span class="n">Connection</span><span class="w"> </span><span class="n">Manager</span><span class="w"> </span><span class="n">settings</span><span class="w"> </span><span class="n">files</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">RDPSavedConnections</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Saved</span><span class="w"> </span><span class="n">RDP</span><span class="w"> </span><span class="n">connections</span><span class="w"> </span><span class="n">stored</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">registry</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">RDPSessions</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Current</span><span class="w"> </span><span class="n">incoming</span><span class="w"> </span><span class="n">RDP</span><span class="w"> </span><span class="n">sessions</span><span class="w"> </span><span class="p">(</span><span class="n">argument</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">computername</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">enumerate</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">RDPsettings</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Remote</span><span class="w"> </span><span class="n">Desktop</span><span class="w"> </span><span class="n">Server</span><span class="o">/</span><span class="n">Client</span><span class="w"> </span><span class="n">Settings</span><span class="w"></span>
<span class="w"> </span><span class="n">RecycleBin</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Items</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">Recycle</span><span class="w"> </span><span class="n">Bin</span><span class="w"> </span><span class="n">deleted</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">last</span><span class="w"> </span><span class="mi">30</span><span class="w"> </span><span class="n">days</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">only</span><span class="w"> </span><span class="n">works</span><span class="w"> </span><span class="n">from</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">user</span><span class="w"> </span><span class="n">context</span><span class="o">!</span><span class="w"></span>
<span class="w"> </span><span class="n">reg</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Registry</span><span class="w"> </span><span class="n">key</span><span class="w"> </span><span class="n">values</span><span class="w"> </span><span class="p">(</span><span class="n">HKLM</span>\<span class="n">Software</span><span class="w"> </span><span class="n">by</span><span class="w"> </span><span class="n">default</span><span class="p">)</span><span class="w"> </span><span class="n">argument</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="p">[</span><span class="n">Path</span><span class="p">]</span><span class="w"> </span><span class="p">[</span><span class="n">intDepth</span><span class="p">]</span><span class="w"> </span><span class="p">[</span><span class="n">Regex</span><span class="p">]</span><span class="w"> </span><span class="p">[</span><span class="n">boolIgnoreErrors</span><span class="p">]</span><span class="w"></span>
<span class="w"> </span><span class="n">RPCMappedEndpoints</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Current</span><span class="w"> </span><span class="n">RPC</span><span class="w"> </span><span class="n">endpoints</span><span class="w"> </span><span class="n">mapped</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">SCCM</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">System</span><span class="w"> </span><span class="n">Center</span><span class="w"> </span><span class="n">Configuration</span><span class="w"> </span><span class="n">Manager</span><span class="w"> </span><span class="p">(</span><span class="n">SCCM</span><span class="p">)</span><span class="w"> </span><span class="n">settings</span><span class="p">,</span><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="n">applicable</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">ScheduledTasks</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Scheduled</span><span class="w"> </span><span class="n">tasks</span><span class="w"> </span><span class="p">(</span><span class="n">via</span><span class="w"> </span><span class="n">WMI</span><span class="p">)</span><span class="w"> </span><span class="n">that</span><span class="w"> </span><span class="n">aren</span><span class="s1">'t authored by '</span><span class="n">Microsoft</span><span class="s1">', "-full" dumps all Scheduled tasks</span>
|
||
|
<span class="w"> </span><span class="n">SearchIndex</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Query</span><span class="w"> </span><span class="n">results</span><span class="w"> </span><span class="n">from</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">Windows</span><span class="w"> </span><span class="n">Search</span><span class="w"> </span><span class="n">Index</span><span class="p">,</span><span class="w"> </span><span class="n">default</span><span class="w"> </span><span class="n">term</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="s1">'passsword'</span><span class="o">.</span><span class="w"> </span><span class="p">(</span><span class="n">argument</span><span class="p">(</span><span class="n">s</span><span class="p">)</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="o"><</span><span class="n">search</span><span class="w"> </span><span class="n">path</span><span class="o">></span><span class="w"> </span><span class="o"><</span><span class="n">pattern1</span><span class="p">,</span><span class="n">pattern2</span><span class="p">,</span><span class="o">...></span><span class="p">)</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="n">SecPackageCreds</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Obtains</span><span class="w"> </span><span class="n">credentials</span><span class="w"> </span><span class="n">from</span><span class="w"> </span><span class="n">security</span><span class="w"> </span><span class="n">packages</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="n">SecurityPackages</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Enumerates</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">security</span><span class="w"> </span><span class="n">packages</span><span class="w"> </span><span class="n">currently</span><span class="w"> </span><span class="n">available</span><span class="w"> </span><span class="n">using</span><span class="w"> </span><span class="n">EnumerateSecurityPackagesA</span><span class="p">()</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="n">Services</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Services</span><span class="w"> </span><span class="n">with</span><span class="w"> </span><span class="n">file</span><span class="w"> </span><span class="n">info</span><span class="w"> </span><span class="n">company</span><span class="w"> </span><span class="n">names</span><span class="w"> </span><span class="n">that</span><span class="w"> </span><span class="n">don</span><span class="s1">'t contain '</span><span class="n">Microsoft</span><span class="s1">', "-full" dumps all services</span>
|
||
|
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">SlackDownloads</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Parses</span><span class="w"> </span><span class="n">any</span><span class="w"> </span><span class="n">found</span><span class="w"> </span><span class="s1">'slack-downloads'</span><span class="w"> </span><span class="n">files</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">SlackPresence</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Checks</span><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="n">interesting</span><span class="w"> </span><span class="n">Slack</span><span class="w"> </span><span class="n">files</span><span class="w"> </span><span class="n">exist</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">SlackWorkspaces</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Parses</span><span class="w"> </span><span class="n">any</span><span class="w"> </span><span class="n">found</span><span class="w"> </span><span class="s1">'slack-workspaces'</span><span class="w"> </span><span class="n">files</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">SuperPutty</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">SuperPutty</span><span class="w"> </span><span class="n">configuration</span><span class="w"> </span><span class="n">files</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">Sysmon</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Sysmon</span><span class="w"> </span><span class="n">configuration</span><span class="w"> </span><span class="n">from</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">registry</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">SysmonEvents</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Sysmon</span><span class="w"> </span><span class="n">process</span><span class="w"> </span><span class="n">creation</span><span class="w"> </span><span class="n">logs</span><span class="w"> </span><span class="p">(</span><span class="n">Event</span><span class="w"> </span><span class="n">ID</span><span class="w"> </span><span class="mi">1</span><span class="p">)</span><span class="w"> </span><span class="n">with</span><span class="w"> </span><span class="n">sensitive</span><span class="w"> </span><span class="n">data</span><span class="o">.</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="n">TcpConnections</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Current</span><span class="w"> </span><span class="n">TCP</span><span class="w"> </span><span class="n">connections</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">their</span><span class="w"> </span><span class="n">associated</span><span class="w"> </span><span class="n">processes</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">services</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="n">TokenGroups</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">The</span><span class="w"> </span><span class="n">current</span><span class="w"> </span><span class="n">token</span><span class="s1">'s local and domain groups</span>
|
||
|
<span class="w"> </span><span class="n">TokenPrivileges</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Currently</span><span class="w"> </span><span class="n">enabled</span><span class="w"> </span><span class="n">token</span><span class="w"> </span><span class="n">privileges</span><span class="w"> </span><span class="p">(</span><span class="n">e</span><span class="o">.</span><span class="n">g</span><span class="o">.</span><span class="w"> </span><span class="n">SeDebugPrivilege</span><span class="o">/</span><span class="n">etc</span><span class="o">.</span><span class="p">)</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">UAC</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">UAC</span><span class="w"> </span><span class="n">system</span><span class="w"> </span><span class="n">policies</span><span class="w"> </span><span class="n">via</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">registry</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="n">UdpConnections</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Current</span><span class="w"> </span><span class="n">UDP</span><span class="w"> </span><span class="n">connections</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">associated</span><span class="w"> </span><span class="n">processes</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">services</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="n">UserRightAssignments</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Configured</span><span class="w"> </span><span class="n">User</span><span class="w"> </span><span class="n">Right</span><span class="w"> </span><span class="n">Assignments</span><span class="w"> </span><span class="p">(</span><span class="n">e</span><span class="o">.</span><span class="n">g</span><span class="o">.</span><span class="w"> </span><span class="n">SeDenyNetworkLogonRight</span><span class="p">,</span><span class="w"> </span><span class="n">SeShutdownPrivilege</span><span class="p">,</span><span class="w"> </span><span class="n">etc</span><span class="o">.</span><span class="p">)</span><span class="w"> </span><span class="n">argument</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">computername</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">enumerate</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">WindowsAutoLogon</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Registry</span><span class="w"> </span><span class="n">autologon</span><span class="w"> </span><span class="n">information</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="n">WindowsCredentialFiles</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Windows</span><span class="w"> </span><span class="n">credential</span><span class="w"> </span><span class="n">DPAPI</span><span class="w"> </span><span class="n">blobs</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">WindowsDefender</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Windows</span><span class="w"> </span><span class="n">Defender</span><span class="w"> </span><span class="n">settings</span><span class="w"> </span><span class="p">(</span><span class="n">including</span><span class="w"> </span><span class="n">exclusion</span><span class="w"> </span><span class="n">locations</span><span class="p">)</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">WindowsEventForwarding</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Windows</span><span class="w"> </span><span class="n">Event</span><span class="w"> </span><span class="n">Forwarding</span><span class="w"> </span><span class="p">(</span><span class="n">WEF</span><span class="p">)</span><span class="w"> </span><span class="n">settings</span><span class="w"> </span><span class="n">via</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">registry</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">WindowsFirewall</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Non</span><span class="o">-</span><span class="n">standard</span><span class="w"> </span><span class="n">firewall</span><span class="w"> </span><span class="n">rules</span><span class="p">,</span><span class="w"> </span><span class="s2">"-full"</span><span class="w"> </span><span class="n">dumps</span><span class="w"> </span><span class="n">all</span><span class="w"> </span><span class="p">(</span><span class="n">arguments</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">allow</span><span class="o">/</span><span class="n">deny</span><span class="o">/</span><span class="n">tcp</span><span class="o">/</span><span class="n">udp</span><span class="o">/</span><span class="ow">in</span><span class="o">/</span><span class="n">out</span><span class="o">/</span><span class="n">domain</span><span class="o">/</span><span class="n">private</span><span class="o">/</span><span class="n">public</span><span class="p">)</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="n">WindowsVault</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Credentials</span><span class="w"> </span><span class="n">saved</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">Windows</span><span class="w"> </span><span class="n">Vault</span><span class="w"> </span><span class="p">(</span><span class="n">e</span><span class="o">.</span><span class="n">g</span><span class="o">.</span><span class="w"> </span><span class="n">logins</span><span class="w"> </span><span class="n">saved</span><span class="w"> </span><span class="n">by</span><span class="w"> </span><span class="n">Internet</span><span class="w"> </span><span class="n">Explorer</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">Edge</span><span class="p">)</span><span class="o">.</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="n">WMIEventConsumer</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Lists</span><span class="w"> </span><span class="n">WMI</span><span class="w"> </span><span class="n">Event</span><span class="w"> </span><span class="n">Consumers</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="n">WMIEventFilter</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Lists</span><span class="w"> </span><span class="n">WMI</span><span class="w"> </span><span class="n">Event</span><span class="w"> </span><span class="n">Filters</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="n">WMIFilterBinding</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Lists</span><span class="w"> </span><span class="n">WMI</span><span class="w"> </span><span class="n">Filter</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">Consumer</span><span class="w"> </span><span class="n">Bindings</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">WSUS</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Windows</span><span class="w"> </span><span class="n">Server</span><span class="w"> </span><span class="n">Update</span><span class="w"> </span><span class="n">Services</span><span class="w"> </span><span class="p">(</span><span class="n">WSUS</span><span class="p">)</span><span class="w"> </span><span class="n">settings</span><span class="p">,</span><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="n">applicable</span><span class="w"></span>
<span class="n">Seatbelt</span><span class="w"> </span><span class="n">has</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">following</span><span class="w"> </span><span class="n">command</span><span class="w"> </span><span class="n">groups</span><span class="p">:</span><span class="w"> </span><span class="n">All</span><span class="p">,</span><span class="w"> </span><span class="n">User</span><span class="p">,</span><span class="w"> </span><span class="n">System</span><span class="p">,</span><span class="w"> </span><span class="n">Slack</span><span class="p">,</span><span class="w"> </span><span class="n">Chromium</span><span class="p">,</span><span class="w"> </span><span class="n">Remote</span><span class="p">,</span><span class="w"> </span><span class="n">Misc</span><span class="w"></span>
<span class="w"> </span><span class="n">You</span><span class="w"> </span><span class="n">can</span><span class="w"> </span><span class="n">invoke</span><span class="w"> </span><span class="n">command</span><span class="w"> </span><span class="n">groups</span><span class="w"> </span><span class="n">with</span><span class="w"> </span><span class="s2">"Seatbelt.exe -group=<group>"</span><span class="w"></span>
<span class="w"> </span><span class="s2">"Seatbelt.exe -group=all"</span><span class="w"> </span><span class="n">runs</span><span class="w"> </span><span class="n">all</span><span class="w"> </span><span class="n">commands</span><span class="w"></span>
<span class="w"> </span><span class="s2">"Seatbelt.exe -group=user"</span><span class="w"> </span><span class="n">runs</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">following</span><span class="w"> </span><span class="n">commands</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="n">ChromiumPresence</span><span class="p">,</span><span class="w"> </span><span class="n">CloudCredentials</span><span class="p">,</span><span class="w"> </span><span class="n">CloudSyncProviders</span><span class="p">,</span><span class="w"> </span><span class="n">CredEnum</span><span class="p">,</span><span class="w"> </span><span class="n">dir</span><span class="p">,</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="n">DpapiMasterKeys</span><span class="p">,</span><span class="w"> </span><span class="n">ExplorerMRUs</span><span class="p">,</span><span class="w"> </span><span class="n">ExplorerRunCommands</span><span class="p">,</span><span class="w"> </span><span class="n">FileZilla</span><span class="p">,</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="n">FirefoxPresence</span><span class="p">,</span><span class="w"> </span><span class="n">IdleTime</span><span class="p">,</span><span class="w"> </span><span class="n">IEFavorites</span><span class="p">,</span><span class="w"> </span><span class="n">IETabs</span><span class="p">,</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="n">IEUrls</span><span class="p">,</span><span class="w"> </span><span class="n">KeePass</span><span class="p">,</span><span class="w"> </span><span class="n">MappedDrives</span><span class="p">,</span><span class="w"> </span><span class="n">OfficeMRUs</span><span class="p">,</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="n">OracleSQLDeveloper</span><span class="p">,</span><span class="w"> </span><span class="n">PowerShellHistory</span><span class="p">,</span><span class="w"> </span><span class="n">PuttyHostKeys</span><span class="p">,</span><span class="w"> </span><span class="n">PuttySessions</span><span class="p">,</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="n">RDCManFiles</span><span class="p">,</span><span class="w"> </span><span class="n">RDPSavedConnections</span><span class="p">,</span><span class="w"> </span><span class="n">SecPackageCreds</span><span class="p">,</span><span class="w"> </span><span class="n">SlackDownloads</span><span class="p">,</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="n">SlackPresence</span><span class="p">,</span><span class="w"> </span><span class="n">SlackWorkspaces</span><span class="p">,</span><span class="w"> </span><span class="n">SuperPutty</span><span class="p">,</span><span class="w"> </span><span class="n">TokenGroups</span><span class="p">,</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="n">WindowsCredentialFiles</span><span class="p">,</span><span class="w"> </span><span class="n">WindowsVault</span><span class="w"></span>
<span class="w"> </span><span class="s2">"Seatbelt.exe -group=system"</span><span class="w"> </span><span class="n">runs</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">following</span><span class="w"> </span><span class="n">commands</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="n">AMSIProviders</span><span class="p">,</span><span class="w"> </span><span class="n">AntiVirus</span><span class="p">,</span><span class="w"> </span><span class="n">AppLocker</span><span class="p">,</span><span class="w"> </span><span class="n">ARPTable</span><span class="p">,</span><span class="w"> </span><span class="n">AuditPolicies</span><span class="p">,</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="n">AuditPolicyRegistry</span><span class="p">,</span><span class="w"> </span><span class="n">AutoRuns</span><span class="p">,</span><span class="w"> </span><span class="n">CredGuard</span><span class="p">,</span><span class="w"> </span><span class="n">DNSCache</span><span class="p">,</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="n">DotNet</span><span class="p">,</span><span class="w"> </span><span class="n">EnvironmentPath</span><span class="p">,</span><span class="w"> </span><span class="n">EnvironmentVariables</span><span class="p">,</span><span class="w"> </span><span class="n">Hotfixes</span><span class="p">,</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="n">InterestingProcesses</span><span class="p">,</span><span class="w"> </span><span class="n">InternetSettings</span><span class="p">,</span><span class="w"> </span><span class="n">LAPS</span><span class="p">,</span><span class="w"> </span><span class="n">LastShutdown</span><span class="p">,</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="n">LocalGPOs</span><span class="p">,</span><span class="w"> </span><span class="n">LocalGroups</span><span class="p">,</span><span class="w"> </span><span class="n">LocalUsers</span><span class="p">,</span><span class="w"> </span><span class="n">LogonSessions</span><span class="p">,</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="n">LSASettings</span><span class="p">,</span><span class="w"> </span><span class="n">McAfeeConfigs</span><span class="p">,</span><span class="w"> </span><span class="n">NamedPipes</span><span class="p">,</span><span class="w"> </span><span class="n">NetworkProfiles</span><span class="p">,</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="n">NetworkShares</span><span class="p">,</span><span class="w"> </span><span class="n">NTLMSettings</span><span class="p">,</span><span class="w"> </span><span class="n">OSInfo</span><span class="p">,</span><span class="w"> </span><span class="n">PoweredOnEvents</span><span class="p">,</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="n">PowerShell</span><span class="p">,</span><span class="w"> </span><span class="n">Processes</span><span class="p">,</span><span class="w"> </span><span class="n">PSSessionSettings</span><span class="p">,</span><span class="w"> </span><span class="n">RDPSessions</span><span class="p">,</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="n">RDPsettings</span><span class="p">,</span><span class="w"> </span><span class="n">SCCM</span><span class="p">,</span><span class="w"> </span><span class="n">Services</span><span class="p">,</span><span class="w"> </span><span class="n">Sysmon</span><span class="p">,</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="n">TcpConnections</span><span class="p">,</span><span class="w"> </span><span class="n">TokenPrivileges</span><span class="p">,</span><span class="w"> </span><span class="n">UAC</span><span class="p">,</span><span class="w"> </span><span class="n">UdpConnections</span><span class="p">,</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="n">UserRightAssignments</span><span class="p">,</span><span class="w"> </span><span class="n">WindowsAutoLogon</span><span class="p">,</span><span class="w"> </span><span class="n">WindowsDefender</span><span class="p">,</span><span class="w"> </span><span class="n">WindowsEventForwarding</span><span class="p">,</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="n">WindowsFirewall</span><span class="p">,</span><span class="w"> </span><span class="n">WMIEventConsumer</span><span class="p">,</span><span class="w"> </span><span class="n">WMIEventFilter</span><span class="p">,</span><span class="w"> </span><span class="n">WMIFilterBinding</span><span class="p">,</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="n">WSUS</span><span class="w"></span>
<span class="w"> </span><span class="s2">"Seatbelt.exe -group=slack"</span><span class="w"> </span><span class="n">runs</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">following</span><span class="w"> </span><span class="n">commands</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="n">SlackDownloads</span><span class="p">,</span><span class="w"> </span><span class="n">SlackPresence</span><span class="p">,</span><span class="w"> </span><span class="n">SlackWorkspaces</span><span class="w"></span>
<span class="w"> </span><span class="s2">"Seatbelt.exe -group=chromium"</span><span class="w"> </span><span class="n">runs</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">following</span><span class="w"> </span><span class="n">commands</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="n">ChromiumBookmarks</span><span class="p">,</span><span class="w"> </span><span class="n">ChromiumHistory</span><span class="p">,</span><span class="w"> </span><span class="n">ChromiumPresence</span><span class="w"></span>
<span class="w"> </span><span class="s2">"Seatbelt.exe -group=remote"</span><span class="w"> </span><span class="n">runs</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">following</span><span class="w"> </span><span class="n">commands</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="n">AMSIProviders</span><span class="p">,</span><span class="w"> </span><span class="n">AntiVirus</span><span class="p">,</span><span class="w"> </span><span class="n">AuditPolicyRegistry</span><span class="p">,</span><span class="w"> </span><span class="n">ChromiumPresence</span><span class="p">,</span><span class="w"> </span><span class="n">CloudCredentials</span><span class="p">,</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="n">DNSCache</span><span class="p">,</span><span class="w"> </span><span class="n">DotNet</span><span class="p">,</span><span class="w"> </span><span class="n">DpapiMasterKeys</span><span class="p">,</span><span class="w"> </span><span class="n">EnvironmentVariables</span><span class="p">,</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="n">ExplicitLogonEvents</span><span class="p">,</span><span class="w"> </span><span class="n">ExplorerRunCommands</span><span class="p">,</span><span class="w"> </span><span class="n">FileZilla</span><span class="p">,</span><span class="w"> </span><span class="n">Hotfixes</span><span class="p">,</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="n">InterestingProcesses</span><span class="p">,</span><span class="w"> </span><span class="n">KeePass</span><span class="p">,</span><span class="w"> </span><span class="n">LastShutdown</span><span class="p">,</span><span class="w"> </span><span class="n">LocalGroups</span><span class="p">,</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="n">LocalUsers</span><span class="p">,</span><span class="w"> </span><span class="n">LogonEvents</span><span class="p">,</span><span class="w"> </span><span class="n">LogonSessions</span><span class="p">,</span><span class="w"> </span><span class="n">LSASettings</span><span class="p">,</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="n">MappedDrives</span><span class="p">,</span><span class="w"> </span><span class="n">NetworkProfiles</span><span class="p">,</span><span class="w"> </span><span class="n">NetworkShares</span><span class="p">,</span><span class="w"> </span><span class="n">NTLMSettings</span><span class="p">,</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="n">OSInfo</span><span class="p">,</span><span class="w"> </span><span class="n">PoweredOnEvents</span><span class="p">,</span><span class="w"> </span><span class="n">PowerShell</span><span class="p">,</span><span class="w"> </span><span class="n">ProcessOwners</span><span class="p">,</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="n">PSSessionSettings</span><span class="p">,</span><span class="w"> </span><span class="n">PuttyHostKeys</span><span class="p">,</span><span class="w"> </span><span class="n">PuttySessions</span><span class="p">,</span><span class="w"> </span><span class="n">RDPSavedConnections</span><span class="p">,</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="n">RDPSessions</span><span class="p">,</span><span class="w"> </span><span class="n">RDPsettings</span><span class="p">,</span><span class="w"> </span><span class="n">Sysmon</span><span class="p">,</span><span class="w"> </span><span class="n">WindowsDefender</span><span class="p">,</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="n">WindowsEventForwarding</span><span class="p">,</span><span class="w"> </span><span class="n">WindowsFirewall</span><span class="w"></span>
<span class="w"> </span><span class="s2">"Seatbelt.exe -group=misc"</span><span class="w"> </span><span class="n">runs</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">following</span><span class="w"> </span><span class="n">commands</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="n">ChromiumBookmarks</span><span class="p">,</span><span class="w"> </span><span class="n">ChromiumHistory</span><span class="p">,</span><span class="w"> </span><span class="n">ExplicitLogonEvents</span><span class="p">,</span><span class="w"> </span><span class="n">FileInfo</span><span class="p">,</span><span class="w"> </span><span class="n">FirefoxHistory</span><span class="p">,</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="n">InstalledProducts</span><span class="p">,</span><span class="w"> </span><span class="n">InterestingFiles</span><span class="p">,</span><span class="w"> </span><span class="n">LogonEvents</span><span class="p">,</span><span class="w"> </span><span class="n">LOLBAS</span><span class="p">,</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="n">McAfeeSiteList</span><span class="p">,</span><span class="w"> </span><span class="n">MicrosoftUpdates</span><span class="p">,</span><span class="w"> </span><span class="n">OutlookDownloads</span><span class="p">,</span><span class="w"> </span><span class="n">PowerShellEvents</span><span class="p">,</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="n">Printers</span><span class="p">,</span><span class="w"> </span><span class="n">ProcessCreationEvents</span><span class="p">,</span><span class="w"> </span><span class="n">ProcessOwners</span><span class="p">,</span><span class="w"> </span><span class="n">RecycleBin</span><span class="p">,</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="n">reg</span><span class="p">,</span><span class="w"> </span><span class="n">RPCMappedEndpoints</span><span class="p">,</span><span class="w"> </span><span class="n">ScheduledTasks</span><span class="p">,</span><span class="w"> </span><span class="n">SearchIndex</span><span class="p">,</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="n">SecurityPackages</span><span class="p">,</span><span class="w"> </span><span class="n">SysmonEvents</span><span class="w"></span>
|
||
|
|
||
|
|
||
|
<span class="n">Examples</span><span class="p">:</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="s1">'Seatbelt.exe <Command> [Command2] ...'</span><span class="w"> </span><span class="n">will</span><span class="w"> </span><span class="n">run</span><span class="w"> </span><span class="n">one</span><span class="w"> </span><span class="ow">or</span><span class="w"> </span><span class="n">more</span><span class="w"> </span><span class="n">specified</span><span class="w"> </span><span class="n">checks</span><span class="w"> </span><span class="n">only</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="s1">'Seatbelt.exe <Command> -full'</span><span class="w"> </span><span class="n">will</span><span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">complete</span><span class="w"> </span><span class="n">results</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">command</span><span class="w"> </span><span class="n">without</span><span class="w"> </span><span class="n">any</span><span class="w"> </span><span class="n">filtering</span><span class="o">.</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="s1">'Seatbelt.exe "<Command> [argument]"'</span><span class="w"> </span><span class="n">will</span><span class="w"> </span><span class="k">pass</span><span class="w"> </span><span class="n">an</span><span class="w"> </span><span class="n">argument</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">command</span><span class="w"> </span><span class="n">that</span><span class="w"> </span><span class="n">supports</span><span class="w"> </span><span class="n">it</span><span class="w"> </span><span class="p">(</span><span class="n">note</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">quotes</span><span class="p">)</span><span class="o">.</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="s1">'Seatbelt.exe -group=all'</span><span class="w"> </span><span class="n">will</span><span class="w"> </span><span class="n">run</span><span class="w"> </span><span class="n">ALL</span><span class="w"> </span><span class="n">enumeration</span><span class="w"> </span><span class="n">checks</span><span class="p">,</span><span class="w"> </span><span class="n">can</span><span class="w"> </span><span class="n">be</span><span class="w"> </span><span class="n">combined</span><span class="w"> </span><span class="n">with</span><span class="w"> </span><span class="s2">"-full"</span><span class="o">.</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="s1">'Seatbelt.exe <Command> -computername=COMPUTER.DOMAIN.COM [-username=DOMAIN\USER -password=PASSWORD]'</span><span class="w"> </span><span class="n">will</span><span class="w"> </span><span class="n">run</span><span class="w"> </span><span class="n">an</span><span class="w"> </span><span class="n">applicable</span><span class="w"> </span><span class="n">check</span><span class="w"> </span><span class="n">remotely</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="s1">'Seatbelt.exe -group=remote -computername=COMPUTER.DOMAIN.COM [-username=DOMAIN\USER -password=PASSWORD]'</span><span class="w"> </span><span class="n">will</span><span class="w"> </span><span class="n">run</span><span class="w"> </span><span class="k">remote</span><span class="w"> </span><span class="n">specific</span><span class="w"> </span><span class="n">checks</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="s1">'Seatbelt.exe -group=system -outputfile="C:\Temp\out.txt"'</span><span class="w"> </span><span class="n">will</span><span class="w"> </span><span class="n">run</span><span class="w"> </span><span class="n">system</span><span class="w"> </span><span class="n">checks</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">output</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="o">.</span><span class="n">txt</span><span class="w"> </span><span class="n">file</span><span class="o">.</span><span class="w"></span>
|
||
|
<span class="w"> </span><span class="s1">'Seatbelt.exe -group=user -q -outputfile="C:\Temp\out.json"'</span><span class="w"> </span><span class="n">will</span><span class="w"> </span><span class="n">run</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">quiet</span><span class="w"> </span><span class="n">mode</span><span class="w"> </span><span class="n">with</span><span class="w"> </span><span class="n">user</span><span class="w"> </span><span class="n">checks</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">output</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="o">.</span><span class="n">json</span><span class="w"> </span><span class="n">file</span><span class="o">.</span><span class="w"></span>
|
||
|
</code></pre></div>
|
||
|
|
||
|
<p><strong>Note:</strong> searches that target users will run for the current user if not elevated and for ALL users if elevated.</p>
|
||
|
<p><strong>A more detailed wiki is coming...</strong></p>
|
||
|
<h2 id="command-groups">Command Groups</h2>
|
||
|
<p><strong>Note:</strong> many commands do some type of filtering by default. Supplying the <code>-full</code> argument prevents filtering output. Also, the command group <code>all</code> will run all current checks.</p>
|
||
|
<p>For example, the following command will run ALL checks and returns ALL output:</p>
|
||
|
<p><code>Seatbelt.exe -group=all -full</code></p>
|
||
|
<h3 id="system">system</h3>
|
||
|
<p>Runs checks that mine interesting data about the system.</p>
|
||
|
<p>Executed with: <code>Seatbelt.exe -group=system</code></p>
|
||
|
<p>| Command | Description |
|
||
|
| ----------- | ----------- |
|
||
|
| AMSIProviders | Providers registered for AMSI |
|
||
|
| AntiVirus | Registered antivirus (via WMI) |
|
||
|
| AppLocker | AppLocker settings, if installed |
|
||
|
| ARPTable | Lists the current ARP table and adapter information (equivalent to arp -a) |
|
||
|
| AuditPolicies | Enumerates classic and advanced audit policy settings |
|
||
|
| AuditPolicyRegistry | Audit settings via the registry |
|
||
|
| AutoRuns | Auto run executables/scripts/programs |
|
||
|
| CredGuard | CredentialGuard configuration |
|
||
|
| DNSCache | DNS cache entries (via WMI) |
|
||
|
| DotNet | DotNet versions |
|
||
|
| EnvironmentPath | Current environment %PATH% folders and SDDL information |
|
||
|
| EnvironmentVariables | Current user environment variables |
|
||
|
| Hotfixes | Installed hotfixes (via WMI) |
|
||
|
| InterestingProcesses | "Interesting" processes - defensive products and admin tools |
|
||
|
| InternetSettings | Internet settings including proxy configs |
|
||
|
| LAPS | LAPS settings, if installed |
|
||
|
| LastShutdown | Returns the DateTime of the last system shutdown (via the registry) |
|
||
|
| LocalGPOs | Local Group Policy settings applied to the machine/local users |
|
||
|
| LocalGroups | Non-empty local groups, "full" displays all groups (argument == computername to enumerate) |
|
||
|
| LocalUsers | Local users, whether they're active/disabled, and pwd last set (argument == computername to enumerate) |
|
||
|
| LogonSessions | Logon events (Event ID 4624) from the security event log. Default of 10 days, argument == last X days. |
|
||
|
| LSASettings | LSA settings (including auth packages) |
|
||
|
| McAfeeConfigs | Finds McAfee configuration files |
|
||
|
| NamedPipes | Named pipe names and any readable ACL information |
|
||
|
| NetworkProfiles | Windows network profiles |
|
||
|
| NetworkShares | Network shares exposed by the machine (via WMI) |
|
||
|
| NTLMSettings | NTLM authentication settings |
|
||
|
| OSInfo | Basic OS info (i.e. architecture, OS version, etc.) |
|
||
|
| PoweredOnEvents | Reboot and sleep schedule based on the System event log EIDs 1, 12, 13, 42, and 6008. Default of 7 days, argument == last X days. |
|
||
|
| PowerShell | PowerShell versions and security settings |
|
||
|
| Processes | Running processes with file info company names that don't contain 'Microsoft', "full" enumerates all processes |
|
||
|
| PSSessionSettings | Enumerates PS Session Settings from the registry |
|
||
|
| RDPSessions | Current incoming RDP sessions (argument == computername to enumerate) |
|
||
|
| RDPsettings | Remote Desktop Server/Client Settings |
|
||
|
| SCCM | System Center Configuration Manager (SCCM) settings, if applicable |
|
||
|
| Services | Services with file info company names that don't contain 'Microsoft', "full" dumps all services |
|
||
|
| Sysmon | Sysmon configuration from the registry |
|
||
|
| TcpConnections | Current TCP connections and their associated processes and services |
|
||
|
| TokenPrivileges | Currently enabled token privileges (e.g. SeDebugPrivilege/etc.) |
|
||
|
| UAC | UAC system policies via the registry |
|
||
|
| UdpConnections | Current UDP connections and associated processes and services |
|
||
|
| UserRightAssignments | Configured User Right Assignments (e.g. SeDenyNetworkLogonRight, SeShutdownPrivilege, etc.) argument == computername to enumerate |
|
||
|
| WindowsAutoLogon | Registry autologon information |
|
||
|
| WindowsDefender | Windows Defender settings (including exclusion locations) |
|
||
|
| WindowsEventForwarding | Windows Event Forwarding (WEF) settings via the registry |
|
||
|
| WindowsFirewall | Non-standard firewall rules, "full" dumps all (arguments == allow/deny/tcp/udp/in/out/domain/private/public) |
|
||
|
| WMIEventConsumer | Lists WMI Event Consumers |
|
||
|
| WMIEventFilter | Lists WMI Event Filters |
|
||
|
| WMIFilterBinding | Lists WMI Filter to Consumer Bindings |
|
||
|
| WSUS | Windows Server Update Services (WSUS) settings, if applicable |</p>
|
||
|
<h3 id="user">user</h3>
|
||
|
<p>Runs checks that mine interesting data about the currently logged on user (if not elevated) or ALL users (if elevated).</p>
|
||
|
<p>Executed with: <code>Seatbelt.exe -group=user</code></p>
|
||
|
<p>| Command | Description |
|
||
|
| ----------- | ----------- |
|
||
|
| ChromePresence | Checks if interesting Google Chrome files exist |
|
||
|
| CloudCredentials | AWS/Google/Azure cloud credential files |
|
||
|
| CredEnum | Enumerates the current user's saved credentials using CredEnumerate() |
|
||
|
| dir | Lists files/folders. By default, lists users' downloads, documents, and desktop folders (arguments == &lt;directory&gt; &lt;depth&gt; &lt;regex&gt;) |
|
||
|
| DpapiMasterKeys | List DPAPI master keys |
|
||
|
| ExplorerMRUs | Explorer most recently used files (last 7 days, argument == last X days) |
|
||
|
| ExplorerRunCommands | Recent Explorer "run" commands |
|
||
|
| FileZilla | FileZilla configuration files |
|
||
|
| FirefoxPresence | Checks if interesting Firefox files exist |
|
||
|
| IdleTime | Returns the number of seconds since the current user's last input. |
|
||
|
| IEFavorites | Internet Explorer favorites |
|
||
|
| IETabs | Open Internet Explorer tabs |
|
||
|
| IEUrls| Internet Explorer typed URLs (last 7 days, argument == last X days) |
|
||
|
| MappedDrives | Users' mapped drives (via WMI) |
|
||
|
| OfficeMRUs | Office most recently used file list (last 7 days) |
|
||
|
| PowerShellHistory | Iterates through every local user and attempts to read their PowerShell console history; if successful, prints it |
|
||
|
| PuttyHostKeys | Saved Putty SSH host keys |
|
||
|
| PuttySessions | Saved Putty configuration (interesting fields) and SSH host keys |
|
||
|
| RDCManFiles | Windows Remote Desktop Connection Manager settings files |
|
||
|
| RDPSavedConnections | Saved RDP connections stored in the registry |
|
||
|
| SecPackageCreds | Obtains credentials from security packages |
|
||
|
| SlackDownloads | Parses any found 'slack-downloads' files |
|
||
|
| SlackPresence | Checks if interesting Slack files exist |
|
||
|
| SlackWorkspaces | Parses any found 'slack-workspaces' files |
|
||
|
| SuperPutty | SuperPutty configuration files |
|
||
|
| TokenGroups | The current token's local and domain groups |
|
||
|
| WindowsCredentialFiles | Windows credential DPAPI blobs |
|
||
|
| WindowsVault | Credentials saved in the Windows Vault (i.e. logins from Internet Explorer and Edge). |</p>
|
||
|
<h3 id="misc">misc</h3>
|
||
|
<p>Runs all miscellaneous checks.</p>
|
||
|
<p>Executed with: <code>Seatbelt.exe -group=misc</code></p>
|
||
|
<p>| Command | Description |
|
||
|
| ----------- | ----------- |
|
||
|
| ChromeBookmarks | Parses any found Chrome bookmark files |
|
||
|
| ChromeHistory | Parses any found Chrome history files |
|
||
|
| ExplicitLogonEvents | Explicit Logon events (Event ID 4648) from the security event log. Default of 7 days, argument == last X days. |
|
||
|
| FileInfo | Information about a file (version information, timestamps, basic PE info, etc.); argument(s) == file path(s) |
|
||
|
| FirefoxHistory | Parses any found FireFox history files |
|
||
|
| HuntLolbas | Locates Living Off The Land Binaries and Scripts (LOLBAS) on the system. Note: takes non-trivial time. |
|
||
|
| InstalledProducts | Installed products via the registry |
|
||
|
| InterestingFiles | "Interesting" files matching various patterns in the user's folder. Note: takes non-trivial time. |
|
||
|
| LogonEvents | Logon events (Event ID 4624) from the security event log. Default of 10 days, argument == last X days. |
|
||
|
| McAfeeSiteList | Decrypt any found McAfee SiteList.xml configuration files. |
|
||
|
| MicrosoftUpdates | All Microsoft updates (via COM) |
|
||
|
| OutlookDownloads | List files downloaded by Outlook |
|
||
|
| PowerShellEvents | PowerShell script block logs (4104) with sensitive data. |
|
||
|
| Printers | Installed Printers (via WMI) |
|
||
|
| ProcessCreationEvents | Process creation logs (4688) with sensitive data. |
|
||
|
| ProcessOwners | Running non-session 0 process list with owners. For remote use. |
|
||
|
| RecycleBin | Items in the Recycle Bin deleted in the last 30 days - only works from a user context! |
|
||
|
| reg | Registry key values (HKLM\Software by default) argument == [Path] [intDepth] [Regex] [boolIgnoreErrors] |
|
||
|
| RPCMappedEndpoints | Current RPC endpoints mapped |
|
||
|
| ScheduledTasks | Scheduled tasks (via WMI) that aren't authored by 'Microsoft', "full" dumps all Scheduled tasks |
|
||
|
| SearchIndex | Query results from the Windows Search Index, default term of 'password'. (argument(s) == &lt;search path&gt; &lt;pattern1,pattern2,...&gt;) |
|
||
|
| SecurityPackages | Enumerates the security packages currently available using EnumerateSecurityPackagesA() |
|
||
|
| SysmonEvents | Sysmon process creation logs (1) with sensitive data. |</p>
|
||
|
<h3 id="additional-command-groups">Additional Command Groups</h3>
|
||
|
<p>Executed with: <code>Seatbelt.exe -group=GROUPNAME</code></p>
|
||
|
<p>| Alias | Description |
|
||
|
| ----------- | ----------- |
|
||
|
| Slack | Runs modules that start with "Slack*" |
|
||
|
| Chrome | Runs modules that start with "Chrome*" |
|
||
|
| Remote | Runs the following modules (for use against a remote system): AMSIProviders, AntiVirus, DotNet, ExplorerRunCommands, Hotfixes, InterestingProcesses, LastShutdown, LogonSessions, LSASettings, MappedDrives, NetworkProfiles, NetworkShares, NTLMSettings, PowerShell, ProcessOwners, PuttyHostKeys, PuttySessions, RDPSavedConnections, RDPSessions, RDPsettings, Sysmon, WindowsDefender, WindowsEventForwarding, WindowsFirewall |</p>
|
||
|
<h2 id="command-arguments">Command Arguments</h2>
|
||
|
<p>Commands that accept arguments note this in their description. To pass an argument to a command, enclose the command and its arguments in double quotes.</p>
|
||
|
<p>For example, the following command returns 4624 logon events for the last 30 days:</p>
|
||
|
<p><code>Seatbelt.exe "LogonEvents 30"</code></p>
|
||
|
<p>The following command queries a registry key three levels deep, returning only keys/valueNames/values that match the regex <code>.*defini.*</code>, and ignoring any errors that occur.</p>
|
||
|
<p><code>Seatbelt.exe "reg \"HKLM\SOFTWARE\Microsoft\Windows Defender\" 3 .*defini.* true"</code></p>
|
||
|
<h2 id="output">Output</h2>
|
||
|
<p>Seatbelt can redirect its output to a file with the <code>-outputfile="C:\Path\file.txt"</code> argument. If the file path ends in .json, the output will be structured json.</p>
|
||
|
<p>For example, the following command will output the results of system checks to a txt file:</p>
|
||
|
<p><code>Seatbelt.exe -group=system -outputfile="C:\Temp\system.txt"</code></p>
|
||
|
<h2 id="remote-enumeration">Remote Enumeration</h2>
|
||
|
<p>Commands noted with a + in the help menu can be run remotely against another system. This is performed over WMI via queries for WMI classes and WMI's StdRegProv for registry enumeration.</p>
|
||
|
<p>To enumerate a remote system, supply <code>-computername=COMPUTER.DOMAIN.COM</code> - an alternate username and password can be specified with <code>-username=DOMAIN\USER -password=PASSWORD</code></p>
|
||
|
<p>For example, the following command runs remote-focused checks against a remote system:</p>
|
||
|
<p><code>Seatbelt.exe -group=remote -computername=192.168.230.209 -username=THESHIRE\sam -password="yum \"po-ta-toes\""</code></p>
|
||
|
<h2 id="building-your-own-modules">Building Your Own Modules</h2>
|
||
|
<p>Seatbelt's structure is completely modular, allowing for additional command modules to be dropped into the file structure and loaded up dynamically.</p>
|
||
|
<p>There is a commented command module template at <code>.\Seatbelt\Commands\Template.cs</code> for reference. Once built, drop the module in the logical file location, include it in the project in the Visual Studio Solution Explorer, and compile.</p>
|
||
|
<h2 id="compile-instructions">Compile Instructions</h2>
|
||
|
<p>We are not planning on releasing binaries for Seatbelt, so you will have to compile yourself.</p>
|
||
|
<p>Seatbelt has been built against .NET 3.5 and 4.0 with C# 8.0 features and is compatible with <a href="https://visualstudio.microsoft.com/downloads/">Visual Studio Community Edition</a>. Simply open up the project .sln, choose "release", and build. To change the target .NET framework version, <a href="https://github.com/GhostPack/Seatbelt/issues/27">modify the project's settings</a> and rebuild the project.</p>
|
||
|
<h2 id="acknowledgments">Acknowledgments</h2>
|
||
|
<p>Seatbelt incorporates various collection items, C# code snippets, and bits of PoCs found throughout research for its capabilities. These ideas, snippets, and authors are highlighted in the appropriate locations in the source code, and include:</p>
|
||
|
<ul>
|
||
|
<li><a href="https://twitter.com/andrewchiles">@andrewchiles</a>' <a href="https://github.com/threatexpress/red-team-scripts/blob/master/HostEnum.ps1">HostEnum.ps1</a> script and <a href="https://twitter.com/tifkin_">@tifkin_</a>'s <a href="https://github.com/leechristensen/Random/blob/master/PowerShellScripts/Get-HostProfile.ps1">Get-HostProfile.ps1</a> provided inspiration for many of the artifacts to collect.</li>
|
||
|
<li><a href="https://stackoverflow.com/questions/33935825/pinvoke-netlocalgroupgetmembers-runs-into-fatalexecutionengineerror/33939889#33939889">Boboes' code concerning NetLocalGroupGetMembers</a></li>
|
||
|
<li><a href="https://gist.github.com/ambyte/01664dc7ee576f69042c">ambyte's code for converting a mapped drive letter to a network path</a></li>
|
||
|
<li><a href="https://stackoverflow.com/questions/2146153/how-to-get-the-logon-sid-in-c-sharp/2146418#2146418">Igor Korkhov's code to retrieve current token group information</a></li>
|
||
|
<li><a href="https://stackoverflow.com/questions/498371/how-to-detect-if-my-application-is-running-in-a-virtual-machine/11145280#11145280">RobSiklos' snippet to determine if a host is a virtual machine</a></li>
|
||
|
<li><a href="https://stackoverflow.com/questions/1410127/c-sharp-test-if-user-has-write-access-to-a-folder/21996345#21996345">JGU's snippet on file/folder ACL right comparison</a></li>
|
||
|
<li><a href="http://csharphelper.com/blog/2015/06/find-files-that-match-multiple-patterns-in-c/">Rod Stephens' pattern for recursive file enumeration</a></li>
|
||
|
<li><a href="https://stackoverflow.com/questions/4349743/setting-size-of-token-privileges-luid-and-attributes-array-returned-by-gettokeni">SwDevMan81's snippet for enumerating current token privileges</a></li>
|
||
|
<li><a href="https://github.com/Invoke-IR/ACE/blob/master/ACE-Management/PS-ACE/Scripts/ACE_Get-KerberosTicketCache.ps1">Jared Atkinson's PowerShell work on Kerberos ticket caches</a></li>
|
||
|
<li><a href="https://www.dreamincode.net/forums/topic/135033-increment-memory-pointer-issue/">darkmatter08's Kerberos C# snippet</a></li>
|
||
|
<li>Numerous <a href="https://www.pinvoke.net/">PInvoke.net</a> samples <3</li>
|
||
|
<li><a href="https://www.codeproject.com/Articles/18179/Using-the-Local-Security-Authority-to-Enumerate-Us">Jared Hill's awesome CodeProject to use Local Security Authority to Enumerate User Sessions</a></li>
|
||
|
<li><a href="https://social.technet.microsoft.com/Forums/lync/en-US/e949b8d6-17ad-4afc-88cd-0019a3ac9df9/powershell-alternative-to-arp-a?forum=ITCG">Fred's code on querying the ARP cache</a></li>
|
||
|
<li><a href="https://stackoverflow.com/questions/577433/which-pid-listens-on-a-given-port-in-c-sharp/577660#577660">ShuggyCoUk's snippet on querying the TCP connection table</a></li>
|
||
|
<li><a href="https://gist.github.com/yizhang82/a1268d3ea7295a8a1496e01d60ada816">yizhang82's example of using reflection to interact with COM objects through C#</a></li>
|
||
|
<li><a href="https://twitter.com/djhohnstein">@djhohnstein</a>'s <a href="https://github.com/djhohnstein/SharpWeb/blob/master/Edge/SharpEdge.cs">SharpWeb project</a></li>
|
||
|
<li><a href="https://twitter.com/djhohnstein">@djhohnstein</a>'s <a href="https://github.com/djhohnstein/EventLogParser">EventLogParser project</a></li>
|
||
|
<li><a href="https://twitter.com/cmaddalena">@cmaddalena</a>'s <a href="https://github.com/chrismaddalena/SharpCloud">SharpCloud project</a>, BSD 3-Clause</li>
|
||
|
<li><a href="https://twitter.com/_RastaMouse">@_RastaMouse</a>'s <a href="https://github.com/rasta-mouse/Watson/">Watson project</a>, GPL License</li>
|
||
|
<li><a href="https://twitter.com/_RastaMouse">@_RastaMouse</a>'s <a href="https://rastamouse.me/2018/09/enumerating-applocker-config/">Work on AppLocker enumeration</a></li>
|
||
|
<li><a href="https://twitter.com/peewpw">@peewpw</a>'s <a href="https://github.com/peewpw/Invoke-WCMDump/blob/master/Invoke-WCMDump.ps1">Invoke-WCMDump project</a>, GPL License</li>
|
||
|
<li>TrustedSec's <a href="https://github.com/trustedsec/HoneyBadger/tree/master/modules/post/windows/gather">HoneyBadger project</a>, BSD 3-Clause</li>
|
||
|
<li>CENTRAL Solutions's <a href="https://www.centrel-solutions.com/support/tools.aspx?feature=auditrights">Audit User Rights Assignment Project</a>, No license</li>
|
||
|
<li>Collection ideas inspired from <a href="https://twitter.com/ukstufus">@ukstufus</a>'s <a href="https://github.com/stufus/reconerator">Reconerator</a></li>
|
||
|
<li>Office MRU locations and timestamp parsing information from Dustin Hurlbut's paper <a href="https://ad-pdf.s3.amazonaws.com/Microsoft_Office_2007-2010_Registry_ArtifactsFINAL.pdf">Microsoft Office 2007, 2010 - Registry Artifacts</a></li>
|
||
|
<li>The <a href="https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/windows-commands">Windows Commands list</a>, used for sensitive regex construction</li>
|
||
|
<li><a href="https://stackoverflow.com/questions/21805038/how-do-i-pinvoke-rpcmgmtepeltinqnext">Ryan Ries' code for enumerating mapped RPC endpoints</a></li>
|
||
|
<li><a href="https://stackoverflow.com/a/5941873">Chris Haas' post on EnumerateSecurityPackages()</a></li>
|
||
|
<li><a href="carlos_perez">darkoperator</a>'s work <a href="https://github.com/trustedsec/HoneyBadger">on the HoneyBadger project</a></li>
|
||
|
<li><a href="https://twitter.com/airzero24">@airzero24</a>'s work on <a href="https://github.com/airzero24/WMIReg">WMI Registry enumeration</a></li>
|
||
|
<li>Alexandru's answer on <a href="https://stackoverflow.com/questions/26217199/what-are-some-alternatives-to-registrykey-openbasekey-in-net-3-5">RegistryKey.OpenBaseKey alternatives</a></li>
|
||
|
<li>Tomas Vera's <a href="http://www.tomasvera.com/programming/using-javascriptserializer-to-parse-json-objects/">post on JavaScriptSerializer</a></li>
|
||
|
<li>Marc Gravell's <a href="https://stackoverflow.com/a/929418">note on recursively listing files/folders</a></li>
|
||
|
<li><a href="https://twitter.com/mattifestation">@mattifestation</a>'s <a href="https://github.com/mattifestation/PSSysmonTools/blob/master/PSSysmonTools/Code/SysmonRuleParser.ps1#L589-L595">Sysmon rule parser</a></li>
|
||
|
<li>Some inspiration from spolnik's <a href="https://github.com/spolnik/Simple.CredentialsManager">Simple.CredentialsManager project</a>, Apache 2 license</li>
|
||
|
<li><a href="https://www.tenforums.com/tutorials/68926-verify-if-device-guard-enabled-disabled-windows-10-a.html">This post on Credential Guard settings</a></li>
|
||
|
<li><a href="https://social.technet.microsoft.com/Forums/windows/en-US/b0e13a16-51a6-4aca-8d44-c85e097f882b/nametype-in-nla-information-for-a-network-profile">This thread</a> on network profile information</li>
|
||
|
<li>Mark McKinnon's post on <a href="http://cfed-ttf.blogspot.com/2009/08/decoding-datecreated-and.html">decoding the DateCreated and DateLastConnected SSID values</a></li>
|
||
|
<li>This Specops <a href="https://specopssoft.com/blog/things-work-group-policy-caching/">post on group policy caching</a></li>
|
||
|
<li>sa_ddam213's StackOverflow post on <a href="https://stackoverflow.com/questions/18071412/list-filenames-in-the-recyclebin-with-c-sharp-without-using-any-external-files">enumerating items in the Recycle Bin</a></li>
|
||
|
<li>Kirill Osenkov's <a href="https://stackoverflow.com/a/15608028">code for managed assembly detection</a></li>
|
||
|
<li>The <a href="https://github.com/mono/linux-packaging-mono/blob/d356d2b7db91d62b80a61eeb6fbc70a402ac3cac/external/corefx/LICENSE.TXT">Mono project</a> for the SecBuffer/SecBufferDesc classes</li>
|
||
|
<li><a href="https://twitter.com/elad_shamir">Elad Shamir</a> and his <a href="https://github.com/eladshamir/Internal-Monologue/">Internal-Monologue</a> project, <a href="https://twitter.com/mysmartlogon">Vincent Le Toux</a> for his <a href="https://github.com/vletoux/DetectPasswordViaNTLMInFlow/">DetectPasswordViaNTLMInFlow</a> project, and Lee Christensen for his <a href="https://github.com/leechristensen/GetNTLMChallenge/">GetNTLMChallenge</a> project. All of these served as inspiration for the SecPackageCreds command.</li>
|
||
|
<li>@leftp and @eksperience's <a href="https://github.com/EncodeGroup/Gopher">Gopher project</a> for inspiration for the FileZilla and SuperPutty commands</li>
|
||
|
<li>@funoverip for the original McAfee SiteList.xml decryption code</li>
|
||
|
</ul>
|
||
|
<p>We've tried to do our due diligence for citations, but if we've left someone/something out, please let us know!</p>
|
||
|
</span>
|
||
|
</div>
|
||
|
</div>
|
||
|
<div id="footer">
|
||
|
|
||
|
<p></p>
|
||
|
<center>
|
||
|
© Stefan Friese
|
||
|
</center>
|
||
|
|
||
|
</div>
|
||
|
|
||
|
<script>
|
||
|
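/**
 * Persist the open/closed state of a sidebar <details> element in
 * sessionStorage so the expanded sections survive navigation.
 *
 * Invoked from the element's toggle handler with the element itself.
 * The element's id is the storage key; the value "open" marks an
 * expanded element, and collapsing it removes the key entirely.
 *
 * @param {HTMLDetailsElement} obj - the <details> element that was toggled
 */
function linkClick(obj) {
  // Without an id there is no stable key. The original code stored the
  // key "undefined"/"" in that case, which the restore loop later fed to
  // getElementById() and crashed on the null result.
  if (!obj || !obj.id) {
    return;
  }
  if (obj.open) {
    // setItem() overwrites any previous value, so no prior removal is needed.
    sessionStorage.setItem(obj.id, "open");
  } else {
    sessionStorage.removeItem(obj.id);
  }
}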
|
||
|
|
||
|
//if ( sessionStorage.getItem("opened")) {
|
||
|
// var item = sessionStorage.getItem("opened")
|
||
|
// document.getElementById(item)['open'] = 'open';
|
||
|
//}
|
||
|
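// Re-open every sidebar <details> element whose id linkClick() saved in
// sessionStorage, so expanded sections persist across page loads.
//
// sessionStorage is shared by every script on this origin, so a key may
// come from elsewhere or name an element that does not exist on this page.
// The original loop did getElementById(key).open on every key unguarded:
// one unknown key threw a TypeError and aborted the restore for all the
// remaining keys. Only keys that carry linkClick()'s "open" marker and
// resolve to a <details> element are acted on.
for (const key of Object.keys(sessionStorage)) {
  if (sessionStorage.getItem(key) !== "open") {
    continue;
  }
  const el = document.getElementById(key);
  if (el && el.tagName === "DETAILS") {
    el.open = true;
  }
}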
|
||
|
|
||
|
|
||
|
|
||
|
// const detailsElement = document.querySelector('.details-sidebar');
|
||
|
// detailsElement.addEventListener('toggle', event => {
|
||
|
// if (event.target.open) {
|
||
|
// console.log('open');
|
||
|
// if (sessionStorage.getItem("opened") && !(sessionStorage.getItem("opened") === detailsElement.id)) {
|
||
|
// sessionStorage.removeItem("opened");
|
||
|
// }
|
||
|
// sessionStorage.setItem("opened", detailsElement.id);
|
||
|
// console.log(detailsElement);
|
||
|
//
|
||
|
// } else {
|
||
|
// console.log('closed');
|
||
|
// sessionStorage.removeItem("opened");
|
||
|
//
|
||
|
// }
|
||
|
// });
|
||
|
//
|
||
|
// async function fetchIndexJSON() {
|
||
|
// const response = await fetch('/index.json');
|
||
|
// const index = await response.json();
|
||
|
// return index;
|
||
|
// }
|
||
|
// // Extract the `q` query parameter
|
||
|
//var queryStringRegex = /[\?&]q=([^&]+)/g;
|
||
|
//var matches = queryStringRegex.exec(window.location.search);
|
||
|
//if(matches && matches[1]) {
|
||
|
// var value = decodeURIComponent(matches[1].replace(/\+/g, '%20'));
|
||
|
//
|
||
|
//
|
||
|
// // fetchIndexJSON()
|
||
|
// // .then(index => { console.log(index['index']);});
|
||
|
// // Load the posts to search
|
||
|
// fetch('/index').then(function(posts) {
|
||
|
// // Remember to include Fuse.js before this script.
|
||
|
//
|
||
|
// var fuse = new Fuse(posts, {
|
||
|
// keys: ['title', 'tags', 'content'] // What we're searching
|
||
|
// });
|
||
|
//
|
||
|
// // Run the search
|
||
|
// var results = fuse.search(value);
|
||
|
// //console.log(results);
|
||
|
//
|
||
|
// // Generate markup for the posts, implement SearchResults however you want.
|
||
|
// // var $results = SearchResults(results);
|
||
|
//
|
||
|
// // Add the element to the empty <div> from before.
|
||
|
//// $('#searchResults').append($results);
|
||
|
// });
|
||
|
//}
|
||
|
</script>
|
||
|
|
||
|
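<!-- NOTE(review): both MathJax loads are third-party scripts with no
     integrity (SRI) attribute, and "mathjax@2" is a floating tag rather
     than an exact version, so whatever the CDN serves runs with full
     access to this page. The MathJax project retired cdn.mathjax.org in
     2017, so the second tag is not expected to load at all; keeping it
     only adds a failed request. -->
<script type="text/javascript" src="https://cdn.jsdelivr.net/npm/mathjax@2/MathJax.js"></script>
<script src="https://cdn.mathjax.org/mathjax/latest/MathJax.js?config=TeX-AMS-MML_HTMLorMML" type="text/javascript"></script>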
|
||
|
<script type="text/x-mathjax-config">
|
||
|
MathJax.Hub.Config({
|
||
|
config: ["MMLorHTML.js"],
|
||
|
jax: ["input/TeX", "output/HTML-CSS", "output/NativeMML"],
|
||
|
extensions: ["MathMenu.js", "MathZoom.js"]
|
||
|
});
|
||
|
</script>
|
||
|
</body>
|
||
|
</html>
|