<!doctype html>
< html lang = "en" >
< center >
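<head>
  <!-- Declare the encoding before any other content so the parser never has to sniff it;
       the original head had no charset declaration at all. -->
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <title>The Real Hugo</title>
  <link rel="stylesheet" href="/static/stylesheet.css">
  <link rel="stylesheet" href="/static/auto-complete.css">
  <!-- Third-party scripts are fetched from public CDNs with no Subresource Integrity, so a
       changed or compromised upstream file runs with the full privileges of this page.
       Each tag should get integrity="sha384-<HASH_PLACEHOLDER>" computed from the exact file,
       and the fuse.js URL should be pinned to a specific version rather than the floating
       "latest" path. crossorigin="anonymous" is the CORS mode SRI requires. -->
  <script src="https://cdn.jsdelivr.net/npm/fuse.js/dist/fuse.js" crossorigin="anonymous"></script>
  <script src="https://code.jquery.com/jquery-3.5.1.min.js" crossorigin="anonymous"></script>
  <!-- Same-origin site scripts, kept in the original order; search.js presumably depends on
       lunr.min.js being loaded first - confirm before reordering or adding defer. -->
  <script src="/static/js/auto-complete.js"></script>
  <script src="/static/js/lunr.min.js"></script>
  <script src="/static/js/search.js"></script>
  <!-- A stray <br> that sat here was removed: it is not valid inside <head> and only
       produced a blank line at the top of the rendered page. -->
</head>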
< body >
<!-- topmenu -->
<div class="menu">
  <!-- Site title linking back to the landing page; the inline style only suppresses the underline. -->
  <a style="text-decoration:none" href="/">Husk</a>
</div>
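<div class="search-container">
  <!-- The <label> contains only an icon-font glyph (and no Font Awesome stylesheet is
       linked from this page's head), so without aria-label the search box had an empty
       accessible name and placeholder text as its only hint. -->
  <label for="search-by"><i class="fas fa-search" aria-hidden="true"></i></label>
  <input data-search-input="" id="search-by" type="search" placeholder="Search..." autocomplete="off" aria-label="Search">
  <!-- button type="submit"><i class="search"></i>🔍</button> -->
  <!-- NOTE(review): a <span> is neither focusable nor keyboard-operable; the clear control is
       presumably bound by search.js via [data-search-clear]. A <button type="button"> carrying
       the same data attribute would be the accessible element - verify the CSS and the JS
       selector before switching. -->
  <span data-search-clear=""><i class="fas fa-times" aria-hidden="true"></i></span>
</div>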
< / div >
< div class = "menu" >
< / div >
<!-- br><br -->
< / center >
< p > < / p >
< div class = "columns" >
<!-- Sidebar -->
< div class = "column column-1" >
< ul > < details id = enumeration ontoggle = "linkClick(this); return false;" > < summary > Enumeration< / summary > < ul > < details id = containers ontoggle = "linkClick(this); return false;" > < summary > Containers< / summary > < ul > < / ul > < / details > < details id = docs ontoggle = "linkClick(this); return false;" > < summary > Docs< / summary > < ul > < li > < a href = "/enumeration/docs/aws.html" > aws< / a > < / li > < li > < a href = "/enumeration/docs/cewl.html" > cewl< / a > < / li > < li > < a href = "/enumeration/docs/dns.html" > dns< / a > < / li > < li > < a href = "/enumeration/docs/docker_enumeration.html" > docker_enumeration< / a > < / li > < li > < a href = "/enumeration/docs/ffuf.html" > ffuf< / a > < / li > < li > < a href = "/enumeration/docs/gobuster.html" > gobuster< / a > < / li > < li > < a href = "/enumeration/docs/kerberoast.html" > kerberoast< / a > < / li > < li > < a href = "/enumeration/docs/kubectl.html" > kubectl< / a > < / li > < li > < a href = "/enumeration/docs/ldap.html" > ldap< / a > < / li > < li > < a href = "/enumeration/docs/linux_basics.html" > linux_basics< / a > < / li > < li > < a href = "/enumeration/docs/microk8s.html" > microk8s< / a > < / li > < li > < a href = "/enumeration/docs/nfs.html" > nfs< / a > < / li > < li > < a href = "/enumeration/docs/nikto.html" > nikto< / a > < / li > < li > < a href = "/enumeration/docs/nmap.html" > nmap< / a > < / li > < li > < a href = "/enumeration/docs/port_knocking.html" > port_knocking< / a > < / li > < li > < a href = "/enumeration/docs/rpcclient.html" > rpcclient< / a > < / li > < li > < a href = "/enumeration/docs/rsync.html" > rsync< / a > < / li > < li > < a href = "/enumeration/docs/rustscan.html" > rustscan< / a > < / li > < li > < a href = "/enumeration/docs/shodan.html" > shodan< / a > < / li > < details id = snmp ontoggle = "linkClick(this); return false;" > < summary > Snmp< / summary > < ul > < li > < a href = "/enumeration/docs/snmp/onesixtyone.html" > 
onesixtyone< / a > < / li > < li > < a href = "/enumeration/docs/snmp/snmpcheck.html" > snmpcheck< / a > < / li > < / ul > < / details > < li > < a href = "/enumeration/docs/websites.html" > websites< / a > < / li > < li > < a href = "/enumeration/docs/wfuzz.html" > wfuzz< / a > < / li > < li > < a href = "/enumeration/docs/wpscan.html" > wpscan< / a > < / li > < / ul > < / details > < details id = network_scanners ontoggle = "linkClick(this); return false;" > < summary > Network_scanners< / summary > < ul > < / ul > < / details > < details id = windows ontoggle = "linkClick(this); return false;" > < summary > Windows< / summary > < ul > < li > < a href = "/enumeration/windows/bloodhound.html" > bloodhound< / a > < / li > < li > < a href = "/enumeration/windows/event_log.html" > event_log< / a > < / li > < li > < a href = "/enumeration/windows/manual_enum.html" > manual_enum< / a > < / li > < li > < a href = "/enumeration/windows/powershell.html" > powershell< / a > < / li > < li > < a href = "/enumeration/windows/rpcclient.html" > rpcclient< / a > < / li > < li > < a href = "/enumeration/windows/sysinternals.html" > sysinternals< / a > < / li > < li > < a href = "/enumeration/windows/sysmon.html" > sysmon< / a > < / li > < li > < a href = "/enumeration/windows/vss.html" > vss< / a > < / li > < / ul > < / details > < / ul > < / details > < details id = exploit ontoggle = "linkClick(this); return false;" > < summary > Exploit< / summary > < ul > < details id = CPUs ontoggle = "linkClick(this); return false;" > < summary > CPUs< / summary > < ul > < li > < a href = "/exploit/CPUs/meltdown.html" > meltdown< / a > < / li > < / ul > < / details > < details id = binaries ontoggle = "linkClick(this); return false;" > < summary > Binaries< / summary > < ul > < li > < a href = "/exploit/binaries/Shellcode.html" > Shellcode< / a > < / li > < li > < a href = "/exploit/binaries/aslr.html" > aslr< / a > < / li > < details id = buffer_overflow ontoggle = "linkClick(this); return 
false;" > < summary > Buffer_overflow< / summary > < ul > < details id = docs ontoggle = "linkClick(this); return false;" > < summary > Docs< / summary > < ul > < li > < a href = "/exploit/binaries/buffer_overflow/docs/amd64.html" > amd64< / a > < / li > < li > < a href = "/exploit/binaries/buffer_overflow/docs/amd64_instructions.html" > amd64_instructions< / a > < / li > < li > < a href = "/exploit/binaries/buffer_overflow/docs/buffer_overflow.html" > buffer_overflow< / a > < / li > < li > < a href = "/exploit/binaries/buffer_overflow/docs/cut_stack_in_half.html" > cut_stack_in_half< / a > < / li > < li > < a href = "/exploit/binaries/buffer_overflow/docs/pwntools_specifics.html" > pwntools_specifics< / a > < / li > < li > < a href = "/exploit/binaries/buffer_overflow/docs/ret_address_reuse.html" > ret_address_reuse< / a > < / li > < / ul > < / details > < li > < a href = "/exploit/binaries/buffer_overflow/ropping.html" > ropping< / a > < / li > < / ul > < / details > < details id = canary_bypass ontoggle = "l
< / ul >
< / div >
< div class = "column column-2" >
< span class = "body" >
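<style>
/* Syntax-highlighting palette for the token classes emitted under .codehilite (the class
   names and the trailing token comments look like generated Pygments output - confirm).
   The first rule was garbled into spaced-out characters in the source; it is the line
   height for <pre> blocks. This <style> sits inside the body span rather than <head>;
   browsers tolerate that, but moving it to the site stylesheet would be cleaner. */
pre { line-height: 125%; }
td.linenos .normal { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }
span.linenos { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }
td.linenos .special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }
span.linenos.special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }
.codehilite .hll { background-color: #2C3B41 }
.codehilite .c { color: #546E7A; font-style: italic } /* Comment */
.codehilite .err { color: #FF5370 } /* Error */
.codehilite .esc { color: #89DDFF } /* Escape */
.codehilite .g { color: #EEFFFF } /* Generic */
.codehilite .k { color: #BB80B3 } /* Keyword */
.codehilite .l { color: #C3E88D } /* Literal */
.codehilite .n { color: #EEFFFF } /* Name */
.codehilite .o { color: #89DDFF } /* Operator */
.codehilite .p { color: #89DDFF } /* Punctuation */
.codehilite .ch { color: #546E7A; font-style: italic } /* Comment.Hashbang */
.codehilite .cm { color: #546E7A; font-style: italic } /* Comment.Multiline */
.codehilite .cp { color: #546E7A; font-style: italic } /* Comment.Preproc */
.codehilite .cpf { color: #546E7A; font-style: italic } /* Comment.PreprocFile */
.codehilite .c1 { color: #546E7A; font-style: italic } /* Comment.Single */
.codehilite .cs { color: #546E7A; font-style: italic } /* Comment.Special */
.codehilite .gd { color: #FF5370 } /* Generic.Deleted */
.codehilite .ge { color: #89DDFF } /* Generic.Emph */
.codehilite .gr { color: #FF5370 } /* Generic.Error */
.codehilite .gh { color: #C3E88D } /* Generic.Heading */
.codehilite .gi { color: #C3E88D } /* Generic.Inserted */
.codehilite .go { color: #546E7A } /* Generic.Output */
.codehilite .gp { color: #FFCB6B } /* Generic.Prompt */
.codehilite .gs { color: #FF5370 } /* Generic.Strong */
.codehilite .gu { color: #89DDFF } /* Generic.Subheading */
.codehilite .gt { color: #FF5370 } /* Generic.Traceback */
.codehilite .kc { color: #89DDFF } /* Keyword.Constant */
.codehilite .kd { color: #BB80B3 } /* Keyword.Declaration */
.codehilite .kn { color: #89DDFF; font-style: italic } /* Keyword.Namespace */
.codehilite .kp { color: #89DDFF } /* Keyword.Pseudo */
.codehilite .kr { color: #BB80B3 } /* Keyword.Reserved */
.codehilite .kt { color: #BB80B3 } /* Keyword.Type */
.codehilite .ld { color: #C3E88D } /* Literal.Date */
.codehilite .m { color: #F78C6C } /* Literal.Number */
.codehilite .s { color: #C3E88D } /* Literal.String */
.codehilite .na { color: #BB80B3 } /* Name.Attribute */
.codehilite .nb { color: #82AAFF } /* Name.Builtin */
.codehilite .nc { color: #FFCB6B } /* Name.Class */
.codehilite .no { color: #EEFFFF } /* Name.Constant */
.codehilite .nd { color: #82AAFF } /* Name.Decorator */
.codehilite .ni { color: #89DDFF } /* Name.Entity */
.codehilite .ne { color: #FFCB6B } /* Name.Exception */
.codehilite .nf { color: #82AAFF } /* Name.Function */
.codehilite .nl { color: #82AAFF } /* Name.Label */
.codehilite .nn { color: #FFCB6B } /* Name.Namespace */
.codehilite .nx { color: #EEFFFF } /* Name.Other */
.codehilite .py { color: #FFCB6B } /* Name.Property */
.codehilite .nt { color: #FF5370 } /* Name.Tag */
.codehilite .nv { color: #89DDFF } /* Name.Variable */
.codehilite .ow { color: #89DDFF; font-style: italic } /* Operator.Word */
.codehilite .w { color: #EEFFFF } /* Text.Whitespace */
.codehilite .mb { color: #F78C6C } /* Literal.Number.Bin */
.codehilite .mf { color: #F78C6C } /* Literal.Number.Float */
.codehilite .mh { color: #F78C6C } /* Literal.Number.Hex */
.codehilite .mi { color: #F78C6C } /* Literal.Number.Integer */
.codehilite .mo { color: #F78C6C } /* Literal.Number.Oct */
.codehilite .sa { color: #BB80B3 } /* Literal.String.Affix */
.codehilite .sb { color: #C3E88D } /* Literal.String.Backtick */
.codehilite .sc { color: #C3E88D } /* Literal.String.Char */
.codehilite .dl { color: #EEFFFF } /* Literal.String.Delimiter */
.codehilite .sd { color: #546E7A; font-style: italic } /* Literal.String.Doc */
.codehilite .s2 { color: #C3E88D } /* Literal.String.Double */
.codehilite .se { color: #EEFFFF } /* Literal.String.Escape */
.codehilite .sh { color: #C3E88D } /* Literal.String.Heredoc */
.codehilite .si { color: #89DDFF } /* Literal.String.Interpol */
.codehilite .sx { color: #C3E88D } /* Literal.String.Other */
.codehilite .sr { color: #89DDFF } /* Literal.String.Regex */
.codehilite .s1 { color: #C3E88D } /* Literal.String.Single */
.codehilite .ss { color: #89DDFF } /* Literal.String.Symbol */
.codehilite .bp { color: #89DDFF } /* Name.Builtin.Pseudo */
.codehilite .fm { color: #82AAFF } /* Name.Function.Magic */
.codehilite .vc { color: #89DDFF } /* Name.Variable.Class */
.codehilite .vg { color: #89DDFF } /* Name.Variable.Global */
.codehilite .vi { color: #89DDFF } /* Name.Variable.Instance */
.codehilite .vm { color: #82AAFF } /* Name.Variable.Magic */
.codehilite .il { color: #F78C6C } /* Literal.Number.Integer.Long */
</style>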
<div class="column column-3">
  <!-- In-page table of contents: one entry per release, each anchored to the heading ids
       used in the changelog body below. -->
  <ul>
    <li>
      <a href="#changelog">Changelog</a>
      <ul>
        <li>
          <a href="#111-2020-11-06">[1.1.1] - 2020-11-06</a>
          <ul>
            <li><a href="#added">Added</a></li>
            <li><a href="#fixed">Fixed</a></li>
          </ul>
        </li>
        <li>
          <a href="#110-2020-09-30">[1.1.0] - 2020-09-30</a>
          <ul>
            <li><a href="#added_1">Added</a></li>
            <li><a href="#changed">Changed</a></li>
            <li><a href="#fixed_1">Fixed</a></li>
          </ul>
        </li>
        <li>
          <a href="#100-2020-05-26">[1.0.0] - 2020-05-26</a>
          <ul>
            <li><a href="#added_2">Added</a></li>
            <li><a href="#changed_1">Changed</a></li>
            <li><a href="#fixed_2">Fixed</a></li>
            <li><a href="#removed">Removed</a></li>
          </ul>
        </li>
        <li>
          <a href="#020-2018-08-20">[0.2.0] - 2018-08-20</a>
          <ul>
            <li><a href="#added_3">Added</a></li>
            <li><a href="#changed_2">Changed</a></li>
          </ul>
        </li>
        <li><a href="#010-2018-07-24">[0.1.0] - 2018-07-24</a></li>
      </ul>
    </li>
  </ul>
</div>
< h1 id = "changelog" > Changelog< / h1 >
< p > All notable changes to this project will be documented in this file.< / p >
< p > The format is based on < a href = "https://keepachangelog.com/en/1.0.0/" > Keep a Changelog< / a > ,
and this project adheres to < a href = "https://semver.org/spec/v2.0.0.html" > Semantic Versioning< / a > .< / p >
< h2 id = "111-2020-11-06" > [1.1.1] - 2020-11-06< / h2 >
< h3 id = "added" > Added< / h3 >
< ul >
< li >
< p > Added remote support to the following commands:< / p >
< ul >
< li > PowerShell, DotNet< / li >
< li > FirefoxPresence, FirefoxHistory< / li >
< li > ChromePresence/ChromeHistory/ChromeBookmarks< / li >
< li > InternetExplorerFavorites, IEUrls< / li >
< li > SlackDownloads, SlackPresence, SlackWorkspaces< / li >
< li > CloudCredentials, FileZilla, OutlookDownloads, RDCManFiles< / li >
< li > SuperPutty, LocalUsers, LocalGroups, PowerShellHistory< / li >
< li > Credguard, InstalledProducts, AppLocker, AuditPolicyRegistry< / li >
< li > DNSCache, PSSessionSettings, OSInfo, EnvironmentVariables, DpapiMasterKeys< / li >
< / ul >
< / li >
< li >
< p > Implemented remote event log support:< / p >
< ul >
< li > ExplicitLogonEvents, LogonEvents, PoweredOnEvents, PowerShellEvents, ProcessCreationEvents, SysmonEvents< / li >
< / ul >
< / li >
< li >
< p > Chrome* modules now converted to Chromium support:< / p >
< ul >
< li > Chrome, Edge, Brave, Opera< / li >
< / ul >
< / li >
< li >
< p > Added IBM Bluemix enumeration to CloudCredentials< / p >
< / li >
< / ul >
< h3 id = "fixed" > Fixed< / h3 >
< ul >
< li > Better error handling in various modules< / li >
< li > OS version number collection on Windows 10< / li >
< li > McAfeeSiteList null pointer exception< / li >
< li > Interpretation of uac/tokenfilter/filteradmintoken values< / li >
< li > Nullable type issues< / li >
< li > WindowsFirewall filtering< / li >
< / ul >
< h2 id = "110-2020-09-30" > [1.1.0] - 2020-09-30< / h2 >
< h3 id = "added_1" > Added< / h3 >
< ul >
< li > Added the following commands:< ul >
< li > Hotfixes - installed hotfixes (via WMI)< / li >
< li > MicrosoftUpdates - all Microsoft updates (via COM)< / li >
< li > HuntLolbas - hunt for living-off-the-land binaries (from @NotoriousRebel)< / li >
< li > PowerShellHistory - searches PowerShell console history files for sensitive regex matches (adapted from @NotoriousRebel)< / li >
< li > RDPSettings - Remote Desktop Server/Client Settings< / li >
< li > SecPackageCreds - obtains credentials from security packages (InternalMonologue for the current user)< / li >
<li>FileZilla - finds user FileZilla configuration files/passwords</li>
<li>SuperPutty - finds user SuperPutty configuration files</li>
< li > McAfeeSiteList - finds/decrypts McAfee SiteList.xml files< / li >
<li>McAfeeConfigs - finds McAfee configuration files</li>
< / ul >
< / li >
< / ul >
< h3 id = "changed" > Changed< / h3 >
< ul >
< li > Added CLR version enumeration to "DotNet" and "PowerShell" commands< / li >
< li > Updated LSASettings to detect restricted admin mode< / li >
< li > Added ZoneMapKey & Auth settings to "InternetSettings" (Francis Lacoste)< / li >
< li > Added support for ByteArrays in "WindowsVault"< / li >
< li > Redid assembly detection to (hopefully) prevent image load events< / li >
< li > Added version/description fields to processes and services< / li >
< li > Added ASR rules to "WindowsDefender" command< / li >
< / ul >
< h3 id = "fixed_1" > Fixed< / h3 >
< ul >
< li > Big fix for event log searching< / li >
< li > Fix for sensitive command line scraping< / li >
< li > Code cleanup/dead code removal< / li >
<li>Allow empty companyname in the Services command</li>
< li > Better exception handling< / li >
< li > Various fixes/expansions for the "WindowsVault" command< / li >
< li > Added disposing of output sinks< / li >
< li > Other misc. bug fixes< / li >
< / ul >
< h2 id = "100-2020-05-26" > [1.0.0] - 2020-05-26< / h2 >
< h3 id = "added_2" > Added< / h3 >
< ul >
< li > Added the following commands:< ul >
< li > NTLMSettings, SCCM, WSUS, UserRightAssignments, IdleTime, FileInfo, NamedPipes, NetworkProfile< / li >
< li > AMSIProviders, RPCMappedEndpoints, LocalUsers, CredGuard, LocalGPOs, OutlookDownloads< / li >
< li > AppLocker (thanks @_RastaMouse! https://github.com/GhostPack/Seatbelt/pull/15)< / li >
< li > InstalledProducts and Printers commands, with DACLs included for printers< / li >
< li > SearchIndex - module to search the Windows Search Indexer< / li >
< li > WMIEventFilter/WMIEventConsumer/WMIEventConsumer commands< / li >
< li > ScheduledTasks command (via WMI for win8+)< / li >
< li > AuditPolicies/AuditSettings - classic and advanced audit policy settings< / li >
< li > EnvironmentPath - %ENV:PATH% folder enumeration, along with DACLs< / li >
< li > ProcessCreation - from @djhohnstein's EventLogParser project. Expanded sensitive regexes.< / li >
< li > CredEnum - use CredEnumerate() to enumerate the credentials from the user's credential set (thanks @djhohnstein and @peewpw)< / li >
< li > SecurityPackages - uses EnumerateSecurityPackages() to enumerate available security packages< / li >
< li > WindowsDefender - exclusions for paths/extensions/processes for Windows Defender< / li >
<li>DotNet - detects .NET versions and whether AMSI is enabled/can be bypassed (similar to 'PowerShell')</li>
< li > ProcessOwners - simplified enumeration of non-session 0 processes/owners that can function remotely< / li >
< li > dir< ul >
< li > Allows recursively enumerating directories and searching for files based on a regex< / li >
< li > Lists user folders by default< / li >
< li > Usage: "dir [path] [depth] [searchRegex] [ignoreErrors? true/false]"< / li >
< li > Default: "dir C:\users\ 2 \(Documents|Downloads|Desktop) false"< ul >
< li > Shows files in users' documents/downloads/desktop folders < / li >
< / ul >
< / li >
< / ul >
< / li >
< li > reg< ul >
< li > Allows recursively listing and searching for registry values on the current machine and remotely (if remote registry is enabled).< / li >
< / ul >
< / li >
< li > Added additional defensive process checks thanks to @swarleysez, @Ne0nd0g, and @leechristensen. See https://github.com/GhostPack/Seatbelt/pull/17 and https://github.com/GhostPack/Seatbelt/pull/19.< / li >
< li > Added Xen virtual machine detections thanks to @rasta-mouse. See https://github.com/GhostPack/Seatbelt/pull/18< / li >
< / ul >
< / li >
< li > Added the following command aliases:< ul >
< li > "Remote" for common commands to run remotely< / li >
< li > "Slack" to run Slack-specific modules< / li >
< li > "Chrome" to run Chrome-specific modules< / li >
< / ul >
< / li >
< li > Added in ability to give commands arguments (to be expanded in the future). Syntax: < code > Seatbelt.exe "PoweredOnEvents 30"< / code > < / li >
< li > Added remote support for WMI/registry enumeration modules that are marked with a +< ul >
< li > Usage: computername=COMPUTER.DOMAIN.COM [username=DOMAIN\USER password=PASSWORD]< / li >
< / ul >
< / li >
< li > Added the "-q" command-line flag to not print the logo< / li >
<li>Added ability to output to a file with the "-o &lt;file&gt;" parameter<ul>
< li > Providing a file that ends in .json produces JSON-structured output!< / li >
< / ul >
< / li >
< li > Added in the architecture for different output sinks. Still need to convert a lot of cmdlets to the new format.< / li >
< li > Added a module template.< / li >
< li > Added CHANGELOG.md.< / li >
< / ul >
< h3 id = "changed_1" > Changed< / h3 >
< ul >
< li > Externalized all commands into their own class/file< / li >
< li > Cleaned up some of the registry querying code< / li >
< li > Commands can now be case-insensitive< / li >
< li > Seatbelt's help message is now dynamically created< / li >
< li > Renamed RebootSchedule to PoweredOnEvents< ul >
< li > Now enumerates events for system startup/shutdown, unexpected shutdown, and sleeping/awaking.< / li >
< / ul >
< / li >
< li > Modified the output of the Logon and ExplicitLogon event commands to be easier to read/analyze< / li >
< li > LogonEvents, ExplicitLogonEvents, and PoweredOnEvents take an argument of how many days back to collect logs for. Example: Seatbelt.exe "LogonEvents 50"< / li >
<li>Added timezone, locale information, MachineGuid, Build number and UBR (if present) to OSInfo command</li>
< li > Refactored registry enumeration code< / li >
< li > Putty command now lists if agent forwarding is enabled< / li >
< li > Renamed BasicOSInfo to OSInfo< / li >
< li > Simplified IsLocalAdmin code< / li >
< li > Added the member type to localgroupmembership output< / li >
< li > Simplified the RDPSavedConnections code< / li >
< li > Formatted the output of RDPSavedConnections to be prettier< / li >
< li > Formatted the output of RecentFiles to be prettier< / li >
< li > Modified logonevents default so that it only outputs the past day on servers< / li >
< li > Re-wrote the PowerShell command. Added AMSI information and hints for bypassing.< / li >
< li > Add NTLM/Kerberos informational alerts to the LogonEvents command< / li >
< li > Changed the output format of DpapiMasterKeys< / li >
< li > Re-wrote the Registry helper code< / li >
< li > Refactored the helper code< / li >
<li>Incorporated <a href="https://github.com/mark-s">@mark-s's</a> code to speed up the interestingfiles command. See <a href="https://github.com/GhostPack/Seatbelt/pull/16">#16</a></li>
< li > Added SDDL to the "fileinfo" command< / li >
< li > Added MRUs for all office applications to the RecentFiles command< / li >
<li>RecentFiles now has a parameter that restricts how old the documents are. "RecentFiles 20" - Shows files accessed in the last 20 days.</li>
< li > Renamed RegistryValue command to "reg"< / li >
< li > Search terms in the "reg" command now match keys, value names, and values.< / li >
< li > Updated the "reg" commands arguments.< ul >
<li>Usage: "reg &lt;HIVE[\PATH\TO\KEY]&gt; [depth] [searchTerm] [ignoreErrors]"</li>
< li > Defaults: "reg HKLM\Software 1 default true"< / li >
< / ul >
< / li >
< li > Added generic GetSecurityInfos command into SecurityUtil< / li >
< li > Formatting tweak for DPAPIMasterkeys< / li >
< li > WindowsVaults output filtering< / li >
< li > Renamed RecentFiles to ExplorerMRUs, broke out functionality for ExplorerMRUs and OfficeMRUs< / li >
< li > Broke IETriage command into IEUrls and IEFavorites< / li >
< li > Changed FirefoxCommand to FirefoxHistory< / li >
< li > Changed ChromePresence and FirefoxPresence to display last modified timestamps for the history/cred/etc. files< / li >
< li > Split ChromeCommand into ChromeHistoryCommand and ChromeBookmarksCommand< / li >
< li > Broke PuttyCommand into PuttyHostKeys and PuttySessions< / li >
< li > Added SDDL field to InterestingFiles command< / li >
< li > Modified IdleTime to display the current user and time in h:m:s:ms format< / li >
< li > Moved Firewall enumeration to the registry (instead of the COM object). Thanks @Max_68!< / li >
< li > Changed TokenGroups output formatting< / li >
< li > Renamed localgroupmemberships to localgroups< / li >
< li > Changed network firewall enumeration to display "non-builtin" rules instead of deny. Added basic filtering.< / li >
< li > Added IsDotNet property to the FileInfo command< / li >
< li > Renamed "NonstandardProcesses" and "NonstandardServices" to "Processes" and "Services", respectively< / li >
< li > LocalGroups now enumerates all (by default non-empty) local groups and memberships, along with comments< / li >
< li > Added a "modules" argument to the "Processes" command to display non-Microsoft loaded processes< / li >
< li > Notify operator when LSA Protected Mode is enabled (RunAsPPL)< / li >
< li > Updated the EnvironmentVariables command to distinguish between user/system/current process/volatile variables< / li >
<li>Added a user filter to ExplicitLogonEvents. Usage: <code>ExplicitLogonEvents &lt;days&gt; &lt;targetUserRegex&gt;</code></li>
< li > Added version check for Chrome (v80+)< / li >
< li > Added analysis messages for the logonevents command< / li >
< li > Rewrote and expanded README.md< / li >
< / ul >
< h3 id = "fixed_2" > Fixed< / h3 >
< ul >
< li > Some timestamp converting code in the ticket extraction section< / li >
< li > Fixed Chrome bookmark command (threw an exception with folders)< / li >
< li > Fixed reboot schedule (xpath query wasn't precise enough, leading to exceptions)< / li >
< li > Fixed an exception that was being thrown in the CloudCredential command< / li >
< li > NonstandardServices command< ul >
< li > Fixed a bug that occurred during enumeration< / li >
< li > Added ServiceDll and User fields< / li >
< li > Partially fixed path parsing in NonstandardServices with some help from OJ (@TheColonial)! See https://github.com/GhostPack/Seatbelt/pull/14< / li >
< li > Cleaned up the code< / li >
< / ul >
< / li >
< li > Fixed a bug in localgroupmembership< / li >
< li > Check if it's a Server before running the AntiVirus check (the WMI class isn't on servers)< / li >
< li > Fixed a bug in WindowsCredentialFiles so it wouldn't output null bytes< / li >
< li > Fixed a null reference bug in the PowerShell command< / li >
< li > Fixed the OS version comparisons in WindowsVault command< / li >
< li > Fixed a DWORD parsing bug in the registry util class for big (i.e. negative int) values< / li >
< li > ARPTable bug fix/error handling< / li >
< li > Fixed PuttySession HKCU v. HKU bug< / li >
< li > Fixed a terminating exception bug in the Processes command when obtaining file version info< / li >
<li>More additional bug fixes than we can count &gt;_&lt;</li>
< / ul >
< h3 id = "removed" > Removed< / h3 >
< ul >
< li > Removed the UserFolder command (replaced by DirectoryList command)< / li >
< / ul >
< h2 id = "020-2018-08-20" > [0.2.0] - 2018-08-20< / h2 >
< h3 id = "added_3" > Added< / h3 >
< ul >
< li > @djhohnstein's vault enumeration< / li >
< / ul >
< h3 id = "changed_2" > Changed< / h3 >
< ul >
< li > @ClementNotin/@cnotin's various fixes< / li >
< / ul >
< h2 id = "010-2018-07-24" > [0.1.0] - 2018-07-24< / h2 >
< ul >
< li > Initial release< / li >
< / ul >
< / span >
< / div >
< / div >
<div id="footer">
  <!-- Page footer. The empty paragraph is the original spacing element and <center> is
       deprecated markup; both are kept as-is so the stylesheet's expectations are not changed. -->
  <p></p>
  <center>
    © Stefan Friese
  </center>
</div>
< script >
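/**
 * Persist the expanded/collapsed state of a sidebar <details> element in sessionStorage,
 * keyed by the element's id, so the sidebar keeps its shape across page loads.
 *
 * Called from the inline ontoggle="linkClick(this); return false;" attributes on the sidebar
 * <details> elements; the restore loop later in this script reads the keys back.
 *
 * @param {HTMLDetailsElement} obj - the element whose toggle event fired.
 *
 * NOTE(review): inline on* handlers force 'unsafe-inline' into any Content-Security-Policy;
 * binding a "toggle" listener to each details element from this script would allow a strict CSP.
 * NOTE(review): the sidebar reuses ids (e.g. id=docs appears more than once), so two elements can
 * share one storage key and only the first is found on restore.
 */
function linkClick(obj) {
  // The original removed a stale non-"open" value before writing "open" and logged the id;
  // setItem overwrites unconditionally, so the extra branch and the debug log are gone.
  if (obj.open) {
    sessionStorage.setItem(obj.id, "open");
  } else {
    sessionStorage.removeItem(obj.id);
  }
}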
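// Restore the sidebar state saved by linkClick(): each sessionStorage key whose value is
// "open" names a <details> element that should start expanded on this page.
// sessionStorage is shared by every page on this origin, so keys written by other scripts,
// or ids that do not exist on this page, must be skipped: document.getElementById returns
// null for them, and the original loop threw on the first miss and left the rest unrestored.
let _keys = Object.keys(sessionStorage);
for (const key of _keys) {
  if (sessionStorage.getItem(key) !== "open") {
    continue;
  }
  const details = document.getElementById(key);
  // Only real <details> elements have an open state; setting it also fires the toggle
  // event, which re-enters linkClick and rewrites the same "open" value.
  if (details instanceof HTMLDetailsElement) {
    details.open = true;
  }
}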
< / script >
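<!-- MathJax 2 reads text/x-mathjax-config blocks at the moment MathJax.js executes. The loader
     is marked async, so it could run before a config block placed after it has been parsed and
     the inline configuration would be silently ignored; the config therefore comes first. -->
<script type="text/x-mathjax-config">
MathJax.Hub.Config({
  config: ["MMLorHTML.js"],
  jax: ["input/TeX", "output/HTML-CSS", "output/NativeMML"],
  extensions: ["MathMenu.js", "MathZoom.js"]
});
</script>
<!-- Third-party script loaded without Subresource Integrity: add
     integrity="sha384-<HASH_PLACEHOLDER>" computed from this exact file. The 2.x line of MathJax
     is the legacy branch; confirm this release is still the intended one. -->
<script async src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/MathJax.js?config=TeX-AMS-MML_HTMLorMML" crossorigin="anonymous"></script>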
< / body >
< / html >