
<!doctype html>
<html lang="en">
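<head>
<!-- Declared first so the encoding prescan finds it inside the first 1024 bytes. -->
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>The Real Hugo</title>
<link rel="stylesheet" href="/static/stylesheet.css">
<link rel="stylesheet" href="/static/auto-complete.css">
<!-- Supply-chain note: both CDN scripts are fetched without Subresource Integrity, and the
     fuse.js URL is unpinned, so the page executes whatever the CDN serves as "latest".
     Pin a release and add integrity="<hash of that exact file>" crossorigin="anonymous",
     or serve the two files from /static/js/ like the others. -->
<script src="https://cdn.jsdelivr.net/npm/fuse.js/dist/fuse.js"></script>
<script src="https://code.jquery.com/jquery-3.5.1.min.js"></script>
<!-- Kept synchronous: the original page ran these before the search markup, and the
     binding order inside auto-complete.js / search.js has not been checked for defer. -->
<script src="/static/js/auto-complete.js"></script>
<script src="/static/js/lunr.min.js"></script>
<script src="/static/js/search.js"></script>
</head>
<body>
<!-- Replaces the deprecated <center> that previously wrapped both <head> and <body>
     (the parser moved every head element into the body). The inline rule keeps the
     original centred layout until it is moved into /static/stylesheet.css. -->
<header style="text-align:center">
<nav class="menu" aria-label="Primary">
<a href="/" style="text-decoration:none">Husk</a>
</nav>
<div class="search-container" role="search">
<!-- The "fas" icon classes assume /static/stylesheet.css bundles Font Awesome; no
     separate icon stylesheet is linked above, so confirm before relying on the icons. -->
<label for="search-by"><i class="fas fa-search" aria-hidden="true"></i></label>
<!-- aria-label supplies the accessible name because the visible label is an icon only. -->
<input data-search-input="" id="search-by" type="search" placeholder="Search..." autocomplete="off" aria-label="Search">
<!-- A <span> is not keyboard-reachable; make this <button type="button"> once the
     stylesheet styles it (the data-search-clear hook can stay on the button). -->
<span data-search-clear=""><i class="fas fa-times" aria-hidden="true"></i></span>
</div>
<div class="menu">
</div>
</header>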
<p></p>
<div class="columns">
<div class="column column-2">
<span class="body">
<style>
/* Syntax-highlighting palette for Pygments-style .codehilite blocks. Every selector below
   keys on a Pygments token class (the token names are listed above each group, as the
   original one-rule-per-line sheet gave them in trailing comments). Rules with identical
   declarations are merged; the cascade is unchanged for the single-class token spans the
   highlighter emits. td.linenos / span.linenos presumably style a line-number column —
   only the names suggest that. */
pre { line-height: 125%; }
td.linenos .normal, span.linenos { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }
td.linenos .special, span.linenos.special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }
/* highlighted line */
.codehilite .hll { background-color: #2C3B41 }
/* Comment, Comment.Hashbang, Comment.Multiline, Comment.Preproc, Comment.PreprocFile,
   Comment.Single, Comment.Special, Literal.String.Doc */
.codehilite .c, .codehilite .ch, .codehilite .cm, .codehilite .cp, .codehilite .cpf,
.codehilite .c1, .codehilite .cs, .codehilite .sd { color: #546E7A; font-style: italic }
/* Error, Generic.Deleted, Generic.Error, Generic.Strong, Generic.Traceback, Name.Tag */
.codehilite .err, .codehilite .gd, .codehilite .gr, .codehilite .gs, .codehilite .gt,
.codehilite .nt { color: #FF5370 }
/* Escape, Operator, Punctuation, Generic.Emph, Generic.Subheading, Keyword.Constant,
   Keyword.Pseudo, Name.Entity, Name.Variable, Literal.String.Interpol, Literal.String.Regex,
   Literal.String.Symbol, Name.Builtin.Pseudo, Name.Variable.Class, Name.Variable.Global,
   Name.Variable.Instance */
.codehilite .esc, .codehilite .o, .codehilite .p, .codehilite .ge, .codehilite .gu,
.codehilite .kc, .codehilite .kp, .codehilite .ni, .codehilite .nv, .codehilite .si,
.codehilite .sr, .codehilite .ss, .codehilite .bp, .codehilite .vc, .codehilite .vg,
.codehilite .vi { color: #89DDFF }
/* Generic, Name, Name.Constant, Name.Other, Text.Whitespace, Literal.String.Delimiter,
   Literal.String.Escape */
.codehilite .g, .codehilite .n, .codehilite .no, .codehilite .nx, .codehilite .w,
.codehilite .dl, .codehilite .se { color: #EEFFFF }
/* Keyword, Keyword.Declaration, Keyword.Reserved, Keyword.Type, Name.Attribute,
   Literal.String.Affix */
.codehilite .k, .codehilite .kd, .codehilite .kr, .codehilite .kt, .codehilite .na,
.codehilite .sa { color: #BB80B3 }
/* Literal, Generic.Heading, Generic.Inserted, Literal.Date, Literal.String,
   Literal.String.Backtick, Literal.String.Char, Literal.String.Double,
   Literal.String.Heredoc, Literal.String.Other, Literal.String.Single */
.codehilite .l, .codehilite .gh, .codehilite .gi, .codehilite .ld, .codehilite .s,
.codehilite .sb, .codehilite .sc, .codehilite .s2, .codehilite .sh, .codehilite .sx,
.codehilite .s1 { color: #C3E88D }
/* Generic.Output */
.codehilite .go { color: #546E7A }
/* Generic.Prompt, Name.Class, Name.Exception, Name.Namespace, Name.Property */
.codehilite .gp, .codehilite .nc, .codehilite .ne, .codehilite .nn,
.codehilite .py { color: #FFCB6B }
/* Keyword.Namespace, Operator.Word */
.codehilite .kn, .codehilite .ow { color: #89DDFF; font-style: italic }
/* Literal.Number, Literal.Number.Bin, Literal.Number.Float, Literal.Number.Hex,
   Literal.Number.Integer, Literal.Number.Oct, Literal.Number.Integer.Long */
.codehilite .m, .codehilite .mb, .codehilite .mf, .codehilite .mh, .codehilite .mi,
.codehilite .mo, .codehilite .il { color: #F78C6C }
/* Name.Builtin, Name.Decorator, Name.Function, Name.Label, Name.Function.Magic,
   Name.Variable.Magic */
.codehilite .nb, .codehilite .nd, .codehilite .nf, .codehilite .nl, .codehilite .fm,
.codehilite .vm { color: #82AAFF }
</style>
<h1 id="seatbelt">Seatbelt</h1>
<hr />
<p>Seatbelt is a C# project that performs a number of security-oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.</p>
<p><a href="https://twitter.com/andrewchiles">@andrewchiles</a>' <a href="https://github.com/threatexpress/red-team-scripts/blob/master/HostEnum.ps1">HostEnum.ps1</a> script and <a href="https://twitter.com/tifkin_">@tifkin_</a>'s <a href="https://github.com/leechristensen/Random/blob/master/PowerShellScripts/Get-HostProfile.ps1">Get-HostProfile.ps1</a> provided inspiration for many of the artifacts to collect.</p>
<p><a href="https://twitter.com/harmj0y">@harmj0y</a> and <a href="https://twitter.com/tifkin_">@tifkin_</a> are the primary authors of this implementation.</p>
<p>Seatbelt is licensed under the BSD 3-Clause license.</p>
<h2 id="table-of-contents">Table of Contents</h2>
<ul>
<li><a href="#seatbelt">Seatbelt</a></li>
<li><a href="#table-of-contents">Table of Contents</a></li>
<li><a href="#command-line-usage">Command Line Usage</a></li>
<li><a href="#command-groups">Command Groups</a><ul>
<li><a href="#system">system</a></li>
<li><a href="#user">user</a></li>
<li><a href="#misc">misc</a></li>
<li><a href="#additional-command-groups">Additional Command Groups</a></li>
</ul>
</li>
<li><a href="#command-arguments">Command Arguments</a></li>
<li><a href="#output">Output</a></li>
<li><a href="#remote-enumeration">Remote Enumeration</a></li>
<li><a href="#building-your-own-modules">Building Your Own Modules</a></li>
<li><a href="#compile-instructions">Compile Instructions</a></li>
<li><a href="#acknowledgments">Acknowledgments</a></li>
</ul>
<h2 id="command-line-usage">Command Line Usage</h2>
<div class="codehilite"><pre><span></span><code><span class="w"> </span><span class="o">%&amp;&amp;</span><span class="err">@@@</span><span class="o">&amp;&amp;</span><span class="w"> </span>
<span class="w"> </span><span class="o">&amp;&amp;&amp;&amp;&amp;&amp;&amp;%%%</span><span class="p">,</span><span class="w"> </span><span class="c1">#&amp;&amp;@@@@@@%%%%%%###############% </span><span class="w"></span>
<span class="w"> </span><span class="o">&amp;%&amp;</span><span class="w"> </span><span class="o">%&amp;%%</span><span class="w"> </span><span class="o">&amp;////</span><span class="p">(((</span><span class="o">&amp;%%%%%</span><span class="c1">#%################//((((###%%%%%%%%%%%%%%%</span><span class="w"></span>
<span class="o">%%%%%%%%%%%</span><span class="c1">######%%%#%%####% &amp;%%**# @////(((&amp;%%%%%%######################(((((((((((((((((((</span><span class="w"></span>
<span class="c1">#%#%%%%%%%#######%#%%####### %&amp;%,,,,,,,,,,,,,,,, @////(((&amp;%%%%%#%#####################(((((((((((((((((((</span><span class="w"></span>
<span class="c1">#%#%%%%%%#####%%#%#%%####### %%%,,,,,, ,,. ,, @////(((&amp;%%%%%%%######################(#(((#(#((((((((((</span><span class="w"></span>
<span class="c1">#####%%%#################### &amp;%%...... ... .. @////(((&amp;%%%%%%%###############%######((#(#(####((((((((</span><span class="w"></span>
<span class="c1">#######%##########%######### %%%...... ... .. @////(((&amp;%%%%%#########################(#(#######((#####</span><span class="w"></span>
<span class="c1">###%##%%#################### &amp;%%............... @////(((&amp;%%%%%%%%##############%#######(#########((#####</span><span class="w"></span>
<span class="c1">#####%###################### %%%.. @////(((&amp;%%%%%%%################ </span><span class="w"></span>
<span class="w"> </span><span class="o">&amp;%&amp;</span><span class="w"> </span><span class="o">%%%%%</span><span class="w"> </span><span class="n">Seatbelt</span><span class="w"> </span><span class="o">%////</span><span class="p">(((</span><span class="o">&amp;%%%%%%%%</span><span class="c1">#############* </span><span class="w"></span>
<span class="w"> </span><span class="o">&amp;%%&amp;&amp;&amp;%%%%%</span><span class="w"> </span><span class="n">v1</span><span class="o">.</span><span class="mf">1.1</span><span class="w"> </span><span class="p">,(((</span><span class="o">&amp;%%%%%%%%%%%%%%%%%</span><span class="p">,</span><span class="w"> </span>
<span class="w"> </span><span class="c1">#%%%%##, </span><span class="w"></span>
<span class="n">Available</span><span class="w"> </span><span class="n">commands</span><span class="w"> </span><span class="p">(</span><span class="o">+</span><span class="w"> </span><span class="n">means</span><span class="w"> </span><span class="k">remote</span><span class="w"> </span><span class="n">usage</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">supported</span><span class="p">):</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">AMSIProviders</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Providers</span><span class="w"> </span><span class="n">registered</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">AMSI</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">AntiVirus</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Registered</span><span class="w"> </span><span class="n">antivirus</span><span class="w"> </span><span class="p">(</span><span class="n">via</span><span class="w"> </span><span class="n">WMI</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">AppLocker</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">AppLocker</span><span class="w"> </span><span class="n">settings</span><span class="p">,</span><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="n">installed</span><span class="w"></span>
<span class="w"> </span><span class="n">ARPTable</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Lists</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">current</span><span class="w"> </span><span class="n">ARP</span><span class="w"> </span><span class="n">table</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">adapter</span><span class="w"> </span><span class="n">information</span><span class="w"> </span><span class="p">(</span><span class="n">equivalent</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">arp</span><span class="w"> </span><span class="o">-</span><span class="n">a</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="n">AuditPolicies</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Enumerates</span><span class="w"> </span><span class="n">classic</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">advanced</span><span class="w"> </span><span class="n">audit</span><span class="w"> </span><span class="n">policy</span><span class="w"> </span><span class="n">settings</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">AuditPolicyRegistry</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Audit</span><span class="w"> </span><span class="n">settings</span><span class="w"> </span><span class="n">via</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">registry</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">AutoRuns</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Auto</span><span class="w"> </span><span class="n">run</span><span class="w"> </span><span class="n">executables</span><span class="o">/</span><span class="n">scripts</span><span class="o">/</span><span class="n">programs</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">ChromiumBookmarks</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Parses</span><span class="w"> </span><span class="n">any</span><span class="w"> </span><span class="n">found</span><span class="w"> </span><span class="n">Chrome</span><span class="o">/</span><span class="n">Edge</span><span class="o">/</span><span class="n">Brave</span><span class="o">/</span><span class="n">Opera</span><span class="w"> </span><span class="n">bookmark</span><span class="w"> </span><span class="n">files</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">ChromiumHistory</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Parses</span><span class="w"> </span><span class="n">any</span><span class="w"> </span><span class="n">found</span><span class="w"> </span><span class="n">Chrome</span><span class="o">/</span><span class="n">Edge</span><span class="o">/</span><span class="n">Brave</span><span class="o">/</span><span class="n">Opera</span><span class="w"> </span><span class="n">history</span><span class="w"> </span><span class="n">files</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">ChromiumPresence</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Checks</span><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="n">interesting</span><span class="w"> </span><span class="n">Chrome</span><span class="o">/</span><span class="n">Edge</span><span class="o">/</span><span class="n">Brave</span><span class="o">/</span><span class="n">Opera</span><span class="w"> </span><span class="n">files</span><span class="w"> </span><span class="n">exist</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">CloudCredentials</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">AWS</span><span class="o">/</span><span class="n">Google</span><span class="o">/</span><span class="n">Azure</span><span class="o">/</span><span class="n">Bluemix</span><span class="w"> </span><span class="n">cloud</span><span class="w"> </span><span class="n">credential</span><span class="w"> </span><span class="n">files</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">CloudSyncProviders</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">All</span><span class="w"> </span><span class="n">configured</span><span class="w"> </span><span class="n">Office</span><span class="w"> </span><span class="mi">365</span><span class="w"> </span><span class="n">endpoints</span><span class="w"> </span><span class="p">(</span><span class="n">tenants</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">teamsites</span><span class="p">)</span><span class="w"> </span><span class="n">which</span><span class="w"> </span><span class="n">are</span><span class="w"> </span><span class="n">synchronised</span><span class="w"> </span><span class="n">by</span><span class="w"> </span><span class="n">OneDrive</span><span class="o">.</span><span class="w"></span>
<span class="w"> </span><span class="n">CredEnum</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Enumerates</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">current</span><span class="w"> </span><span class="n">user</span><span class="s1">&#39;s saved credentials using CredEnumerate()</span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">CredGuard</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">CredentialGuard</span><span class="w"> </span><span class="n">configuration</span><span class="w"></span>
<span class="w"> </span><span class="n">dir</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Lists</span><span class="w"> </span><span class="n">files</span><span class="o">/</span><span class="n">folders</span><span class="o">.</span><span class="w"> </span><span class="n">By</span><span class="w"> </span><span class="n">default</span><span class="p">,</span><span class="w"> </span><span class="n">lists</span><span class="w"> </span><span class="n">users</span><span class="s1">&#39; downloads, documents, and desktop folders (arguments == [directory] [depth] [regex] [boolIgnoreErrors])</span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">DNSCache</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">DNS</span><span class="w"> </span><span class="n">cache</span><span class="w"> </span><span class="n">entries</span><span class="w"> </span><span class="p">(</span><span class="n">via</span><span class="w"> </span><span class="n">WMI</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">DotNet</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">DotNet</span><span class="w"> </span><span class="n">versions</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">DpapiMasterKeys</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">List</span><span class="w"> </span><span class="n">DPAPI</span><span class="w"> </span><span class="k">master</span><span class="w"> </span><span class="n">keys</span><span class="w"></span>
<span class="w"> </span><span class="n">EnvironmentPath</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Current</span><span class="w"> </span><span class="n">environment</span><span class="w"> </span><span class="o">%</span><span class="n">PATH</span><span class="o">%</span><span class="w"> </span><span class="n">folders</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">SDDL</span><span class="w"> </span><span class="n">information</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">EnvironmentVariables</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Current</span><span class="w"> </span><span class="n">environment</span><span class="w"> </span><span class="n">variables</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">ExplicitLogonEvents</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Explicit</span><span class="w"> </span><span class="n">Logon</span><span class="w"> </span><span class="n">events</span><span class="w"> </span><span class="p">(</span><span class="n">Event</span><span class="w"> </span><span class="n">ID</span><span class="w"> </span><span class="mi">4648</span><span class="p">)</span><span class="w"> </span><span class="n">from</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">security</span><span class="w"> </span><span class="n">event</span><span class="w"> </span><span class="nb">log</span><span class="o">.</span><span class="w"> </span><span class="n">Default</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="mi">7</span><span class="w"> </span><span class="n">days</span><span class="p">,</span><span class="w"> </span><span class="n">argument</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">last</span><span class="w"> </span><span class="n">X</span><span class="w"> </span><span class="n">days</span><span class="o">.</span><span class="w"></span>
<span class="w"> </span><span class="n">ExplorerMRUs</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Explorer</span><span class="w"> </span><span class="n">most</span><span class="w"> </span><span class="n">recently</span><span class="w"> </span><span class="n">used</span><span class="w"> </span><span class="n">files</span><span class="w"> </span><span class="p">(</span><span class="n">last</span><span class="w"> </span><span class="mi">7</span><span class="w"> </span><span class="n">days</span><span class="p">,</span><span class="w"> </span><span class="n">argument</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">last</span><span class="w"> </span><span class="n">X</span><span class="w"> </span><span class="n">days</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">ExplorerRunCommands</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Recent</span><span class="w"> </span><span class="n">Explorer</span><span class="w"> </span><span class="s2">&quot;run&quot;</span><span class="w"> </span><span class="n">commands</span><span class="w"></span>
<span class="w"> </span><span class="n">FileInfo</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Information</span><span class="w"> </span><span class="n">about</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">file</span><span class="w"> </span><span class="p">(</span><span class="n">version</span><span class="w"> </span><span class="n">information</span><span class="p">,</span><span class="w"> </span><span class="n">timestamps</span><span class="p">,</span><span class="w"> </span><span class="n">basic</span><span class="w"> </span><span class="n">PE</span><span class="w"> </span><span class="n">info</span><span class="p">,</span><span class="w"> </span><span class="n">etc</span><span class="o">.</span><span class="w"> </span><span class="n">argument</span><span class="p">(</span><span class="n">s</span><span class="p">)</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">file</span><span class="w"> </span><span class="n">path</span><span class="p">(</span><span class="n">s</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">FileZilla</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">FileZilla</span><span class="w"> </span><span class="n">configuration</span><span class="w"> </span><span class="n">files</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">FirefoxHistory</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Parses</span><span class="w"> </span><span class="n">any</span><span class="w"> </span><span class="n">found</span><span class="w"> </span><span class="n">FireFox</span><span class="w"> </span><span class="n">history</span><span class="w"> </span><span class="n">files</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">FirefoxPresence</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Checks</span><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="n">interesting</span><span class="w"> </span><span class="n">Firefox</span><span class="w"> </span><span class="n">files</span><span class="w"> </span><span class="n">exist</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">Hotfixes</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Installed</span><span class="w"> </span><span class="n">hotfixes</span><span class="w"> </span><span class="p">(</span><span class="n">via</span><span class="w"> </span><span class="n">WMI</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="n">IdleTime</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Returns</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">number</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="n">seconds</span><span class="w"> </span><span class="n">since</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">current</span><span class="w"> </span><span class="n">user</span><span class="s1">&#39;s last input.</span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">IEFavorites</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Internet</span><span class="w"> </span><span class="n">Explorer</span><span class="w"> </span><span class="n">favorites</span><span class="w"></span>
<span class="w"> </span><span class="n">IETabs</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Open</span><span class="w"> </span><span class="n">Internet</span><span class="w"> </span><span class="n">Explorer</span><span class="w"> </span><span class="n">tabs</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">IEUrls</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Internet</span><span class="w"> </span><span class="n">Explorer</span><span class="w"> </span><span class="n">typed</span><span class="w"> </span><span class="n">URLs</span><span class="w"> </span><span class="p">(</span><span class="n">last</span><span class="w"> </span><span class="mi">7</span><span class="w"> </span><span class="n">days</span><span class="p">,</span><span class="w"> </span><span class="n">argument</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">last</span><span class="w"> </span><span class="n">X</span><span class="w"> </span><span class="n">days</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">InstalledProducts</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Installed</span><span class="w"> </span><span class="n">products</span><span class="w"> </span><span class="n">via</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">registry</span><span class="w"></span>
<span class="w"> </span><span class="n">InterestingFiles</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="s2">&quot;Interesting&quot;</span><span class="w"> </span><span class="n">files</span><span class="w"> </span><span class="n">matching</span><span class="w"> </span><span class="n">various</span><span class="w"> </span><span class="n">patterns</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">user</span><span class="s1">&#39;s folder. Note: takes non-trivial time.</span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">InterestingProcesses</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="s2">&quot;Interesting&quot;</span><span class="w"> </span><span class="n">processes</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">defensive</span><span class="w"> </span><span class="n">products</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">admin</span><span class="w"> </span><span class="n">tools</span><span class="w"></span>
<span class="w"> </span><span class="n">InternetSettings</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Internet</span><span class="w"> </span><span class="n">settings</span><span class="w"> </span><span class="n">including</span><span class="w"> </span><span class="n">proxy</span><span class="w"> </span><span class="n">configs</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">zones</span><span class="w"> </span><span class="n">configuration</span><span class="w"></span>
<span class="w"> </span><span class="n">KeePass</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Finds</span><span class="w"> </span><span class="n">KeePass</span><span class="w"> </span><span class="n">configuration</span><span class="w"> </span><span class="n">files</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">LAPS</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">LAPS</span><span class="w"> </span><span class="n">settings</span><span class="p">,</span><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="n">installed</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">LastShutdown</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Returns</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">DateTime</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">last</span><span class="w"> </span><span class="n">system</span><span class="w"> </span><span class="n">shutdown</span><span class="w"> </span><span class="p">(</span><span class="n">via</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">registry</span><span class="p">)</span><span class="o">.</span><span class="w"></span>
<span class="w"> </span><span class="n">LocalGPOs</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Local</span><span class="w"> </span><span class="n">Group</span><span class="w"> </span><span class="n">Policy</span><span class="w"> </span><span class="n">settings</span><span class="w"> </span><span class="n">applied</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">machine</span><span class="o">/</span><span class="n">local</span><span class="w"> </span><span class="n">users</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">LocalGroups</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Non</span><span class="o">-</span><span class="n">empty</span><span class="w"> </span><span class="n">local</span><span class="w"> </span><span class="n">groups</span><span class="p">,</span><span class="w"> </span><span class="s2">&quot;-full&quot;</span><span class="w"> </span><span class="n">displays</span><span class="w"> </span><span class="n">all</span><span class="w"> </span><span class="n">groups</span><span class="w"> </span><span class="p">(</span><span class="n">argument</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">computername</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">enumerate</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">LocalUsers</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Local</span><span class="w"> </span><span class="n">users</span><span class="p">,</span><span class="w"> </span><span class="n">whether</span><span class="w"> </span><span class="n">they</span><span class="s1">&#39;re active/disabled, and pwd last set (argument == computername to enumerate)</span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">LogonEvents</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Logon</span><span class="w"> </span><span class="n">events</span><span class="w"> </span><span class="p">(</span><span class="n">Event</span><span class="w"> </span><span class="n">ID</span><span class="w"> </span><span class="mi">4624</span><span class="p">)</span><span class="w"> </span><span class="n">from</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">security</span><span class="w"> </span><span class="n">event</span><span class="w"> </span><span class="nb">log</span><span class="o">.</span><span class="w"> </span><span class="n">Default</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="mi">10</span><span class="w"> </span><span class="n">days</span><span class="p">,</span><span class="w"> </span><span class="n">argument</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">last</span><span class="w"> </span><span class="n">X</span><span class="w"> </span><span class="n">days</span><span class="o">.</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">LogonSessions</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Windows</span><span class="w"> </span><span class="n">logon</span><span class="w"> </span><span class="n">sessions</span><span class="w"></span>
<span class="w"> </span><span class="n">LOLBAS</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Locates</span><span class="w"> </span><span class="n">Living</span><span class="w"> </span><span class="n">Off</span><span class="w"> </span><span class="n">The</span><span class="w"> </span><span class="n">Land</span><span class="w"> </span><span class="n">Binaries</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">Scripts</span><span class="w"> </span><span class="p">(</span><span class="n">LOLBAS</span><span class="p">)</span><span class="w"> </span><span class="n">on</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">system</span><span class="o">.</span><span class="w"> </span><span class="n">Note</span><span class="p">:</span><span class="w"> </span><span class="n">takes</span><span class="w"> </span><span class="n">non</span><span class="o">-</span><span class="n">trivial</span><span class="w"> </span><span class="n">time</span><span class="o">.</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">LSASettings</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">LSA</span><span class="w"> </span><span class="n">settings</span><span class="w"> </span><span class="p">(</span><span class="n">including</span><span class="w"> </span><span class="n">auth</span><span class="w"> </span><span class="n">packages</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">MappedDrives</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Users</span><span class="s1">&#39; mapped drives (via WMI)</span>
<span class="w"> </span><span class="n">McAfeeConfigs</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Finds</span><span class="w"> </span><span class="n">McAfee</span><span class="w"> </span><span class="n">configuration</span><span class="w"> </span><span class="n">files</span><span class="w"></span>
<span class="w"> </span><span class="n">McAfeeSiteList</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Decrypt</span><span class="w"> </span><span class="n">any</span><span class="w"> </span><span class="n">found</span><span class="w"> </span><span class="n">McAfee</span><span class="w"> </span><span class="n">SiteList</span><span class="o">.</span><span class="n">xml</span><span class="w"> </span><span class="n">configuration</span><span class="w"> </span><span class="n">files</span><span class="o">.</span><span class="w"></span>
<span class="w"> </span><span class="n">MicrosoftUpdates</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">All</span><span class="w"> </span><span class="n">Microsoft</span><span class="w"> </span><span class="n">updates</span><span class="w"> </span><span class="p">(</span><span class="n">via</span><span class="w"> </span><span class="n">COM</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="n">NamedPipes</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Named</span><span class="w"> </span><span class="n">pipe</span><span class="w"> </span><span class="n">names</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">any</span><span class="w"> </span><span class="n">readable</span><span class="w"> </span><span class="n">ACL</span><span class="w"> </span><span class="n">information</span><span class="o">.</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">NetworkProfiles</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Windows</span><span class="w"> </span><span class="n">network</span><span class="w"> </span><span class="n">profiles</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">NetworkShares</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Network</span><span class="w"> </span><span class="n">shares</span><span class="w"> </span><span class="n">exposed</span><span class="w"> </span><span class="n">by</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">machine</span><span class="w"> </span><span class="p">(</span><span class="n">via</span><span class="w"> </span><span class="n">WMI</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">NTLMSettings</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">NTLM</span><span class="w"> </span><span class="n">authentication</span><span class="w"> </span><span class="n">settings</span><span class="w"></span>
<span class="w"> </span><span class="n">OfficeMRUs</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Office</span><span class="w"> </span><span class="n">most</span><span class="w"> </span><span class="n">recently</span><span class="w"> </span><span class="n">used</span><span class="w"> </span><span class="n">file</span><span class="w"> </span><span class="n">list</span><span class="w"> </span><span class="p">(</span><span class="n">last</span><span class="w"> </span><span class="mi">7</span><span class="w"> </span><span class="n">days</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="n">OracleSQLDeveloper</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Finds</span><span class="w"> </span><span class="n">Oracle</span><span class="w"> </span><span class="n">SQLDeveloper</span><span class="w"> </span><span class="n">connections</span><span class="o">.</span><span class="n">xml</span><span class="w"> </span><span class="n">files</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">OSInfo</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Basic</span><span class="w"> </span><span class="n">OS</span><span class="w"> </span><span class="n">info</span><span class="w"> </span><span class="p">(</span><span class="n">e</span><span class="o">.</span><span class="n">g</span><span class="o">.</span><span class="w"> </span><span class="n">architecture</span><span class="p">,</span><span class="w"> </span><span class="n">OS</span><span class="w"> </span><span class="n">version</span><span class="p">,</span><span class="w"> </span><span class="n">etc</span><span class="o">.</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">OutlookDownloads</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">List</span><span class="w"> </span><span class="n">files</span><span class="w"> </span><span class="n">downloaded</span><span class="w"> </span><span class="n">by</span><span class="w"> </span><span class="n">Outlook</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">PoweredOnEvents</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Reboot</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">sleep</span><span class="w"> </span><span class="n">schedule</span><span class="w"> </span><span class="n">based</span><span class="w"> </span><span class="n">on</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">System</span><span class="w"> </span><span class="n">event</span><span class="w"> </span><span class="nb">log</span><span class="w"> </span><span class="n">EIDs</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="mi">12</span><span class="p">,</span><span class="w"> </span><span class="mi">13</span><span class="p">,</span><span class="w"> </span><span class="mi">42</span><span class="p">,</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="mf">6008.</span><span class="w"> </span><span class="n">Default</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="mi">7</span><span class="w"> </span><span class="n">days</span><span class="p">,</span><span class="w"> </span><span class="n">argument</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">last</span><span class="w"> </span><span class="n">X</span><span class="w"> </span><span class="n">days</span><span class="o">.</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">PowerShell</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">PowerShell</span><span class="w"> </span><span class="n">versions</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">security</span><span class="w"> </span><span class="n">settings</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">PowerShellEvents</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">PowerShell</span><span class="w"> </span><span class="n">script</span><span class="w"> </span><span class="n">block</span><span class="w"> </span><span class="n">logs</span><span class="w"> </span><span class="p">(</span><span class="mi">4104</span><span class="p">)</span><span class="w"> </span><span class="n">with</span><span class="w"> </span><span class="n">sensitive</span><span class="w"> </span><span class="n">data</span><span class="o">.</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">PowerShellHistory</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Searches</span><span class="w"> </span><span class="n">PowerShell</span><span class="w"> </span><span class="n">console</span><span class="w"> </span><span class="n">history</span><span class="w"> </span><span class="n">files</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">sensitive</span><span class="w"> </span><span class="n">regex</span><span class="w"> </span><span class="n">matches</span><span class="o">.</span><span class="w"></span>
<span class="w"> </span><span class="n">Printers</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Installed</span><span class="w"> </span><span class="n">Printers</span><span class="w"> </span><span class="p">(</span><span class="n">via</span><span class="w"> </span><span class="n">WMI</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">ProcessCreationEvents</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Process</span><span class="w"> </span><span class="n">creation</span><span class="w"> </span><span class="n">logs</span><span class="w"> </span><span class="p">(</span><span class="mi">4688</span><span class="p">)</span><span class="w"> </span><span class="n">with</span><span class="w"> </span><span class="n">sensitive</span><span class="w"> </span><span class="n">data</span><span class="o">.</span><span class="w"></span>
<span class="w"> </span><span class="n">Processes</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Running</span><span class="w"> </span><span class="n">processes</span><span class="w"> </span><span class="n">with</span><span class="w"> </span><span class="n">file</span><span class="w"> </span><span class="n">info</span><span class="w"> </span><span class="n">company</span><span class="w"> </span><span class="n">names</span><span class="w"> </span><span class="n">that</span><span class="w"> </span><span class="n">don</span><span class="s1">&#39;t contain &#39;</span><span class="n">Microsoft</span><span class="s1">&#39;, &quot;-full&quot; enumerates all processes</span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">ProcessOwners</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Running</span><span class="w"> </span><span class="n">non</span><span class="o">-</span><span class="n">session</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="n">process</span><span class="w"> </span><span class="n">list</span><span class="w"> </span><span class="n">with</span><span class="w"> </span><span class="n">owners</span><span class="o">.</span><span class="w"> </span><span class="n">For</span><span class="w"> </span><span class="k">remote</span><span class="w"> </span><span class="n">use</span><span class="o">.</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">PSSessionSettings</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Enumerates</span><span class="w"> </span><span class="n">PS</span><span class="w"> </span><span class="n">Session</span><span class="w"> </span><span class="n">Settings</span><span class="w"> </span><span class="n">from</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">registry</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">PuttyHostKeys</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Saved</span><span class="w"> </span><span class="n">Putty</span><span class="w"> </span><span class="n">SSH</span><span class="w"> </span><span class="n">host</span><span class="w"> </span><span class="n">keys</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">PuttySessions</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Saved</span><span class="w"> </span><span class="n">Putty</span><span class="w"> </span><span class="n">configuration</span><span class="w"> </span><span class="p">(</span><span class="n">interesting</span><span class="w"> </span><span class="n">fields</span><span class="p">)</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">SSH</span><span class="w"> </span><span class="n">host</span><span class="w"> </span><span class="n">keys</span><span class="w"></span>
<span class="w"> </span><span class="n">RDCManFiles</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Windows</span><span class="w"> </span><span class="n">Remote</span><span class="w"> </span><span class="n">Desktop</span><span class="w"> </span><span class="n">Connection</span><span class="w"> </span><span class="n">Manager</span><span class="w"> </span><span class="n">settings</span><span class="w"> </span><span class="n">files</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">RDPSavedConnections</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Saved</span><span class="w"> </span><span class="n">RDP</span><span class="w"> </span><span class="n">connections</span><span class="w"> </span><span class="n">stored</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">registry</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">RDPSessions</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Current</span><span class="w"> </span><span class="n">incoming</span><span class="w"> </span><span class="n">RDP</span><span class="w"> </span><span class="n">sessions</span><span class="w"> </span><span class="p">(</span><span class="n">argument</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">computername</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">enumerate</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">RDPsettings</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Remote</span><span class="w"> </span><span class="n">Desktop</span><span class="w"> </span><span class="n">Server</span><span class="o">/</span><span class="n">Client</span><span class="w"> </span><span class="n">Settings</span><span class="w"></span>
<span class="w"> </span><span class="n">RecycleBin</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Items</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">Recycle</span><span class="w"> </span><span class="n">Bin</span><span class="w"> </span><span class="n">deleted</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">last</span><span class="w"> </span><span class="mi">30</span><span class="w"> </span><span class="n">days</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">only</span><span class="w"> </span><span class="n">works</span><span class="w"> </span><span class="n">from</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">user</span><span class="w"> </span><span class="n">context</span><span class="o">!</span><span class="w"></span>
<span class="w"> </span><span class="n">reg</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Registry</span><span class="w"> </span><span class="n">key</span><span class="w"> </span><span class="n">values</span><span class="w"> </span><span class="p">(</span><span class="n">HKLM</span>\<span class="n">Software</span><span class="w"> </span><span class="n">by</span><span class="w"> </span><span class="n">default</span><span class="p">)</span><span class="w"> </span><span class="n">argument</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="p">[</span><span class="n">Path</span><span class="p">]</span><span class="w"> </span><span class="p">[</span><span class="n">intDepth</span><span class="p">]</span><span class="w"> </span><span class="p">[</span><span class="n">Regex</span><span class="p">]</span><span class="w"> </span><span class="p">[</span><span class="n">boolIgnoreErrors</span><span class="p">]</span><span class="w"></span>
<span class="w"> </span><span class="n">RPCMappedEndpoints</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Current</span><span class="w"> </span><span class="n">RPC</span><span class="w"> </span><span class="n">endpoints</span><span class="w"> </span><span class="n">mapped</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">SCCM</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">System</span><span class="w"> </span><span class="n">Center</span><span class="w"> </span><span class="n">Configuration</span><span class="w"> </span><span class="n">Manager</span><span class="w"> </span><span class="p">(</span><span class="n">SCCM</span><span class="p">)</span><span class="w"> </span><span class="n">settings</span><span class="p">,</span><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="n">applicable</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">ScheduledTasks</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Scheduled</span><span class="w"> </span><span class="n">tasks</span><span class="w"> </span><span class="p">(</span><span class="n">via</span><span class="w"> </span><span class="n">WMI</span><span class="p">)</span><span class="w"> </span><span class="n">that</span><span class="w"> </span><span class="n">aren</span><span class="s1">&#39;t authored by &#39;</span><span class="n">Microsoft</span><span class="s1">&#39;, &quot;-full&quot; dumps all Scheduled tasks</span>
<span class="w"> </span><span class="n">SearchIndex</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Query</span><span class="w"> </span><span class="n">results</span><span class="w"> </span><span class="n">from</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">Windows</span><span class="w"> </span><span class="n">Search</span><span class="w"> </span><span class="n">Index</span><span class="p">,</span><span class="w"> </span><span class="n">default</span><span class="w"> </span><span class="n">term</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="s1">&#39;password&#39;</span><span class="o">.</span><span class="w"> </span><span class="p">(</span><span class="n">argument</span><span class="p">(</span><span class="n">s</span><span class="p">)</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="o">&lt;</span><span class="n">search</span><span class="w"> </span><span class="n">path</span><span class="o">&gt;</span><span class="w"> </span><span class="o">&lt;</span><span class="n">pattern1</span><span class="p">,</span><span class="n">pattern2</span><span class="p">,</span><span class="o">...&gt;</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="n">SecPackageCreds</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Obtains</span><span class="w"> </span><span class="n">credentials</span><span class="w"> </span><span class="n">from</span><span class="w"> </span><span class="n">security</span><span class="w"> </span><span class="n">packages</span><span class="w"></span>
<span class="w"> </span><span class="n">SecurityPackages</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Enumerates</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">security</span><span class="w"> </span><span class="n">packages</span><span class="w"> </span><span class="n">currently</span><span class="w"> </span><span class="n">available</span><span class="w"> </span><span class="n">using</span><span class="w"> </span><span class="n">EnumerateSecurityPackagesA</span><span class="p">()</span><span class="w"></span>
<span class="w"> </span><span class="n">Services</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Services</span><span class="w"> </span><span class="n">with</span><span class="w"> </span><span class="n">file</span><span class="w"> </span><span class="n">info</span><span class="w"> </span><span class="n">company</span><span class="w"> </span><span class="n">names</span><span class="w"> </span><span class="n">that</span><span class="w"> </span><span class="n">don</span><span class="s1">&#39;t contain &#39;</span><span class="n">Microsoft</span><span class="s1">&#39;, &quot;-full&quot; dumps all services</span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">SlackDownloads</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Parses</span><span class="w"> </span><span class="n">any</span><span class="w"> </span><span class="n">found</span><span class="w"> </span><span class="s1">&#39;slack-downloads&#39;</span><span class="w"> </span><span class="n">files</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">SlackPresence</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Checks</span><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="n">interesting</span><span class="w"> </span><span class="n">Slack</span><span class="w"> </span><span class="n">files</span><span class="w"> </span><span class="n">exist</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">SlackWorkspaces</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Parses</span><span class="w"> </span><span class="n">any</span><span class="w"> </span><span class="n">found</span><span class="w"> </span><span class="s1">&#39;slack-workspaces&#39;</span><span class="w"> </span><span class="n">files</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">SuperPutty</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">SuperPutty</span><span class="w"> </span><span class="n">configuration</span><span class="w"> </span><span class="n">files</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">Sysmon</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Sysmon</span><span class="w"> </span><span class="n">configuration</span><span class="w"> </span><span class="n">from</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">registry</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">SysmonEvents</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Sysmon</span><span class="w"> </span><span class="n">process</span><span class="w"> </span><span class="n">creation</span><span class="w"> </span><span class="n">logs</span><span class="w"> </span><span class="p">(</span><span class="mi">1</span><span class="p">)</span><span class="w"> </span><span class="n">with</span><span class="w"> </span><span class="n">sensitive</span><span class="w"> </span><span class="n">data</span><span class="o">.</span><span class="w"></span>
<span class="w"> </span><span class="n">TcpConnections</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Current</span><span class="w"> </span><span class="n">TCP</span><span class="w"> </span><span class="n">connections</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">their</span><span class="w"> </span><span class="n">associated</span><span class="w"> </span><span class="n">processes</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">services</span><span class="w"></span>
<span class="w"> </span><span class="n">TokenGroups</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">The</span><span class="w"> </span><span class="n">current</span><span class="w"> </span><span class="n">token</span><span class="s1">&#39;s local and domain groups</span>
<span class="w"> </span><span class="n">TokenPrivileges</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Currently</span><span class="w"> </span><span class="n">enabled</span><span class="w"> </span><span class="n">token</span><span class="w"> </span><span class="n">privileges</span><span class="w"> </span><span class="p">(</span><span class="n">e</span><span class="o">.</span><span class="n">g</span><span class="o">.</span><span class="w"> </span><span class="n">SeDebugPrivilege</span><span class="o">/</span><span class="n">etc</span><span class="o">.</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">UAC</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">UAC</span><span class="w"> </span><span class="n">system</span><span class="w"> </span><span class="n">policies</span><span class="w"> </span><span class="n">via</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">registry</span><span class="w"></span>
<span class="w"> </span><span class="n">UdpConnections</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Current</span><span class="w"> </span><span class="n">UDP</span><span class="w"> </span><span class="n">connections</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">associated</span><span class="w"> </span><span class="n">processes</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">services</span><span class="w"></span>
<span class="w"> </span><span class="n">UserRightAssignments</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Configured</span><span class="w"> </span><span class="n">User</span><span class="w"> </span><span class="n">Right</span><span class="w"> </span><span class="n">Assignments</span><span class="w"> </span><span class="p">(</span><span class="n">e</span><span class="o">.</span><span class="n">g</span><span class="o">.</span><span class="w"> </span><span class="n">SeDenyNetworkLogonRight</span><span class="p">,</span><span class="w"> </span><span class="n">SeShutdownPrivilege</span><span class="p">,</span><span class="w"> </span><span class="n">etc</span><span class="o">.</span><span class="p">)</span><span class="w"> </span><span class="n">argument</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">computername</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">enumerate</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">WindowsAutoLogon</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Registry</span><span class="w"> </span><span class="n">autologon</span><span class="w"> </span><span class="n">information</span><span class="w"></span>
<span class="w"> </span><span class="n">WindowsCredentialFiles</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Windows</span><span class="w"> </span><span class="n">credential</span><span class="w"> </span><span class="n">DPAPI</span><span class="w"> </span><span class="n">blobs</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">WindowsDefender</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Windows</span><span class="w"> </span><span class="n">Defender</span><span class="w"> </span><span class="n">settings</span><span class="w"> </span><span class="p">(</span><span class="n">including</span><span class="w"> </span><span class="n">exclusion</span><span class="w"> </span><span class="n">locations</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">WindowsEventForwarding</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Windows</span><span class="w"> </span><span class="n">Event</span><span class="w"> </span><span class="n">Forwarding</span><span class="w"> </span><span class="p">(</span><span class="n">WEF</span><span class="p">)</span><span class="w"> </span><span class="n">settings</span><span class="w"> </span><span class="n">via</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">registry</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">WindowsFirewall</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Non</span><span class="o">-</span><span class="n">standard</span><span class="w"> </span><span class="n">firewall</span><span class="w"> </span><span class="n">rules</span><span class="p">,</span><span class="w"> </span><span class="s2">&quot;-full&quot;</span><span class="w"> </span><span class="n">dumps</span><span class="w"> </span><span class="n">all</span><span class="w"> </span><span class="p">(</span><span class="n">arguments</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">allow</span><span class="o">/</span><span class="n">deny</span><span class="o">/</span><span class="n">tcp</span><span class="o">/</span><span class="n">udp</span><span class="o">/</span><span class="ow">in</span><span class="o">/</span><span class="n">out</span><span class="o">/</span><span class="n">domain</span><span class="o">/</span><span class="n">private</span><span class="o">/</span><span class="n">public</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="n">WindowsVault</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Credentials</span><span class="w"> </span><span class="n">saved</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">Windows</span><span class="w"> </span><span class="n">Vault</span><span class="w"> </span><span class="p">(</span><span class="n">i</span><span class="o">.</span><span class="n">e</span><span class="o">.</span><span class="w"> </span><span class="n">logins</span><span class="w"> </span><span class="n">from</span><span class="w"> </span><span class="n">Internet</span><span class="w"> </span><span class="n">Explorer</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">Edge</span><span class="p">)</span><span class="o">.</span><span class="w"></span>
<span class="w"> </span><span class="n">WMIEventConsumer</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Lists</span><span class="w"> </span><span class="n">WMI</span><span class="w"> </span><span class="n">Event</span><span class="w"> </span><span class="n">Consumers</span><span class="w"></span>
<span class="w"> </span><span class="n">WMIEventFilter</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Lists</span><span class="w"> </span><span class="n">WMI</span><span class="w"> </span><span class="n">Event</span><span class="w"> </span><span class="n">Filters</span><span class="w"></span>
<span class="w"> </span><span class="n">WMIFilterBinding</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Lists</span><span class="w"> </span><span class="n">WMI</span><span class="w"> </span><span class="n">Filter</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">Consumer</span><span class="w"> </span><span class="n">Bindings</span><span class="w"></span>
<span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">WSUS</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Windows</span><span class="w"> </span><span class="n">Server</span><span class="w"> </span><span class="n">Update</span><span class="w"> </span><span class="n">Services</span><span class="w"> </span><span class="p">(</span><span class="n">WSUS</span><span class="p">)</span><span class="w"> </span><span class="n">settings</span><span class="p">,</span><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="n">applicable</span><span class="w"></span>
<span class="n">Seatbelt</span><span class="w"> </span><span class="n">has</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">following</span><span class="w"> </span><span class="n">command</span><span class="w"> </span><span class="n">groups</span><span class="p">:</span><span class="w"> </span><span class="n">All</span><span class="p">,</span><span class="w"> </span><span class="n">User</span><span class="p">,</span><span class="w"> </span><span class="n">System</span><span class="p">,</span><span class="w"> </span><span class="n">Slack</span><span class="p">,</span><span class="w"> </span><span class="n">Chromium</span><span class="p">,</span><span class="w"> </span><span class="n">Remote</span><span class="p">,</span><span class="w"> </span><span class="n">Misc</span><span class="w"></span>
<span class="w"> </span><span class="n">You</span><span class="w"> </span><span class="n">can</span><span class="w"> </span><span class="n">invoke</span><span class="w"> </span><span class="n">command</span><span class="w"> </span><span class="n">groups</span><span class="w"> </span><span class="n">with</span><span class="w"> </span><span class="s2">&quot;Seatbelt.exe &lt;group&gt;&quot;</span><span class="w"></span>
<span class="w"> </span><span class="s2">&quot;Seatbelt.exe -group=all&quot;</span><span class="w"> </span><span class="n">runs</span><span class="w"> </span><span class="n">all</span><span class="w"> </span><span class="n">commands</span><span class="w"></span>
<span class="w"> </span><span class="s2">&quot;Seatbelt.exe -group=user&quot;</span><span class="w"> </span><span class="n">runs</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">following</span><span class="w"> </span><span class="n">commands</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="n">ChromiumPresence</span><span class="p">,</span><span class="w"> </span><span class="n">CloudCredentials</span><span class="p">,</span><span class="w"> </span><span class="n">CloudSyncProviders</span><span class="p">,</span><span class="w"> </span><span class="n">CredEnum</span><span class="p">,</span><span class="w"> </span><span class="n">dir</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="n">DpapiMasterKeys</span><span class="p">,</span><span class="w"> </span><span class="n">ExplorerMRUs</span><span class="p">,</span><span class="w"> </span><span class="n">ExplorerRunCommands</span><span class="p">,</span><span class="w"> </span><span class="n">FileZilla</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="n">FirefoxPresence</span><span class="p">,</span><span class="w"> </span><span class="n">IdleTime</span><span class="p">,</span><span class="w"> </span><span class="n">IEFavorites</span><span class="p">,</span><span class="w"> </span><span class="n">IETabs</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="n">IEUrls</span><span class="p">,</span><span class="w"> </span><span class="n">KeePass</span><span class="p">,</span><span class="w"> </span><span class="n">MappedDrives</span><span class="p">,</span><span class="w"> </span><span class="n">OfficeMRUs</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="n">OracleSQLDeveloper</span><span class="p">,</span><span class="w"> </span><span class="n">PowerShellHistory</span><span class="p">,</span><span class="w"> </span><span class="n">PuttyHostKeys</span><span class="p">,</span><span class="w"> </span><span class="n">PuttySessions</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="n">RDCManFiles</span><span class="p">,</span><span class="w"> </span><span class="n">RDPSavedConnections</span><span class="p">,</span><span class="w"> </span><span class="n">SecPackageCreds</span><span class="p">,</span><span class="w"> </span><span class="n">SlackDownloads</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="n">SlackPresence</span><span class="p">,</span><span class="w"> </span><span class="n">SlackWorkspaces</span><span class="p">,</span><span class="w"> </span><span class="n">SuperPutty</span><span class="p">,</span><span class="w"> </span><span class="n">TokenGroups</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="n">WindowsCredentialFiles</span><span class="p">,</span><span class="w"> </span><span class="n">WindowsVault</span><span class="w"></span>
<span class="w"> </span><span class="s2">&quot;Seatbelt.exe -group=system&quot;</span><span class="w"> </span><span class="n">runs</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">following</span><span class="w"> </span><span class="n">commands</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="n">AMSIProviders</span><span class="p">,</span><span class="w"> </span><span class="n">AntiVirus</span><span class="p">,</span><span class="w"> </span><span class="n">AppLocker</span><span class="p">,</span><span class="w"> </span><span class="n">ARPTable</span><span class="p">,</span><span class="w"> </span><span class="n">AuditPolicies</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="n">AuditPolicyRegistry</span><span class="p">,</span><span class="w"> </span><span class="n">AutoRuns</span><span class="p">,</span><span class="w"> </span><span class="n">CredGuard</span><span class="p">,</span><span class="w"> </span><span class="n">DNSCache</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="n">DotNet</span><span class="p">,</span><span class="w"> </span><span class="n">EnvironmentPath</span><span class="p">,</span><span class="w"> </span><span class="n">EnvironmentVariables</span><span class="p">,</span><span class="w"> </span><span class="n">Hotfixes</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="n">InterestingProcesses</span><span class="p">,</span><span class="w"> </span><span class="n">InternetSettings</span><span class="p">,</span><span class="w"> </span><span class="n">LAPS</span><span class="p">,</span><span class="w"> </span><span class="n">LastShutdown</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="n">LocalGPOs</span><span class="p">,</span><span class="w"> </span><span class="n">LocalGroups</span><span class="p">,</span><span class="w"> </span><span class="n">LocalUsers</span><span class="p">,</span><span class="w"> </span><span class="n">LogonSessions</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="n">LSASettings</span><span class="p">,</span><span class="w"> </span><span class="n">McAfeeConfigs</span><span class="p">,</span><span class="w"> </span><span class="n">NamedPipes</span><span class="p">,</span><span class="w"> </span><span class="n">NetworkProfiles</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="n">NetworkShares</span><span class="p">,</span><span class="w"> </span><span class="n">NTLMSettings</span><span class="p">,</span><span class="w"> </span><span class="n">OSInfo</span><span class="p">,</span><span class="w"> </span><span class="n">PoweredOnEvents</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="n">PowerShell</span><span class="p">,</span><span class="w"> </span><span class="n">Processes</span><span class="p">,</span><span class="w"> </span><span class="n">PSSessionSettings</span><span class="p">,</span><span class="w"> </span><span class="n">RDPSessions</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="n">RDPsettings</span><span class="p">,</span><span class="w"> </span><span class="n">SCCM</span><span class="p">,</span><span class="w"> </span><span class="n">Services</span><span class="p">,</span><span class="w"> </span><span class="n">Sysmon</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="n">TcpConnections</span><span class="p">,</span><span class="w"> </span><span class="n">TokenPrivileges</span><span class="p">,</span><span class="w"> </span><span class="n">UAC</span><span class="p">,</span><span class="w"> </span><span class="n">UdpConnections</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="n">UserRightAssignments</span><span class="p">,</span><span class="w"> </span><span class="n">WindowsAutoLogon</span><span class="p">,</span><span class="w"> </span><span class="n">WindowsDefender</span><span class="p">,</span><span class="w"> </span><span class="n">WindowsEventForwarding</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="n">WindowsFirewall</span><span class="p">,</span><span class="w"> </span><span class="n">WMIEventConsumer</span><span class="p">,</span><span class="w"> </span><span class="n">WMIEventFilter</span><span class="p">,</span><span class="w"> </span><span class="n">WMIFilterBinding</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="n">WSUS</span><span class="w"></span>
<span class="w"> </span><span class="s2">&quot;Seatbelt.exe -group=slack&quot;</span><span class="w"> </span><span class="n">runs</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">following</span><span class="w"> </span><span class="n">commands</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="n">SlackDownloads</span><span class="p">,</span><span class="w"> </span><span class="n">SlackPresence</span><span class="p">,</span><span class="w"> </span><span class="n">SlackWorkspaces</span><span class="w"></span>
<span class="w"> </span><span class="s2">&quot;Seatbelt.exe -group=chromium&quot;</span><span class="w"> </span><span class="n">runs</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">following</span><span class="w"> </span><span class="n">commands</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="n">ChromiumBookmarks</span><span class="p">,</span><span class="w"> </span><span class="n">ChromiumHistory</span><span class="p">,</span><span class="w"> </span><span class="n">ChromiumPresence</span><span class="w"></span>
<span class="w"> </span><span class="s2">&quot;Seatbelt.exe -group=remote&quot;</span><span class="w"> </span><span class="n">runs</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">following</span><span class="w"> </span><span class="n">commands</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="n">AMSIProviders</span><span class="p">,</span><span class="w"> </span><span class="n">AntiVirus</span><span class="p">,</span><span class="w"> </span><span class="n">AuditPolicyRegistry</span><span class="p">,</span><span class="w"> </span><span class="n">ChromiumPresence</span><span class="p">,</span><span class="w"> </span><span class="n">CloudCredentials</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="n">DNSCache</span><span class="p">,</span><span class="w"> </span><span class="n">DotNet</span><span class="p">,</span><span class="w"> </span><span class="n">DpapiMasterKeys</span><span class="p">,</span><span class="w"> </span><span class="n">EnvironmentVariables</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="n">ExplicitLogonEvents</span><span class="p">,</span><span class="w"> </span><span class="n">ExplorerRunCommands</span><span class="p">,</span><span class="w"> </span><span class="n">FileZilla</span><span class="p">,</span><span class="w"> </span><span class="n">Hotfixes</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="n">InterestingProcesses</span><span class="p">,</span><span class="w"> </span><span class="n">KeePass</span><span class="p">,</span><span class="w"> </span><span class="n">LastShutdown</span><span class="p">,</span><span class="w"> </span><span class="n">LocalGroups</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="n">LocalUsers</span><span class="p">,</span><span class="w"> </span><span class="n">LogonEvents</span><span class="p">,</span><span class="w"> </span><span class="n">LogonSessions</span><span class="p">,</span><span class="w"> </span><span class="n">LSASettings</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="n">MappedDrives</span><span class="p">,</span><span class="w"> </span><span class="n">NetworkProfiles</span><span class="p">,</span><span class="w"> </span><span class="n">NetworkShares</span><span class="p">,</span><span class="w"> </span><span class="n">NTLMSettings</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="n">OSInfo</span><span class="p">,</span><span class="w"> </span><span class="n">PoweredOnEvents</span><span class="p">,</span><span class="w"> </span><span class="n">PowerShell</span><span class="p">,</span><span class="w"> </span><span class="n">ProcessOwners</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="n">PSSessionSettings</span><span class="p">,</span><span class="w"> </span><span class="n">PuttyHostKeys</span><span class="p">,</span><span class="w"> </span><span class="n">PuttySessions</span><span class="p">,</span><span class="w"> </span><span class="n">RDPSavedConnections</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="n">RDPSessions</span><span class="p">,</span><span class="w"> </span><span class="n">RDPsettings</span><span class="p">,</span><span class="w"> </span><span class="n">Sysmon</span><span class="p">,</span><span class="w"> </span><span class="n">WindowsDefender</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="n">WindowsEventForwarding</span><span class="p">,</span><span class="w"> </span><span class="n">WindowsFirewall</span><span class="w"></span>
<span class="w"> </span><span class="s2">&quot;Seatbelt.exe -group=misc&quot;</span><span class="w"> </span><span class="n">runs</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">following</span><span class="w"> </span><span class="n">commands</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="n">ChromiumBookmarks</span><span class="p">,</span><span class="w"> </span><span class="n">ChromiumHistory</span><span class="p">,</span><span class="w"> </span><span class="n">ExplicitLogonEvents</span><span class="p">,</span><span class="w"> </span><span class="n">FileInfo</span><span class="p">,</span><span class="w"> </span><span class="n">FirefoxHistory</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="n">InstalledProducts</span><span class="p">,</span><span class="w"> </span><span class="n">InterestingFiles</span><span class="p">,</span><span class="w"> </span><span class="n">LogonEvents</span><span class="p">,</span><span class="w"> </span><span class="n">LOLBAS</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="n">McAfeeSiteList</span><span class="p">,</span><span class="w"> </span><span class="n">MicrosoftUpdates</span><span class="p">,</span><span class="w"> </span><span class="n">OutlookDownloads</span><span class="p">,</span><span class="w"> </span><span class="n">PowerShellEvents</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="n">Printers</span><span class="p">,</span><span class="w"> </span><span class="n">ProcessCreationEvents</span><span class="p">,</span><span class="w"> </span><span class="n">ProcessOwners</span><span class="p">,</span><span class="w"> </span><span class="n">RecycleBin</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="n">reg</span><span class="p">,</span><span class="w"> </span><span class="n">RPCMappedEndpoints</span><span class="p">,</span><span class="w"> </span><span class="n">ScheduledTasks</span><span class="p">,</span><span class="w"> </span><span class="n">SearchIndex</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="n">SecurityPackages</span><span class="p">,</span><span class="w"> </span><span class="n">SysmonEvents</span><span class="w"></span>
<span class="n">Examples</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="s1">&#39;Seatbelt.exe &lt;Command&gt; [Command2] ...&#39;</span><span class="w"> </span><span class="n">will</span><span class="w"> </span><span class="n">run</span><span class="w"> </span><span class="n">one</span><span class="w"> </span><span class="ow">or</span><span class="w"> </span><span class="n">more</span><span class="w"> </span><span class="n">specified</span><span class="w"> </span><span class="n">checks</span><span class="w"> </span><span class="n">only</span><span class="w"></span>
<span class="w"> </span><span class="s1">&#39;Seatbelt.exe &lt;Command&gt; -full&#39;</span><span class="w"> </span><span class="n">will</span><span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">complete</span><span class="w"> </span><span class="n">results</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">command</span><span class="w"> </span><span class="n">without</span><span class="w"> </span><span class="n">any</span><span class="w"> </span><span class="n">filtering</span><span class="o">.</span><span class="w"></span>
<span class="w"> </span><span class="s1">&#39;Seatbelt.exe &quot;&lt;Command&gt; [argument]&quot;&#39;</span><span class="w"> </span><span class="n">will</span><span class="w"> </span><span class="k">pass</span><span class="w"> </span><span class="n">an</span><span class="w"> </span><span class="n">argument</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">command</span><span class="w"> </span><span class="n">that</span><span class="w"> </span><span class="n">supports</span><span class="w"> </span><span class="n">it</span><span class="w"> </span><span class="p">(</span><span class="n">note</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">quotes</span><span class="p">)</span><span class="o">.</span><span class="w"></span>
<span class="w"> </span><span class="s1">&#39;Seatbelt.exe -group=all&#39;</span><span class="w"> </span><span class="n">will</span><span class="w"> </span><span class="n">run</span><span class="w"> </span><span class="n">ALL</span><span class="w"> </span><span class="n">enumeration</span><span class="w"> </span><span class="n">checks</span><span class="p">,</span><span class="w"> </span><span class="n">can</span><span class="w"> </span><span class="n">be</span><span class="w"> </span><span class="n">combined</span><span class="w"> </span><span class="n">with</span><span class="w"> </span><span class="s2">&quot;-full&quot;</span><span class="o">.</span><span class="w"></span>
<span class="w"> </span><span class="s1">&#39;Seatbelt.exe &lt;Command&gt; -computername=COMPUTER.DOMAIN.COM [-username=DOMAIN\USER -password=PASSWORD]&#39;</span><span class="w"> </span><span class="n">will</span><span class="w"> </span><span class="n">run</span><span class="w"> </span><span class="n">an</span><span class="w"> </span><span class="n">applicable</span><span class="w"> </span><span class="n">check</span><span class="w"> </span><span class="n">remotely</span><span class="w"></span>
<span class="w"> </span><span class="s1">&#39;Seatbelt.exe -group=remote -computername=COMPUTER.DOMAIN.COM [-username=DOMAIN\USER -password=PASSWORD]&#39;</span><span class="w"> </span><span class="n">will</span><span class="w"> </span><span class="n">run</span><span class="w"> </span><span class="k">remote</span><span class="w"> </span><span class="n">specific</span><span class="w"> </span><span class="n">checks</span><span class="w"></span>
<span class="w"> </span><span class="s1">&#39;Seatbelt.exe -group=system -outputfile=&quot;C:\Temp\out.txt&quot;&#39;</span><span class="w"> </span><span class="n">will</span><span class="w"> </span><span class="n">run</span><span class="w"> </span><span class="n">system</span><span class="w"> </span><span class="n">checks</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">output</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="o">.</span><span class="n">txt</span><span class="w"> </span><span class="n">file</span><span class="o">.</span><span class="w"></span>
<span class="w"> </span><span class="s1">&#39;Seatbelt.exe -group=user -q -outputfile=&quot;C:\Temp\out.json&quot;&#39;</span><span class="w"> </span><span class="n">will</span><span class="w"> </span><span class="n">run</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">quiet</span><span class="w"> </span><span class="n">mode</span><span class="w"> </span><span class="n">with</span><span class="w"> </span><span class="n">user</span><span class="w"> </span><span class="n">checks</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">output</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="o">.</span><span class="n">json</span><span class="w"> </span><span class="n">file</span><span class="o">.</span><span class="w"></span>
</code></pre></div>
<p><strong>Note:</strong> searches that target users will run for the current user if not elevated and for ALL users if elevated. Credentials supplied on the command line for remote checks (<code>-username</code>/<code>-password</code>) will be captured wherever process command-line logging is enabled (see <code>ProcessCreationEvents</code> below), so prefer running under an already-authenticated context where possible.</p>
<p><strong>A more detailed wiki is coming...</strong></p>
<h2 id="command-groups">Command Groups</h2>
<p><strong>Note:</strong> many commands do some type of filtering by default. Supplying the <code>-full</code> argument prevents filtering output. Also, the command group <code>all</code> will run all current checks.</p>
<p>For example, the following command will run ALL checks and returns ALL output:</p>
<p><code>Seatbelt.exe -group=all -full</code></p>
<h3 id="system">system</h3>
<p>Runs checks that mine interesting data about the system.</p>
<p>Executed with: <code>Seatbelt.exe -group=system</code></p>
<p>| Command | Description |
| ----------- | ----------- |
| AMSIProviders | Providers registered for AMSI |
| AntiVirus | Registered antivirus (via WMI) |
| AppLocker | AppLocker settings, if installed |
| ARPTable | Lists the current ARP table and adapter information (equivalent to arp -a) |
| AuditPolicies | Enumerates classic and advanced audit policy settings |
| AuditPolicyRegistry | Audit settings via the registry |
| AutoRuns | Auto run executables/scripts/programs |
| CredGuard | CredentialGuard configuration |
| DNSCache | DNS cache entries (via WMI) |
| DotNet | DotNet versions |
| EnvironmentPath | Current environment %PATH% folders and SDDL information |
| EnvironmentVariables | Current user environment variables |
| Hotfixes | Installed hotfixes (via WMI) |
| InterestingProcesses | "Interesting" processes - defensive products and admin tools |
| InternetSettings | Internet settings including proxy configs |
| LAPS | LAPS settings, if installed |
| LastShutdown | Returns the DateTime of the last system shutdown (via the registry) |
| LocalGPOs | Local Group Policy settings applied to the machine/local users |
| LocalGroups | Non-empty local groups, "full" displays all groups (argument == computername to enumerate) |
| LocalUsers | Local users, whether they're active/disabled, and pwd last set (argument == computername to enumerate) |
| LogonSessions | Windows logon sessions (for Event ID 4624 logon events see LogonEvents under misc) |
| LSASettings | LSA settings (including auth packages) |
| McAfeeConfigs | Finds McAfee configuration files |
| NamedPipes | Named pipe names and any readable ACL information |
| NetworkProfiles | Windows network profiles |
| NetworkShares | Network shares exposed by the machine (via WMI) |
| NTLMSettings | NTLM authentication settings |
| OSInfo | Basic OS info (i.e. architecture, OS version, etc.) |
| PoweredOnEvents | Reboot and sleep schedule based on the System event log EIDs 1, 12, 13, 42, and 6008. Default of 7 days, argument == last X days. |
| PowerShell | PowerShell versions and security settings |
| Processes | Running processes with file info company names that don't contain 'Microsoft', "full" enumerates all processes |
| PSSessionSettings | Enumerates PS Session Settings from the registry |
| RDPSessions | Current incoming RDP sessions (argument == computername to enumerate) |
| RDPsettings | Remote Desktop Server/Client Settings |
| SCCM | System Center Configuration Manager (SCCM) settings, if applicable |
| Services | Services with file info company names that don't contain 'Microsoft', "full" dumps all services |
| Sysmon | Sysmon configuration from the registry |
| TcpConnections | Current TCP connections and their associated processes and services |
| TokenPrivileges | Currently enabled token privileges (e.g. SeDebugPrivilege/etc.) |
| UAC | UAC system policies via the registry |
| UdpConnections | Current UDP connections and associated processes and services |
| UserRightAssignments | Configured User Right Assignments (e.g. SeDenyNetworkLogonRight, SeShutdownPrivilege, etc.) argument == computername to enumerate |
| WindowsAutoLogon | Registry autologon information |
| WindowsDefender | Windows Defender settings (including exclusion locations) |
| WindowsEventForwarding | Windows Event Forwarding (WEF) settings via the registry |
| WindowsFirewall | Non-standard firewall rules, "full" dumps all (arguments == allow/deny/tcp/udp/in/out/domain/private/public) |
| WMIEventConsumer | Lists WMI Event Consumers |
| WMIEventFilter | Lists WMI Event Filters |
| WMIFilterBinding | Lists WMI Filter to Consumer Bindings |
| WSUS | Windows Server Update Services (WSUS) settings, if applicable |</p>
<h3 id="user">user</h3>
<p>Runs checks that mine interesting data about the currently logged on user (if not elevated) or ALL users (if elevated).</p>
<p>Executed with: <code>Seatbelt.exe -group=user</code></p>
<p>| Command | Description |
| ----------- | ----------- |
| ChromiumPresence | Checks if interesting Chromium-based browser (e.g. Google Chrome) files exist |
| CloudCredentials | AWS/Google/Azure cloud credential files |
| CredEnum | Enumerates the current user's saved credentials using CredEnumerate() |
| dir | Lists files/folders. By default, lists users' downloads, documents, and desktop folders (arguments == &lt;directory&gt; &lt;depth&gt; &lt;regex&gt;) |
| DpapiMasterKeys | List DPAPI master keys |
| ExplorerMRUs | Explorer most recently used files (last 7 days, argument == last X days) |
| ExplorerRunCommands | Recent Explorer "run" commands |
| FileZilla | FileZilla configuration files |
| FirefoxPresence | Checks if interesting Firefox files exist |
| IdleTime | Returns the number of seconds since the current user's last input. |
| IEFavorites | Internet Explorer favorites |
| IETabs | Open Internet Explorer tabs |
| IEUrls | Internet Explorer typed URLs (last 7 days, argument == last X days) |
| MappedDrives | Users' mapped drives (via WMI) |
| OfficeMRUs | Office most recently used file list (last 7 days) |
| PowerShellHistory | Iterates through every local user and attempts to read their PowerShell console history; prints it if the read succeeds |
| PuttyHostKeys | Saved Putty SSH host keys |
| PuttySessions | Saved Putty configuration (interesting fields) and SSH host keys |
| RDCManFiles | Windows Remote Desktop Connection Manager settings files |
| RDPSavedConnections | Saved RDP connections stored in the registry |
| SecPackageCreds | Obtains credentials from security packages |
| SlackDownloads | Parses any found 'slack-downloads' files |
| SlackPresence | Checks if interesting Slack files exist |
| SlackWorkspaces | Parses any found 'slack-workspaces' files |
| SuperPutty | SuperPutty configuration files |
| TokenGroups | The current token's local and domain groups |
| WindowsCredentialFiles | Windows credential DPAPI blobs |
| WindowsVault | Credentials saved in the Windows Vault (i.e. logins from Internet Explorer and Edge). |</p>
<h3 id="misc">misc</h3>
<p>Runs all miscellaneous checks.</p>
<p>Executed with: <code>Seatbelt.exe -group=misc</code></p>
<p>| Command | Description |
| ----------- | ----------- |
| ChromiumBookmarks | Parses any found Chromium-based browser (e.g. Google Chrome) bookmark files |
| ChromiumHistory | Parses any found Chromium-based browser (e.g. Google Chrome) history files |
| ExplicitLogonEvents | Explicit Logon events (Event ID 4648) from the security event log. Default of 7 days, argument == last X days. |
| FileInfo | Information about a file (version information, timestamps, basic PE info, etc.; argument(s) == file path(s)) |
| FirefoxHistory | Parses any found FireFox history files |
| HuntLolbas | Locates Living Off The Land Binaries and Scripts (LOLBAS) on the system. Note: takes non-trivial time. |
| InstalledProducts | Installed products via the registry |
| InterestingFiles | "Interesting" files matching various patterns in the user's folder. Note: takes non-trivial time. |
| LogonEvents | Logon events (Event ID 4624) from the security event log. Default of 10 days, argument == last X days. |
| McAfeeSiteList | Decrypt any found McAfee SiteList.xml configuration files. |
| MicrosoftUpdates | All Microsoft updates (via COM) |
| OutlookDownloads | List files downloaded by Outlook |
| PowerShellEvents | PowerShell script block logs (4104) with sensitive data. |
| Printers | Installed Printers (via WMI) |
| ProcessCreationEvents | Process creation logs (4688) with sensitive data. |
| ProcessOwners | Running non-session 0 process list with owners. For remote use. |
| RecycleBin | Items in the Recycle Bin deleted in the last 30 days - only works from a user context! |
| reg | Registry key values (HKLM\Software by default) argument == [Path] [intDepth] [Regex] [boolIgnoreErrors] |
| RPCMappedEndpoints | Current RPC endpoints mapped |
| ScheduledTasks | Scheduled tasks (via WMI) that aren't authored by 'Microsoft', "full" dumps all Scheduled tasks |
| SearchIndex | Query results from the Windows Search Index, default term of 'password'. (argument(s) == &lt;search path&gt; &lt;pattern1,pattern2,...&gt;) |
| SecurityPackages | Enumerates the security packages currently available using EnumerateSecurityPackagesA() |
| SysmonEvents | Sysmon process creation logs (1) with sensitive data. |</p>
<h3 id="additional-command-groups">Additional Command Groups</h3>
<p>Executed with: <code>Seatbelt.exe -group=GROUPNAME</code></p>
<p>| Alias | Description |
| ----------- | ----------- |
| Slack | Runs modules that start with "Slack*" |
| Chrome | Runs modules that start with "Chrome*" |
| Remote | Runs the following modules (for use against a remote system): AMSIProviders, AntiVirus, DotNet, ExplorerRunCommands, Hotfixes, InterestingProcesses, LastShutdown, LogonSessions, LSASettings, MappedDrives, NetworkProfiles, NetworkShares, NTLMSettings, PowerShell, ProcessOwners, PuttyHostKeys, PuttySessions, RDPSavedConnections, RDPSessions, RDPsettings, Sysmon, WindowsDefender, WindowsEventForwarding, WindowsFirewall |</p>
<h2 id="command-arguments">Command Arguments</h2>
<p>Commands that accept arguments have this noted in their description. To pass an argument to a command, enclose the command and its arguments together in double quotes.</p>
<p>For example, the following command returns 4624 logon events for the last 30 days:</p>
<p><code>Seatbelt.exe "LogonEvents 30"</code></p>
<p>The following command queries a registry three levels deep, returning only keys/valueNames/values that match the regex <code>.*defini.*</code>, and ignoring any errors that occur.</p>
<p><code>Seatbelt.exe "reg \"HKLM\SOFTWARE\Microsoft\Windows Defender\" 3 .*defini.* true"</code></p>
<h2 id="output">Output</h2>
<p>Seatbelt can redirect its output to a file with the <code>-outputfile="C:\Path\file.txt"</code> argument. If the file path ends in .json, the output will be structured JSON. Keep in mind that the file holds everything the selected checks collected, which can include credential material (for example from the WindowsVault, WindowsCredentialFiles, and SecPackageCreds checks), so protect it and remove it from the host once retrieved.</p>
<p>For example, the following command will output the results of system checks to a txt file:</p>
<p><code>Seatbelt.exe -group=system -outputfile="C:\Temp\system.txt"</code></p>
<h2 id="remote-enumeration">Remote Enumeration</h2>
<p>Commands noted with a + in the help menu can be run remotely against another system. This is performed over WMI via queries for WMI classes and WMI's StdRegProv for registry enumeration.</p>
<p>To enumerate a remote system, supply <code>-computername=COMPUTER.DOMAIN.COM</code>; an alternate username and password can be specified with <code>-username=DOMAIN\USER -password=PASSWORD</code>. Note that a password passed this way appears in the Seatbelt process's command line, so it can be recorded by process-creation auditing on the host you run from (the same 4688 / Sysmon event 1 logs that the ProcessCreationEvents and SysmonEvents checks search for sensitive data); prefer running under an already-authenticated context where possible.</p>
<p>For example, the following command runs remote-focused checks against a remote system:</p>
<p><code>Seatbelt.exe -group=remote -computername=192.168.230.209 -username=THESHIRE\sam -password="yum \"po-ta-toes\""</code></p>
<h2 id="building-your-own-modules">Building Your Own Modules</h2>
<p>Seatbelt's structure is completely modular, allowing for additional command modules to be dropped into the file structure and loaded up dynamically.</p>
<p>There is a commented command module template at <code>.\Seatbelt\Commands\Template.cs</code> for reference. Once built, drop the module in the logical file location, include it in the project in the Visual Studio Solution Explorer, and compile.</p>
<h2 id="compile-instructions">Compile Instructions</h2>
<p>We are not planning on releasing binaries for Seatbelt, so you will have to compile it yourself.</p>
<p>Seatbelt has been built against .NET 3.5 and 4.0 with C# 8.0 features and is compatible with <a href="https://visualstudio.microsoft.com/downloads/">Visual Studio Community Edition</a>. Simply open up the project .sln, choose "release", and build. To change the target .NET framework version, <a href="https://github.com/GhostPack/Seatbelt/issues/27">modify the project's settings</a> and rebuild the project.</p>
<h2 id="acknowledgments">Acknowledgments</h2>
<p>Seatbelt incorporates various collection items, code C# snippets, and bits of PoCs found throughout research for its capabilities. These ideas, snippets, and authors are highlighted in the appropriate locations in the source code, and include:</p>
<ul>
<li><a href="https://twitter.com/andrewchiles">@andrewchiles</a>' <a href="https://github.com/threatexpress/red-team-scripts/blob/master/HostEnum.ps1">HostEnum.ps1</a> script and <a href="https://twitter.com/tifkin_">@tifkin_</a>'s <a href="https://github.com/leechristensen/Random/blob/master/PowerShellScripts/Get-HostProfile.ps1">Get-HostProfile.ps1</a> provided inspiration for many of the artifacts to collect.</li>
<li><a href="https://stackoverflow.com/questions/33935825/pinvoke-netlocalgroupgetmembers-runs-into-fatalexecutionengineerror/33939889#33939889">Boboes' code concerning NetLocalGroupGetMembers</a></li>
<li><a href="https://gist.github.com/ambyte/01664dc7ee576f69042c">ambyte's code for converting a mapped drive letter to a network path</a></li>
<li><a href="https://stackoverflow.com/questions/2146153/how-to-get-the-logon-sid-in-c-sharp/2146418#2146418">Igor Korkhov's code to retrieve current token group information</a></li>
<li><a href="https://stackoverflow.com/questions/498371/how-to-detect-if-my-application-is-running-in-a-virtual-machine/11145280#11145280">RobSiklos' snippet to determine if a host is a virtual machine</a></li>
<li><a href="https://stackoverflow.com/questions/1410127/c-sharp-test-if-user-has-write-access-to-a-folder/21996345#21996345">JGU's snippet on file/folder ACL right comparison</a></li>
<li><a href="http://csharphelper.com/blog/2015/06/find-files-that-match-multiple-patterns-in-c/">Rod Stephens' pattern for recursive file enumeration</a></li>
<li><a href="https://stackoverflow.com/questions/4349743/setting-size-of-token-privileges-luid-and-attributes-array-returned-by-gettokeni">SwDevMan81's snippet for enumerating current token privileges</a></li>
<li><a href="https://github.com/Invoke-IR/ACE/blob/master/ACE-Management/PS-ACE/Scripts/ACE_Get-KerberosTicketCache.ps1">Jared Atkinson's PowerShell work on Kerberos ticket caches</a></li>
<li><a href="https://www.dreamincode.net/forums/topic/135033-increment-memory-pointer-issue/">darkmatter08's Kerberos C# snippet</a></li>
<li>Numerous <a href="https://www.pinvoke.net/">PInvoke.net</a> samples &lt;3</li>
<li><a href="https://www.codeproject.com/Articles/18179/Using-the-Local-Security-Authority-to-Enumerate-Us">Jared Hill's awesome CodeProject to use Local Security Authority to Enumerate User Sessions</a></li>
<li><a href="https://social.technet.microsoft.com/Forums/lync/en-US/e949b8d6-17ad-4afc-88cd-0019a3ac9df9/powershell-alternative-to-arp-a?forum=ITCG">Fred's code on querying the ARP cache</a></li>
<li><a href="https://stackoverflow.com/questions/577433/which-pid-listens-on-a-given-port-in-c-sharp/577660#577660">ShuggyCoUk's snippet on querying the TCP connection table</a></li>
<li><a href="https://gist.github.com/yizhang82/a1268d3ea7295a8a1496e01d60ada816">yizhang82's example of using reflection to interact with COM objects through C#</a></li>
<li><a href="https://twitter.com/djhohnstein">@djhohnstein</a>'s <a href="https://github.com/djhohnstein/SharpWeb/blob/master/Edge/SharpEdge.cs">SharpWeb project</a></li>
<li><a href="https://twitter.com/djhohnstein">@djhohnstein</a>'s <a href="https://github.com/djhohnstein/EventLogParser">EventLogParser project</a></li>
<li><a href="https://twitter.com/cmaddalena">@cmaddalena</a>'s <a href="https://github.com/chrismaddalena/SharpCloud">SharpCloud project</a>, BSD 3-Clause</li>
<li><a href="https://twitter.com/_RastaMouse">@_RastaMouse</a>'s <a href="https://github.com/rasta-mouse/Watson/">Watson project</a>, GPL License</li>
<li><a href="https://twitter.com/_RastaMouse">@_RastaMouse</a>'s <a href="https://rastamouse.me/2018/09/enumerating-applocker-config/">Work on AppLocker enumeration</a></li>
<li><a href="https://twitter.com/peewpw">@peewpw</a>'s <a href="https://github.com/peewpw/Invoke-WCMDump/blob/master/Invoke-WCMDump.ps1">Invoke-WCMDump project</a>, GPL License</li>
<li>TrustedSec's <a href="https://github.com/trustedsec/HoneyBadger/tree/master/modules/post/windows/gather">HoneyBadger project</a>, BSD 3-Clause</li>
<li>CENTRAL Solutions's <a href="https://www.centrel-solutions.com/support/tools.aspx?feature=auditrights">Audit User Rights Assignment Project</a>, No license</li>
<li>Collection ideas inspired from <a href="https://twitter.com/ukstufus">@ukstufus</a>'s <a href="https://github.com/stufus/reconerator">Reconerator</a></li>
<li>Office MRU locations and timestamp parsing information from Dustin Hurlbut's paper <a href="https://ad-pdf.s3.amazonaws.com/Microsoft_Office_2007-2010_Registry_ArtifactsFINAL.pdf">Microsoft Office 2007, 2010 - Registry Artifacts</a></li>
<li>The <a href="https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/windows-commands">Windows Commands list</a>, used for sensitive regex construction</li>
<li><a href="https://stackoverflow.com/questions/21805038/how-do-i-pinvoke-rpcmgmtepeltinqnext">Ryan Ries' code for enumeration mapped RPC endpoints</a></li>
<li><a href="https://stackoverflow.com/a/5941873">Chris Haas' post on EnumerateSecurityPackages()</a></li>
<li><a href="https://twitter.com/carlos_perez">darkoperator</a>'s work <a href="https://github.com/trustedsec/HoneyBadger">on the HoneyBadger project</a></li>
<li><a href="https://twitter.com/airzero24">@airzero24</a>'s work on <a href="https://github.com/airzero24/WMIReg">WMI Registry enumeration</a></li>
<li>Alexandru's answer on <a href="https://stackoverflow.com/questions/26217199/what-are-some-alternatives-to-registrykey-openbasekey-in-net-3-5">RegistryKey.OpenBaseKey alternatives</a></li>
<li>Tomas Vera's <a href="http://www.tomasvera.com/programming/using-javascriptserializer-to-parse-json-objects/">post on JavaScriptSerializer</a></li>
<li>Marc Gravell's <a href="https://stackoverflow.com/a/929418">note on recursively listing files/folders</a></li>
<li><a href="https://twitter.com/mattifestation">@mattifestation</a>'s <a href="https://github.com/mattifestation/PSSysmonTools/blob/master/PSSysmonTools/Code/SysmonRuleParser.ps1#L589-L595">Sysmon rule parser</a></li>
<li>Some inspiration from spolnik's <a href="https://github.com/spolnik/Simple.CredentialsManager">Simple.CredentialsManager project</a>, Apache 2 license</li>
<li><a href="https://www.tenforums.com/tutorials/68926-verify-if-device-guard-enabled-disabled-windows-10-a.html">This post on Credential Guard settings</a></li>
<li><a href="https://social.technet.microsoft.com/Forums/windows/en-US/b0e13a16-51a6-4aca-8d44-c85e097f882b/nametype-in-nla-information-for-a-network-profile">This thread</a> on network profile information</li>
<li>Mark McKinnon's post on <a href="http://cfed-ttf.blogspot.com/2009/08/decoding-datecreated-and.html">decoding the DateCreated and DateLastConnected SSID values</a></li>
<li>This Specops <a href="https://specopssoft.com/blog/things-work-group-policy-caching/">post on group policy caching</a></li>
<li>sa_ddam213's StackOverflow post on <a href="https://stackoverflow.com/questions/18071412/list-filenames-in-the-recyclebin-with-c-sharp-without-using-any-external-files">enumerating items in the Recycle Bin</a></li>
<li>Kirill Osenkov's <a href="https://stackoverflow.com/a/15608028">code for managed assembly detection</a></li>
<li>The <a href="https://github.com/mono/linux-packaging-mono/blob/d356d2b7db91d62b80a61eeb6fbc70a402ac3cac/external/corefx/LICENSE.TXT">Mono project</a> for the SecBuffer/SecBufferDesc classes</li>
<li><a href="https://twitter.com/elad_shamir">Elad Shamir</a> and his <a href="https://github.com/eladshamir/Internal-Monologue/">Internal-Monologue</a> project, <a href="https://twitter.com/mysmartlogon">Vincent Le Toux</a> for his <a href="https://github.com/vletoux/DetectPasswordViaNTLMInFlow/">DetectPasswordViaNTLMInFlow</a> project, and Lee Christensen for his <a href="https://github.com/leechristensen/GetNTLMChallenge/">GetNTLMChallenge</a> project. All of these served as inspiration in the SecPackageCreds command.</li>
<li>@leftp and @eksperience's <a href="https://github.com/EncodeGroup/Gopher">Gopher project</a> for inspiration for the FileZilla and SuperPutty commands</li>
<li>@funoverip for the original McAfee SiteList.xml decryption code</li>
</ul>
<p>We've tried to do our due diligence for citations, but if we've left someone/something out, please let us know!</p>
</span>
</div>
</div>
<script>
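// Persist a sidebar <details> element's open/closed state in sessionStorage so
// it can be restored on the next page view.
// obj: the <details> element that fired the ontoggle event; its id is the
//      storage key. Opening stores "open"; closing removes the key.
// The original removeItem-before-setItem dance was dead logic (setItem already
// overwrites), and the stray console.log was leftover debugging output.
function linkClick(obj) {
  if (!obj || !obj.id) {
    return; // nothing sensible to key the entry on
  }
  if (obj.open) {
    sessionStorage.setItem(obj.id, "open");
  } else {
    sessionStorage.removeItem(obj.id);
  }
}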
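// Re-open every sidebar <details> whose id linkClick stored during an earlier
// page view. A stored key with no matching element on this page (or a key some
// other script placed in sessionStorage) used to make
// document.getElementById(...) return null and the assignment throw, aborting
// the rest of the loop; such keys are now skipped.
for (const storedId of Object.keys(sessionStorage)) {
  const details = document.getElementById(storedId);
  if (details) {
    details.open = true;
  }
}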
</script>
<script async src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/MathJax.js?config=TeX-AMS-MML_HTMLorMML" type="text/javascript"></script>
<script type="text/x-mathjax-config">
// MathJax 2.x configuration: TeX input, HTML-CSS or native MathML output
// (MMLorHTML.js presumably picks between the two), plus the context menu and
// zoom extensions.
var mathJaxSettings = {
  config: ["MMLorHTML.js"],
  jax: ["input/TeX", "output/HTML-CSS", "output/NativeMML"],
  extensions: ["MathMenu.js", "MathZoom.js"]
};
MathJax.Hub.Config(mathJaxSettings);
</script>
</body>
</html>