killchain-compendium/post_exploitation/Seatbelt/CHANGELOG.md

11 KiB

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[1.1.1] - 2020-11-06

Added

  • Added remote support to the following commands:

    • PowerShell, DotNet
    • FirefoxPresence, FirefoxHistory
    • ChromePresence/ChromeHistory/ChromeBookmarks
    • InternetExplorerFavorites, IEUrls
    • SlackDownloads, SlackPresence, SlackWorkspaces
    • CloudCredentials, FileZilla, OutlookDownloads, RDCManFiles
    • SuperPutty, LocalUsers, LocalGroups, PowerShellHistory
    • Credguard, InstalledProducts, AppLocker, AuditPolicyRegistry
    • DNSCache, PSSessionSettings, OSInfo, EnvironmentVariables, DpapiMasterKeys
  • Implemented remote event log support:

    • ExplicitLogonEvents, LogonEvents, PoweredOnEvents, PowerShellEvents, ProcessCreationEvents, SysmonEvents
  • Chrome* modules now converted to Chromium support:

    • Chrome, Edge, Brave, Opera
  • Added IBM Bluemix enumeration to CloudCredentials

Fixed

  • Better error handling in various modules
  • OS version number collection on Windows 10
  • McAfeeSiteList null pointer exception
  • Interpretation of uac/tokenfilter/filteradmintoken values
  • Nullable type issues
  • WindowsFirewall filtering

[1.1.0] - 2020-09-30

Added

  • Added the following commands:
    • Hotfixes - installed hotfixes (via WMI)
    • MicrosoftUpdates - all Microsoft updates (via COM)
    • HuntLolbas - hunt for living-off-the-land binaries (from @NotoriousRebel)
    • PowerShellHistory - searches PowerShell console history files for sensitive regex matches (adapted from @NotoriousRebel)
    • RDPSettings - Remote Desktop Server/Client Settings
    • SecPackageCreds - obtains credentials from security packages (InternalMonologue for the current user)
    • FileZilla - files user FileZilla configuration files/passwords
    • SuperPutty - files user SuperPutty configuration files
    • McAfeeSiteList - finds/decrypts McAfee SiteList.xml files
    • McAfeeConfigs- finds McAfee configuration files

Changed

  • Added CLR version enumeration to "DotNet" and "PowerShell" commands
  • Updated LSASettings to detect restricted admin mode
  • Added ZoneMapKey & Auth settings to "InternetSettings" (Francis Lacoste)
  • Added support for ByteArrays in "WindowsVault"
  • Redid assembly detection to (hopefully) prevent image load events
  • Added version/description fields to processes and services
  • Added ASR rules to "WindowsDefender" command

Fixed

  • Big fix for event log searching
  • Fix for sensitive command line scraping
  • Code cleanup/dead code removal
  • Allow empty companyname the Services command
  • Better exception handling
  • Various fixes/expansions for the "WindowsVault" command
  • Added disposing of output sinks
  • Other misc. bug fixes

[1.0.0] - 2020-05-26

Added

  • Added the following commands:
    • NTLMSettings, SCCM, WSUS, UserRightAssignments, IdleTime, FileInfo, NamedPipes, NetworkProfile
    • AMSIProviders, RPCMappedEndpoints, LocalUsers, CredGuard, LocalGPOs, OutlookDownloads
    • AppLocker (thanks @_RastaMouse! https://github.com/GhostPack/Seatbelt/pull/15)
    • InstalledProducts and Printers commands, with DACLs included for printers
    • SearchIndex - module to search the Windows Search Indexer
    • WMIEventFilter/WMIEventConsumer/WMIEventConsumer commands
    • ScheduledTasks command (via WMI for win8+)
    • AuditPolicies/AuditSettings - classic and advanced audit policy settings
    • EnvironmentPath - %ENV:PATH% folder enumeration, along with DACLs
    • ProcessCreation - from @djhohnstein's EventLogParser project. Expanded sensitive regexes.
    • CredEnum - use CredEnumerate() to enumerate the credentials from the user's credential set (thanks @djhohnstein and @peewpw)
    • SecurityPackages - uses EnumerateSecurityPackages() to enumerate available security packages
    • WindowsDefender - exclusions for paths/extensions/processes for Windows Defender
    • DotNet - detects .NET versions and whether AMSI is enabled/can by bypassed (similar to 'PowerShell')
    • ProcessOwners - simplified enumeration of non-session 0 processes/owners that can function remotely
    • dir
      • Allows recursively enumerating directories and searching for files based on a regex
      • Lists user folders by default
      • Usage: "dir [path] [depth] [searchRegex] [ignoreErrors? true/false]"
      • Default: "dir C:\users\ 2 \(Documents|Downloads|Desktop) false"
        • Shows files in users' documents/downloads/desktop folders
    • reg
      • Allows recursively listing and searching for registry values on the current machine and remotely (if remote registry is enabled).
    • Added additional defensive process checks thanks to @swarleysez, @Ne0nd0g, and @leechristensen. See https://github.com/GhostPack/Seatbelt/pull/17 and https://github.com/GhostPack/Seatbelt/pull/19.
    • Added Xen virtual machine detections thanks to @rasta-mouse. See https://github.com/GhostPack/Seatbelt/pull/18
  • Added the following command aliases:
    • "Remote" for common commands to run remotely
    • "Slack" to run Slack-specific modules
    • "Chrome" to run Chrome-specific modules
  • Added in ability to give commands arguments (to be expanded in the future). Syntax: Seatbelt.exe "PoweredOnEvents 30"
  • Added remote support for WMI/registry enumeration modules that are marked with a +
    • Usage: computername=COMPUTER.DOMAIN.COM [username=DOMAIN\USER password=PASSWORD]
  • Added the "-q" command-line flag to not print the logo
  • Added ability to output to a file with the the "-o " parameter
    • Providing a file that ends in .json produces JSON-structured output!
  • Added in the architecture for different output sinks. Still need to convert a lot of cmdlets to the new format.
  • Added a module template.
  • Added CHANGELOG.md.

Changed

  • Externalized all commands into their own class/file
  • Cleaned up some of the registry querying code
  • Commands can now be case-insensitive
  • Seatbelt's help message is now dynamically created
  • Renamed RebootSchedule to PoweredOnEvents
    • Now enumerates events for system startup/shutdown, unexpected shutdown, and sleeping/awaking.
  • Modified the output of the Logon and ExplicitLogon event commands to be easier to read/analyze
  • LogonEvents, ExplicitLogonEvents, and PoweredOnEvents take an argument of how many days back to collect logs for. Example: Seatbelt.exe "LogonEvents 50"
  • Added Added timezone, locale information, MachineGuid, Build number and UBR (if present) to OSInfo command
  • Refactored registry enumeration code
  • Putty command now lists if agent forwarding is enabled
  • Renamed BasicOSInfo to OSInfo
  • Simplified IsLocalAdmin code
  • Added the member type to localgroupmembership output
  • Simplified the RDPSavedConnections code
  • Formatted the output of RDPSavedConnections to be prettier
  • Formatted the output of RecentFiles to be prettier
  • Modified logonevents default so that it only outputs the past day on servers
  • Re-wrote the PowerShell command. Added AMSI information and hints for bypassing.
  • Add NTLM/Kerberos informational alerts to the LogonEvents command
  • Changed the output format of DpapiMasterKeys
  • Re-wrote the Registry helper code
  • Refactored the helper code
  • Incorprated @mark-s's code to speed up the interestingfiles command. See #16
  • Added SDDL to the "fileinfo" command
  • Added MRUs for all office applications to the RecentFiles command
  • RecentFiles now has a paramater that restricts how old the documents are. "RecentFiles 20" - Shows files accessed in the last 20 days.
  • Renamed RegistryValue command to "reg"
  • Search terms in the "reg" command now match keys, value names, and values.
  • Updated the "reg" commands arguments.
    • Usage: "reg <HIVE[\PATH\TO\KEY]> [depth] [searchTerm] [ignoreErrors]"
    • Defaults: "reg HKLM\Software 1 default true"
  • Added generic GetSecurityInfos command into SecurityUtil
  • Formatting tweak for DPAPIMasterkeys
  • WindowsVaults output filtering
  • Renamed RecentFiles to ExplorerMRUs, broke out functionality for ExplorerMRUs and OfficeMRUs
  • Broke IETriage command into IEUrls and IEFavorites
  • Changed FirefoxCommand to FirefoxHistory
  • Changed ChromePresence and FirefoxPresence to display last modified timestamps for the history/cred/etc. files
  • Split ChromeCommand into ChromeHistoryCommand and ChromeBookmarksCommand
  • Broke PuttyCommand into PuttyHostKeys and PuttySessions
  • Added SDDL field to InterestingFiles command
  • Modified IdleTime to display the current user and time in hⓂ️s:ms format
  • Moved Firewall enumeration to the registry (instead of the COM object). Thanks @Max_68!
  • Changed TokenGroups output formatting
  • Renamed localgroupmemberships to localgroups
  • Changed network firewall enumeration to display "non-builtin" rules instead of deny. Added basic filtering.
  • Added IsDotNet property to the FileInfo command
  • Renamed "NonstandardProcesses" and "NonstandardServices" to "Processes" and "Services", respectively
  • LocalGroups now enumerates all (by default non-empty) local groups and memberships, along with comments
  • Added a "modules" argument to the "Processes" command to display non-Microsoft loaded processes
  • Notify operator when LSA Protected Mode is enabled (RunAsPPL)
  • Updated the EnvironmentVariables command to distinguish between user/system/current process/volatile variables
  • Added a user filter to ExplicitLogonEvents. Usage: ExplicitLogonEvents <days> <targetUserRegex>
  • Added version check for Chrome (v80+)
  • Added analysis messages for the logonevents command
  • Rewrote and expanded README.md

Fixed

  • Some timestamp converting code in the ticket extraction section
  • Fixed Chrome bookmark command (threw an exception with folders)
  • Fixed reboot schedule (xpath query wasn't precise enough, leading to exceptions)
  • Fixed an exception that was being thrown in the CloudCredential command
  • NonstandardServices command
    • Fixed a bug that occurred during enumeration
    • Added ServiceDll and User fields
    • Partially fixed path parsing in NonstandardServices with some help from OJ (@TheColonial)! See https://github.com/GhostPack/Seatbelt/pull/14
    • Cleaned up the code
  • Fixed a bug in localgroupmembership
  • Check if it's a Server before running the AntiVirus check (the WMI class isn't on servers)
  • Fixed a bug in WindowsCredentialFiles so it wouldn't output null bytes
  • Fixed a null reference bug in the PowerShell command
  • Fixed the OS version comparisons in WindowsVault command
  • Fixed a DWORD parsing bug in the registry util class for big (i.e. negative int) values
  • ARPTable bug fix/error handling
  • Fixed PuttySession HKCU v. HKU bug
  • Fixed a terminating exception bug in the Processes command when obtaining file version info
  • More additional bug fixes than we can count >_<

Removed

  • Removed the UserFolder command (replaced by DirectoryList command)

[0.2.0] - 2018-08-20

Added

  • @djhohnstein's vault enumeration

Changed

  • @ClementNotin/@cnotin's various fixes

[0.1.0] - 2018-07-24

  • Initial release