Seatbelt

Start

```
SeatbeltNet3.5x64.exe all
SeatbeltNet3.5x64.exe all full   # Without filtering
```

These are the pre-1.0 command-line arguments (`all`, `full`). Seatbelt 1.0 and later replaced them with `Seatbelt.exe -group=all -full`, so check which build you are carrying before copying the line above.
I really like the performed filtering.

Check

This tool is oriented more toward information gathering than privilege escalation, but it has some pretty nice checks and looks for saved passwords along the way (autologon values, PuTTY proxy passwords, cloud credential files, DPAPI blobs).
SeatBelt.exe system collects the following system data:

```
BasicOSInfo          - Basic OS info (i.e. architecture, OS version, etc.)
RebootSchedule       - Reboot schedule (last 15 days) based on event IDs 12 and 13
TokenGroupPrivs      - Current process/token privileges (e.g. SeDebugPrivilege/etc.)
UACSystemPolicies    - UAC system policies via the registry
PowerShellSettings   - PowerShell versions and security settings
AuditSettings        - Audit settings via the registry
WEFSettings          - Windows Event Forwarding (WEF) settings via the registry
LSASettings          - LSA settings (including auth packages)
UserEnvVariables     - Current user environment variables
SystemEnvVariables   - Current system environment variables
UserFolders          - Folders in C:\Users\
NonstandardServices  - Services with file info company names that don't contain 'Microsoft'
InternetSettings     - Internet settings including proxy configs
LapsSettings         - LAPS settings, if installed
LocalGroupMembers    - Members of local admins, RDP, and DCOM
MappedDrives         - Mapped drives
RDPSessions          - Current incoming RDP sessions
WMIMappedDrives      - Mapped drives via WMI
NetworkShares        - Network shares
FirewallRules        - Deny firewall rules, "full" dumps all
AntiVirusWMI         - Registered antivirus (via WMI)
InterestingProcesses - "Interesting" processes - defensive products and admin tools
RegistryAutoRuns     - Registry autoruns
RegistryAutoLogon    - Registry autologon information
DNSCache             - DNS cache entries (via WMI)
ARPTable             - Lists the current ARP table and adapter information (equivalent to arp -a)
AllTcpConnections    - Lists current TCP connections and associated processes
AllUdpConnections    - Lists current UDP connections and associated processes
NonstandardProcesses - Running processes with file info company names that don't contain 'Microsoft'

* If the user is in high integrity, the following additional actions are run:

SysmonConfig         - Sysmon configuration from the registry
```
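Most of the registry-based "system" checks above reduce to reading a handful of well-known keys. The script below is an added example, not Seatbelt's code and not from this page, that reproduces UACSystemPolicies, RegistryAutoLogon, LSASettings, LapsSettings, PowerShellSettings, AuditSettings, WEFSettings and SysmonConfig with plain PowerShell, for hosts where dropping a .NET binary is not an option. The registry paths and value names are the standard Windows locations (my assumption of what Seatbelt reads, not taken from the page); the `Get-RegValues`/`Show-Check` helpers are mine.

```powershell
# Added example, not Seatbelt's code: reproduce several of the "system" checks
# with plain PowerShell. Registry paths/value names are the standard Windows
# locations (assumed, not taken from the page). Run elevated to also read Sysmon.

function Get-RegValues {
    # Returns an ordered table of the requested values, or $null if the key is absent.
    param([string]$Path, [string[]]$Names)
    if (-not (Test-Path $Path)) { return $null }
    $key = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    $out = [ordered]@{}
    foreach ($n in $Names) { $out[$n] = $key.$n }   # $null when the value is missing
    return $out
}

function Show-Check {
    param([string]$Name, $Data)
    Write-Output "=== $Name ==="
    if ($null -eq $Data) { Write-Output '  (nothing found)'; return }
    if ($Data -is [System.Collections.IDictionary]) {
        foreach ($k in $Data.Keys) { Write-Output ('  {0,-36} {1}' -f $k, ($Data[$k] -join ', ')) }
    } else {
        foreach ($v in @($Data)) { Write-Output "  $v" }
    }
}

# UACSystemPolicies: EnableLUA=0 disables UAC; LocalAccountTokenFilterPolicy=1 gives
# remote logons by local admins an unfiltered token (pass-the-hash friendly).
Show-Check 'UACSystemPolicies' (Get-RegValues 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
    @('EnableLUA', 'ConsentPromptBehaviorAdmin', 'LocalAccountTokenFilterPolicy', 'FilterAdministratorToken'))

# RegistryAutoLogon: a populated DefaultPassword is a cleartext credential.
Show-Check 'RegistryAutoLogon' (Get-RegValues 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
    @('AutoAdminLogon', 'DefaultDomainName', 'DefaultUserName', 'DefaultPassword'))

# LSASettings: RunAsPPL=1 means LSASS runs as a protected process; packages beyond the
# stock set (msv1_0, kerberos, negotiate, schannel, wdigest, tspkg, pku2u) deserve a look.
Show-Check 'LSASettings' (Get-RegValues 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    @('RunAsPPL', 'LmCompatibilityLevel', 'NoLMHash', 'RestrictAnonymous', 'Authentication Packages', 'Security Packages'))

# LapsSettings: legacy LAPS keeps its policy under AdmPwd and ships a client-side extension DLL.
Show-Check 'LapsSettings' (Get-RegValues 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' `
    @('AdmPwdEnabled', 'PasswordComplexity', 'PasswordLength', 'PasswordAgeDays'))
Show-Check 'LapsCseDllPresent' (Test-Path 'C:\Program Files\LAPS\CSE\AdmPwd.dll')

# PowerShellSettings: installed engine versions plus the three logging policies that
# decide how visible PowerShell tradecraft is (script block, module, transcription).
$engines = foreach ($v in 1, 3) {
    $e = Get-RegValues "HKLM:\SOFTWARE\Microsoft\PowerShell\$v\PowerShellEngine" @('PowerShellVersion')
    if ($e) { $e['PowerShellVersion'] }
}
Show-Check 'PowerShellVersions' $engines
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$logging = [ordered]@{}
foreach ($pair in @(@('ScriptBlockLogging', 'EnableScriptBlockLogging'),
                    @('ModuleLogging', 'EnableModuleLogging'),
                    @('Transcription', 'EnableTranscripting'))) {
    $r = Get-RegValues "$pol\$($pair[0])" @($pair[1])
    $logging[$pair[0]] = if ($r) { $r[$pair[1]] } else { 'not configured' }
}
Show-Check 'PowerShellLogging' $logging

# AuditSettings: whether 4688 process-creation events carry the full command line.
Show-Check 'AuditSettings' (Get-RegValues 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' `
    @('ProcessCreationIncludeCmdLine_Enabled'))

# WEFSettings: any SubscriptionManager entry means event logs are forwarded off-host.
$wefKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
$wef = if (Test-Path $wefKey) {
    (Get-Item $wefKey).Property | ForEach-Object { (Get-ItemProperty $wefKey).$_ }
}
Show-Check 'WEFSettings' $wef

# SysmonConfig: the driver's Parameters key is ACLed to administrators, which is why
# Seatbelt only collects it in high integrity. Service presence is readable by anyone.
Show-Check 'SysmonService' (Get-Service -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^Sysmon(64)?$' } | ForEach-Object Name)
Show-Check 'SysmonConfig' (Get-RegValues 'HKLM:\SYSTEM\CurrentControlSet\Services\SysmonDrv\Parameters' `
    @('HashingAlgorithm', 'Options'))
```

Values that come back empty are as interesting as populated ones: no `EnableScriptBlockLogging`, no WEF subscription and no Sysmon service together say a lot about what the blue team will see.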
SeatBelt.exe user collects the following user data:

```
SavedRDPConnections  - Saved RDP connections
TriageIE             - Internet Explorer bookmarks and history (last 7 days)
DumpVault            - Dump saved credentials in Windows Vault (i.e. logins from Internet Explorer and Edge), from SharpWeb
RecentRunCommands    - Recent "run" commands
PuttySessions        - Interesting settings from any saved Putty configurations
PuttySSHHostKeys     - Saved putty SSH host keys
CloudCreds           - AWS/Google/Azure cloud credential files (SharpCloud)
RecentFiles          - Parsed "recent files" shortcuts (last 7 days)
MasterKeys           - List DPAPI master keys
CredFiles            - List Windows credential DPAPI blobs
RDCManFiles          - List Windows Remote Desktop Connection Manager settings files

* If the user is in high integrity, this data is collected for ALL users instead of just the current user
```
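The "user" checks are a mix of per-user registry keys and well-known files under the profile, and the high-integrity behaviour above is just "repeat the same pass for every user hive loaded under HKEY_USERS". The script below is an added example, not Seatbelt's or SharpCloud's code, covering SavedRDPConnections, PuttySessions, PuttySSHHostKeys, CloudCreds, RDCManFiles, MasterKeys and CredFiles. The registry keys and profile paths are the standard locations those tools store data in (my assumption, not stated on the page); `Test-IsElevated` approximates "high integrity" by checking for the Administrators role.

```powershell
# Added example, not Seatbelt's code: a PowerShell pass over the per-user artifacts
# behind Seatbelt's "user" checks. As a normal user it covers only the caller; when
# elevated it walks every loaded user hive, mirroring "high integrity => ALL users".
# Registry keys and file paths are the standard locations (assumed, not from the page).

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UserTriage {
    param(
        [string]$HiveRoot,   # 'HKCU:' or 'Registry::HKEY_USERS\<SID>'
        [string]$Profile     # e.g. C:\Users\alice
    )
    # SavedRDPConnections: one subkey per target host, with the username used.
    $rdp = Get-ChildItem "$HiveRoot\Software\Microsoft\Terminal Server Client\Servers" -ErrorAction SilentlyContinue |
        ForEach-Object { '{0} (user hint: {1})' -f $_.PSChildName, (Get-ItemProperty $_.PSPath).UsernameHint }

    # PuttySessions / PuttySSHHostKeys: host, port, user and any stored proxy password.
    $putty = Get-ChildItem "$HiveRoot\Software\SimonTatham\PuTTY\Sessions" -ErrorAction SilentlyContinue |
        ForEach-Object {
            $s = Get-ItemProperty $_.PSPath
            '{0}: {1}@{2}:{3} proxy_pw={4}' -f $_.PSChildName, $s.UserName, $s.HostName, $s.PortNumber, $s.ProxyPassword
        }
    $hostKeys = (Get-Item "$HiveRoot\Software\SimonTatham\PuTTY\SshHostKeys" -ErrorAction SilentlyContinue).Property

    # CloudCreds / RDCManFiles / MasterKeys / CredFiles: on-disk locations under the profile.
    $paths = [ordered]@{
        AwsCredentials   = "$Profile\.aws\credentials"
        AzureProfile     = "$Profile\.azure\azureProfile.json"
        AzureTokens      = "$Profile\.azure\accessTokens.json"
        GcloudCreds      = "$Profile\AppData\Roaming\gcloud\credentials.db"
        RDCManSettings   = "$Profile\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings"
        DpapiMasterKeys  = "$Profile\AppData\Roaming\Microsoft\Protect"
        CredFilesRoaming = "$Profile\AppData\Roaming\Microsoft\Credentials"
        CredFilesLocal   = "$Profile\AppData\Local\Microsoft\Credentials"
    }
    $found = foreach ($p in $paths.GetEnumerator()) {
        if (Test-Path $p.Value) {
            # -Force: master keys and credential blobs are hidden/system files.
            $n = (Get-ChildItem $p.Value -Recurse -Force -File -ErrorAction SilentlyContinue | Measure-Object).Count
            '{0}: {1} ({2} file(s))' -f $p.Key, $p.Value, $n
        }
    }

    [pscustomobject]@{
        Profile         = $Profile
        SavedRDP        = @($rdp)
        PuttySessions   = @($putty)
        PuttyHostKeys   = @($hostKeys)
        CredentialFiles = @($found)
    }
}

if (Test-IsElevated) {
    # Every domain/local user whose hive is loaded; map SID -> profile dir via ProfileList.
    $profiles = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    Get-ChildItem Registry::HKEY_USERS |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
        ForEach-Object {
            $sid = $_.PSChildName
            $dir = (Get-ItemProperty "$profiles\$sid" -ErrorAction SilentlyContinue).ProfileImagePath
            if ($dir) { Get-UserTriage -HiveRoot "Registry::HKEY_USERS\$sid" -Profile $dir }
        }
} else {
    Get-UserTriage -HiveRoot 'HKCU:' -Profile $env:USERPROFILE
}
```

Only hives of users who are currently logged on (or whose profiles were left loaded) appear under HKEY_USERS; profiles on disk with no loaded hive still yield the file-based findings if you point `Get-UserTriage` at their directory, but the registry-based ones need the NTUSER.DAT to be loaded first.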
Non-default collection options:

```
CurrentDomainGroups  - The current user's local and domain groups
Patches              - Installed patches via WMI (takes a bit on some systems)
LogonSessions        - User logon session data
KerberosTGTData      - ALL TEH TGTZ!
InterestingFiles     - "Interesting" files matching various patterns in the user's folder
IETabs               - Open Internet Explorer tabs
TriageChrome         - Chrome bookmarks and history
TriageFirefox        - Firefox history (no bookmarks)
RecycleBin           - Items in the Recycle Bin deleted in the last 30 days - only works from a user context!
4624Events           - 4624 logon events from the security event log
4648Events           - 4648 explicit logon events from the security event log
KerberosTickets      - List Kerberos tickets. If elevated, grouped by all logon sessions.
```
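The 4624Events and 4648Events collectors are the ones most often worth the extra run time: they tell you which accounts touch the box (and from where), and which processes have used explicit credentials for a different account. The script below is an added example, not Seatbelt's code, that pulls both event IDs from the Security log with `Get-WinEvent`, parses the EventData fields from the event XML, drops the machine-account and service-account noise, and pivots 4624 by account and logon type. Reading the Security log needs an elevated token or membership in Event Log Readers, which is why these are non-default; the `$Days` window and the noise regex are my choices.

```powershell
# Added example, not Seatbelt's code: what 4624Events / 4648Events boil down to.
# Needs rights to read the Security log (admin or Event Log Readers).
$Days = 7   # look-back window (assumption; pick what fits the engagement)

function Get-EventField {
    # Pull one named <Data> element out of an event's EventData block.
    param([xml]$Xml, [string]$Name)
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$filter = @{ LogName = 'Security'; Id = 4624, 4648; StartTime = (Get-Date).AddDays(-$Days) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Skip the noise Seatbelt also filters out: machine accounts ($) and built-in service accounts.
$noise = '^(SYSTEM|ANONYMOUS LOGON|LOCAL SERVICE|NETWORK SERVICE|DWM-\d+|UMFD-\d+)$'

$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $target = Get-EventField $x 'TargetUserName'
    if ($target -match $noise -or $target -like '*$') { continue }
    if ($e.Id -eq 4624) {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Id        = 4624
            Subject   = Get-EventField $x 'SubjectUserName'
            Target    = '{0}\{1}' -f (Get-EventField $x 'TargetDomainName'), $target
            LogonType = Get-EventField $x 'LogonType'   # 2 interactive, 3 network, 9 runas /netonly, 10 RDP
            Source    = Get-EventField $x 'IpAddress'
            Detail    = Get-EventField $x 'AuthenticationPackageName'
        }
    } else {
        # 4648: a process supplied explicit credentials for another account
        # (runas, PsExec-style tooling, scheduled tasks, lateral movement).
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Id        = 4648
            Subject   = Get-EventField $x 'SubjectUserName'
            Target    = '{0}\{1}' -f (Get-EventField $x 'TargetDomainName'), $target
            LogonType = '-'
            Source    = Get-EventField $x 'TargetServerName'
            Detail    = Get-EventField $x 'ProcessName'
        }
    }
}

$rows | Sort-Object Time | Format-Table -AutoSize

# Pivot: which accounts log on to this host, and how. Type 10 = RDP, type 3 = SMB/WinRM/etc.
$rows | Where-Object Id -eq 4624 |
    Group-Object Target, LogonType | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

A 4648 whose `Subject` is a low-privileged user and whose `Target` is an admin account is the quickest pointer to where someone types privileged credentials on a workstation, which is exactly the kind of lead the rest of Seatbelt's user checks help you follow up.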