GhostPack/Seatbelt
GitHub: GhostPack/Seatbelt
A powerful C# host-survey tool that quickly enumerates a Windows system's security configuration and sensitive information from both the offensive and the defensive perspective.
Stars: 4492 | Forks: 760
# Seatbelt
Seatbelt is a C# project that performs a number of security-oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
[@andrewchiles](https://twitter.com/andrewchiles)' [HostEnum.ps1](https://github.com/threatexpress/red-team-scripts/blob/master/HostEnum.ps1) script and [@tifkin\_](https://twitter.com/tifkin_)'s [Get-HostProfile.ps1](https://github.com/leechristensen/Random/blob/master/PowerShellScripts/Get-HostProfile.ps1) provided inspiration for many of the artifacts collected.
[@harmj0y](https://twitter.com/harmj0y) and [@tifkin_](https://twitter.com/tifkin_) are the primary authors of this implementation.
Seatbelt is licensed under the BSD 3-Clause license.
## Table of Contents
- [Seatbelt](#seatbelt)
  * [Table of Contents](#table-of-contents)
  * [Command-Line Usage](#command-line-usage)
  * [Command Groups](#command-groups)
    + [system](#system)
    + [user](#user)
    + [misc](#misc)
    + [Additional Command Groups](#additional-command-groups)
  * [Command Arguments](#command-arguments)
  * [Output](#output)
  * [Remote Enumeration](#remote-enumeration)
  * [Building Your Own Modules](#building-your-own-modules)
  * [Compile Instructions](#compile-instructions)
  * [Acknowledgments](#acknowledgments)
## Command-Line Usage
```
[ASCII art banner]
Seatbelt
v1.2.1
Available commands (+ means remote usage is supported):
+ AMSIProviders - Providers registered for AMSI
+ AntiVirus - Registered antivirus (via WMI)
+ AppLocker - AppLocker settings, if installed
ARPTable - Lists the current ARP table and adapter information (equivalent to arp -a)
AuditPolicies - Enumerates classic and advanced audit policy settings
+ AuditPolicyRegistry - Audit settings via the registry
+ AutoRuns - Auto run executables/scripts/programs
azuread - Return AzureAD info
Certificates - Finds user and machine personal certificate files
CertificateThumbprints - Finds thumbprints for all certificate store certs on the system
+ ChromiumBookmarks - Parses any found Chrome/Edge/Brave/Opera bookmark files
+ ChromiumHistory - Parses any found Chrome/Edge/Brave/Opera history files
+ ChromiumPresence - Checks if interesting Chrome/Edge/Brave/Opera files exist
+ CloudCredentials - AWS/Google/Azure/Bluemix cloud credential files
+ CloudSyncProviders - All configured Office 365 endpoints (tenants and teamsites) which are synchronised by OneDrive.
CredEnum - Enumerates the current user's saved credentials using CredEnumerate()
+ CredGuard - CredentialGuard configuration
dir - Lists files/folders. By default, lists users' downloads, documents, and desktop folders (arguments == [directory] [maxDepth] [regex] [boolIgnoreErrors]
+ DNSCache - DNS cache entries (via WMI)
+ DotNet - DotNet versions
+ DpapiMasterKeys - List DPAPI master keys
EnvironmentPath - Current environment %PATH$ folders and SDDL information
+ EnvironmentVariables - Current environment variables
+ ExplicitLogonEvents - Explicit Logon events (Event ID 4648) from the security event log. Default of 7 days, argument == last X days.
ExplorerMRUs - Explorer most recently used files (last 7 days, argument == last X days)
+ ExplorerRunCommands - Recent Explorer "run" commands
FileInfo - Information about a file (version information, timestamps, basic PE info, etc. argument(s) == file path(s)
+ FileZilla - FileZilla configuration files
+ FirefoxHistory - Parses any found FireFox history files
+ FirefoxPresence - Checks if interesting Firefox files exist
+ Hotfixes - Installed hotfixes (via WMI)
IdleTime - Returns the number of seconds since the current user's last input.
+ IEFavorites - Internet Explorer favorites
IETabs - Open Internet Explorer tabs
+ IEUrls - Internet Explorer typed URLs (last 7 days, argument == last X days)
+ InstalledProducts - Installed products via the registry
InterestingFiles - "Interesting" files matching various patterns in the user's folder. Note: takes non-trivial time.
+ InterestingProcesses - "Interesting" processes - defensive products and admin tools
InternetSettings - Internet settings including proxy configs and zones configuration
+ KeePass - Finds KeePass configuration files
+ LAPS - LAPS settings, if installed
+ LastShutdown - Returns the DateTime of the last system shutdown (via the registry).
LocalGPOs - Local Group Policy settings applied to the machine/local users
+ LocalGroups - Non-empty local groups, "-full" displays all groups (argument == computername to enumerate)
+ LocalUsers - Local users, whether they're active/disabled, and pwd last set (argument == computername to enumerate)
+ LogonEvents - Logon events (Event ID 4624) from the security event log. Default of 10 days, argument == last X days.
+ LogonSessions - Windows logon sessions
LOLBAS - Locates Living Off The Land Binaries and Scripts (LOLBAS) on the system. Note: takes non-trivial time.
+ LSASettings - LSA settings (including auth packages)
+ MappedDrives - Users' mapped drives (via WMI)
McAfeeConfigs - Finds McAfee configuration files
McAfeeSiteList - Decrypt any found McAfee SiteList.xml configuration files.
MicrosoftUpdates - All Microsoft updates (via COM)
MTPuTTY - MTPuTTY configuration files
NamedPipes - Named pipe names, any readable ACL information and associated process information.
+ NetworkProfiles - Windows network profiles
+ NetworkShares - Network shares exposed by the machine (via WMI)
+ NTLMSettings - NTLM authentication settings
OfficeMRUs - Office most recently used file list (last 7 days)
OneNote - List OneNote backup files
+ OptionalFeatures - List Optional Features/Roles (via WMI)
OracleSQLDeveloper - Finds Oracle SQLDeveloper connections.xml files
+ OSInfo - Basic OS info (i.e. architecture, OS version, etc.)
+ OutlookDownloads - List files downloaded by Outlook
+ PoweredOnEvents - Reboot and sleep schedule based on the System event log EIDs 1, 12, 13, 42, and 6008. Default of 7 days, argument == last X days.
+ PowerShell - PowerShell versions and security settings
+ PowerShellEvents - PowerShell script block logs (4104) with sensitive data.
+ PowerShellHistory - Searches PowerShell console history files for sensitive regex matches.
Printers - Installed Printers (via WMI)
+ ProcessCreationEvents - Process creation logs (4688) with sensitive data.
Processes - Running processes with file info company names that don't contain 'Microsoft', "-full" enumerates all processes
+ ProcessOwners - Running non-session 0 process list with owners. For remote use.
+ PSSessionSettings - Enumerates PS Session Settings from the registry
+ PuttyHostKeys - Saved Putty SSH host keys
+ PuttySessions - Saved Putty configuration (interesting fields) and SSH host keys
RDCManFiles - Windows Remote Desktop Connection Manager settings files
+ RDPSavedConnections - Saved RDP connections stored in the registry
+ RDPSessions - Current incoming RDP sessions (argument == computername to enumerate)
+ RDPsettings - Remote Desktop Server/Client Settings
RecycleBin - Items in the Recycle Bin deleted in the last 30 days - only works from a user context!
reg - Registry key values (HKLM\Software by default) argument == [Path] [intDepth] [Regex] [boolIgnoreErrors]
RPCMappedEndpoints - Current RPC endpoints mapped
+ SCCM - System Center Configuration Manager (SCCM) settings, if applicable
+ ScheduledTasks - Scheduled tasks (via WMI) that aren't authored by 'Microsoft', "-full" dumps all Scheduled tasks
SearchIndex - Query results from the Windows Search Index, default term of 'passsword'. (argument(s) ==
SecPackageCreds - Obtains credentials from security packages
+ SecureBoot - Secure Boot configuration
SecurityPackages - Enumerates the security packages currently available using EnumerateSecurityPackagesA()
Services - Services with file info company names that don't contain 'Microsoft', "-full" dumps all processes
+ SlackDownloads - Parses any found 'slack-downloads' files
+ SlackPresence - Checks if interesting Slack files exist
+ SlackWorkspaces - Parses any found 'slack-workspaces' files
+ SuperPutty - SuperPutty configuration files
+ Sysmon - Sysmon configuration from the registry
+ SysmonEvents - Sysmon process creation logs (1) with sensitive data.
TcpConnections - Current TCP connections and their associated processes and services
TokenGroups - The current token's local and domain groups
TokenPrivileges - Currently enabled token privileges (e.g. SeDebugPrivilege/etc.)
+ UAC - UAC system policies via the registry
UdpConnections - Current UDP connections and associated processes and services
UserRightAssignments - Configured User Right Assignments (e.g. SeDenyNetworkLogonRight, SeShutdownPrivilege, etc.) argument == computername to enumerate
WifiProfile - Enumerates the saved Wifi profiles and extract the ssid, authentication type, cleartext key/passphrase (when possible)
+ WindowsAutoLogon - Registry autologon information
WindowsCredentialFiles - Windows credential DPAPI blobs
+ WindowsDefender - Windows Defender settings (including exclusion locations)
+ WindowsEventForwarding - Windows Event Forwarding (WEF) settings via the registry
+ WindowsFirewall - Non-standard firewall rules, "-full" dumps all (arguments == allow/deny/tcp/udp/in/out/domain/private/public)
WindowsVault - Credentials saved in the Windows Vault (i.e. logins from Internet Explorer and Edge).
+ WMI - Runs a specified WMI query
WMIEventConsumer - Lists WMI Event Consumers
WMIEventFilter - Lists WMI Event Filters
WMIFilterBinding - Lists WMI Filter to Consumer Bindings
+ WSUS - Windows Server Update Services (WSUS) settings, if applicable
Seatbelt has the following command groups: All, User, System, Slack, Chromium, Remote, Misc
You can invoke command groups with "Seatbelt.exe "
Or command groups except specific commands "Seatbelt.exe -Command"
"Seatbelt.exe -group=all" runs all commands
"Seatbelt.exe -group=user" runs the following commands:
azuread, Certificates, CertificateThumbprints, ChromiumPresence, CloudCredentials,
CloudSyncProviders, CredEnum, dir, DpapiMasterKeys,
ExplorerMRUs, ExplorerRunCommands, FileZilla, FirefoxPresence,
IdleTime, IEFavorites, IETabs, IEUrls,
KeePass, MappedDrives, MTPuTTY, OfficeMRUs,
OneNote, OracleSQLDeveloper, PowerShellHistory, PuttyHostKeys,
PuttySessions, RDCManFiles, RDPSavedConnections, SecPackageCreds,
SlackDownloads, SlackPresence, SlackWorkspaces, SuperPutty,
TokenGroups, WindowsCredentialFiles, WindowsVault
"Seatbelt.exe -group=system" runs the following commands:
AMSIProviders, AntiVirus, AppLocker, ARPTable, AuditPolicies,
AuditPolicyRegistry, AutoRuns, Certificates, CertificateThumbprints,
CredGuard, DNSCache, DotNet, EnvironmentPath,
EnvironmentVariables, Hotfixes, InterestingProcesses, InternetSettings,
LAPS, LastShutdown, LocalGPOs, LocalGroups,
LocalUsers, LogonSessions, LSASettings, McAfeeConfigs,
NamedPipes, NetworkProfiles, NetworkShares, NTLMSettings,
OptionalFeatures, OSInfo, PoweredOnEvents, PowerShell,
Processes, PSSessionSettings, RDPSessions, RDPsettings,
SCCM, SecureBoot, Services, Sysmon,
TcpConnections, TokenPrivileges, UAC, UdpConnections,
UserRightAssignments, WifiProfile, WindowsAutoLogon, WindowsDefender,
WindowsEventForwarding, WindowsFirewall, WMI, WMIEventConsumer,
WMIEventFilter, WMIFilterBinding, WSUS
"Seatbelt.exe -group=slack" runs the following commands:
SlackDownloads, SlackPresence, SlackWorkspaces
"Seatbelt.exe -group=chromium" runs the following commands:
ChromiumBookmarks, ChromiumHistory, ChromiumPresence
"Seatbelt.exe -group=remote" runs the following commands:
AMSIProviders, AntiVirus, AuditPolicyRegistry, ChromiumPresence, CloudCredentials,
DNSCache, DotNet, DpapiMasterKeys, EnvironmentVariables,
ExplicitLogonEvents, ExplorerRunCommands, FileZilla, Hotfixes,
InterestingProcesses, KeePass, LastShutdown, LocalGroups,
LocalUsers, LogonEvents, LogonSessions, LSASettings,
MappedDrives, NetworkProfiles, NetworkShares, NTLMSettings,
OptionalFeatures, OSInfo, PoweredOnEvents, PowerShell,
ProcessOwners, PSSessionSettings, PuttyHostKeys, PuttySessions,
RDPSavedConnections, RDPSessions, RDPsettings, SecureBoot,
Sysmon, WindowsDefender, WindowsEventForwarding, WindowsFirewall
"Seatbelt.exe -group=misc" runs the following commands:
ChromiumBookmarks, ChromiumHistory, ExplicitLogonEvents, FileInfo, FirefoxHistory,
InstalledProducts, InterestingFiles, LogonEvents, LOLBAS,
McAfeeSiteList, MicrosoftUpdates, OutlookDownloads, PowerShellEvents,
Printers, ProcessCreationEvents, ProcessOwners, RecycleBin,
reg, RPCMappedEndpoints, ScheduledTasks, SearchIndex,
SecurityPackages, SysmonEvents
Examples:
'Seatbelt.exe [Command2] ...' will run one or more specified checks only
'Seatbelt.exe -full' will return complete results for a command without any filtering.
'Seatbelt.exe " [argument]"' will pass an argument to a command that supports it (note the quotes).
'Seatbelt.exe -group=all' will run ALL enumeration checks, can be combined with "-full".
'Seatbelt.exe -group=all -AuditPolicies' will run all enumeration checks EXCEPT AuditPolicies, can be combined with "-full".
'Seatbelt.exe -computername=COMPUTER.DOMAIN.COM [-username=DOMAIN\USER -password=PASSWORD]' will run an applicable check remotely
'Seatbelt.exe -group=remote -computername=COMPUTER.DOMAIN.COM [-username=DOMAIN\USER -password=PASSWORD]' will run remote specific checks
'Seatbelt.exe -group=system -outputfile="C:\Temp\out.txt"' will run system checks and output to a .txt file.
'Seatbelt.exe -group=user -q -outputfile="C:\Temp\out.json"' will run in quiet mode with user checks and output to a .json file.
```
**Note:** User-specific checks target the current user when the tool is run unelevated, and all users when it is run elevated.
## Command Groups
**Note:** Many commands perform some form of filtering by default. Supplying the `-full` argument prevents the output from being filtered. In addition, the command group `all` runs every current check.
For example, the following command runs all checks and returns all output:
`Seatbelt.exe -group=all -full`
### System
Runs checks that collect interesting data about the system.
Command: `Seatbelt.exe -group=system`
| Command | Description |
| ----------- | ----------- |
| AMSIProviders | Providers registered for AMSI |
| AntiVirus | Registered antivirus (via WMI) |
| AppLocker | AppLocker settings, if installed |
| ARPTable | Lists the current ARP table and adapter information (equivalent to arp -a) |
| AuditPolicies | Enumerates classic and advanced audit policy settings |
| AuditPolicyRegistry | Audit settings via the registry |
| AutoRuns | Auto-run executables/scripts/programs |
| Certificates | User and machine personal certificate files |
| CertificateThumbprints | Thumbprints for all certificate store certs on the system |
| CredGuard | CredentialGuard configuration |
| DNSCache | DNS cache entries (via WMI) |
| DotNet | DotNet versions |
| EnvironmentPath | Current environment %PATH$ folders and SDDL information |
| EnvironmentVariables | Current user environment variables |
| Hotfixes | Installed hotfixes (via WMI) |
| InterestingProcesses | "Interesting" processes - defensive products and admin tools |
| InternetSettings | Internet settings including proxy configs |
| LAPS | LAPS settings, if installed |
| LastShutdown | Returns the DateTime of the last system shutdown (via the registry) |
| LocalGPOs | Local Group Policy settings applied to the machine/local users |
| LocalGroups | Non-empty local groups, "full" displays all groups (argument == computername to enumerate) |
| LocalUsers | Local users, whether they're active/disabled, and pwd last set (argument == computername to enumerate) |
| LogonSessions | Logon events (Event ID 4624) from the security event log. Default of 10 days, argument == last X days. |
| LSASettings | LSA settings (including auth packages) |
| McAfeeConfigs | Finds McAfee configuration files |
| NamedPipes | Named pipe names and any readable ACL information |
| NetworkProfiles | Windows network profiles |
| NetworkShares | Network shares exposed by the machine (via WMI) |
| NTLMSettings | NTLM authentication settings |
| OptionalFeatures | TODO |
| OSInfo | Basic OS info (i.e. architecture, OS version, etc.) |
| PoweredOnEvents | Reboot and sleep schedule based on the System event log EIDs 1, 12, 13, 42, and 6008. Default of 7 days, argument == last X days. |
| PowerShell | PowerShell versions and security settings |
| Processes | Running processes with file info company names that don't contain 'Microsoft', "full" enumerates all processes |
| PSSessionSettings | Enumerates PS Session Settings from the registry |
| RDPSessions | Current incoming RDP sessions (argument == computername to enumerate) |
| RDPsettings | Remote Desktop Server/Client Settings |
| SCCM | System Center Configuration Manager (SCCM) settings, if applicable |
| Services | Services with file info company names that don't contain 'Microsoft', "full" dumps all processes |
| Sysmon | Sysmon configuration from the registry |
| TcpConnections | Current TCP connections and their associated processes and services |
| TokenPrivileges | Currently enabled token privileges (e.g. SeDebugPrivilege/etc.) |
| UAC | UAC system policies via the registry |
| UdpConnections | Current UDP connections and associated processes and services |
| UserRightAssignments | Configured User Right Assignments (e.g. SeDenyNetworkLogonRight, SeShutdownPrivilege, etc.) argument == computername to enumerate |
| WifiProfile | TODO |
| WindowsAutoLogon | Registry autologon information |
| WindowsDefender | Windows Defender settings (including exclusion locations) |
| WindowsEventForwarding | Windows Event Forwarding (WEF) settings via the registry |
| WindowsFirewall | Non-standard firewall rules, "full" dumps all (arguments == allow/deny/tcp/udp/in/out/domain/private/public) |
| WMIEventConsumer | Lists WMI Event Consumers |
| WMIEventFilter | Lists WMI Event Filters |
| WMIFilterBinding | Lists WMI Filter to Consumer Bindings |
| WSUS | Windows Server Update Services (WSUS) settings, if applicable |
### User
Runs checks that collect interesting data about the currently logged-on user (if unelevated) or all users (if elevated).
Command: `Seatbelt.exe -group=user`
| Command | Description |
| ----------- | ----------- |
| Certificates | User and machine personal certificate files |
| CertificateThumbprints | Thumbprints for all certificate store certs on the system |
| ChromiumPresence | Checks if interesting Chrome/Edge/Brave/Opera files exist |
| CloudCredentials | AWS/Google/Azure cloud credential files |
| CloudSyncProviders | TODO |
| CredEnum | Enumerates the current user's saved credentials using CredEnumerate() |
| dir | Lists files/folders. By default, lists users' downloads, documents, and desktop folders (argument == \ \ \ |
| DpapiMasterKeys | List DPAPI master keys |
| Dsregcmd | TODO |
| ExplorerMRUs | Explorer most recently used files (last 7 days, argument == last X days) |
| ExplorerRunCommands | Recent Explorer "run" commands |
| FileZilla | FileZilla configuration files |
| FirefoxPresence | Checks if interesting Firefox files exist |
| IdleTime | Returns the number of seconds since the current user's last input. |
| IEFavorites | Internet Explorer favorites |
| IETabs | Open Internet Explorer tabs |
| IEUrls | Internet Explorer typed URLs (last 7 days, argument == last X days) |
| KeePass | TODO |
| MappedDrives | Users' mapped drives (via WMI) |
| OfficeMRUs | Office most recently used file list (last 7 days) |
| OneNote | TODO |
| OracleSQLDeveloper | TODO |
| PowerShellHistory | Iterates through every local user and attempts to read their PowerShell console history; prints it if successful |
| PuttyHostKeys | Saved Putty SSH host keys |
| PuttySessions | Saved Putty configuration (interesting fields) and SSH host keys |
| RDCManFiles | Windows Remote Desktop Connection Manager settings files |
| RDPSavedConnections | Saved RDP connections stored in the registry |
| SecPackageCreds | Obtains credentials from security packages |
| SlackDownloads | Parses any found 'slack-downloads' files |
| SlackPresence | Checks if interesting Slack files exist |
| SlackWorkspaces | Parses any found 'slack-workspaces' files |
| SuperPutty | SuperPutty configuration files |
| TokenGroups | The current token's local and domain groups |
| WindowsCredentialFiles | Windows credential DPAPI blobs |
| WindowsVault | Credentials saved in the Windows Vault (i.e. logins from Internet Explorer and Edge). |
### Misc
Runs all miscellaneous checks.
Command: `Seatbelt.exe -group=misc`
| Command | Description |
| ----------- | ----------- |
| ChromiumBookmarks | Parses any found Chrome/Edge/Brave/Opera bookmark files |
| ChromiumHistory | Parses any found Chrome/Edge/Brave/Opera history files |
| ExplicitLogonEvents | Explicit Logon events (Event ID 4648) from the security event log. Default of 7 days, argument == last X days. |
| FileInfo | Information about a file (version information, timestamps, basic PE info, etc. argument == file path |
| FirefoxHistory | Parses any found FireFox history files |
| InstalledProducts | Installed products via the registry |
| InterestingFiles | "Interesting" files matching various patterns in the user's folder. Note: takes non-trivial time. |
| LogonEvents | Logon events (Event ID 4624) from the security event log. Default of 10 days, argument == last X days. |
| LOLBAS | Locates Living Off The Land Binaries and Scripts (LOLBAS) on the system. Note: takes non-trivial time. |
| McAfeeSiteList | Decrypt any found McAfee SiteList.xml configuration files. |
| MicrosoftUpdates | All Microsoft updates (via COM) |
| OutlookDownloads | List files downloaded by Outlook |
| PowerShellEvents | PowerShell script block logs (4104) with sensitive data. |
| Printers | Installed Printers (via WMI) |
| ProcessCreationEvents | Process creation logs (4688) with sensitive data. |
| ProcessOwners | Running non-session 0 process list with owners. For remote use. |
| RecycleBin | Items in the Recycle Bin deleted in the last 30 days - only works from a user context! |
| reg | Registry key values (HKLM\Software by default) argument == [Path] [intDepth] [Regex] [boolIgnoreErrors] |
| RPCMappedEndpoints | Current RPC endpoints mapped |
| ScheduledTasks | Scheduled tasks (via WMI) that aren't authored by 'Microsoft', "full" dumps all Scheduled tasks |
| SearchIndex | Query results from the Windows Search Index, default term of 'passsword'. (argument(s) == \ \ |
| SecurityPackages | Enumerates the security packages currently available using EnumerateSecurityPackagesA() |
| SysmonEvents | Sysmon process creation logs (1) with sensitive data. |
### Additional Command Groups
Command: `Seatbelt.exe -group=GROUPNAME`
| Alias | Description |
| ----------- | ----------- |
| Slack | Runs modules that start with "Slack*" |
| Chromium | Runs modules that start with "Chromium*" |
| Remote | Runs the following modules (for use against a remote system): AMSIProviders, AntiVirus, AuditPolicyRegistry, ChromiumPresence, CloudCredentials, DNSCache, DotNet, DpapiMasterKeys, EnvironmentVariables, ExplicitLogonEvents, ExplorerRunCommands, FileZilla, Hotfixes, InterestingProcesses, KeePass, LastShutdown, LocalGroups, LocalUsers, LogonEvents, LogonSessions, LSASettings, MappedDrives, NetworkProfiles, NetworkShares, NTLMSettings, OptionalFeatures, OSInfo, PoweredOnEvents, PowerShell, ProcessOwners, PSSessionSettings, PuttyHostKeys, PuttySessions, RDPSavedConnections, RDPSessions, RDPsettings, Sysmon, WindowsDefender, WindowsEventForwarding, WindowsFirewall |
## Command Arguments
Commands that accept arguments are noted in their descriptions. To pass an argument to a command, enclose the command and its argument(s) in double quotes.
For example, the following command returns 4624 logon events from the last 30 days:
`Seatbelt.exe "LogonEvents 30"`
The following command queries the registry three levels deep, returns only key/value names/values that match the regex `.*defini.*`, and ignores any errors that occur:
`Seatbelt.exe "reg \"HKLM\SOFTWARE\Microsoft\Windows Defender\" 3 .*defini.* true"`
## Output
Seatbelt can redirect its output to a file with the `-outputfile="C:\Path\file.txt"` argument. If the file path ends in .json, the output is structured JSON.
For example, the following command writes the results of the system checks to a txt file:
`Seatbelt.exe -group=system -outputfile="C:\Temp\system.txt"`
## Remote Enumeration
Commands marked with a + in the help menu can be run remotely against another system. This is done over WMI, by querying WMI classes and by using WMI's StdRegProv for registry enumeration.
To enumerate a remote system, supply `-computername=COMPUTER.DOMAIN.COM`; an alternate username and password can be specified with `-username=DOMAIN\USER -password=PASSWORD`.
For example, the following command runs the remote-focused checks against a remote system:
`Seatbelt.exe -group=remote -computername=192.168.230.209 -username=THESHIRE\sam -password="yum \"po-ta-toes\""`
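As an added example (not part of the Seatbelt project), the following script parses the help listing shown under Command-Line Usage into an inventory that records which checks carry the `+` remote marker, which event IDs they read and what their default look-back window is, and also builds the double-quoted command lines described under Command Arguments. The sample help lines are copied from this page's listing; the `CheckInfo` structure and function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a few entries copied from the Seatbelt help listing on this
# page, with the original column layout restored. Banner and header lines are
# included to show that the parser skips them.
SAMPLE_HELP = r"""
Available commands (+ means remote usage is supported):

    + AMSIProviders          - Providers registered for AMSI
      ARPTable               - Lists the current ARP table and adapter information (equivalent to arp -a)
    + ExplicitLogonEvents    - Explicit Logon events (Event ID 4648) from the security event log. Default of 7 days, argument == last X days.
    + LocalGroups            - Non-empty local groups, "-full" displays all groups (argument == computername to enumerate)
    + LogonEvents            - Logon events (Event ID 4624) from the security event log. Default of 10 days, argument == last X days.
    + PoweredOnEvents        - Reboot and sleep schedule based on the System event log EIDs 1, 12, 13, 42, and 6008. Default of 7 days, argument == last X days.
      RecycleBin             - Items in the Recycle Bin deleted in the last 30 days - only works from a user context!
      reg                    - Registry key values (HKLM\Software by default) argument == [Path] [intDepth] [Regex] [boolIgnoreErrors]
"""

# One help entry: optional '+', the command name, ' - ', then the description.
ENTRY_RE = re.compile(r"^\s*(?P<plus>\+)?\s*(?P<name>\S+)\s+-\s+(?P<desc>.+?)\s*$")
DAYS_RE = re.compile(r"Default of (\d+) days")
EVENT_ID_RE = re.compile(r"Event ID (\d+)")
EIDS_RE = re.compile(r"EIDs? ([\d, and]+)")


@dataclass
class CheckInfo:
    name: str
    description: str
    remote: bool                 # '+' prefix: the check can run against another host over WMI
    takes_argument: bool         # description mentions an "argument =="
    default_days: Optional[int]  # look-back window from "Default of N days", if any
    event_ids: List[int]         # Windows event IDs the description names, if any


def _event_ids(desc: str) -> List[int]:
    """Collect event IDs written as 'Event ID 4624' or as a list 'EIDs 1, 12, ...'."""
    ids = [int(x) for x in EVENT_ID_RE.findall(desc)]
    m = EIDS_RE.search(desc)
    if m:
        ids.extend(int(x) for x in re.findall(r"\d+", m.group(1)))
    return ids


def parse_help(text: str) -> List[CheckInfo]:
    """Turn Seatbelt help output into one CheckInfo per listed command."""
    checks: List[CheckInfo] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # banner art, the header line, blank lines
        desc = m.group("desc")
        days = DAYS_RE.search(desc)
        checks.append(CheckInfo(
            name=m.group("name"),
            description=desc,
            remote=m.group("plus") is not None,
            takes_argument="argument" in desc.lower(),
            default_days=int(days.group(1)) if days else None,
            event_ids=_event_ids(desc),
        ))
    return checks


def remote_event_log_checks(checks: List[CheckInfo]) -> List[str]:
    """Checks that both support remote use and read event logs: the reads a
    defender should expect to arrive over WMI from another host, not from a
    local process."""
    return [c.name for c in checks if c.remote and c.event_ids]


def build_invocation(command: str, *args: str) -> str:
    """Quote a command and its arguments as the README requires: the whole
    'command arg ...' string in one pair of double quotes, with any argument that
    contains spaces wrapped in escaped quotes (as in the page's 'reg' example)."""
    if not args:
        return f"Seatbelt.exe {command}"
    quoted = [f'\\"{a}\\"' if " " in a else a for a in args]
    return 'Seatbelt.exe "' + " ".join([command] + quoted) + '"'


if __name__ == "__main__":
    inventory = parse_help(SAMPLE_HELP)
    for c in inventory:
        print(f"{'+' if c.remote else ' '} {c.name:<20} args={c.takes_argument} "
              f"days={c.default_days} eids={c.event_ids}")
    print("remote event-log checks:", remote_event_log_checks(inventory))
    print(build_invocation("LogonEvents", "30"))
```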
## Building Your Own Modules
Seatbelt's structure is completely modular, allowing additional command modules to be dropped into the file structure and loaded dynamically.
There is a commented command module template at `.\Seatbelt\Commands\Template.cs` for reference. Once built, place the module in a logical file location, include it in the project in the Visual Studio Solution Explorer, and compile.
## Compile Instructions
We are not planning on releasing binaries for Seatbelt, so you will have to compile it yourself.
Seatbelt has been built against .NET 3.5 and 4.0 with C# 8.0 features and is compatible with [Visual Studio Community Edition](https://visualstudio.microsoft.com/downloads/). Simply open the project .sln, choose "release", and build. To change the target .NET framework version, [modify the project's settings](https://github.com/GhostPack/Seatbelt/issues/27) and rebuild the project.
## Acknowledgments
Seatbelt incorporates various collection items, C# code snippets, and PoC snippets found during research into its functionality. These ideas, snippets, and authors are highlighted in the appropriate locations in the source code, and include:
* [@andrewchiles](https://twitter.com/andrewchiles)' [HostEnum.ps1](https://github.com/threatexpress/red-team-scripts/blob/master/HostEnum.ps1) script and [@tifkin\_](https://twitter.com/tifkin_)'s [Get-HostProfile.ps1](https://github.com/leechristensen/Random/blob/master/PowerShellScripts/Get-HostProfile.ps1) provided inspiration for many of the artifacts collected.
* [Boboes' code for NetLocalGroupGetMembers](https://stackoverflow.com/questions/33935825/pinvoke-netlocalgroupgetmembers-runs-into-fatalexecutionengineerror/33939889#33939889)
* [ambyte's code for converting a mapped drive letter to a network path](https://gist.github.com/ambyte/01664dc7ee576f69042c)
* [Igor Korkhov's code for retrieving current token group information](https://stackoverflow.com/questions/2146153/how-to-get-the-logon-sid-in-c-sharp/2146418#2146418)
* [RobSiklos' snippet for determining whether a host is a virtual machine](https://stackoverflow.com/questions/498371/how-to-detect-if-my-application-is-running-in-a-virtual-machine/11145280#11145280)
* [JGU's snippet on file/folder ACL right comparison](https://stackoverflow.com/questions/1410127/c-sharp-test-if-user-has-write-access-to-a-folder/21996345#21996345)
* [Rod Stephens' pattern for recursive file enumeration](http://csharphelper.com/blog/2015/06/find-files-that-match-multiple-patterns-in-c/)
* [SwDevMan81's snippet for enumerating current token privileges](https://stackoverflow.com/questions/4349743/setting-size-of-token-privileges-luid-and-attributes-array-returned-by-gettokeni)
* [Jared Atkinson's PowerShell work on the Kerberos ticket cache](https://github.com/Invoke-IR/ACE/blob/master/ACE-Management/PS-ACE/Scripts/ACE_Get-KerberosTicketCache.ps1)
* [darkmatter08's Kerberos C# snippet](https://www.dreamincode.net/forums/topic/135033-increment-memory-pointer-issue/)
* Numerous [PInvoke.net](https://www.pinvoke.net/) examples <3
* [Jared Hill's awesome CodeProject on using the Local Security Authority to enumerate user sessions](https://www.codeproject.com/Articles/18179/Using-the-Local-Security-Authority-to-Enumerate-Us)
* [Fred's code for querying the ARP cache](https://social.technet.microsoft.com/Forums/lync/en-US/e949b8d6-17ad-4afc-88cd-0019a3ac9df9/powershell-alternative-to-arp-a?forum=ITCG)
* [ShuggyCoUk's snippet for querying the TCP connection table](https://stackoverflow.com/questions/577433/which-pid-listens-on-a-given-port-in-c-sharp/577660#577660)
* [yizhang82's example of using reflection to interact with COM objects through C#](https://gist.github.com/yizhang82/a1268d3ea7295a8a1496e01d60ada816)
* [@djhohnstein](https://twitter.com/djhohnstein)'s [SharpWeb project](https://github.com/djhohnstein/SharpWeb/blob/master/Edge/SharpEdge.cs)
* [@djhohnstein](https://twitter.com/djhohnstein)'s [EventLogParser project](https://github.com/djhohnstein/EventLogParser)
* [@cmaddalena](https://twitter.com/cmaddalena)'s [SharpCloud project](https://github.com/chrismaddalena/SharpCloud), BSD 3-Clause
* [@_RastaMouse](https://twitter.com/_RastaMouse)'s [Watson project](https://github.com/rasta-mouse/Watson/), GPL License
* [@_RastaMouse](https://twitter.com/_RastaMouse)'s [work on AppLocker enumeration](https://rastamouse.me/2018/09/enumerating-applocker-config/)
* [@peewpw](https://twitter.com/peewpw)'s [Invoke-WCMDump project](https://github.com/peewpw/Invoke-WCMDump/blob/master/Invoke-WCMDump.ps1), GPL License
* TrustedSec's [HoneyBadger project](https://github.com/trustedsec/HoneyBadger/tree/master/modules/post/windows/gather), BSD 3-Clause
* CENTRAL Solutions' [Audit User Rights Assignment Project](https://www.centrel-solutions.com/support/tools.aspx?feature=auditrights), No license
* Collection ideas inspired by [@ukstufus](https://twitter.com/ukstufus)'s [Reconerator](https://github.com/stufus/reconerator)
* Office MRU location and timestamp-parsing information from Dustin Hurlbut's paper [Microsoft Office 2007, 2010 - Registry Artifacts](https://ad-pdf.s3.amazonaws.com/Microsoft_Office_2007-2010_Registry_ArtifactsFINAL.pdf)
* The [Windows command list](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/windows-commands), used to build the sensitive regexes
* [Ryan Ries' code for enumerating mapped RPC endpoints](https://stackoverflow.com/questions/21805038/how-do-i-pinvoke-rpcmgmtepeltinqnext)
* [Chris Haas' post on EnumerateSecurityPackages()](https://stackoverflow.com/a/5941873)
* [darkoperator](carlos_perez)'s [work on the HoneyBadger project](https://github.com/trustedsec/HoneyBadger)
* [@airzero24](https://twitter.com/airzero24)'s [work on WMI registry enumeration](https://github.com/airzero24/WMIReg)
* Alexandru's answer on [alternatives to RegistryKey.OpenBaseKey](https://stackoverflow.com/questions/26217199/what-are-some-alternatives-to-registrykey-openbasekey-in-net-3-5)
* Tomas Vera's post on [JavaScriptSerializer](http://www.tomasvera.com/programming/using-javascriptserializer-to-parse-json-objects/)
* Marc Gravell's notes on [recursively listing files/folders](https://stackoverflow.com/a/929418)
* [@mattifestation](https://twitter.com/mattifestation)'s [Sysmon rule parser](https://github.com/mattifestation/PSSysmonTools/blob/master/PSSysmonTools/Code/SysmonRuleParser.ps1#L589-L595)
* Some inspiration from spolnik's [Simple.CredentialsManager project](https://github.com/spolnik/Simple.CredentialsManager), Apache 2 license
* [This post on Credential Guard settings](https://www.tenforums.com/tutorials/68926-verify-if-device-guard-enabled-disabled-windows-10-a.html)
* [This thread on network profile information](https://social.technet.microsoft.com/Forums/windows/en-US/b0e13a16-51a6-4aca-8d44-c85e097f882b/nametype-in-nla-information-for-a-network-profile)
* Mark McKinnon's post on [decoding DateCreated and DateLastConnected SSID values](http://cfed-ttf.blogspot.com/2009/08/decoding-datecreated-and.html)
* This Specops [post on Group Policy caching](https://specopssoft.com/blog/things-work-group-policy-caching/)
* sa_ddam213's [StackOverflow post on enumerating Recycle Bin items](https://stackoverflow.com/questions/18071412/list-filenames-in-the-recyclebin-with-c-sharp-without-using-any-external-files)
* Kirill Osenkov's code on [managed assembly detection](https://stackoverflow.com/a/15608028)
* The SecBuffer/SecBufferDesc classes from the [Mono project](https://github.com/mono/linux-packaging-mono/blob/d356d2b7db91d62b80a61eeb6fbc70a402ac3cac/external/corefx/LICENSE.TXT)
* [Elad Shamir](https://twitter.com/elad_shamir) and his [Internal-Monologue](https://github.com/eladshamir/Internal-Monologue/) project, [Vincent Le Toux](https://twitter.com/mysmartlogon)'s [DetectPasswordViaNTLMInFlow](https://github.com/vletoux/DetectPasswordViaNTLMInFlow/) project, and Lee Christensen's [GetNTLMChallenge](https://github.com/leechristensen/GetNTLMChallenge/) project. All of these inspired the SecPackageCreds command.
* @leftp and @eksperience's [Gopher project](https://github.com/EncodeGroup/Gopher) inspired the FileZilla and SuperPutty commands
* @funoverip for the original McAfee SiteList.xml decryption code
We have tried to cite everything; if we missed someone or something, please let us know!