工具:Windows安全检查SeatBelt

admin 2022年10月1日20:27:33安全工具评论21 views10517字阅读35分3秒阅读模式

有个Windows的安全检查工具,确实不错,推荐给大家。

它是这样介绍自己的,时间太紧,就自己看吧。

工具:Windows安全检查SeatBelt



一、下载地址

https://github.com/GhostPack/Seatbelt

我编译好了,放在网盘中。


链接:https://pan.baidu.com/s/1O4ooxQK_iSZtqOnh9j5RdA

提取码:ggo5


Exe在这个目录下,

工具:Windows安全检查SeatBelt

二、使用方法

1)Seatbelt has the following command groups: All, User, System, Slack, Chrome, Remote, Misc

格式:You can invoke command groups with "Seatbelt.exe <group>"

1、 "Seatbelt.exe -group=all" runs all commands

2、 "Seatbelt.exe -group=user" runs the following commands:

ChromePresence, CloudCredentials, CredEnum, dir, DpapiMasterKeys,
ExplorerMRUs, ExplorerRunCommands, FileZilla, FirefoxPresence,
IdleTime, IEFavorites, IETabs, IEUrls,
MappedDrives, OfficeMRUs, PowerShellHistory, PuttyHostKeys,
PuttySessions, RDCManFiles, RDPSavedConnections, SecPackageCreds,
SlackDownloads, SlackPresence, SlackWorkspaces, SuperPutty,
TokenGroups, WindowsCredentialFiles, WindowsVault

3、 "Seatbelt.exe -group=system" runs the following commands:

AMSIProviders, AntiVirus, AppLocker, ARPTable, AuditPolicies,
AuditPolicyRegistry, AutoRuns, CredGuard, DNSCache,
DotNet, EnvironmentPath, EnvironmentVariables, Hotfixes,
InterestingProcesses, InternetSettings, LAPS, LastShutdown,
LocalGPOs, LocalGroups, LocalUsers, LogonSessions,
LSASettings, McAfeeConfigs, NamedPipes, NetworkProfiles,
NetworkShares, NTLMSettings, OSInfo, PoweredOnEvents,
PowerShell, Processes, PSSessionSettings, RDPSessions,
RDPsettings, SCCM, Services, Sysmon,
TcpConnections, TokenPrivileges, UAC, UdpConnections,
UserRightAssignments, WindowsAutoLogon, WindowsDefender, WindowsEventForwarding,
WindowsFirewall, WMIEventConsumer, WMIEventFilter, WMIFilterBinding,
WSUS

4、"Seatbelt.exe -group=slack" runs the following commands:

SlackDownloads, SlackPresence, SlackWorkspaces

5、"Seatbelt.exe -group=chrome" runs the following commands:

ChromeBookmarks, ChromeHistory, ChromePresence

6、"Seatbelt.exe -group=remote" runs the following commands:

AMSIProviders, AntiVirus, DotNet, ExplorerRunCommands, Hotfixes,
InterestingProcesses, LastShutdown, LogonSessions, LSASettings,
MappedDrives, NetworkProfiles, NetworkShares, NTLMSettings,
PowerShell, ProcessOwners, PuttyHostKeys, PuttySessions,
RDPSavedConnections, RDPSessions, RDPsettings, Sysmon,
WindowsDefender, WindowsEventForwarding, WindowsFirewall

"Seatbelt.exe -group=misc" runs the following commands:

ChromeBookmarks, ChromeHistory, ExplicitLogonEvents, FileInfo, FirefoxHistory,
HuntLolbas, InstalledProducts, InterestingFiles, LogonEvents,
McAfeeSiteList, MicrosoftUpdates, OutlookDownloads, PowerShellEvents,
Printers, ProcessCreationEvents, ProcessOwners, RecycleBin,
reg, RPCMappedEndpoints, ScheduledTasks, SearchIndex,
SecurityPackages, SysmonEvents


2)详细列表如下,

1、整体检查

 the following command will run ALL checks and returns ALL output:

Seatbelt.exe -group=all -full

2、system

Runs checks that mine interesting data about the system.

Executed with: Seatbelt.exe -group=system

Command Description
AMSIProviders Providers registered for AMSI
AntiVirus Registered antivirus (via WMI)
AppLocker AppLocker settings, if installed
ARPTable Lists the current ARP table and adapter information(equivalent to arp -a)
AuditPolicies Enumerates classic and advanced audit policy settings
AuditPolicyRegistry Audit settings via the registry
AutoRuns Auto run executables/scripts/programs
CredGuard CredentialGuard configuration
DNSCache DNS cache entries (via WMI)
DotNet DotNet versions
EnvironmentPath Current environment %PATH$ folders and SDDL information
EnvironmentVariables Current user environment variables
Hotfixes Installed hotfixes (via WMI)
InterestingProcesses "Interesting" processes - defensive products and admin tools
InternetSettings Internet settings including proxy configs
LAPS LAPS settings, if installed
LastShutdown Returns the DateTime of the last system shutdown (via the registry)
LocalGPOs Local Group Policy settings applied to the machine/local users
LocalGroups Non-empty local groups, "full" displays all groups (argument == computername to enumerate)
LocalUsers Local users, whether they're active/disabled, and pwd last set (argument == computername to enumerate)
LogonSessions Logon events (Event ID 4624) from the security event log. Default of 10 days, argument == last X days.
LSASettings LSA settings (including auth packages)
McAfeeConfigs Finds McAfee configuration files
NamedPipes Named pipe names and any readable ACL information
NetworkProfiles Windows network profiles
NetworkShares Network shares exposed by the machine (via WMI)
NTLMSettings NTLM authentication settings
OSInfo Basic OS info (i.e. architecture, OS version, etc.)
PoweredOnEvents Reboot and sleep schedule based on the System event log EIDs 1, 12, 13, 42, and 6008. Default of 7 days, argument == last X days.
PowerShell PowerShell versions and security settings
Processes Running processes with file info company names that don't contain 'Microsoft', "full" enumerates all processes
PSSessionSettings Enumerates PS Session Settings from the registry
RDPSessions Current incoming RDP sessions (argument == computername to enumerate)
RDPsettings Remote Desktop Server/Client Settings
SCCM System Center Configuration Manager (SCCM) settings, if applicable
Services Services with file info company names that don't contain 'Microsoft', "full" dumps all processes
Sysmon Sysmon configuration from the registry
TcpConnections Current TCP connections and their associated processes and services
TokenPrivileges Currently enabled token privileges (e.g. SeDebugPrivilege/etc.)
UAC UAC system policies via the registry
UdpConnections Current UDP connections and associated processes and services
UserRightAssignments Configured User Right Assignments (e.g. SeDenyNetworkLogonRight, SeShutdownPrivilege, etc.) argument == computername to enumerate
WindowsAutoLogon Registry autologon information
WindowsDefender Windows Defender settings (including exclusion locations)
WindowsEventForwarding Windows Event Forwarding (WEF) settings via the registry
WindowsFirewall Non-standard firewall rules, "full" dumps all (arguments == allow/deny/tcp/udp/in/out/domain/private/public)
WMIEventConsumer Lists WMI Event Consumers
WMIEventFilter Lists WMI Event Filters
WMIFilterBinding Lists WMI Filter to Consumer Bindings
WSUS Windows Server Update Services (WSUS) settings, if applicable

3、user

Runs checks that mine interesting data about the currently logged on user (if not elevated) or ALL users (if elevated).

Executed with: Seatbelt.exe -group=user

Command Description
ChromePresence Checks if interesting Google Chrome files exist
CloudCredentials AWS/Google/Azure cloud credential files
CredEnum Enumerates the current user's saved credentials using CredEnumerate()
dir Lists files/folders. By default, lists users' downloads, documents, and desktop folders (arguments == <directory> <depth> <regex>
DpapiMasterKeys List DPAPI master keys
ExplorerMRUs Explorer most recently used files (last 7 days, argument == last X days)
ExplorerRunCommands Recent Explorer "run" commands
FileZilla FileZilla configuration files
FirefoxPresence Checks if interesting Firefox files exist
IdleTime Returns the number of seconds since the current user's last input.
IEFavorites Internet Explorer favorites
IETabs Open Internet Explorer tabs
IEUrls Internet Explorer typed URLs (last 7 days, argument == last X days)
MappedDrives Users' mapped drives (via WMI)
OfficeMRUs Office most recently used file list (last 7 days)
PowerShellHistory Iterates through every local user and attempts to read their PowerShell console history if successful will print it
PuttyHostKeys Saved Putty SSH host keys
PuttySessions Saved Putty configuration (interesting fields) and SSH host keys
RDCManFiles Windows Remote Desktop Connection Manager settings files
RDPSavedConnections Saved RDP connections stored in the registry
SecPackageCreds Obtains credentials from security packages
SlackDownloads Parses any found 'slack-downloads' files
SlackPresence Checks if interesting Slack files exist
SlackWorkspaces Parses any found 'slack-workspaces' files
SuperPutty SuperPutty configuration files
TokenGroups The current token's local and domain groups
WindowsCredentialFiles Windows credential DPAPI blobs
WindowsVault Credentials saved in the Windows Vault (i.e. logins from Internet Explorer and Edge).

4、misc

Runs all miscellaneous checks.

Executed with: Seatbelt.exe -group=misc

Command Description
ChromeBookmarks Parses any found Chrome bookmark files
ChromeHistory Parses any found Chrome history files
ExplicitLogonEvents Explicit Logon events (Event ID 4648) from the security event log. Default of 7 days, argument == last X days.
FileInfo Information about a file (version information, timestamps, basic PE info, etc. argument(s) == file path(s)
FirefoxHistory Parses any found FireFox history files
HuntLolbas Locates Living Off The Land Binaries and Scripts (LOLBAS) on the system. Note: takes non-trivial time.
InstalledProducts Installed products via the registry
InterestingFiles "Interesting" files matching various patterns in the user's folder. Note: takes non-trivial time.
LogonEvents Logon events (Event ID 4624) from the security event log. Default of 10 days, argument == last X days.
McAfeeSiteList Decrypt any found McAfee SiteList.xml configuration files.
MicrosoftUpdates All Microsoft updates (via COM)
OutlookDownloads List files downloaded by Outlook
PowerShellEvents PowerShell script block logs (4104) with sensitive data.
Printers Installed Printers (via WMI)
ProcessCreationEvents Process creation logs (4688) with sensitive data.
ProcessOwners Running non-session 0 process list with owners. For remote use.
RecycleBin Items in the Recycle Bin deleted in the last 30 days - only works from a user context!
reg Registry key values (HKLMSoftware by default) argument == [Path] [intDepth] [Regex] [boolIgnoreErrors]
RPCMappedEndpoints Current RPC endpoints mapped
ScheduledTasks Scheduled tasks (via WMI) that aren't authored by 'Microsoft', "full" dumps all Scheduled tasks
SearchIndex Query results from the Windows Search Index, default term of 'passsword'. (argument(s) == <search path> <pattern1,pattern2,...>
SecurityPackages Enumerates the security packages currently available using EnumerateSecurityPackagesA()
SysmonEvents Sysmon process creation logs (1) with sensitive data.

5、Additional Command Groups

Executed with: Seatbelt.exe -group=GROUPNAME

Alias Description
Slack Runs modules that start with "Slack*"
Chrome Runs modules that start with "Chrome*"
Remote Runs the following modules (for use against a remote system): AMSIProviders, AntiVirus, DotNet, ExplorerRunCommands, Hotfixes, InterestingProcesses, LastShutdown, LogonSessions, LSASettings, MappedDrives, NetworkProfiles, NetworkShares, NTLMSettings, PowerShell, ProcessOwners, PuttyHostKeys, PuttySessions, RDPSavedConnections, RDPSessions, RDPsettings, Sysmon, WindowsDefender, WindowsEventForwarding, WindowsFirewall


6、命令行参数

6-1、the following command returns 4624 logon events for the last 30 days:

Seatbelt.exe "LogonEvents 30"

6-2、The following command queries a registry three levels deep, returning only keys/valueNames/values that match the regex .*defini.*, and ignoring any errors that occur.


Seatbelt.exe "reg "HKLMSOFTWAREMicrosoftWindows Defender" 3 .*defini.* true"


6-3、the following command will output the results of system checks to a txt file:

Seatbelt.exe -group=system -outputfile="C:Tempsystem.txt"


7、远程枚举

7-1、To enumerate a remote system, supply -computername=COMPUTER.DOMAIN.COM - an alternate username and password can be specified with -username=DOMAINUSER -password=PASSWORD

7-2、the following command runs remote-focused checks against a remote system:

Seatbelt.exe -group=remote -computername=192.168.230.209 -username=THESHIREsam -password="yum "po-ta-toes""


三、效果

不截长图了,效果很好,确实是利器。


感谢无糖学院导师戴华老师分享。

欢迎关注公众号MicroPest

工具:Windows安全检查SeatBelt

原文始发于微信公众号(无糖反网络犯罪研究中心):工具:Windows安全检查SeatBelt

特别标注: 本站(CN-SEC.COM)所有文章仅供技术研究,若将其信息做其他用途,由用户承担全部法律及连带责任,本站不承担任何法律及连带责任,请遵守中华人民共和国安全法.
  • 我的微信
  • 微信扫一扫
  • weinxin
  • 我的微信公众号
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2022年10月1日20:27:33
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                  工具:Windows安全检查SeatBelt http://cn-sec.com/archives/1068373.html

发表评论

匿名网友 填写信息

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: