Tool: Windows security check SeatBelt

Posted by admin, 2022-10-01 20:27:33

There is a Windows security check tool that is really quite good, and I recommend it to everyone.

This is how it introduces itself; I'm short on time, so read it for yourselves.




I. Download address

https://github.com/GhostPack/Seatbelt

I have compiled it and put it on a network drive.


Link: https://pan.baidu.com/s/1O4ooxQK_iSZtqOnh9j5RdA

Extraction code: ggo5


The exe is in this directory: [screenshot]

II. Usage

1)Seatbelt has the following command groups: All, User, System, Slack, Chrome, Remote, Misc

Format: You can invoke command groups with "Seatbelt.exe <group>"

1. "Seatbelt.exe -group=all" runs all commands

2. "Seatbelt.exe -group=user" runs the following commands:

ChromePresence, CloudCredentials, CredEnum, dir, DpapiMasterKeys,
ExplorerMRUs, ExplorerRunCommands, FileZilla, FirefoxPresence,
IdleTime, IEFavorites, IETabs, IEUrls,
MappedDrives, OfficeMRUs, PowerShellHistory, PuttyHostKeys,
PuttySessions, RDCManFiles, RDPSavedConnections, SecPackageCreds,
SlackDownloads, SlackPresence, SlackWorkspaces, SuperPutty,
TokenGroups, WindowsCredentialFiles, WindowsVault

3. "Seatbelt.exe -group=system" runs the following commands:

AMSIProviders, AntiVirus, AppLocker, ARPTable, AuditPolicies,
AuditPolicyRegistry, AutoRuns, CredGuard, DNSCache,
DotNet, EnvironmentPath, EnvironmentVariables, Hotfixes,
InterestingProcesses, InternetSettings, LAPS, LastShutdown,
LocalGPOs, LocalGroups, LocalUsers, LogonSessions,
LSASettings, McAfeeConfigs, NamedPipes, NetworkProfiles,
NetworkShares, NTLMSettings, OSInfo, PoweredOnEvents,
PowerShell, Processes, PSSessionSettings, RDPSessions,
RDPsettings, SCCM, Services, Sysmon,
TcpConnections, TokenPrivileges, UAC, UdpConnections,
UserRightAssignments, WindowsAutoLogon, WindowsDefender, WindowsEventForwarding,
WindowsFirewall, WMIEventConsumer, WMIEventFilter, WMIFilterBinding,
WSUS

4. "Seatbelt.exe -group=slack" runs the following commands:

SlackDownloads, SlackPresence, SlackWorkspaces

5. "Seatbelt.exe -group=chrome" runs the following commands:

ChromeBookmarks, ChromeHistory, ChromePresence

6. "Seatbelt.exe -group=remote" runs the following commands:

AMSIProviders, AntiVirus, DotNet, ExplorerRunCommands, Hotfixes,
InterestingProcesses, LastShutdown, LogonSessions, LSASettings,
MappedDrives, NetworkProfiles, NetworkShares, NTLMSettings,
PowerShell, ProcessOwners, PuttyHostKeys, PuttySessions,
RDPSavedConnections, RDPSessions, RDPsettings, Sysmon,
WindowsDefender, WindowsEventForwarding, WindowsFirewall

7. "Seatbelt.exe -group=misc" runs the following commands:

ChromeBookmarks, ChromeHistory, ExplicitLogonEvents, FileInfo, FirefoxHistory,
HuntLolbas, InstalledProducts, InterestingFiles, LogonEvents,
McAfeeSiteList, MicrosoftUpdates, OutlookDownloads, PowerShellEvents,
Printers, ProcessCreationEvents, ProcessOwners, RecycleBin,
reg, RPCMappedEndpoints, ScheduledTasks, SearchIndex,
SecurityPackages, SysmonEvents


2) The detailed list is as follows:

1. Full check

The following command will run ALL checks and return ALL output:

Seatbelt.exe -group=all -full

2. system

Runs checks that mine interesting data about the system.

Executed with: Seatbelt.exe -group=system

Command Description
AMSIProviders Providers registered for AMSI
AntiVirus Registered antivirus (via WMI)
AppLocker AppLocker settings, if installed
ARPTable Lists the current ARP table and adapter information (equivalent to arp -a)
AuditPolicies Enumerates classic and advanced audit policy settings
AuditPolicyRegistry Audit settings via the registry
AutoRuns Auto run executables/scripts/programs
CredGuard CredentialGuard configuration
DNSCache DNS cache entries (via WMI)
DotNet DotNet versions
EnvironmentPath Current environment %PATH% folders and SDDL information
EnvironmentVariables Current user environment variables
Hotfixes Installed hotfixes (via WMI)
InterestingProcesses "Interesting" processes - defensive products and admin tools
InternetSettings Internet settings including proxy configs
LAPS LAPS settings, if installed
LastShutdown Returns the DateTime of the last system shutdown (via the registry)
LocalGPOs Local Group Policy settings applied to the machine/local users
LocalGroups Non-empty local groups, "full" displays all groups (argument == computername to enumerate)
LocalUsers Local users, whether they're active/disabled, and pwd last set (argument == computername to enumerate)
LogonSessions Logon events (Event ID 4624) from the security event log. Default of 10 days, argument == last X days.
LSASettings LSA settings (including auth packages)
McAfeeConfigs Finds McAfee configuration files
NamedPipes Named pipe names and any readable ACL information
NetworkProfiles Windows network profiles
NetworkShares Network shares exposed by the machine (via WMI)
NTLMSettings NTLM authentication settings
OSInfo Basic OS info (i.e. architecture, OS version, etc.)
PoweredOnEvents Reboot and sleep schedule based on the System event log EIDs 1, 12, 13, 42, and 6008. Default of 7 days, argument == last X days.
PowerShell PowerShell versions and security settings
Processes Running processes with file info company names that don't contain 'Microsoft', "full" enumerates all processes
PSSessionSettings Enumerates PS Session Settings from the registry
RDPSessions Current incoming RDP sessions (argument == computername to enumerate)
RDPsettings Remote Desktop Server/Client Settings
SCCM System Center Configuration Manager (SCCM) settings, if applicable
Services Services with file info company names that don't contain 'Microsoft', "full" dumps all services
Sysmon Sysmon configuration from the registry
TcpConnections Current TCP connections and their associated processes and services
TokenPrivileges Currently enabled token privileges (e.g. SeDebugPrivilege/etc.)
UAC UAC system policies via the registry
UdpConnections Current UDP connections and associated processes and services
UserRightAssignments Configured User Right Assignments (e.g. SeDenyNetworkLogonRight, SeShutdownPrivilege, etc.) argument == computername to enumerate
WindowsAutoLogon Registry autologon information
WindowsDefender Windows Defender settings (including exclusion locations)
WindowsEventForwarding Windows Event Forwarding (WEF) settings via the registry
WindowsFirewall Non-standard firewall rules, "full" dumps all (arguments == allow/deny/tcp/udp/in/out/domain/private/public)
WMIEventConsumer Lists WMI Event Consumers
WMIEventFilter Lists WMI Event Filters
WMIFilterBinding Lists WMI Filter to Consumer Bindings
WSUS Windows Server Update Services (WSUS) settings, if applicable

3. user

Runs checks that mine interesting data about the currently logged on user (if not elevated) or ALL users (if elevated).

Executed with: Seatbelt.exe -group=user

Command Description
ChromePresence Checks if interesting Google Chrome files exist
CloudCredentials AWS/Google/Azure cloud credential files
CredEnum Enumerates the current user's saved credentials using CredEnumerate()
dir Lists files/folders. By default, lists users' downloads, documents, and desktop folders (arguments == <directory> <depth> <regex>)
DpapiMasterKeys List DPAPI master keys
ExplorerMRUs Explorer most recently used files (last 7 days, argument == last X days)
ExplorerRunCommands Recent Explorer "run" commands
FileZilla FileZilla configuration files
FirefoxPresence Checks if interesting Firefox files exist
IdleTime Returns the number of seconds since the current user's last input.
IEFavorites Internet Explorer favorites
IETabs Open Internet Explorer tabs
IEUrls Internet Explorer typed URLs (last 7 days, argument == last X days)
MappedDrives Users' mapped drives (via WMI)
OfficeMRUs Office most recently used file list (last 7 days)
PowerShellHistory Iterates through every local user and attempts to read their PowerShell console history; if successful, prints it
PuttyHostKeys Saved Putty SSH host keys
PuttySessions Saved Putty configuration (interesting fields) and SSH host keys
RDCManFiles Windows Remote Desktop Connection Manager settings files
RDPSavedConnections Saved RDP connections stored in the registry
SecPackageCreds Obtains credentials from security packages
SlackDownloads Parses any found 'slack-downloads' files
SlackPresence Checks if interesting Slack files exist
SlackWorkspaces Parses any found 'slack-workspaces' files
SuperPutty SuperPutty configuration files
TokenGroups The current token's local and domain groups
WindowsCredentialFiles Windows credential DPAPI blobs
WindowsVault Credentials saved in the Windows Vault (i.e. logins from Internet Explorer and Edge).

4. misc

Runs all miscellaneous checks.

Executed with: Seatbelt.exe -group=misc

Command Description
ChromeBookmarks Parses any found Chrome bookmark files
ChromeHistory Parses any found Chrome history files
ExplicitLogonEvents Explicit Logon events (Event ID 4648) from the security event log. Default of 7 days, argument == last X days.
FileInfo Information about a file (version information, timestamps, basic PE info, etc.; argument(s) == file path(s))
FirefoxHistory Parses any found FireFox history files
HuntLolbas Locates Living Off The Land Binaries and Scripts (LOLBAS) on the system. Note: takes non-trivial time.
InstalledProducts Installed products via the registry
InterestingFiles "Interesting" files matching various patterns in the user's folder. Note: takes non-trivial time.
LogonEvents Logon events (Event ID 4624) from the security event log. Default of 10 days, argument == last X days.
McAfeeSiteList Decrypt any found McAfee SiteList.xml configuration files.
MicrosoftUpdates All Microsoft updates (via COM)
OutlookDownloads List files downloaded by Outlook
PowerShellEvents PowerShell script block logs (4104) with sensitive data.
Printers Installed Printers (via WMI)
ProcessCreationEvents Process creation logs (4688) with sensitive data.
ProcessOwners Running non-session 0 process list with owners. For remote use.
RecycleBin Items in the Recycle Bin deleted in the last 30 days - only works from a user context!
reg Registry key values (HKLM\Software by default) argument == [Path] [intDepth] [Regex] [boolIgnoreErrors]
RPCMappedEndpoints Current RPC endpoints mapped
ScheduledTasks Scheduled tasks (via WMI) that aren't authored by 'Microsoft', "full" dumps all Scheduled tasks
SearchIndex Query results from the Windows Search Index, default term of 'password'. (argument(s) == <search path> <pattern1,pattern2,...>)
SecurityPackages Enumerates the security packages currently available using EnumerateSecurityPackagesA()
SysmonEvents Sysmon process creation logs (1) with sensitive data.

5. Additional Command Groups

Executed with: Seatbelt.exe -group=GROUPNAME

Alias Description
Slack Runs modules that start with "Slack*"
Chrome Runs modules that start with "Chrome*"
Remote Runs the following modules (for use against a remote system): AMSIProviders, AntiVirus, DotNet, ExplorerRunCommands, Hotfixes, InterestingProcesses, LastShutdown, LogonSessions, LSASettings, MappedDrives, NetworkProfiles, NetworkShares, NTLMSettings, PowerShell, ProcessOwners, PuttyHostKeys, PuttySessions, RDPSavedConnections, RDPSessions, RDPsettings, Sysmon, WindowsDefender, WindowsEventForwarding, WindowsFirewall


6. Command-line arguments

6-1. The following command returns 4624 logon events for the last 30 days:

Seatbelt.exe "LogonEvents 30"

6-2. The following command queries the registry three levels deep, returning only keys/valueNames/values that match the regex .*defini.*, and ignoring any errors that occur:

Seatbelt.exe "reg \"HKLM\SOFTWARE\Microsoft\Windows Defender\" 3 .*defini.* true"


6-3. The following command will output the results of the system checks to a txt file:

Seatbelt.exe -group=system -outputfile="C:\Temp\system.txt"


7. Remote enumeration

7-1. To enumerate a remote system, supply -computername=COMPUTER.DOMAIN.COM; an alternate username and password can be specified with -username=DOMAIN\USER -password=PASSWORD

7-2. The following command runs remote-focused checks against a remote system:

Seatbelt.exe -group=remote -computername=192.168.230.209 -username=THESHIRE\sam -password="yum \"po-ta-toes\""
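As an added example (not part of the Seatbelt project), here is a small Python helper that builds the invocations from sections 6 and 7 with correct Windows quoting: a check and its arguments travel as one quoted argv item ("LogonEvents 30"), and values inside that item, such as the registry path above, are quoted again, so nesting by hand is error-prone. The Seatbelt path and the set of argument-taking checks are assumptions taken from the tables on this page.

```python
"""Build Seatbelt command lines with correct Windows quoting (added example)."""
import subprocess

SEATBELT = r"C:\Tools\Seatbelt.exe"  # assumed local path; adjust
# Checks that accept arguments, as listed in the tables on this page (assumed).
ARG_CHECKS = {
    "LogonEvents", "ExplicitLogonEvents", "LogonSessions", "PoweredOnEvents",
    "ExplorerMRUs", "IEUrls", "dir", "reg", "FileInfo", "SearchIndex", "LocalGroups",
    "LocalUsers", "RDPSessions", "UserRightAssignments", "WindowsFirewall",
}

def _inner(value):
    """Quote one value inside a check string so Seatbelt's own splitter keeps it whole."""
    value = str(value)
    return f'"{value}"' if " " in value else value

def seatbelt_argv(checks=(), group=None, full=False, outputfile=None,
                  computername=None, username=None, password=None):
    """argv for one run; `checks` is a list of (name, *args) tuples."""
    argv = [SEATBELT]
    if group:
        argv.append(f"-group={group}")
    if full:
        argv.append("-full")
    for name, *args in checks:
        if args and name not in ARG_CHECKS:
            raise ValueError(f"{name} takes no arguments")
        # A check plus its arguments is ONE argv item, e.g. "LogonEvents 30".
        argv.append(" ".join([name, *map(_inner, args)]))
    if outputfile:
        argv.append(f"-outputfile={outputfile}")
    if computername:
        argv.append(f"-computername={computername}")
    if username:
        argv.append(f"-username={username}")
    if password:
        # Caveat: a password here is visible in 4688/Sysmon command-line logging.
        argv.append(f"-password={password}")
    return argv

def seatbelt_cmdline(**kw):
    """The string CreateProcess sees; list2cmdline applies CommandLineToArgvW escaping."""
    return subprocess.list2cmdline(seatbelt_argv(**kw))

def run_seatbelt(**kw):
    """Run without a shell so the argv built above is passed verbatim."""
    return subprocess.run(seatbelt_argv(**kw), capture_output=True, text=True).stdout
```

The quoting can differ superficially from the README form (for example `"-password=yum \"po-ta-toes\""` rather than `-password="yum \"po-ta-toes\""`), but CommandLineToArgvW yields the same arguments either way.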


III. Results

I won't include long screenshots; it works very well and really is a great tool.


Thanks to instructor 戴华 of 无糖学院 for sharing.

Follow the WeChat official account MicroPest.


Originally published on the WeChat official account 无糖反网络犯罪研究中心: 工具:Windows安全检查SeatBelt

Reposts should keep this link (CN-SEC中文网): https://cn-sec.com/archives/1068373.html
