There is a Windows security check tool that is really quite good, and I recommend it to everyone.
This is how it introduces itself; time is tight, so read it yourself.
1. Download address
https://github.com/GhostPack/Seatbelt
I have compiled it and put it on a netdisk.
Link: https://pan.baidu.com/s/1O4ooxQK_iSZtqOnh9j5RdA
Extraction code: ggo5
The exe is in this directory:
2. Usage
1) Seatbelt has the following command groups: All, User, System, Slack, Chrome, Remote, Misc
Format: you can invoke command groups with "Seatbelt.exe <group>"
1. "Seatbelt.exe -group=all" runs all commands
2. "Seatbelt.exe -group=user" runs the following commands:
ChromePresence, CloudCredentials, CredEnum, dir, DpapiMasterKeys,
ExplorerMRUs, ExplorerRunCommands, FileZilla, FirefoxPresence,
IdleTime, IEFavorites, IETabs, IEUrls,
MappedDrives, OfficeMRUs, PowerShellHistory, PuttyHostKeys,
PuttySessions, RDCManFiles, RDPSavedConnections, SecPackageCreds,
SlackDownloads, SlackPresence, SlackWorkspaces, SuperPutty,
TokenGroups, WindowsCredentialFiles, WindowsVault
3. "Seatbelt.exe -group=system" runs the following commands:
AMSIProviders, AntiVirus, AppLocker, ARPTable, AuditPolicies,
AuditPolicyRegistry, AutoRuns, CredGuard, DNSCache,
DotNet, EnvironmentPath, EnvironmentVariables, Hotfixes,
InterestingProcesses, InternetSettings, LAPS, LastShutdown,
LocalGPOs, LocalGroups, LocalUsers, LogonSessions,
LSASettings, McAfeeConfigs, NamedPipes, NetworkProfiles,
NetworkShares, NTLMSettings, OSInfo, PoweredOnEvents,
PowerShell, Processes, PSSessionSettings, RDPSessions,
RDPsettings, SCCM, Services, Sysmon,
TcpConnections, TokenPrivileges, UAC, UdpConnections,
UserRightAssignments, WindowsAutoLogon, WindowsDefender, WindowsEventForwarding,
WindowsFirewall, WMIEventConsumer, WMIEventFilter, WMIFilterBinding,
WSUS
4. "Seatbelt.exe -group=slack" runs the following commands:
SlackDownloads, SlackPresence, SlackWorkspaces
5. "Seatbelt.exe -group=chrome" runs the following commands:
ChromeBookmarks, ChromeHistory, ChromePresence
6. "Seatbelt.exe -group=remote" runs the following commands:
AMSIProviders, AntiVirus, DotNet, ExplorerRunCommands, Hotfixes,
InterestingProcesses, LastShutdown, LogonSessions, LSASettings,
MappedDrives, NetworkProfiles, NetworkShares, NTLMSettings,
PowerShell, ProcessOwners, PuttyHostKeys, PuttySessions,
RDPSavedConnections, RDPSessions, RDPsettings, Sysmon,
WindowsDefender, WindowsEventForwarding, WindowsFirewall
7. "Seatbelt.exe -group=misc" runs the following commands:
ChromeBookmarks, ChromeHistory, ExplicitLogonEvents, FileInfo, FirefoxHistory,
HuntLolbas, InstalledProducts, InterestingFiles, LogonEvents,
McAfeeSiteList, MicrosoftUpdates, OutlookDownloads, PowerShellEvents,
Printers, ProcessCreationEvents, ProcessOwners, RecycleBin,
reg, RPCMappedEndpoints, ScheduledTasks, SearchIndex,
SecurityPackages, SysmonEvents
2) The detailed list is as follows:
1. Overall check
The following command runs ALL checks and returns ALL output:
Seatbelt.exe -group=all -full
2. system
Runs checks that mine interesting data about the system.
Executed with: Seatbelt.exe -group=system
Command | Description |
---|---|
AMSIProviders | Providers registered for AMSI |
AntiVirus | Registered antivirus (via WMI) |
AppLocker | AppLocker settings, if installed |
ARPTable | Lists the current ARP table and adapter information (equivalent to arp -a) |
AuditPolicies | Enumerates classic and advanced audit policy settings |
AuditPolicyRegistry | Audit settings via the registry |
AutoRuns | Auto run executables/scripts/programs |
CredGuard | CredentialGuard configuration |
DNSCache | DNS cache entries (via WMI) |
DotNet | DotNet versions |
EnvironmentPath | Current environment %PATH% folders and SDDL information |
EnvironmentVariables | Current user environment variables |
Hotfixes | Installed hotfixes (via WMI) |
InterestingProcesses | "Interesting" processes - defensive products and admin tools |
InternetSettings | Internet settings including proxy configs |
LAPS | LAPS settings, if installed |
LastShutdown | Returns the DateTime of the last system shutdown (via the registry) |
LocalGPOs | Local Group Policy settings applied to the machine/local users |
LocalGroups | Non-empty local groups, "full" displays all groups (argument == computername to enumerate) |
LocalUsers | Local users, whether they're active/disabled, and pwd last set (argument == computername to enumerate) |
LogonSessions | Logon events (Event ID 4624) from the security event log. Default of 10 days, argument == last X days. |
LSASettings | LSA settings (including auth packages) |
McAfeeConfigs | Finds McAfee configuration files |
NamedPipes | Named pipe names and any readable ACL information |
NetworkProfiles | Windows network profiles |
NetworkShares | Network shares exposed by the machine (via WMI) |
NTLMSettings | NTLM authentication settings |
OSInfo | Basic OS info (i.e. architecture, OS version, etc.) |
PoweredOnEvents | Reboot and sleep schedule based on the System event log EIDs 1, 12, 13, 42, and 6008. Default of 7 days, argument == last X days. |
PowerShell | PowerShell versions and security settings |
Processes | Running processes with file info company names that don't contain 'Microsoft', "full" enumerates all processes |
PSSessionSettings | Enumerates PS Session Settings from the registry |
RDPSessions | Current incoming RDP sessions (argument == computername to enumerate) |
RDPsettings | Remote Desktop Server/Client Settings |
SCCM | System Center Configuration Manager (SCCM) settings, if applicable |
Services | Services with file info company names that don't contain 'Microsoft', "full" dumps all services |
Sysmon | Sysmon configuration from the registry |
TcpConnections | Current TCP connections and their associated processes and services |
TokenPrivileges | Currently enabled token privileges (e.g. SeDebugPrivilege/etc.) |
UAC | UAC system policies via the registry |
UdpConnections | Current UDP connections and associated processes and services |
UserRightAssignments | Configured User Right Assignments (e.g. SeDenyNetworkLogonRight, SeShutdownPrivilege, etc.) argument == computername to enumerate |
WindowsAutoLogon | Registry autologon information |
WindowsDefender | Windows Defender settings (including exclusion locations) |
WindowsEventForwarding | Windows Event Forwarding (WEF) settings via the registry |
WindowsFirewall | Non-standard firewall rules, "full" dumps all (arguments == allow/deny/tcp/udp/in/out/domain/private/public) |
WMIEventConsumer | Lists WMI Event Consumers |
WMIEventFilter | Lists WMI Event Filters |
WMIFilterBinding | Lists WMI Filter to Consumer Bindings |
WSUS | Windows Server Update Services (WSUS) settings, if applicable |
3. user
Runs checks that mine interesting data about the currently logged-on user (if not elevated) or ALL users (if elevated).
Executed with: Seatbelt.exe -group=user
Command | Description |
---|---|
ChromePresence | Checks if interesting Google Chrome files exist |
CloudCredentials | AWS/Google/Azure cloud credential files |
CredEnum | Enumerates the current user's saved credentials using CredEnumerate() |
dir | Lists files/folders. By default, lists users' downloads, documents, and desktop folders (arguments == <directory> <depth> <regex>) |
DpapiMasterKeys | List DPAPI master keys |
ExplorerMRUs | Explorer most recently used files (last 7 days, argument == last X days) |
ExplorerRunCommands | Recent Explorer "run" commands |
FileZilla | FileZilla configuration files |
FirefoxPresence | Checks if interesting Firefox files exist |
IdleTime | Returns the number of seconds since the current user's last input. |
IEFavorites | Internet Explorer favorites |
IETabs | Open Internet Explorer tabs |
IEUrls | Internet Explorer typed URLs (last 7 days, argument == last X days) |
MappedDrives | Users' mapped drives (via WMI) |
OfficeMRUs | Office most recently used file list (last 7 days) |
PowerShellHistory | Iterates through every local user and attempts to read their PowerShell console history; if successful, prints it |
PuttyHostKeys | Saved Putty SSH host keys |
PuttySessions | Saved Putty configuration (interesting fields) and SSH host keys |
RDCManFiles | Windows Remote Desktop Connection Manager settings files |
RDPSavedConnections | Saved RDP connections stored in the registry |
SecPackageCreds | Obtains credentials from security packages |
SlackDownloads | Parses any found 'slack-downloads' files |
SlackPresence | Checks if interesting Slack files exist |
SlackWorkspaces | Parses any found 'slack-workspaces' files |
SuperPutty | SuperPutty configuration files |
TokenGroups | The current token's local and domain groups |
WindowsCredentialFiles | Windows credential DPAPI blobs |
WindowsVault | Credentials saved in the Windows Vault (i.e. logins from Internet Explorer and Edge). |
4. misc
Runs all miscellaneous checks.
Executed with: Seatbelt.exe -group=misc
Command | Description |
---|---|
ChromeBookmarks | Parses any found Chrome bookmark files |
ChromeHistory | Parses any found Chrome history files |
ExplicitLogonEvents | Explicit Logon events (Event ID 4648) from the security event log. Default of 7 days, argument == last X days. |
FileInfo | Information about a file (version information, timestamps, basic PE info, etc.) (argument(s) == file path(s)) |
FirefoxHistory | Parses any found FireFox history files |
HuntLolbas | Locates Living Off The Land Binaries and Scripts (LOLBAS) on the system. Note: takes non-trivial time. |
InstalledProducts | Installed products via the registry |
InterestingFiles | "Interesting" files matching various patterns in the user's folder. Note: takes non-trivial time. |
LogonEvents | Logon events (Event ID 4624) from the security event log. Default of 10 days, argument == last X days. |
McAfeeSiteList | Decrypt any found McAfee SiteList.xml configuration files. |
MicrosoftUpdates | All Microsoft updates (via COM) |
OutlookDownloads | List files downloaded by Outlook |
PowerShellEvents | PowerShell script block logs (4104) with sensitive data. |
Printers | Installed Printers (via WMI) |
ProcessCreationEvents | Process creation logs (4688) with sensitive data. |
ProcessOwners | Running non-session 0 process list with owners. For remote use. |
RecycleBin | Items in the Recycle Bin deleted in the last 30 days - only works from a user context! |
reg | Registry key values (HKLM\Software by default) argument == [Path] [intDepth] [Regex] [boolIgnoreErrors] |
RPCMappedEndpoints | Current RPC endpoints mapped |
ScheduledTasks | Scheduled tasks (via WMI) that aren't authored by 'Microsoft', "full" dumps all Scheduled tasks |
SearchIndex | Query results from the Windows Search Index, default term of 'password'. (argument(s) == <search path> <pattern1,pattern2,...>) |
SecurityPackages | Enumerates the security packages currently available using EnumerateSecurityPackagesA() |
SysmonEvents | Sysmon process creation logs (1) with sensitive data. |
5. Additional Command Groups
Executed with: Seatbelt.exe -group=GROUPNAME
Alias | Description |
---|---|
Slack | Runs modules that start with "Slack*" |
Chrome | Runs modules that start with "Chrome*" |
Remote | Runs the following modules (for use against a remote system): AMSIProviders, AntiVirus, DotNet, ExplorerRunCommands, Hotfixes, InterestingProcesses, LastShutdown, LogonSessions, LSASettings, MappedDrives, NetworkProfiles, NetworkShares, NTLMSettings, PowerShell, ProcessOwners, PuttyHostKeys, PuttySessions, RDPSavedConnections, RDPSessions, RDPsettings, Sysmon, WindowsDefender, WindowsEventForwarding, WindowsFirewall |
6. Command-line arguments
6-1. The following command returns 4624 logon events for the last 30 days:
Seatbelt.exe "LogonEvents 30"
6-2. The following command queries a registry key three levels deep, returning only keys/value names/values that match the regex .*defini.*, and ignoring any errors that occur:
Seatbelt.exe "reg \"HKLM\SOFTWARE\Microsoft\Windows Defender\" 3 .*defini.* true"
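To make the four `reg` arguments (path, depth, regex, ignore-errors flag) concrete, here is an added Python re-implementation of that walk over a constructed in-memory stand-in for the registry; it is not Seatbelt's own code, and the sample hive contents, the simulated access-denied key and the case-insensitive matching are assumptions.

```python
import re

# Constructed stand-in for a registry hive (not real data): nested dicts are
# subkeys, everything else is a value (name -> data).
FAKE_HIVE = {"HKLM": {"SOFTWARE": {"Microsoft": {"Windows Defender": {
    "ProductStatus": 0,
    "Signature Updates": {
        "SignatureLocation": r"C:\ProgramData\Microsoft\Windows Defender\Definition Updates",
        "EngineVersion": "1.1.0.0",
    },
    "Exclusions": {"Paths": {r"C:\Temp": 0}},   # simulated as unreadable below
    "Real-Time Protection": {"DisableRealtimeMonitoring": 0},
}}}}}
# Keys the simulated registry refuses to open (stands in for ACL errors).
DENIED = {r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions"}


def open_key(hive, path):
    """Resolve a backslash-separated key path inside the fake hive."""
    node = hive
    for part in filter(None, path.split("\\")):
        node = node[part]
        if not isinstance(node, dict):
            raise KeyError(path)
    return node


def reg_check(hive, path, depth=1, pattern=None, ignore_errors=False):
    """Mimic `reg [Path] [intDepth] [Regex] [boolIgnoreErrors]`: walk `path`
    at most `depth` subkey levels deep and return (key, value name, data)
    triples whose key name, value name or data matches `pattern`.
    Case-insensitive matching is an assumption, not taken from the page."""
    rx = re.compile(pattern, re.IGNORECASE) if pattern else None
    hits = []

    def walk(key_path, node, remaining):
        if key_path in DENIED:
            if ignore_errors:
                return              # the trailing `true`: skip unreadable keys
            raise PermissionError(key_path)
        key_name = key_path.rsplit("\\", 1)[-1]
        for name, data in node.items():
            if isinstance(data, dict):
                if remaining > 0:   # depth budget bounds the recursion
                    walk(f"{key_path}\\{name}", data, remaining - 1)
            elif rx is None or any(rx.search(s) for s in (key_name, name, str(data))):
                hits.append((key_path, name, data))

    walk(path, open_key(hive, path), depth)
    return hits
```

With `ignore_errors=False` the unreadable Exclusions key aborts the whole query, which is why the page's example passes `true` as the last argument.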
6-3. The following command writes the results of the system checks to a txt file:
Seatbelt.exe -group=system -outputfile="C:\Temp\system.txt"
7. Remote enumeration
7-1. To enumerate a remote system, supply -computername=COMPUTER.DOMAIN.COM
- an alternate username and password can be specified with -username=DOMAIN\USER -password=PASSWORD
7-2. The following command runs remote-focused checks against a remote system:
Seatbelt.exe -group=remote -computername=192.168.230.209 -username=THESHIRE\sam -password="yum \"po-ta-toes\""
3. Results
I won't post a long screenshot; it works very well and really is a sharp tool.
Thanks to mentor Dai Hua of 无糖学院 for sharing.
You are welcome to follow the WeChat official account MicroPest.
Originally published on the WeChat official account (无糖反网络犯罪研究中心): Tool: Windows Security Check SeatBelt