├── .gitignore
├── Seatbelt.sln
├── Seatbelt
│   ├── Properties
│   │   └── AssemblyInfo.cs
│   └── Seatbelt.csproj
└── README.md

/.gitignore:
--------------------------------------------------------------------------------
.vs
*.user
[Dd]ebug/
[Rr]elease/
[Bb]in/
[Oo]bj/

--------------------------------------------------------------------------------
/Seatbelt.sln:
--------------------------------------------------------------------------------

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 14
VisualStudioVersion = 14.0.25420.1
MinimumVisualStudioVersion = 10.0.40219.1
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Seatbelt", "Seatbelt\Seatbelt.csproj", "{AEC32155-D589-4150-8FE7-2900DF4554C8}"
EndProject
Global
	GlobalSection(SolutionConfigurationPlatforms) = preSolution
		Debug|Any CPU = Debug|Any CPU
		Release|Any CPU = Release|Any CPU
	EndGlobalSection
	GlobalSection(ProjectConfigurationPlatforms) = postSolution
		{AEC32155-D589-4150-8FE7-2900DF4554C8}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
		{AEC32155-D589-4150-8FE7-2900DF4554C8}.Debug|Any CPU.Build.0 = Debug|Any CPU
		{AEC32155-D589-4150-8FE7-2900DF4554C8}.Release|Any CPU.ActiveCfg = Release|Any CPU
		{AEC32155-D589-4150-8FE7-2900DF4554C8}.Release|Any CPU.Build.0 = Release|Any CPU
	EndGlobalSection
	GlobalSection(SolutionProperties) = preSolution
		HideSolutionNode = FALSE
	EndGlobalSection
EndGlobal

--------------------------------------------------------------------------------
/Seatbelt/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;

// General Information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.
[assembly: AssemblyTitle("Seatbelt")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("Seatbelt")]
[assembly: AssemblyCopyright("Copyright © 2018")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]

// The following GUID is for the ID of the typelib if this project is exposed to COM
[assembly: Guid("aec32155-d589-4150-8fe7-2900df4554c8")]

// Version information for an assembly consists of the following four values:
//
//      Major Version
//      Minor Version
//      Build Number
//      Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]

--------------------------------------------------------------------------------
/Seatbelt/Seatbelt.csproj:
--------------------------------------------------------------------------------
Debug
AnyCPU
{AEC32155-D589-4150-8FE7-2900DF4554C8}
Exe
Properties
Seatbelt
Seatbelt
v3.5
512
publish\
true
Disk
false
Foreground
7
Days
false
false
true
0
1.0.0.%2a
false
false
true

AnyCPU
true
full
false
bin\Debug\
DEBUG;TRACE
prompt
4
false

AnyCPU
none
true
bin\Release\

prompt
4

False
.NET Framework 3.5 SP1
true

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Seatbelt

----

Seatbelt is a C# project that performs a number of security-oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.

[@andrewchiles](https://twitter.com/andrewchiles)' [HostEnum.ps1](https://github.com/threatexpress/red-team-scripts/blob/master/HostEnum.ps1) script and [@tifkin\_](https://twitter.com/tifkin_)'s [Get-HostProfile.ps1](https://github.com/leechristensen/Random/blob/master/PowerShellScripts/Get-HostProfile.ps1) provided inspiration for many of the artifacts to collect.

[@harmj0y](https://twitter.com/harmj0y) is the primary author of this implementation.

Seatbelt is licensed under the BSD 3-Clause license.

## Usage

**SeatBelt.exe system** collects the following system data:

    BasicOSInfo           -   Basic OS info (i.e. architecture, OS version, etc.)
    RebootSchedule        -   Reboot schedule (last 15 days) based on event IDs 12 and 13
    TokenGroupPrivs       -   Current process/token privileges (e.g. SeDebugPrivilege/etc.)
    UACSystemPolicies     -   UAC system policies via the registry
    PowerShellSettings    -   PowerShell versions and security settings
    AuditSettings         -   Audit settings via the registry
    WEFSettings           -   Windows Event Forwarding (WEF) settings via the registry
    LSASettings           -   LSA settings (including auth packages)
    UserEnvVariables      -   Current user environment variables
    SystemEnvVariables    -   Current system environment variables
    UserFolders           -   Folders in C:\Users\
    NonstandardServices   -   Services with file info company names that don't contain 'Microsoft'
    InternetSettings      -   Internet settings including proxy configs
    LapsSettings          -   LAPS settings, if installed
    LocalGroupMembers     -   Members of local admins, RDP, and DCOM
    MappedDrives          -   Mapped drives
    RDPSessions           -   Current incoming RDP sessions
    WMIMappedDrives       -   Mapped drives via WMI
    NetworkShares         -   Network shares
    FirewallRules         -   Deny firewall rules, "full" dumps all
    AntiVirusWMI          -   Registered antivirus (via WMI)
    InterestingProcesses  -   "Interesting" processes: defensive products and admin tools
    RegistryAutoRuns      -   Registry autoruns
    RegistryAutoLogon     -   Registry autologon information
    DNSCache              -   DNS cache entries (via WMI)
    ARPTable              -   Lists the current ARP table and adapter information (equivalent to arp -a)
    AllTcpConnections     -   Lists current TCP connections and associated processes
    AllUdpConnections     -   Lists current UDP connections and associated processes
    NonstandardProcesses  -   Running processes with file info company names that don't contain 'Microsoft'
      * If the user is in high integrity, the following additional actions are run:
    SysmonConfig          -   Sysmon configuration from the registry

**SeatBelt.exe user** collects the following user data:

    SavedRDPConnections   -   Saved RDP connections
    TriageIE              -   Internet Explorer bookmarks and history (last 7 days)
    DumpVault             -   Dump saved credentials in Windows Vault (i.e. logins from Internet Explorer and Edge), from SharpWeb
    RecentRunCommands     -   Recent "run" commands
    PuttySessions         -   Interesting settings from any saved Putty configurations
    PuttySSHHostKeys      -   Saved Putty SSH host keys
    CloudCreds            -   AWS/Google/Azure cloud credential files (SharpCloud)
    RecentFiles           -   Parsed "recent files" shortcuts (last 7 days)
    MasterKeys            -   List DPAPI master keys
    CredFiles             -   List Windows credential DPAPI blobs
    RDCManFiles           -   List Windows Remote Desktop Connection Manager settings files
      * If the user is in high integrity, this data is collected for ALL users instead of just the current user

Non-default collection options:

    CurrentDomainGroups   -   The current user's local and domain groups
    Patches               -   Installed patches via WMI (takes a bit on some systems)
    LogonSessions         -   User logon session data
    KerberosTGTData       -   ALL TEH TGTZ!
    InterestingFiles      -   "Interesting" files matching various patterns in the user's folder
    IETabs                -   Open Internet Explorer tabs
    TriageChrome          -   Chrome bookmarks and history
    TriageFirefox         -   Firefox history (no bookmarks)
    RecycleBin            -   Items in the Recycle Bin deleted in the last 30 days - only works from a user context!
    4624Events            -   4624 logon events from the security event log
    4648Events            -   4648 explicit logon events from the security event log
    KerberosTickets       -   List Kerberos tickets. If elevated, grouped by all logon sessions.

**SeatBelt.exe all** will run ALL enumeration checks, and can be combined with **full**.

**SeatBelt.exe [CheckName] full** will prevent any filtering and will return complete results.

**SeatBelt.exe [CheckName] [CheckName2] ...** will run one or more specified checks only (case-sensitive naming!)
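
As an added example (this is not Seatbelt's own code), the following C# program shows what a check like the `UACSystemPolicies` entry above looks like in practice and why a defender cares about the answer: it reads the machine-wide UAC policy values from `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` and reports the settings that weaken UAC. The registry path and the value semantics (EnableLUA 1/0, ConsentPromptBehaviorAdmin 0 through 5 with 5 the default, LocalAccountTokenFilterPolicy, FilterAdministratorToken) are Microsoft's documented ones; the `UacPolicyCheck` class, `Evaluate` method and finding wording are this example's own. Like the project it targets .NET 3.5 and needs no elevation, since standard users can read that key.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.Win32;

// Added example, not Seatbelt's own code: reads the four UAC policy values a
// "UACSystemPolicies"-style check reports and turns them into defender-facing
// findings. Path and value meanings are Microsoft's documented ones; the
// class/method names and finding text are this example's own.
namespace UacPolicyExample
{
    public static class UacPolicyCheck
    {
        // Standard machine-wide location of the UAC policy values.
        private const string PolicyKeyPath =
            @"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System";

        // Reads a REG_DWORD value; null means the value is not set, so the OS default applies.
        public static int? ReadDword(string valueName)
        {
            using (RegistryKey key = Registry.LocalMachine.OpenSubKey(PolicyKeyPath, false))
            {
                if (key == null) return null;
                object raw = key.GetValue(valueName);
                return raw is int ? (int?)(int)raw : null;
            }
        }

        // Interprets the raw values. Each returned string is one finding to review;
        // an empty list means the four values match the secure defaults.
        public static List<string> Evaluate(int? enableLua,
                                            int? consentPromptBehaviorAdmin,
                                            int? localAccountTokenFilterPolicy,
                                            int? filterAdministratorToken)
        {
            List<string> findings = new List<string>();

            // EnableLUA = 0 switches UAC off entirely: every admin logon gets a full token.
            if (enableLua.HasValue && enableLua.Value == 0)
                findings.Add("EnableLUA=0: UAC is disabled; administrators always run with a full token.");

            // ConsentPromptBehaviorAdmin = 0 elevates silently, so Admin Approval Mode
            // never asks the user before a process gains a full token (default is 5).
            if (consentPromptBehaviorAdmin.HasValue && consentPromptBehaviorAdmin.Value == 0)
                findings.Add("ConsentPromptBehaviorAdmin=0: administrators elevate without any prompt.");

            // LocalAccountTokenFilterPolicy = 1 removes the remote UAC token filter, so
            // local admin accounts hold full admin rights over the network (SMB, WMI, WinRM).
            if (localAccountTokenFilterPolicy.HasValue && localAccountTokenFilterPolicy.Value == 1)
                findings.Add("LocalAccountTokenFilterPolicy=1: remote UAC restrictions disabled for local accounts.");

            // FilterAdministratorToken defaults to 0: the built-in Administrator (RID 500)
            // is exempt from Admin Approval Mode unless this is explicitly set to 1.
            if (!filterAdministratorToken.HasValue || filterAdministratorToken.Value == 0)
                findings.Add("FilterAdministratorToken unset/0: built-in Administrator is not subject to Admin Approval Mode (OS default; review if that account is enabled).");

            return findings;
        }

        static void Main()
        {
            List<string> findings = Evaluate(
                ReadDword("EnableLUA"),
                ReadDword("ConsentPromptBehaviorAdmin"),
                ReadDword("LocalAccountTokenFilterPolicy"),
                ReadDword("FilterAdministratorToken"));

            if (findings.Count == 0)
            {
                Console.WriteLine("UAC policy values match the secure defaults.");
                return;
            }
            foreach (string finding in findings)
                Console.WriteLine("[!] " + finding);
        }
    }
}
```

`Evaluate` is kept separate from the registry reads so the interpretation can be unit-tested with constructed values (for instance `Evaluate(0, 0, 1, null)` yields four findings) and so the same logic can run over values collected elsewhere, which is the pattern a survey tool needs when it grows beyond a single host.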

## Compile Instructions

We are not planning on releasing binaries for Seatbelt, so you will have to compile yourself :)

Seatbelt has been built against .NET 3.5 and is compatible with [Visual Studio 2015 Community Edition](https://go.microsoft.com/fwlink/?LinkId=532606&clcid=0x409). Simply open up the project .sln, choose "release", and build.

## Acknowledgments

Seatbelt incorporates various C# code snippets and bits of PoCs found during research for its capabilities. These snippets and authors are highlighted in the appropriate locations in the source code, and include:

* [@andrewchiles](https://twitter.com/andrewchiles)' [HostEnum.ps1](https://github.com/threatexpress/red-team-scripts/blob/master/HostEnum.ps1) script and [@tifkin\_](https://twitter.com/tifkin_)'s [Get-HostProfile.ps1](https://github.com/leechristensen/Random/blob/master/PowerShellScripts/Get-HostProfile.ps1) provided inspiration for many of the artifacts to collect.
* [Boboes' code concerning NetLocalGroupGetMembers](https://stackoverflow.com/questions/33935825/pinvoke-netlocalgroupgetmembers-runs-into-fatalexecutionengineerror/33939889#33939889)
* [ambyte's code for converting a mapped drive letter to a network path](https://gist.github.com/ambyte/01664dc7ee576f69042c)
* [Igor Korkhov's code to retrieve current token group information](https://stackoverflow.com/questions/2146153/how-to-get-the-logon-sid-in-c-sharp/2146418#2146418)
* [RobSiklos' snippet to determine if a host is a virtual machine](https://stackoverflow.com/questions/498371/how-to-detect-if-my-application-is-running-in-a-virtual-machine/11145280#11145280)
* [JGU's snippet on file/folder ACL right comparison](https://stackoverflow.com/questions/1410127/c-sharp-test-if-user-has-write-access-to-a-folder/21996345#21996345)
* [Rod Stephens' pattern for recursive file enumeration](http://csharphelper.com/blog/2015/06/find-files-that-match-multiple-patterns-in-c/)
* [SwDevMan81's snippet for enumerating current token privileges](https://stackoverflow.com/questions/4349743/setting-size-of-token-privileges-luid-and-attributes-array-returned-by-gettokeni)
* [Jared Atkinson's PowerShell work on Kerberos ticket caches](https://github.com/Invoke-IR/ACE/blob/master/ACE-Management/PS-ACE/Scripts/ACE_Get-KerberosTicketCache.ps1)
* [Vincent LE TOUX' great C# Kerberos work](https://github.com/vletoux/MakeMeEnterpriseAdmin/blob/master/MakeMeEnterpriseAdmin.ps1#L2939-L2950)
* [darkmatter08's Kerberos C# snippet](https://www.dreamincode.net/forums/topic/135033-increment-memory-pointer-issue/)
* Numerous [PInvoke.net](https://www.pinvoke.net/) samples <3
* [Jared Hill's awesome CodeProject to use Local Security Authority to Enumerate User Sessions](https://www.codeproject.com/Articles/18179/Using-the-Local-Security-Authority-to-Enumerate-Us)
* [Fred's code on querying the ARP cache](https://social.technet.microsoft.com/Forums/lync/en-US/e949b8d6-17ad-4afc-88cd-0019a3ac9df9/powershell-alternative-to-arp-a?forum=ITCG)
* [ShuggyCoUk's snippet on querying the TCP connection table](https://stackoverflow.com/questions/577433/which-pid-listens-on-a-given-port-in-c-sharp/577660#577660)
* [yizhang82's example of using reflection to interact with COM objects through C#](https://gist.github.com/yizhang82/a1268d3ea7295a8a1496e01d60ada816)
* [@cmaddalena](https://twitter.com/cmaddalena)'s [SharpCloud project](https://github.com/chrismaddalena/SharpCloud), BSD 3-Clause

--------------------------------------------------------------------------------