Invoke-Seatbelt - Empire Module
This page contains detailed information about how to use the powershell/situational_awareness/host/seatbelt Empire module. For list of all Empire modules, visit the Empire Module Library.
Module Overview
Name: Invoke-Seatbelt
Module: powershell/situational_awareness/host/seatbelt
Source code [1]: empire/server/modules/powershell/situational_awareness/host/seatbelt.yaml
Source code [2]: empire/server/modules/powershell/situational_awareness/host/seatbelt.py
MITRE ATT&CK:
T1082
Language: PowerShell
Needs admin: No
OPSEC safe: Yes
Background: No
Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.
Note that the seatbelt module does not need administrative privileges to work properly which means that a normal user can run this module.
Required Module Options
This is a list of options that are required by the seatbelt module:
Agent
Agent to run on.
Additional Module Options
This is a list of additional options that are supported by the seatbelt module:
Command
Use available Seatbelt commands (AntiVirus, PowerShellEvents, UAC, etc).
Suggested values: -group=all
, -group=user
, -group=system
, -group=slack
, -group=chrome
, -group=remote
, -group=misc
, AMSIProviders
, AntiVirus
, AppLocker
, ARPTable
, AuditPolicies
, AuditPolicyRegistry
, AutoRuns
, ChromeBookmarks
, ChromeHistory
, ChromePresence
, CloudCredentials
, CredEnum
, CredGuard
, dir
, DNSCache
, DotNet
, DpapiMasterKeys
, EnvironmentPath
, EnvironmentVariables
, ExplicitLogonEvents
, ExplorerMRUs
, ExplorerRunCommands
, FileInfo
, FirefoxHistory
, FirefoxPresence
, IdleTime
, IEFavorites
, IETabs
, IEUrls
, InstalledProducts
, InterestingFiles
, InterestingProcesses
, InternetSettings
, LAPS
, LastShutdown
, LocalGPOs
, LocalGroups
, LocalUsers
, LogonEvents
, LogonSessions
, LSASettings
, MappedDrives
, NamedPipes
, NetworkProfiles
, NetworkShares
, NTLMSettings
, OfficeMRUs
, OSInfo
, OutlookDownloads
, PoweredOnEvents
, PowerShell
, PowerShellEvents
, Printers
, ProcessCreationEvents
, Processes
, ProcessOwners
, PSSessionSettings
, PuttyHostKeys
, PuttySessions
, RDCManFiles
, RDPSavedConnections
, RDPSessions
, RecycleBin
, reg
, RPCMappedEndpoints
, SCCM
, ScheduledTasks
, SearchIndex
, SecurityPackages
, Services
, SlackDownloads
, SlackPresence
, SlackWorkspaces
, Sysmon
, SysmonEvents
, TcpConnections
, TokenGroups
, TokenPrivileges
, UAC
, UdpConnections
, UserRightAssignments
, WindowsAutoLogon
, WindowsCredentialFiles
, WindowsDefender
, WindowsEventForwarding
, WindowsFirewall
, WindowsVault
, WMIEventConsumer
, WMIEventFilter
, WMIFilterBinding
, WSUS
.
Computername
Remote system to run enumeration against. This is performed over WMI via queriesfor WMI classes and WMI StdRegProv for registry enumeration.
Full
Display all results.
Default value: True
.
Group
Runs a predefined group of commands (All, User, System, Slack, Chrome, Remote, Misc).
Default value: all
.
Password
Alternate password for remote enumeration.
Quiet
Runs in Quiet Mode.
Default value: False
.
Username
Alternate username for remote enumeration.
Seatbelt Example Usage
Here's an example of how to use the seatbelt module in the Empire client console:
[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/situational_awareness/host/seatbelt
Author @harmj0y
@S3cur3Th1sSh1t
Background False
Comments https://github.com/GhostPack/Seatbelt
Description Seatbelt is a C# project that performs a number of security oriented
host-survey "safety checks" relevant from both offensive and defensive
security perspectives.
Language powershell
Name powershell/situational_awareness/host/seatbelt
NeedsAdmin False
OpsecSafe True
Techniques http://attack.mitre.org/techniques/T1082
,Record Optionsw-------,----------,-------------------------------------,
| Name | Value | Required | Description |
|--------------|-------|----------|-------------------------------------|
| Agent | | True | Agent to run on. |
|--------------|-------|----------|-------------------------------------|
| Command | | False | Use available Seatbelt commands |
| | | | (AntiVirus, PowerShellEvents, UAC, |
| | | | etc). |
|--------------|-------|----------|-------------------------------------|
| Computername | | False | Remote system to run enumeration |
| | | | against. This is performed over WMI |
| | | | via queriesfor WMI classes and WMI |
| | | | StdRegProv for registry |
| | | | enumeration. |
|--------------|-------|----------|-------------------------------------|
| Full | True | False | Display all results. |
|--------------|-------|----------|-------------------------------------|
| Group | all | False | Runs a predefined group of commands |
| | | | (All, User, System, Slack, Chrome, |
| | | | Remote, Misc) |
|--------------|-------|----------|-------------------------------------|
| Password | | False | Alternate password for remote |
| | | | enumeration. |
|--------------|-------|----------|-------------------------------------|
| Quiet | False | False | Runs in Quiet Mode. |
|--------------|-------|----------|-------------------------------------|
| Username | | False | Alternate username for remote |
| | | | enumeration. |
'--------------'-------'----------'-------------------------------------'
(Empire: usemodule/powershell/situational_awareness/host/seatbelt) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/situational_awareness/host/seatbelt) > execute
[*] Tasked Y4LHEV83 to run Task 1
...
Now wait for the results to come.
Authors
References
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/situational_awareness/host/seatbelt.yaml
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/situational_awareness/host/seatbelt.py
- https://github.com/GhostPack/Seatbelt
- http://attack.mitre.org/techniques/T1082
See Also
Check also the following modules related to this module:
- powershell/situational_awareness/host/hostrecon
- powershell/situational_awareness/host/winenum
- powershell/situational_awareness/host/applockerstatus
- powershell/situational_awareness/host/get_uaclevel
- powershell/situational_awareness/host/dnsserver
- powershell/situational_awareness/host/antivirusproduct
- powershell/situational_awareness/host/get_pathacl
- powershell/situational_awareness/host/get_proxy
- powershell/situational_awareness/host/findtrusteddocuments
- powershell/situational_awareness/host/monitortcpconnections
- powershell/situational_awareness/host/paranoia
- powershell/situational_awareness/host/computerdetails
- python/situational_awareness/host/multi/WorldWriteableFileSearch
- python/situational_awareness/host/multi/SuidGuidSearch
- python/situational_awareness/host/osx/situational_awareness
- python/situational_awareness/host/osx/HijackScanner
- csharp/GhostPack/Rubeus
- csharp/GhostPack/SharpDPAPI
- csharp/GhostPack/SharpUp
- csharp/GhostPack/SharpDump
- csharp/GhostPack/Seatbelt
- csharp/GhostPack/SharpWMI
- python/situational_awareness/network/gethostbyname
Version
This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.