Invoke-Seatbelt - Empire Module
This page contains detailed information about how to use the powershell/situational_awareness/host/seatbelt Empire module. For list of all Empire modules, visit the Empire Module Library.
Module Overview
Name: Invoke-Seatbelt
Module: powershell/situational_awareness/host/seatbelt
Source code [1]: empire/server/modules/powershell/situational_awareness/host/seatbelt.yaml
Source code [2]: empire/server/modules/powershell/situational_awareness/host/seatbelt.py
MITRE ATT&CK:
T1082
Language: PowerShell
Needs admin: No
OPSEC safe: Yes
Background: No
Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.
Note that the seatbelt module does not need administrative privileges to work properly which means that a normal user can run this module.
Required Module Options
This is a list of options that are required by the seatbelt module:
Agent
Agent to run on.
Additional Module Options
This is a list of additional options that are supported by the seatbelt module:
Command
Use available Seatbelt commands (AntiVirus, PowerShellEvents, UAC, etc).
Suggested values: -group=all, -group=user, -group=system, -group=slack, -group=chrome, -group=remote, -group=misc, AMSIProviders, AntiVirus, AppLocker, ARPTable, AuditPolicies, AuditPolicyRegistry, AutoRuns, ChromeBookmarks, ChromeHistory, ChromePresence, CloudCredentials, CredEnum, CredGuard, dir, DNSCache, DotNet, DpapiMasterKeys, EnvironmentPath, EnvironmentVariables, ExplicitLogonEvents, ExplorerMRUs, ExplorerRunCommands, FileInfo, FirefoxHistory, FirefoxPresence, IdleTime, IEFavorites, IETabs, IEUrls, InstalledProducts, InterestingFiles, InterestingProcesses, InternetSettings, LAPS, LastShutdown, LocalGPOs, LocalGroups, LocalUsers, LogonEvents, LogonSessions, LSASettings, MappedDrives, NamedPipes, NetworkProfiles, NetworkShares, NTLMSettings, OfficeMRUs, OSInfo, OutlookDownloads, PoweredOnEvents, PowerShell, PowerShellEvents, Printers, ProcessCreationEvents, Processes, ProcessOwners, PSSessionSettings, PuttyHostKeys, PuttySessions, RDCManFiles, RDPSavedConnections, RDPSessions, RecycleBin, reg, RPCMappedEndpoints, SCCM, ScheduledTasks, SearchIndex, SecurityPackages, Services, SlackDownloads, SlackPresence, SlackWorkspaces, Sysmon, SysmonEvents, TcpConnections, TokenGroups, TokenPrivileges, UAC, UdpConnections, UserRightAssignments, WindowsAutoLogon, WindowsCredentialFiles, WindowsDefender, WindowsEventForwarding, WindowsFirewall, WindowsVault, WMIEventConsumer, WMIEventFilter, WMIFilterBinding, WSUS.
Computername
Remote system to run enumeration against. This is performed over WMI via queriesfor WMI classes and WMI StdRegProv for registry enumeration.
Full
Display all results.
Default value: True.
Group
Runs a predefined group of commands (All, User, System, Slack, Chrome, Remote, Misc).
Default value: all.
Password
Alternate password for remote enumeration.
Quiet
Runs in Quiet Mode.
Default value: False.
Username
Alternate username for remote enumeration.
Seatbelt Example Usage
Here's an example of how to use the seatbelt module in the Empire client console:
[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/situational_awareness/host/seatbelt
Author @harmj0y
@S3cur3Th1sSh1t
Background False
Comments https://github.com/GhostPack/Seatbelt
Description Seatbelt is a C# project that performs a number of security oriented
host-survey "safety checks" relevant from both offensive and defensive
security perspectives.
Language powershell
Name powershell/situational_awareness/host/seatbelt
NeedsAdmin False
OpsecSafe True
Techniques http://attack.mitre.org/techniques/T1082
,Record Optionsw-------,----------,-------------------------------------,
| Name | Value | Required | Description |
|--------------|-------|----------|-------------------------------------|
| Agent | | True | Agent to run on. |
|--------------|-------|----------|-------------------------------------|
| Command | | False | Use available Seatbelt commands |
| | | | (AntiVirus, PowerShellEvents, UAC, |
| | | | etc). |
|--------------|-------|----------|-------------------------------------|
| Computername | | False | Remote system to run enumeration |
| | | | against. This is performed over WMI |
| | | | via queriesfor WMI classes and WMI |
| | | | StdRegProv for registry |
| | | | enumeration. |
|--------------|-------|----------|-------------------------------------|
| Full | True | False | Display all results. |
|--------------|-------|----------|-------------------------------------|
| Group | all | False | Runs a predefined group of commands |
| | | | (All, User, System, Slack, Chrome, |
| | | | Remote, Misc) |
|--------------|-------|----------|-------------------------------------|
| Password | | False | Alternate password for remote |
| | | | enumeration. |
|--------------|-------|----------|-------------------------------------|
| Quiet | False | False | Runs in Quiet Mode. |
|--------------|-------|----------|-------------------------------------|
| Username | | False | Alternate username for remote |
| | | | enumeration. |
'--------------'-------'----------'-------------------------------------'
(Empire: usemodule/powershell/situational_awareness/host/seatbelt) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/situational_awareness/host/seatbelt) > execute
[*] Tasked Y4LHEV83 to run Task 1
...
Now wait for the results to come.
Authors
References
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/situational_awareness/host/seatbelt.yaml
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/situational_awareness/host/seatbelt.py
- https://github.com/GhostPack/Seatbelt
- http://attack.mitre.org/techniques/T1082
See Also
Check also the following modules related to this module:
- powershell/situational_awareness/host/hostrecon
- powershell/situational_awareness/host/winenum
- powershell/situational_awareness/host/applockerstatus
- powershell/situational_awareness/host/get_uaclevel
- powershell/situational_awareness/host/dnsserver
- powershell/situational_awareness/host/antivirusproduct
- powershell/situational_awareness/host/get_pathacl
- powershell/situational_awareness/host/get_proxy
- powershell/situational_awareness/host/findtrusteddocuments
- powershell/situational_awareness/host/monitortcpconnections
- powershell/situational_awareness/host/paranoia
- powershell/situational_awareness/host/computerdetails
- python/situational_awareness/host/multi/WorldWriteableFileSearch
- python/situational_awareness/host/multi/SuidGuidSearch
- python/situational_awareness/host/osx/situational_awareness
- python/situational_awareness/host/osx/HijackScanner
- csharp/GhostPack/Rubeus
- csharp/GhostPack/SharpDPAPI
- csharp/GhostPack/SharpUp
- csharp/GhostPack/SharpDump
- csharp/GhostPack/Seatbelt
- csharp/GhostPack/SharpWMI
- python/situational_awareness/network/gethostbyname
Version
This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.
