I’ve decided to write a few blog posts about tools that I think are really cool that not everyone knows about. First up on my list is Seatbelt which is part of the GhostPac suite recently released by harmj0y.
You can read about harmj0y’s motivations and logic here but suffice to say that sometimes PowerShell is a fantastic choice for your post exploitation needs and sometimes you need to avoid it for opsec or other concerns. Because of this, harmj0y ported some of his favorite PowerShell functionality to C# and GhostPac was born.
One of the modules in the project is called Seatbelt which is designed to enumerate information from the local system.
harmj0y stated that they’re not releasing binaries for this project in an effort to avoid “brittle” signatures targeting static strings, etc. so you’ll have to compile the tools yourself. You can use the free versions of Visual Studio (2015 or 2017 community editions) and it really couldn’t be easier. You can download the project from here, open it in Visual Studio and then build the project.
Once that’s complete you should be left with a nice Seatbelt.exe file buried in a \bin\Debug folder. Note: You may need to disable your antivirus if it alerts on the file and eats it.
You can run Seatbelt with no arguments and see all of the different information that you can gather. Seatbelt.exe system can gather the following information:
Here is an example of some of the data pulled:
Seatbelt.exe user acquires the following information:
There can be a TON of valuable information contained in these results.
And the final group of checks that you can run:
With an example:
As you can see, if you have access to a system and are looking to acquire information for situational awareness, privilege escalation or just about any other reason, Seatbelt is a fantastic option for gathering what you need.
Article Link: https://digitalforensicstips.com/2018/09/a-quick-look-at-seatbelt-for-system-enumeration/