HackTool.MSIL.Seatbelt.E

This Hacking Tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It does not have any propagation routine.

It does not have any backdoor routine.

It does not have any information-stealing capability.

Arrival Details

This Hacking Tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Propagation

This Hacking Tool does not have any propagation routine.

Backdoor Routine

This Hacking Tool does not have any backdoor routine.

Rootkit Capabilities

This Hacking Tool does not have rootkit capabilities.

Information Theft

This Hacking Tool does not have any information-stealing capability.

Other Details

This Hacking Tool accepts the following parameters:

• -group=all|user|system|slack|chrome|remote|misc → used to run a predefined set of related commands collectively, rather than executing each command individually.
  
  System | Remote:
  
  
• AMSIProviders → Providers registered for AMSI
• AntiVirus → Registered antivirus (via WMI)
• DotNet → DotNet versions
• ExplorerRunCommands → Recent Explorer "run" commands
• Hotfixes → Installed hotfixes (via WMI)
• InterestingProcesses → "Interesting" processes - defensive products and admin tools
• LastShutdown → Returns the DateTime of the last system shutdown (via the registry).
• LogonSessions → Windows logon sessions
• LSASettings → LSA settings (including auth packages)
• MappedDrives → Users' mapped drives (via WMI)
• NetworkProfiles → Windows network profiles
• NetworkShares → Network shares exposed by the machine (via WMI)
• NTLMSettings → NTLM authentication settings
• PowerShell → PowerShell versions and security settings
• Sysmon → Sysmon configuration from the registry
• WindowsDefender → Windows Defender settings (including exclusion locations)
• WindowsEventForwarding → Windows Event Forwarding (WEF) settings via the registry
• WindowsFirewall → Non-standard firewall rules, "-full" dumps all (arguments == allow|deny|tcp|udp|in|out|domain|private/public)
  
  System | Remote | User:
  
  
• PuttyHostKeys → Saved Putty SSH host keys
• PuttySessions → Saved Putty configuration (interesting fields) and SSH host keys
• RDPSavedConnections → Saved RDP connections stored in the registry
  
  System:
  
  
• AppLocker → AppLocker settings, if installed
• ARPTable → Lists the current ARP table and adapter information (equivalent to arp -a)
• AuditPolicies → Enumerates classic and advanced audit policy settings
• AuditPolicyRegistry → Audit settings via the registry
• AutoRuns → Auto run executables/scripts/programs
• CredGuard → CredentialGuard configuration
• DNSCache → DNS cache entries (via WMI)
• EnvironmentPath → Current environment %PATH$ folders and SDDL information
• EnvironmentVariables → Current user environment variables
• InternetSettings → Internet settings including proxy configs and zones configuration
• LAPS → LAPS settings, if installed
• LocalGPOs → Local Group Policy settings applied to the machine/local users
• LocalGroups → Non-empty local groups, "-full" displays all groups (argument == computername to enumerate)
• LocalUsers → Local users, whether they're active/disabled, and pwd last set (argument == computername to enumerate)
• NamedPipes → Named pipe names and any readable ACL information.
• OSInfo → Basic OS info (i.e. architecture, OS version, etc.)
• PoweredOnEvents → Reboot and sleep schedule based on the System event log EIDs 1, 12, 13, 42, and 6008. Default of 7 days, argument == last X days.
• Printers → Installed Printers (via WMI)
• Processes → Running processes with file info company names that don't contain 'Microsoft', "-full" enumerates all processes
• PSSessionSettings → Enumerates PS Session Settings from the registry
• SCCM → System Center Configuration Manager (SCCM) settings, if applicable
• Services → Services with file info company names that don't contain 'Microsoft', "-full" dumps all processes
• TcpConnections → Current TCP connections and their associated processes and services
• TokenPrivileges → Currently enabled token privileges (e.g. SeDebugPrivilege/etc.)
• UAC → UAC system policies via the registry
• UdpConnections → Current UDP connections and associated processes and services
• UserRightAssignments → Configured User Right Assignments (e.g. SeDenyNetworkLogonRight, SeShutdownPrivilege, etc.) argument == computername to enumerate
• WindowsAutoLogon → Registry autologon information
• WMIEventConsumer → Lists WMI Event Consumers
• WMIEventFilter → Lists WMI Event Filters
• WMIFilterBinding → Lists WMI Filter to Consumer Bindings
• WSUS → Windows Server Update Services (WSUS) settings, if applicable
  
  User:
  
  
• ChromePresence → Checks if interesting Google Chrome files exist
• CloudCredentials → AWS/Google/Azure cloud credential files
• CredEnum → Enumerates the current user's saved credentials using CredEnumerate()
• dir → Lists files/folders. By default, lists users' downloads, documents, and desktop folders (arguments == [directory] [depth] [regex] [boolIgnoreErrors]
• DpapiMasterKeys → List DPAPI master keys
• ExplorerMRUs → Explorer most recently used files (last 7 days, argument == last X days)
• FirefoxPresence → Checks if interesting Firefox files exist
• IdleTime → Returns the number of seconds since the current user's last input.
• IEFavorites → Internet Explorer favorites
• IETabs → Open Internet Explorer tabs
• IEUrls → Internet Explorer typed URLs (last 7 days, argument == last X days)
• OfficeMRUs → Office most recently used file list (last 7 days)
• RDCManFiles → Windows Remote Desktop Connection Manager settings files
• TokenGroups → The current token's local and domain groups
• WindowsCredentialFiles → Windows credential DPAPI blobs
• WindowsVault → Credentials saved in the Windows Vault (i.e. logins from Internet Explorer and Edge).
  
  Slack | User:
  
  
• SlackDownloads → Parses any found 'slack-downloads' files
• SlackPresence → Checks if interesting Slack files exist
• SlackWorkspaces → Parses any found 'slack-workspaces' files
  
  Chrome | User:
  
  
• ChromePresence → Checks if interesting Google Chrome files exist
  
  Chrome | Misc:
  
  
• ChromeBookmarks → Parses any found Chrome bookmark files
• ChromeHistory → Parses any found Chrome history files
  
  Misc:
  
  
• ExplicitLogonEvents → Explicit Logon events (Event ID 4648) from the security event log. Default of 7 days, argument == last X days.
• FileInfo → Information about a file (version information, timestamps, basic PE info, etc. argument(s) == file path(s)
• FirefoxHistory → Parses any found FireFox history files
• InstalledProducts → Installed products via the registry
• InterestingFiles → "Interesting" files matching various patterns in the user's folder. Note: takes non-trivial time.
• LogonEvents → Logon events (Event ID 4624) from the security event log. Default of 10 days, argument == last X days.
• MicrosoftUpdates → All Microsoft updates.
• OutlookDownloads → List files downloaded by Outlook
• PowerShellEvents → PowerShell script block logs (4104) with sensitive data.
• ProcessCreationEvents → Process creation logs (4688) with sensitive data.
• ProcessOwners → Running non-session 0 process list with owners. For remote use.
• RecycleBin → Items in the Recycle Bin deleted in the last 30 days - only works from a user context.
• reg → Registry key values (HKLM\Software by default) argument == [Path] [intDepth] [Regex] [boolIgnoreErrors]
• RPCMappedEndpoints → Current RPC endpoints mapped
• ScheduledTasks → Scheduled tasks (via WMI) that aren't authored by 'Microsoft', "-full" dumps all Scheduled tasks
• SearchIndex → Query results from the Windows Search Index, default term of 'passsword'. (argument(s) == {search path} {pattern1,pattern2,...}
• SecurityPackages → Enumerates the security packages currently available using EnumerateSecurityPackagesA()
• SysmonEvents → Sysmon process creation logs (1) with sensitive data.