Acknowledgements
Seatbelt incorporates various collection items, C# code snippets, and bits of PoCs found throughout research for its capabilities. These ideas, snippets, and authors are highlighted in the appropriate locations in the source code, and include:
@andrewchiles' HostEnum.ps1 script and @tifkin_'s Get-HostProfile.ps1 provided inspiration for many of the artifacts to collect.
Numerous PInvoke.net samples <3
@cmaddalena's SharpCloud project, BSD 3-Clause
@_RastaMouse's Watson project, GPL License
@peewpw's Invoke-WCMDump project, GPL License
TrustedSec's HoneyBadger project, BSD 3-Clause
CENTRAL Solutions' Audit User Rights Assignment project, no license
Collection ideas inspired from @ukstufus's Reconerator
Office MRU locations and timestamp parsing information from Dustin Hurlbut's paper Microsoft Office 2007, 2010 - Registry Artifacts
The Windows Commands list, used for sensitive regex construction
@airzero24's work on WMI Registry enumeration
Alexandru's answer on RegistryKey.OpenBaseKey alternatives
Tomas Vera's post on JavaScriptSerializer
Marc Gravell's note on recursively listing files/folders
Some inspiration from spolnik's Simple.CredentialsManager project, Apache 2 license
This thread on network profile information
Mark McKinnon's post on decoding the DateCreated and DateLastConnected SSID values
This Specops post on group policy caching
sa_ddam213's StackOverflow post on enumerating items in the Recycle Bin
Kirill Osenkov's code for managed assembly detection
The Mono project for the SecBuffer/SecBufferDesc classes
Elad Shamir for his Internal-Monologue project, Vincent Le Toux for his DetectPasswordViaNTLMInFlow project, and Lee Christensen for his GetNTLMChallenge project. All of these served as inspiration in the SecPackageCreds command.
@leftp and @eksperience's Gopher project for inspiration for the FileZilla and SuperPutty commands
@funoverip for the original McAfee SiteList.xml decryption code
We've tried to do our due diligence for citations, but if we've left someone/something out, please let us know!