Acknowledgemnents

Seatbelt incorporates various collection items, code C# snippets, and bits of PoCs found throughout research for its capabilities. These ideas, snippets, and authors are highlighted in the appropriate locations in the source code, and include:

• @andrewchiles' HostEnum.ps1 script and @tifkin_'s Get-HostProfile.ps1 provided inspiration for many of the artifacts to collect.

• Boboes' code concerning NetLocalGroupGetMembers

• ambyte's code for converting a mapped drive letter to a network path

• Igor Korkhov's code to retrieve current token group information

• RobSiklos' snippet to determine if a host is a virtual machine

• JGU's snippet on file/folder ACL right comparison

• Rod Stephens' pattern for recursive file enumeration

• SwDevMan81's snippet for enumerating current token privileges

• Jared Atkinson's PowerShell work on Kerberos ticket caches

• darkmatter08's Kerberos C# snippet

• Numerous PInvoke.net samples <3

• Jared Hill's awesome CodeProject to use Local Security Authority to Enumerate User Sessions

• Fred's code on querying the ARP cache

• ShuggyCoUk's snippet on querying the TCP connection table

• yizhang82's example of using reflection to interact with COM objects through C#

• @djhohnstein's SharpWeb project

• @djhohnstein's EventLogParser project

• @cmaddalena's SharpCloud project, BSD 3-Clause

• @_RastaMouse's Watson project, GPL License

• @_RastaMouse's Work on AppLocker enumeration

• @peewpw's Invoke-WCMDump project, GPL License

• TrustedSec's HoneyBadger project, BSD 3-Clause

• CENTRAL Solutions's Audit User Rights Assignment Project, No license

• Collection ideas inspired from @ukstufus's Reconerator

• Office MRU locations and timestamp parsing information from Dustin Hurlbut's paper Microsoft Office 2007, 2010 - Registry Artifacts

• The Windows Commands list, used for sensitive regex construction

• Ryan Ries' code for enumeration mapped RPC endpoints

• Chris Haas' post on EnumerateSecurityPackages()

• darkoperator's work on the HoneyBadger project

• @airzero24's work on WMI Registry enumeration

• Alexandru's answer on RegistryKey.OpenBaseKey alternatives

• Tomas Vera's post on JavaScriptSerializer

• Marc Gravell's note on recursively listing files/folders

• @mattifestation's Sysmon rule parser

• Some inspiration from spolnik's Simple.CredentialsManager project, Apache 2 license

• This post on Credential Guard settings

• This thread on network profile information

• Mark McKinnon's post on decoding the DateCreated and DateLastConnected SSID values

• This Specops post on group policy caching

• sa_ddam213's StackOverflow post on enumerating items in the Recycle Bin

• Kirill Osenkov's code for managed assembly detection

• The Mono project for the SecBuffer/SecBufferDesc classes

• Elad Shamir and his Internal-Monologue project, Vincent Le Toux for his DetectPasswordViaNTLMInFlow project, and Lee Christensen for this GetNTLMChallenge project. All of these served as inspiration int he SecPackageCreds command.

• @leftp and @eksperience's Gopher project for inspiration for the FileZilla and SuperPutty commands

• @funoverip for the original McAfee SiteList.xml decryption code

We've tried to do our due diligence for citations, but if we've left someone/something out, please let us know!