Command Groups
Many commands filter their output by default (for example, Processes and Services only list entries whose company name doesn't contain 'Microsoft'). Supplying the -full argument disables that filtering. The command group all runs every current check.
For example, the following command runs ALL checks and returns ALL output:
Seatbelt.exe -group=all -full
system
Runs checks that mine interesting data about the system.
Executed with: Seatbelt.exe -group=system
| Command | Description |
| --- | --- |
| AMSIProviders | Providers registered for AMSI |
| AntiVirus | Registered antivirus (via WMI) |
| AppLocker | AppLocker settings, if installed |
| ARPTable | Lists the current ARP table and adapter information (equivalent to arp -a) |
| AuditPolicies | Enumerates classic and advanced audit policy settings |
| AuditPolicyRegistry | Audit settings via the registry |
| AutoRuns | Auto run executables/scripts/programs |
| CredGuard | Credential Guard configuration |
| DNSCache | DNS cache entries (via WMI) |
| DotNet | Installed .NET versions |
| EnvironmentPath | Current environment %PATH% folders and SDDL information |
| EnvironmentVariables | Current user environment variables |
| Hotfixes | Installed hotfixes (via WMI) |
| InterestingProcesses | "Interesting" processes: defensive products and admin tools |
| InternetSettings | Internet settings including proxy configs |
| LAPS | LAPS settings, if installed |
| LastShutdown | Returns the DateTime of the last system shutdown (via the registry) |
| LocalGPOs | Local Group Policy settings applied to the machine/local users |
| LocalGroups | Non-empty local groups; "full" displays all groups (argument == computername to enumerate) |
| LocalUsers | Local users, whether they're active/disabled, and password last set (argument == computername to enumerate) |
| LogonSessions | Current Windows logon sessions (live sessions, not event-log history; compare LogonEvents in the misc group) |
| LSASettings | LSA settings (including auth packages) |
| McAfeeConfigs | Finds McAfee configuration files |
| NamedPipes | Named pipe names and any readable ACL information |
| NetworkProfiles | Windows network profiles |
| NetworkShares | Network shares exposed by the machine (via WMI) |
| NTLMSettings | NTLM authentication settings |
| OSInfo | Basic OS info (architecture, OS version, etc.) |
| PoweredOnEvents | Reboot and sleep schedule based on the System event log EIDs 1, 12, 13, 42, and 6008. Default of 7 days, argument == last X days. |
| PowerShell | PowerShell versions and security settings |
| Processes | Running processes whose file-info company name doesn't contain 'Microsoft'; "full" enumerates all processes |
| PSSessionSettings | Enumerates PS Session Settings from the registry |
| RDPSessions | Current incoming RDP sessions (argument == computername to enumerate) |
| RDPsettings | Remote Desktop Server/Client Settings |
| SCCM | System Center Configuration Manager (SCCM) settings, if applicable |
| Services | Services whose file-info company name doesn't contain 'Microsoft'; "full" dumps all services |
| Sysmon | Sysmon configuration from the registry |
| TcpConnections | Current TCP connections and their associated processes and services |
| TokenPrivileges | Currently enabled token privileges (e.g. SeDebugPrivilege, etc.) |
| UAC | UAC system policies via the registry |
| UdpConnections | Current UDP connections and associated processes and services |
| UserRightAssignments | Configured User Right Assignments (e.g. SeDenyNetworkLogonRight, SeShutdownPrivilege, etc.); argument == computername to enumerate |
| WindowsAutoLogon | Registry autologon information |
| WindowsDefender | Windows Defender settings (including exclusion locations) |
| WindowsEventForwarding | Windows Event Forwarding (WEF) settings via the registry |
| WindowsFirewall | Non-standard firewall rules; "full" dumps all (arguments == allow/deny/tcp/udp/in/out/domain/private/public) |
| WMIEventConsumer | Lists WMI Event Consumers |
| WMIEventFilter | Lists WMI Event Filters |
| WMIFilterBinding | Lists WMI Filter to Consumer Bindings |
| WSUS | Windows Server Update Services (WSUS) settings, if applicable |
user
Runs checks that mine interesting data about the currently logged-on user (if not elevated) or ALL users (if elevated).
Executed with: Seatbelt.exe -group=user
| Command | Description |
| --- | --- |
| ChromePresence | Checks if interesting Google Chrome files exist |
| CloudCredentials | AWS/Google/Azure cloud credential files |
| CredEnum | Enumerates the current user's saved credentials using CredEnumerate() |
| dir | Lists files/folders. By default, lists users' downloads, documents, and desktop folders (arguments == \ \ \ ) |
| DpapiMasterKeys | List DPAPI master keys |
| ExplorerMRUs | Explorer most recently used files (last 7 days, argument == last X days) |
| ExplorerRunCommands | Recent Explorer "run" commands |
| FileZilla | FileZilla configuration files |
| FirefoxPresence | Checks if interesting Firefox files exist |
| IdleTime | Returns the number of seconds since the current user's last input |
| IEFavorites | Internet Explorer favorites |
| IETabs | Open Internet Explorer tabs |
| IEUrls | Internet Explorer typed URLs (last 7 days, argument == last X days) |
| MappedDrives | Users' mapped drives (via WMI) |
| OfficeMRUs | Office most recently used file list (last 7 days) |
| PowerShellHistory | Iterates through every local user and attempts to read their PowerShell console history; prints it if the read succeeds |
| PuttyHostKeys | Saved PuTTY SSH host keys |
| PuttySessions | Saved PuTTY configuration (interesting fields) and SSH host keys |
| RDCManFiles | Windows Remote Desktop Connection Manager settings files |
| RDPSavedConnections | Saved RDP connections stored in the registry |
| SecPackageCreds | Obtains credentials from security packages |
| SlackDownloads | Parses any found 'slack-downloads' files |
| SlackPresence | Checks if interesting Slack files exist |
| SlackWorkspaces | Parses any found 'slack-workspaces' files |
| SuperPutty | SuperPutty configuration files |
| TokenGroups | The current token's local and domain groups |
| WindowsCredentialFiles | Windows credential DPAPI blobs |
| WindowsVault | Credentials saved in the Windows Vault (e.g. logins saved by Internet Explorer and Edge) |
misc
Runs all miscellaneous checks.
Executed with: Seatbelt.exe -group=misc
| Command | Description |
| --- | --- |
| ChromeBookmarks | Parses any found Chrome bookmark files |
| ChromeHistory | Parses any found Chrome history files |
| ExplicitLogonEvents | Explicit logon events (Event ID 4648) from the Security event log. Default of 7 days, argument == last X days. |
| FileInfo | Information about a file (version information, timestamps, basic PE info, etc.); argument(s) == file path(s) |
| FirefoxHistory | Parses any found Firefox history files |
| HuntLolbas | Locates Living Off The Land Binaries and Scripts (LOLBAS) on the system. Note: takes non-trivial time. |
| InstalledProducts | Installed products via the registry |
| InterestingFiles | "Interesting" files matching various patterns in the user's folder. Note: takes non-trivial time. |
| LogonEvents | Logon events (Event ID 4624) from the Security event log. Default of 10 days, argument == last X days. |
| McAfeeSiteList | Decrypts any found McAfee SiteList.xml configuration files |
| MicrosoftUpdates | All Microsoft updates (via COM) |
| OutlookDownloads | Lists files downloaded by Outlook |
| PowerShellEvents | PowerShell script block logs (Event ID 4104) with sensitive data |
| Printers | Installed printers (via WMI) |
| ProcessCreationEvents | Process creation logs (Event ID 4688) with sensitive data |
| ProcessOwners | Running non-session-0 process list with owners. For remote use. |
| RecycleBin | Items in the Recycle Bin deleted in the last 30 days. Only works from a user context! |
| reg | Registry key values (HKLM\Software by default); argument == [Path] [intDepth] [Regex] [boolIgnoreErrors] |
| RPCMappedEndpoints | Currently mapped RPC endpoints |
| ScheduledTasks | Scheduled tasks (via WMI) that aren't authored by 'Microsoft'; "full" dumps all scheduled tasks |
| SearchIndex | Query results from the Windows Search Index, default term of 'password' (argument(s) == \ \ ) |
| SecurityPackages | Enumerates the security packages currently available using EnumerateSecurityPackagesA() |
| SysmonEvents | Sysmon process creation logs (Event ID 1) with sensitive data |
Additional Command Groups
Executed with: Seatbelt.exe -group=GROUPNAME
| Alias | Description |
| --- | --- |
| Slack | Runs modules that start with "Slack*" |
| Chrome | Runs modules that start with "Chrome*" |
| Remote | Runs the following modules (for use against a remote system): AMSIProviders, AntiVirus, DotNet, ExplorerRunCommands, Hotfixes, InterestingProcesses, LastShutdown, LogonSessions, LSASettings, MappedDrives, NetworkProfiles, NetworkShares, NTLMSettings, PowerShell, ProcessOwners, PuttyHostKeys, PuttySessions, RDPSavedConnections, RDPSessions, RDPsettings, Sysmon, WindowsDefender, WindowsEventForwarding, WindowsFirewall |
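As an added example, not part of Seatbelt's documentation or code, the following PowerShell wrapper builds the Seatbelt command line for the three forms used on this page: a command group with -full (the -group=all -full form from the introduction), individual commands that take a trailing argument (the "argument == last X days" and "argument == computername" entries in the tables), and the Remote group run against another host. It assumes Seatbelt.exe sits in the current directory. The -group and -full flags are the ones on this page; -outputfile, -computername, -username and -password are taken from Seatbelt's own command-line usage text and are not listed on this page. The hostname and account in the usage comments are placeholders.

```powershell
# Added example (not Seatbelt project code). Builds and runs a Seatbelt.exe command line.
# Assumptions: Seatbelt.exe is in the current directory; -group/-full are documented on this
# page; -outputfile/-computername/-username/-password come from Seatbelt's own usage text.
function Invoke-Seatbelt {
    [CmdletBinding()]
    param(
        # A command group name such as all, system, user, misc, Slack, Chrome or Remote.
        [string]$Group,
        # One or more individual command names, e.g. LogonEvents, ScheduledTasks, reg.
        [string[]]$Command,
        # Per-command arguments keyed by command name, e.g. @{ LogonEvents = '30' }.
        # Seatbelt expects "<command> <args>" as a single argv token, so each pair is joined here.
        [hashtable]$CommandArgs = @{},
        # Disable Seatbelt's default output filtering.
        [switch]$Full,
        # Write Seatbelt's output to this file instead of the console.
        [string]$OutputFile,
        # Target another host; UserName/Password are only meaningful with ComputerName.
        [string]$ComputerName,
        [string]$UserName,
        [string]$Password,
        [string]$SeatbeltPath = '.\Seatbelt.exe',
        # Return the argument array instead of executing (useful for review or logging).
        [switch]$ArgsOnly
    )

    if (-not $Group -and -not $Command) {
        throw 'Specify -Group and/or -Command.'
    }

    $argList = @()
    if ($Group) { $argList += "-group=$Group" }

    foreach ($c in $Command) {
        if ($CommandArgs.ContainsKey($c)) {
            # e.g. "LogonEvents 30" or "reg HKLM\Software\Policies 2 password true"
            $argList += "$c $($CommandArgs[$c])"
        } else {
            $argList += $c
        }
    }

    if ($Full)       { $argList += '-full' }
    if ($OutputFile) { $argList += "-outputfile=$OutputFile" }

    if ($ComputerName) {
        $argList += "-computername=$ComputerName"
        if ($UserName) { $argList += "-username=$UserName" }
        # Caveat: Windows PowerShell 5.1 does not escape embedded double quotes when
        # passing arguments to native executables, so a password containing " may be
        # mangled; pick an account whose password has none or run from cmd.exe.
        if ($Password) { $argList += "-password=$Password" }
    }

    if ($ArgsOnly) { return $argList }

    # Splatting an array passes each element as its own argv entry; elements containing
    # spaces (the "<command> <args>" tokens) are quoted for the child process automatically.
    & $SeatbeltPath @argList
}

# Usage (placeholder host, account and paths):
#   Every check, unfiltered, saved to a file:
#     Invoke-Seatbelt -Group all -Full -OutputFile 'C:\Temp\seatbelt-all.txt'
#   Last 30 days of 4624 events plus non-Microsoft scheduled tasks:
#     Invoke-Seatbelt -Command LogonEvents,ScheduledTasks -CommandArgs @{ LogonEvents = '30' }
#   Local groups on another host via the computername argument form:
#     Invoke-Seatbelt -Command LocalGroups -CommandArgs @{ LocalGroups = 'srv01.example.local' }
#   The Remote group against another host with explicit credentials:
#     Invoke-Seatbelt -Group Remote -ComputerName 'dc.example.local' -UserName 'EXAMPLE\sam' -Password 'PlaceholderPassw0rd'
#   Inspect the argument list without running anything:
#     Invoke-Seatbelt -Group misc -Command reg -CommandArgs @{ reg = 'HKLM\Software\Policies 2 password true' } -ArgsOnly
```

The -ArgsOnly switch is the useful part for operators who log their activity: it returns exactly the argv array that would be handed to Seatbelt.exe, so the quoting of multi-word command tokens can be checked before anything runs on the target.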