Command Groups

Many commands do some type of filtering by default. Supplying the -full argument prevents filtering output. Also, the command group all will run all current checks.

For example, the following command will run ALL checks and returns ALL output:

Seatbelt.exe -group=all -full

system

Runs checks that mine interesting data about the system.

Executed with: Seatbelt.exe -group=system

Command	Description
AMSIProviders	Providers registered for AMSI
AntiVirus	Registered antivirus (via WMI)
AppLocker	AppLocker settings, if installed
ARPTable	Lists the current ARP table and adapter information(equivalent to arp -a)
AuditPolicies	Enumerates classic and advanced audit policy settings
AuditPolicyRegistry	Audit settings via the registry
AutoRuns	Auto run executables/scripts/programs
CredGuard	CredentialGuard configuration
DNSCache	DNS cache entries (via WMI)
DotNet	DotNet versions
EnvironmentPath	Current environment %PATH$ folders and SDDL information
EnvironmentVariables	Current user environment variables
Hotfixes	Installed hotfixes (via WMI)
InterestingProcesses	"Interesting" processes - defensive products and admin tools
InternetSettings	Internet settings including proxy configs
LAPS	LAPS settings, if installed
LastShutdown	Returns the DateTime of the last system shutdown (via the registry)
LocalGPOs	Local Group Policy settings applied to the machine/local users
LocalGroups	Non-empty local groups, "full" displays all groups (argument == computername to enumerate)
LocalUsers	Local users, whether they're active/disabled, and pwd last set (argument == computername to enumerate)
LogonSessions	Logon events (Event ID 4624) from the security event log. Default of 10 days, argument == last X days.
LSASettings	LSA settings (including auth packages)
McAfeeConfigs	Finds McAfee configuration files
NamedPipes	Named pipe names and any readable ACL information
NetworkProfiles	Windows network profiles
NetworkShares	Network shares exposed by the machine (via WMI)
NTLMSettings	NTLM authentication settings
OSInfo	Basic OS info (i.e. architecture, OS version, etc.)
PoweredOnEvents	Reboot and sleep schedule based on the System event log EIDs 1, 12, 13, 42, and 6008. Default of 7 days, argument == last X days.
PowerShell	PowerShell versions and security settings
Processes	Running processes with file info company names that don't contain 'Microsoft', "full" enumerates all processes
PSSessionSettings	Enumerates PS Session Settings from the registry
RDPSessions	Current incoming RDP sessions (argument == computername to enumerate)
RDPsettings	Remote Desktop Server/Client Settings
SCCM	System Center Configuration Manager (SCCM) settings, if applicable
Services	Services with file info company names that don't contain 'Microsoft', "full" dumps all processes
Sysmon	Sysmon configuration from the registry
TcpConnections	Current TCP connections and their associated processes and services
TokenPrivileges	Currently enabled token privileges (e.g. SeDebugPrivilege/etc.)
UAC	UAC system policies via the registry
UdpConnections	Current UDP connections and associated processes and services
UserRightAssignments	Configured User Right Assignments (e.g. SeDenyNetworkLogonRight, SeShutdownPrivilege, etc.) argument == computername to enumerate
WindowsAutoLogon	Registry autologon information
WindowsDefender	Windows Defender settings (including exclusion locations)
WindowsEventForwarding	Windows Event Forwarding (WEF) settings via the registry
WindowsFirewall	Non-standard firewall rules, "full" dumps all (arguments == allow/deny/tcp/udp/in/out/domain/private/public)
WMIEventConsumer	Lists WMI Event Consumers
WMIEventFilter	Lists WMI Event Filters
WMIFilterBinding	Lists WMI Filter to Consumer Bindings
WSUS	Windows Server Update Services (WSUS) settings, if applicable

user

Runs checks that mine interesting data about the currently logged on user (if not elevated) or ALL users (if elevated).

Executed with: Seatbelt.exe -group=user

Command	Description
ChromePresence	Checks if interesting Google Chrome files exist
CloudCredentials	AWS/Google/Azure cloud credential files
CredEnum	Enumerates the current user's saved credentials using CredEnumerate()
dir	Lists files/folders. By default, lists users' downloads, documents, and desktop folders (arguments == \ \ \
DpapiMasterKeys	List DPAPI master keys
ExplorerMRUs	Explorer most recently used files (last 7 days, argument == last X days)
ExplorerRunCommands	Recent Explorer "run" commands
FileZilla	FileZilla configuration files
FirefoxPresence	Checks if interesting Firefox files exist
IdleTime	Returns the number of seconds since the current user's last input.
IEFavorites	Internet Explorer favorites
IETabs	Open Internet Explorer tabs
IEUrls	Internet Explorer typed URLs (last 7 days, argument == last X days)
MappedDrives	Users' mapped drives (via WMI)
OfficeMRUs	Office most recently used file list (last 7 days)
PowerShellHistory	Iterates through every local user and attempts to read their PowerShell console history if successful will print it
PuttyHostKeys	Saved Putty SSH host keys
PuttySessions	Saved Putty configuration (interesting fields) and SSH host keys
RDCManFiles	Windows Remote Desktop Connection Manager settings files
RDPSavedConnections	Saved RDP connections stored in the registry
SecPackageCreds	Obtains credentials from security packages
SlackDownloads	Parses any found 'slack-downloads' files
SlackPresence	Checks if interesting Slack files exist
SlackWorkspaces	Parses any found 'slack-workspaces' files
SuperPutty	SuperPutty configuration files
TokenGroups	The current token's local and domain groups
WindowsCredentialFiles	Windows credential DPAPI blobs
WindowsVault	Credentials saved in the Windows Vault (i.e. logins from Internet Explorer and Edge).

misc

Runs all miscellaneous checks.

Executed with: Seatbelt.exe -group=misc

Command	Description
ChromeBookmarks	Parses any found Chrome bookmark files
ChromeHistory	Parses any found Chrome history files
ExplicitLogonEvents	Explicit Logon events (Event ID 4648) from the security event log. Default of 7 days, argument == last X days.
FileInfo	Information about a file (version information, timestamps, basic PE info, etc. argument(s) == file path(s)
FirefoxHistory	Parses any found FireFox history files
HuntLolbas	Locates Living Off The Land Binaries and Scripts (LOLBAS) on the system. Note: takes non-trivial time.
InstalledProducts	Installed products via the registry
InterestingFiles	"Interesting" files matching various patterns in the user's folder. Note: takes non-trivial time.
LogonEvents	Logon events (Event ID 4624) from the security event log. Default of 10 days, argument == last X days.
McAfeeSiteList	Decrypt any found McAfee SiteList.xml configuration files.
MicrosoftUpdates	All Microsoft updates (via COM)
OutlookDownloads	List files downloaded by Outlook
PowerShellEvents	PowerShell script block logs (4104) with sensitive data.
Printers	Installed Printers (via WMI)
ProcessCreationEvents	Process creation logs (4688) with sensitive data.
ProcessOwners	Running non-session 0 process list with owners. For remote use.
RecycleBin	Items in the Recycle Bin deleted in the last 30 days - only works from a user context!
reg	Registry key values (HKLM\Software by default) argument == [Path] [intDepth] [Regex] [boolIgnoreErrors]
RPCMappedEndpoints	Current RPC endpoints mapped
ScheduledTasks	Scheduled tasks (via WMI) that aren't authored by 'Microsoft', "full" dumps all Scheduled tasks
SearchIndex	Query results from the Windows Search Index, default term of 'passsword'. (argument(s) == \ \
SecurityPackages	Enumerates the security packages currently available using EnumerateSecurityPackagesA()
SysmonEvents	Sysmon process creation logs (1) with sensitive data.

Additional Command Groups

Executed with: Seatbelt.exe -group=GROUPNAME

Alias	Description
Slack	Runs modules that start with "Slack*"
Chrome	Runs modules that start with "Chrome*"
Remote	Runs the following modules (for use against a remote system): AMSIProviders, AntiVirus, DotNet, ExplorerRunCommands, Hotfixes, InterestingProcesses, LastShutdown, LogonSessions, LSASettings, MappedDrives, NetworkProfiles, NetworkShares, NTLMSettings, PowerShell, ProcessOwners, PuttyHostKeys, PuttySessions, RDPSavedConnections, RDPSessions, RDPsettings, Sysmon, WindowsDefender, WindowsEventForwarding, WindowsFirewall