What is Seatbelt?
Seatbelt is a C# project that performs security-oriented host-survey “safety checks” on Windows systems. It collects a comprehensive set of system information useful from both offensive and defensive security perspectives.

Key Features
- 120+ Enumeration Commands: Comprehensive host enumeration covering system, user, and security configurations
- Command Groups: Organized command groups for targeted enumeration (system, user, misc, remote)
- Remote Enumeration: Enumerate remote systems via WMI with alternate credentials
- Flexible Output: Text or JSON output formats with configurable verbosity
- Modular Architecture: Easily extensible with custom command modules
- Privilege Context Aware: Automatically adjusts enumeration scope based on current privileges
Command Groups
Seatbelt organizes its 120+ commands into logical groups for targeted enumeration:

System Group
Runs checks that mine interesting data about the system itself.

System Commands (50+ checks)
- OS & Environment: OSInfo, DotNet, EnvironmentVariables, EnvironmentPath, LastShutdown
- Security Configuration: AppLocker, UAC, LAPS, CredGuard, SecureBoot, WindowsDefender
- Authentication: NTLM Settings, LSA Settings, Audit Policies, Token Privileges
- Network: ARP Table, TCP/UDP Connections, DNS Cache, Network Shares, Network Profiles, RDP Settings
- Monitoring: Sysmon, Windows Defender, Windows Event Forwarding, AMSI Providers
- Local Objects: Local Users, Local Groups, Services, Processes, Scheduled Tasks, Named Pipes
- Enterprise: SCCM, WSUS, Windows Firewall, Hotfixes
Seatbelt.exe -group=system
User Group
Runs checks that enumerate user-specific data and credentials.

User Commands (30+ checks)
- Credentials: CredEnum, DPAPI Master Keys, Windows Vault, Security Package Credentials
- Browser Data: Chromium (Chrome/Edge/Brave/Opera), Firefox files and history
- Cloud Credentials: AWS, Google, Azure, Bluemix credential files
- Recent Activity: Explorer MRUs, Explorer Run Commands, Office MRUs, IE URLs
- Saved Connections: FileZilla, PuTTY, SuperPuTTY, RDC Manager, RDP Saved Connections
- Certificates: User and machine personal certificate files
- Other: Mapped Drives, Token Groups, KeePass, OneNote, PowerShell History, Slack files
Seatbelt.exe -group=user
User commands run for the current user if not elevated, and for ALL users if elevated.
Misc Group
Miscellaneous enumeration commands that take longer to run or serve specific purposes.

Misc Commands (20+ checks)
- Event Logs: Logon Events, Explicit Logon Events, Process Creation Events, PowerShell Events, Sysmon Events
- Time-Intensive: Interesting Files, LOLBAS, Search Index
- Detailed Analysis: File Info, Registry Query, Recycle Bin
- System Details: Installed Products, Microsoft Updates, Printers, RPC Endpoints, Scheduled Tasks
Seatbelt.exe -group=misc
Browser Groups
Specialized groups for browser enumeration (Chromium, Slack).

Chromium
Enumerates Chrome, Edge, Brave, and Opera artifacts:
- ChromiumPresence
- ChromiumBookmarks
- ChromiumHistory
Seatbelt.exe -group=chromium

Remote Group
Subset of commands that support remote enumeration via WMI (marked with + in help).

Remote-Capable Commands (40+ checks)
Commands that can be executed against remote systems include most system and user checks that rely on WMI and registry access. Examples: AMSIProviders, AntiVirus, DotNet, Hotfixes, LocalUsers, LogonEvents, PowerShell, WindowsDefender, and more.
Seatbelt.exe -group=remote -computername=HOST [-username=DOMAIN\USER -password=PASSWORD]
Command Execution Options
Running Individual Commands
Running Command Groups
Commands with Arguments
Some commands accept arguments (enclosed in quotes):

Remote Enumeration
Commands marked with + in the help menu support remote execution via WMI.
1. Basic Remote Execution: Specify target computer with -computername:
2. Authenticated Remote Execution: Provide alternate credentials:
3. Remote Command Groups: Use the remote group for optimized remote enumeration:
Remote Execution Architecture
Output Options
Text Output
Default output format to console or file:

JSON Output
Structured output for parsing and automation:

Output Verbosity
Privilege Context Behavior
Seatbelt automatically adjusts its behavior based on execution context:
- Not Elevated
  - User Commands: Enumerate current user only
  - System Commands: Limited to non-privileged enumeration
  - Typical Use: Initial reconnaissance on compromised user account
- Elevated (Admin)
- High Integrity
Modular Architecture
Seatbelt’s structure is completely modular for easy extension:
1. Command Template: Use the template at .\Seatbelt\Commands\Template.cs as a starting point
2. Implement Command: Create your command class inheriting from CommandBase
3. Add to Project: Place in appropriate directory and include in Visual Studio solution
4. Compile: Rebuild project - new command automatically discovered and loaded
Use Cases
- Red Team Operations: Post-compromise situational awareness and privilege escalation enumeration
- Penetration Testing: Host-based enumeration during internal assessments
- Incident Response: Rapid triage and forensic artifact collection
- Security Auditing: Baseline security configuration assessment
- Threat Hunting: Anomaly detection and security posture evaluation
- Blue Team Testing: Validate detection capabilities and log visibility
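As an added example (not part of Seatbelt or the GhostPack project), a small Python baseline checker that consumes the JSON output described under Output Options and scores it for the Security Auditing use case. It assumes the JSON file is one record per line with "Type" and "Data" keys; the Type names, Data field names and sample values are constructed for illustration and must be mapped to the fields in the output you actually collect.

```python
import json

# Constructed sample in the assumed Seatbelt JSON layout: one record per line, "Type" naming
# the command and "Data" carrying its fields. Field names are constructed for this example.
SAMPLE_JSONL = """\
{"Type":"Seatbelt.Commands.Windows.UACCommand","Data":{"EnableLUA":1,"ConsentPromptBehaviorAdmin":0}}
{"Type":"Seatbelt.Commands.Windows.LAPSCommand","Data":{"LAPSInstalled":false}}
{"Type":"Seatbelt.Commands.Windows.SysmonCommand","Data":{"Installed":true,"HashingAlgorithm":"SHA256"}}
{"Type":"Seatbelt.Commands.Windows.LSASettingsCommand","Data":{"RunAsPPL":0,"LmCompatibilityLevel":3}}
this line is not a JSON record and must be skipped rather than abort the run
"""

def parse_seatbelt_jsonl(text: str) -> dict:
    """Group Data payloads by command Type; lines that are not JSON records are skipped."""
    records: dict = {}
    for line in text.splitlines():
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict) and "Type" in obj and isinstance(obj.get("Data"), dict):
            records.setdefault(obj["Type"], []).append(obj["Data"])
    return records

# Baseline rules: (Type suffix, description, predicate that is True when the host meets it).
BASELINE_RULES: list = [
    ("UACCommand", "UAC enabled and admins prompted",
     lambda d: d.get("EnableLUA") == 1 and d.get("ConsentPromptBehaviorAdmin", 0) != 0),
    ("LAPSCommand", "LAPS installed", lambda d: d.get("LAPSInstalled") is True),
    ("SysmonCommand", "Sysmon installed", lambda d: d.get("Installed") is True),
    ("LSASettingsCommand", "LSA protection (RunAsPPL)", lambda d: d.get("RunAsPPL") == 1),
    ("LSASettingsCommand", "NTLMv2 only (LmCompatibilityLevel >= 5)",
     lambda d: d.get("LmCompatibilityLevel", 0) >= 5),
    ("CredGuardCommand", "Credential Guard check present", lambda d: bool(d)),
]

def evaluate_baseline(text: str) -> list:
    """Return (status, description) per rule: PASS, FAIL, or MISSING when that check never ran."""
    by_type = parse_seatbelt_jsonl(text)
    results = []
    for suffix, desc, passes in BASELINE_RULES:
        data = [d for t, ds in by_type.items() if t.endswith(suffix) for d in ds]
        if not data:
            results.append(("MISSING", desc))
        else:
            results.append(("PASS" if all(passes(d) for d in data) else "FAIL", desc))
    return results

if __name__ == "__main__":
    for status, desc in evaluate_baseline(SAMPLE_JSONL):
        print(f"{status:8}{desc}")
```

A MISSING result is worth reporting separately from FAIL: it means the check was not in the run (for example a group that was not requested), not that the host is misconfigured.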
Detection Considerations
Detection Indicators
Process Indicators:
- Process name: Seatbelt.exe (or renamed executable)
- Unusual .NET assembly loading patterns
- Sequential enumeration of multiple system resources
- Rapid WMI queries across multiple classes
- Extensive registry enumeration
- File system searches for specific patterns
- Event log queries for security events
- Network connection enumeration
- WMI connections to remote systems (135/TCP, RPC)
- StdRegProv registry access patterns
- Authenticated connections with unusual source
Defensive Measures
Detection Strategies
- Monitor for processes making numerous WMI queries
- Alert on registry enumeration of sensitive keys (LSA, credential locations)
- Track event log access patterns (especially security log)
- Monitor file access to credential-related files
- Detect sequential execution of enumeration activities
- Signature-based detection of Seatbelt binary
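As an added example (not from the Seatbelt project), the detection strategies above expressed as a window heuristic over constructed, normalized telemetry: a process that reads several LSA/credential-related registry keys and queries many WMI classes within one minute is flagged, while a service that touches the same keys slowly is not. The event shape, key prefixes and thresholds are assumptions to tune against your own Sysmon or WMI activity logs.

```python
from collections import defaultdict

# Sensitive registry prefixes (LSA, cached-credential and LAPS locations); constructed list, tune it.
SENSITIVE_KEY_PREFIXES = (
    r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd",
)
WINDOW_SECONDS = 60
MIN_SENSITIVE_KEYS = 3  # distinct sensitive keys read within one window
MIN_WMI_CLASSES = 5     # distinct WMI classes queried within one window

# Constructed telemetry: kind is "registry" (target = key path) or "wmi" (target = class queried).
SB = r"C:\Users\alice\Downloads\survey.exe"  # constructed: a renamed survey binary
SVC = r"C:\Windows\System32\svchost.exe"
FIELDS = ("ts", "pid", "image", "kind", "target")
SAMPLE_EVENTS = [dict(zip(FIELDS, t)) for t in [
    (0, 4242, SB, "registry", r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL"),
    (2, 4242, SB, "registry", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount"),
    (3, 4242, SB, "registry", r"HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd\AdmPwdEnabled"),
    *[(5 + i, 4242, SB, "wmi", c) for i, c in enumerate(["Win32_OperatingSystem", "Win32_Service",
        "Win32_Process", "Win32_QuickFixEngineering", "Win32_UserAccount"])],
    # benign: the same three sensitive keys, but spread over five minutes, never three in one window
    (0, 77, SVC, "registry", r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL"),
    (150, 77, SVC, "registry", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount"),
    (300, 77, SVC, "registry", r"HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd\AdmPwdEnabled"),
]]

def is_sensitive_key(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(prefix.lower()) for prefix in SENSITIVE_KEY_PREFIXES)

def find_enumeration_bursts(events) -> dict:
    """Return {pid: reason} for processes that cross a threshold in any WINDOW_SECONDS window."""
    by_pid = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_pid[e["pid"]].append(e)
    flagged = {}
    for pid, evs in by_pid.items():
        for i, start in enumerate(evs):  # slide the window start over each event
            window = [e for e in evs[i:] if e["ts"] - start["ts"] <= WINDOW_SECONDS]
            keys = {e["target"].lower() for e in window
                    if e["kind"] == "registry" and is_sensitive_key(e["target"])}
            classes = {e["target"].lower() for e in window if e["kind"] == "wmi"}
            reasons = []
            if len(keys) >= MIN_SENSITIVE_KEYS:
                reasons.append(f"{len(keys)} sensitive registry keys")
            if len(classes) >= MIN_WMI_CLASSES:
                reasons.append(f"{len(classes)} WMI classes")
            if reasons:
                flagged[pid] = f"{start['image']}: " + ", ".join(reasons)
                break
    return flagged
```

Keying on behaviour (distinct sensitive keys and WMI classes per window) rather than the image name is what keeps the rule useful when the binary is renamed, as the Process Indicators above note.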
Prevention Strategies
- Implement least privilege to reduce enumeration effectiveness
- Harden credential storage and remove cached credentials
- Enable constrained PowerShell language mode
- Implement application whitelisting (AppLocker, WDAC)
- Restrict WMI access and remote registry
- Enable enhanced logging for enumeration activities
Command Summary Statistics
- System Commands: 50+ checks. OS, security, network, and system configuration
- User Commands: 30+ checks. User data, credentials, and activity
- Misc Commands: 20+ checks. Event logs, intensive searches, detailed analysis
- Browser Commands: 6 checks. Chromium and Firefox artifacts
- Remote-Capable: 40+ checks. Commands supporting WMI-based remote execution
- Total Commands: 120+ checks. Comprehensive Windows host enumeration
Quick Start
1. Basic Enumeration: Run all checks:
2. Targeted Enumeration: Run specific command group:
3. Save Results: Output to file:
4. Remote Enumeration: Enumerate remote system:
Example Output
Additional Resources
- GitHub Repository: Official Seatbelt repository
- Compilation Guide: Build Seatbelt from source
- Usage Guide: Detailed usage examples and scenarios
- GhostPack Tools: Other GhostPack security tools