operator
ChainsTTPsBlogLogin
menu
Prelude chain browser

Is my host protected against Seatbelt?

This chain will stage a Seatbelt binary from Operator and use it to enumerate the local system's antivirus, UAC policy, and PowerShell logs for sensitive information.

2023-01-24

/static/assets/windows-logo.svg
Professional
This is a professional attack chain. A professional subscription automatically gives you access to this chain + 50 more, with direct integration inside of Operator.info
Authors:gerbsec

Is my host protected against Seatbelt?

Seatbelt Seatbelt is a C# project that conducts a variety of host-survey "safety checks" that are significant from both an offensive and defensive security standpoint. These include enumeration for providers registered for AMSI, the current user's saved credentials using CredEnumerate(), and DNS cache entries (via WMI).

Seatbelt is available for download in GhostPack.

Testing

Execute Is my host protected against Seatbelt? in Operator on each host in your environment to test if you are vulnerable.

This chain will stage a Seatbelt binary from Operator and use it to enumerate the local system's antivirus, UAC policy, and PowerShell logs for sensitive information.

Remediation

Microsoft has released Attack Surface Reduction (ASR) rules to Block process creations originating from PSExec and WMI commands and Block persistence through WMI event subscription. These rules currently apply to WMI and PsExec processes, but will not prevent the use of Seatbelt or other tools that implement WMI functionality.
Seatbelt may be detected by monitoring network traffic for WMI connections as well as proper AV that enabled signature-based detection.

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org
See our open-source repositories: https://github.com/preludeorg

Join our community

Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg

Read, watch, and listen

Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg

Follow our team

David: https://twitter.com/privateducky
Alex: https://twitter.com/khyberspache
Octavia: https://twitter.com/VVX7
Waseem: https://twitter.com/gerbsec
Robin: https://twitter.com/bfuzzy1

Source: https://feed.prelude.org
Read more

Execute this chain

Download Operator (1.7.1)
Learn about Operator

TTPs

Enumerate local system antivirus with Seatbelt
Enumerate UAC with Seatbelt
Enumerate PowerShell logs for sensitive data with Seatbelt

Tactics

About PreludePrelude hardens an organization's defenses by continuously “asking” it questions through the form of safe cyberattacks. These attacks respond immediately to the latest vulnerabilities and cyber events, turning complex technical descriptions into deployable “questions”.Our mission is to increase the reach, frequency and usage of advanced security for all organizations.
twitterFollow @preludeorg on Twitter for new chains and more.
discordJoin the Prelude Discord to discuss chains and more.
githubKeep up to date with code changes and community activity on Github
operator
preludesecurity.comCareersTactics & TechniquesAttack themes
Privacy Policysupport@preludesecurity.com© 2023 Prelude Research, Inc.All rights reserved. Prelude, its logo and other trademarks are trademarks of Prelude Research, Inc. and may not be used without permission.