Seatbelt is available for download from the GhostPack GitHub organization.
Execute the "Is my host protected against Seatbelt?" chain in Operator on each host in your environment to test whether the host is exposed to this kind of enumeration.
This chain will stage a Seatbelt binary from Operator and use it to enumerate the local system's antivirus, UAC policy, and PowerShell logs for sensitive information.
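To see what the chain would hand an attacker, the PowerShell below reproduces the three Seatbelt checks with built-in cmdlets: antivirus products registered in WMI, the UAC policy values in the registry, and PowerShell history and script block logs searched for secrets. This is an added example, not Seatbelt's or Prelude's code; the productState decoding follows the commonly documented bit layout of that field, and the search patterns are assumptions.

```powershell
# Added example (not Seatbelt's code): what the three checks in this chain collect.

function Get-AvProducts {
    # root\SecurityCenter2 exists on Windows client SKUs only; on Server the namespace is
    # missing and the query throws, which is why the call is wrapped.
    try {
        Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction Stop |
            ForEach-Object {
                # Commonly documented productState layout: hex XXYYZZ, YY 10/11 = enabled,
                # ZZ 10 = definitions out of date (assumption documented here, not by Microsoft).
                $hex = '{0:X6}' -f [int]$_.productState
                [pscustomobject]@{
                    Product       = $_.displayName
                    Enabled       = ($hex.Substring(2, 2) -in '10', '11')
                    DefsOutOfDate = ($hex.Substring(4, 2) -eq '10')
                    Exe           = $_.pathToSignedProductExe
                }
            }
    } catch {
        Write-Warning "SecurityCenter2 namespace unavailable (server SKU?): $($_.Exception.Message)"
    }
}

function Get-UacPolicy {
    $p = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    [pscustomobject]@{
        EnableLUA                     = $p.EnableLUA                      # 0 = UAC off entirely
        ConsentPromptBehaviorAdmin    = $p.ConsentPromptBehaviorAdmin     # 0 = elevate silently
        PromptOnSecureDesktop         = $p.PromptOnSecureDesktop
        FilterAdministratorToken      = $p.FilterAdministratorToken       # 0 = built-in Administrator unfiltered
        LocalAccountTokenFilterPolicy = $p.LocalAccountTokenFilterPolicy  # 1 = remote local admins get full token
    }
}

function Get-PowerShellLoggingConfig {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $sbl = Get-ItemProperty "$base\ScriptBlockLogging" -ErrorAction SilentlyContinue
    $ml  = Get-ItemProperty "$base\ModuleLogging"      -ErrorAction SilentlyContinue
    $tr  = Get-ItemProperty "$base\Transcription"      -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ScriptBlockLogging = [bool]$sbl.EnableScriptBlockLogging
        ModuleLogging      = [bool]$ml.EnableModuleLogging
        Transcription      = [bool]$tr.EnableTranscripting
        TranscriptDir      = $tr.OutputDirectory
    }
}

# Patterns are an assumption; tune them to what your environment considers sensitive.
$SecretPattern = '(?i)password|secret|token|-AsPlainText|ConvertTo-SecureString|/user:'

function Find-SensitivePowerShellHistory {
    # PSReadLine keeps per-user plaintext history; this reads only the current user's file.
    $hist = Join-Path $env:APPDATA 'Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
    if (Test-Path $hist) { Select-String -Path $hist -Pattern $SecretPattern }
}

function Find-SensitiveScriptBlockEvents {
    param([int]$MaxEvents = 2000)
    # Event 4104 only exists when script block logging is on; the same setting that
    # helps defenders also leaves secrets in the log for a tool like Seatbelt to read.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $SecretPattern } |
        Select-Object TimeCreated, @{ n = 'Match'; e = { [regex]::Match($_.Message, $SecretPattern).Value } }
}

Get-AvProducts                 | Format-Table -AutoSize
Get-UacPolicy                  | Format-List
Get-PowerShellLoggingConfig    | Format-List
Find-SensitivePowerShellHistory
Find-SensitiveScriptBlockEvents | Format-Table -AutoSize
```

Running this as an unprivileged user shows the same picture Seatbelt gets without elevation: the antivirus and UAC values are world-readable, and the history file belongs to the user running it. Reading 4104 events does require membership in Event Log Readers or local administrators.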
Microsoft has released Attack Surface Reduction (ASR) rules to "Block process creations originating from PSExec and WMI commands" and "Block persistence through WMI event subscription". These rules target process creation through PsExec and WMI and WMI-based persistence; they do not stop Seatbelt or other tools from issuing WMI queries, which is how Seatbelt reads information such as the installed antivirus products.
Seatbelt can be detected by monitoring network traffic for WMI connections (when it is run against remote hosts rather than locally) and by antivirus products with signature-based detection enabled.
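The following PowerShell, added here as an example and not Prelude's, GhostPack's or Microsoft's code, checks whether the two ASR rules named above are enforced on the host and hunts the Security log for Seatbelt process creations. The rule GUIDs are the ones published in Microsoft's ASR rule reference; the regular expression built from Seatbelt's argument syntax and the 24-hour lookback are assumptions.

```powershell
# Added example: verify the two ASR rules named above and hunt for Seatbelt execution.
# Run elevated on the host being checked.

# GUIDs as published in Microsoft's ASR rule reference (verify against the current list).
$AsrRules = @{
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands'
    'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'Block persistence through WMI event subscription'
}

function Get-AsrRuleState {
    $pref = Get-MpPreference
    # Both properties are $null when no rule is configured; @() turns that into an empty array.
    $ids     = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToLower() })
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($id in $AsrRules.Keys) {
        $idx    = [array]::IndexOf($ids, $id)
        $action = if ($idx -ge 0) { [int]$actions[$idx] } else { -1 }
        # Defender action codes: 0 Disabled, 1 Block, 2 Audit, 6 Warn.
        $state = switch ($action) { 0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { 'Not configured' } }
        [pscustomobject]@{ Rule = $AsrRules[$id]; Id = $id; State = $state }
    }
}

function Find-SeatbeltProcessCreation {
    param([int]$Hours = 24)
    # Needs "Audit Process Creation" and "Include command line in process creation events";
    # without the latter CommandLine is empty and only the image-name match can fire.
    # Matching Seatbelt's argument syntax (assumption) also catches a renamed binary.
    $pattern = '(?i)\bseatbelt\b|-group=(all|user|system|remote|misc|slack|chromium)\b|-computername=|-outputfile='
    $filter  = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Image       = $data['NewProcessName']
            Parent      = $data['ParentProcessName']
            CommandLine = $data['CommandLine']
        }
    } | Where-Object { $_.Image -match '(?i)seatbelt' -or $_.CommandLine -match $pattern }
}

Get-AsrRuleState                        | Format-Table -AutoSize
Find-SeatbeltProcessCreation -Hours 24  | Format-Table -AutoSize -Wrap
```

If command-line auditing is not enabled, Sysmon event ID 1 carries the same Image, ParentImage and CommandLine fields and the same pattern applies there. An ASR rule reporting "Audit" or "Not configured" for the PsExec/WMI rule means WMI-launched processes are logged at best, not blocked, and neither state changes what Seatbelt itself can read.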
Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:
Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org
See our open-source repositories: https://github.com/preludeorg
Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg
Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg
David: https://twitter.com/privateducky
Alex: https://twitter.com/khyberspache
Octavia: https://twitter.com/VVX7
Waseem: https://twitter.com/gerbsec
Robin: https://twitter.com/bfuzzy1