Seatbelt

Seatbelt is a C# tool which automatically collects enumeration data for a host. It can check for security configurations such as OS info, AV, AppLocker, LAPS, PowerShell logging, audit policies, .NET versions, firewall rules, and more.

beacon> execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe -group=system

====== AntiVirus ======

  Engine                         : Windows Defender
  ProductEXE                     : windowsdefender://
  ReportingEXE                   : %ProgramFiles%\Windows Defender\MsMpeng.exe

====== AppLocker ======

    [*] Applocker is not running because the AppIDSvc is not running

====== DotNet ======

  Installed CLR Versions
      4.0.30319

  Installed .NET Versions
      4.8.04084

  Anti-Malware Scan Interface (AMSI)
      OS supports AMSI           : True
     .NET version support AMSI   : True
        [!] The highest .NET version is enrolled in AMSI!

====== InternetSettings ======

  HKCU                       ProxyEnable : 1
  HKCU                     ProxyOverride : *.cyberbotic.io;<local>
  HKCU                       ProxyServer : squid.dev.cyberbotic.io:3128

====== LAPS ======

  LAPS Enabled                          : False

====== OSInfo ======

  Hostname                      :  wkstn-2
  Domain Name                   :  dev.cyberbotic.io
  Username                      :  DEV\bfarmer
  Build                         :  19044.1889
  BuildBranch                   :  vb_release
  CurrentMajorVersionNumber     :  10
  CurrentVersion                :  6.3
  Architecture                  :  AMD64
  IsLocalAdmin                  :  True
    [*] In medium integrity but user is a local administrator - UAC can be bypassed.
  TimeZone                      :  Coordinated Universal Time

====== PowerShell ======

  Installed CLR Versions
      4.0.30319

  Installed PowerShell Versions
      2.0
        [!] Version 2.0.50727 of the CLR is not installed - PowerShell v2.0 won't be able to run.
      5.1.19041.1

====== UAC ======

  ConsentPromptBehaviorAdmin     : 5 - PromptForNonWindowsBinaries
  EnableLUA (Is UAC enabled?)    : 1

One thing to note from this output is that there's a web proxy in place - squid.dev.cyberbotic.io:3128, taken from the InternetSettings section. This has implications for HTTP(S) C2 for a variety of reasons, covered in the sections that follow.
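As an added example (not part of these notes or of the Seatbelt project), a small Python parser for the "====== Section ======" / "key : value" layout shown above that turns the system-group output into the list of hardening gaps a defender would want fixed: AppLocker not enforced, LAPS off, an egress proxy to account for, and a local-admin interactive user. The sample text is a constructed excerpt of the output above.

```python
import re

# Constructed excerpt in the Seatbelt "-group=system" output format shown above.
SAMPLE = """\
====== AppLocker ======
    [*] Applocker is not running because the AppIDSvc is not running
====== InternetSettings ======
  HKCU                       ProxyEnable : 1
  HKCU                       ProxyServer : squid.dev.cyberbotic.io:3128
====== LAPS ======
  LAPS Enabled                          : False
====== OSInfo ======
  IsLocalAdmin                  :  True
"""

SECTION_RE = re.compile(r"^=+\s*(\w+)\s*=+$")
HIVE_RE = re.compile(r"^(HKCU|HKLM)\s+")  # InternetSettings rows carry a hive prefix


def parse_seatbelt(text: str) -> dict[str, dict[str, str]]:
    """Split output into '====== Name ======' sections and map each 'key : value' row;
    rows without ' : ' (the [*]/[!] notes) are appended to the section's '_notes'."""
    sections: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = {"_notes": ""}
        elif current is not None and " : " in line:
            key, value = line.split(" : ", 1)
            sections[current][HIVE_RE.sub("", key.strip())] = value.strip()
        elif current is not None and line:
            sections[current]["_notes"] += line + "\n"
    return sections


def hardening_findings(sections: dict[str, dict[str, str]]) -> list[str]:
    """Turn the parsed sections into the hardening gaps a blue team would act on."""
    findings = []
    if "AppIDSvc is not running" in sections.get("AppLocker", {}).get("_notes", ""):
        findings.append("AppLocker policy not enforced: AppIDSvc is stopped")
    if sections.get("LAPS", {}).get("LAPS Enabled") == "False":
        findings.append("LAPS not enabled: local admin password is not rotated per host")
    inet = sections.get("InternetSettings", {})
    if inet.get("ProxyEnable") == "1" and inet.get("ProxyServer"):
        findings.append(f"Egress via proxy {inet['ProxyServer']}: inspection/filtering point for HTTP(S)")
    if sections.get("OSInfo", {}).get("IsLocalAdmin") == "True":
        findings.append("Interactive user is a local administrator: reduce to a standard user")
    return findings
```

Feeding a full Seatbelt run through `parse_seatbelt` keeps every section; only the four checks in `hardening_findings` are interpreted here.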

Web Categorisation

Domain names are categorised by vendors so that they can be lumped together for filtering purposes. This is useful because everything categorised as "gambling", "drugs", "violence", "social media", etc., can then be blocked outright. If a domain being used for part of your engagement ends up in a blocked category, it becomes effectively useless.

Two strategies for tackling this issue include:

  1. Obtaining a domain that is already in a desirable category.

  2. Requesting a change of category for a domain.

Several vendor websites (e.g. Bluecoat's) let you look up a domain's current category and request a change, and tools such as Chameleon can help automate the process.

HTTPS Offloading

Some organisations (particularly those with an internal PKI) will perform SSL offloading on HTTPS web traffic. This allows the proxy to decrypt incoming HTTPS traffic and inspect the plaintext HTTP. The traffic is then re-encrypted with a certificate issued by the internal CA, which domain clients already trust, before being forwarded to the client.

This means that even your HTTPS C2 traffic can be inspected. Some C2 tools (such as Covenant) allow you to configure certificate pinning on the implants, which would effectively prevent this from taking place, but at the potential cost of the proxy blocking the traffic entirely.

Content Filtering & AV Scanning

This may go without saying, but if a web proxy can read and inspect HTTP(S) traffic, it can also scan that traffic for known malicious content, although doing so carries a performance penalty. Another common feature is blocking the download and/or upload of particular file types, such as .exe, .dll and .ps1, which may impact your ability to deliver payloads.

Authentication

Many organisations will also require a form of authentication before a client is allowed to use a proxy. This could be anything from basic auth against a local database to RADIUS or Active Directory integration. AD integration is a very common and popular choice as it provides single sign-on via NTLM, Kerberos and LDAP(S).

This often means that a principal has to be in a "trusted" domain group before they can use the proxy, such as Domain Users or an entirely custom group. This often excludes computer accounts, which means HTTP(S) Beacons running as the local SYSTEM account cannot get out through the proxy.