PUA - Seatbelt Execution

Aug 12, 2024 · attack.discovery attack.t1526 attack.t1087 attack.t1083 ·

Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters

Sigma rule (View on GitHub)

 1title: PUA - Seatbelt Execution
 2id: 38646daa-e78f-4ace-9de0-55547b2d30da
 3status: test
 4description: Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters
 5references:
 6    - https://github.com/GhostPack/Seatbelt
 7    - https://www.bluetangle.dev/2022/08/fastening-seatbelt-on-threat-hunting.html
 8author: Nasreddine Bencherchali (Nextron Systems)
 9date: 2022-10-18
10modified: 2023-02-04
11tags:
12    - attack.discovery
13    - attack.t1526
14    - attack.t1087
15    - attack.t1083
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection_img:
21        - Image|endswith: '\Seatbelt.exe'
22        - OriginalFileName: 'Seatbelt.exe'
23        - Description: 'Seatbelt'
24        - CommandLine|contains:
25              # This just a list of the commands that will produce the least amount of FP in "theory"
26              # Comment out/in as needed in your environment
27              # To get the full list of commands see reference section
28              - ' DpapiMasterKeys'
29              - ' InterestingProcesses'
30              - ' InterestingFiles'
31              - ' CertificateThumbprints'
32              - ' ChromiumBookmarks'
33              - ' ChromiumHistory'
34              - ' ChromiumPresence'
35              - ' CloudCredentials'
36              - ' CredEnum'
37              - ' CredGuard'
38              - ' FirefoxHistory'
39              - ' ProcessCreationEvents'
40              # - ' RDPSessions'
41              # - ' PowerShellHistory'
42    selection_group_list:
43        CommandLine|contains:
44            - ' -group=misc'
45            - ' -group=remote'
46            - ' -group=chromium'
47            - ' -group=slack'
48            - ' -group=system'
49            - ' -group=user'
50            - ' -group=all'
51    selection_group_output:
52        CommandLine|contains: ' -outputfile='
53    condition: selection_img or all of selection_group_*
54falsepositives:
55    - Unlikely
56level: high

References

GitHub - GhostPack/Seatbelt: Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.

Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives. - GhostPack/Seatbelt

Read More
Fastening the Seatbelt on.. Threat Hunting for Seatbelt

Blue team blog relating to infosec, cybersecurity, Splunk, threat hunting, Linux & Windows log analysis & whatever else I'm working on thrown in too

Read More

PUA - Seatbelt Execution

Sigma rule (View on GitHub)

References

GitHub - GhostPack/Seatbelt: Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.

Fastening the Seatbelt on.. Threat Hunting for Seatbelt

Related rules