PUA - Seatbelt Execution
Detects the execution of the PUA/Recon tool Seatbelt via PE information or command line parameters
Sigma rule
title: PUA - Seatbelt Execution
id: 38646daa-e78f-4ace-9de0-55547b2d30da
status: test
description: Detects the execution of the PUA/Recon tool Seatbelt via PE information or command line parameters
references:
    - https://github.com/GhostPack/Seatbelt
    - https://www.bluetangle.dev/2022/08/fastening-seatbelt-on-threat-hunting.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-18
modified: 2023-02-04
tags:
    - attack.discovery
    - attack.t1526
    - attack.t1087
    - attack.t1083
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\Seatbelt.exe'
        - OriginalFileName: 'Seatbelt.exe'
        - Description: 'Seatbelt'
        - CommandLine|contains:
              # This is just a list of the commands that will produce the least amount of FP in "theory"
              # Comment out/in as needed in your environment
              # To get the full list of commands see reference section
              - ' DpapiMasterKeys'
              - ' InterestingProcesses'
              - ' InterestingFiles'
              - ' CertificateThumbprints'
              - ' ChromiumBookmarks'
              - ' ChromiumHistory'
              - ' ChromiumPresence'
              - ' CloudCredentials'
              - ' CredEnum'
              - ' CredGuard'
              - ' FirefoxHistory'
              - ' ProcessCreationEvents'
              # - ' RDPSessions'
              # - ' PowerShellHistory'
    selection_group_list:
        CommandLine|contains:
            - ' -group=misc'
            - ' -group=remote'
            - ' -group=chromium'
            - ' -group=slack'
            - ' -group=system'
            - ' -group=user'
            - ' -group=all'
    selection_group_output:
        CommandLine|contains: ' -outputfile='
    condition: selection_img or all of selection_group_*
falsepositives:
    - Unlikely
level: high
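To see how the condition `selection_img or all of selection_group_*` behaves against real-looking telemetry, the following is an added example that evaluates the rule above over constructed process_creation events. It is not SigmaHQ code and not a full Sigma engine; it implements only the semantics this rule relies on (case-insensitive equals/endswith/contains, OR across the items of a list selection, AND across the two `selection_group_*` selections). The sample events and paths are constructed for illustration.

```python
# Added example: a minimal evaluator for the "PUA - Seatbelt Execution" rule.
# Not SigmaHQ code; only the matching semantics this rule uses are implemented.

# selection_img: a list of maps, OR-ed together (any one match is enough).
RULE_SELECTION_IMG = [
    ("Image", "endswith", "\\Seatbelt.exe"),
    ("OriginalFileName", "equals", "Seatbelt.exe"),
    ("Description", "equals", "Seatbelt"),
    ("CommandLine", "contains", [
        " DpapiMasterKeys", " InterestingProcesses", " InterestingFiles",
        " CertificateThumbprints", " ChromiumBookmarks", " ChromiumHistory",
        " ChromiumPresence", " CloudCredentials", " CredEnum", " CredGuard",
        " FirefoxHistory", " ProcessCreationEvents",
    ]),
]

RULE_GROUP_LIST = [" -group=misc", " -group=remote", " -group=chromium",
                   " -group=slack", " -group=system", " -group=user", " -group=all"]
RULE_GROUP_OUTPUT = " -outputfile="


def _field_matches(event, field, modifier, values):
    """Sigma string matching is case-insensitive; a list of values is OR-ed."""
    actual = str(event.get(field, "")).lower()
    if not isinstance(values, list):
        values = [values]
    for v in values:
        v = v.lower()
        if modifier == "equals" and actual == v:
            return True
        if modifier == "endswith" and actual.endswith(v):
            return True
        if modifier == "contains" and v in actual:
            return True
    return False


def selection_img(event):
    return any(_field_matches(event, f, m, v) for f, m, v in RULE_SELECTION_IMG)


def selection_group_list(event):
    return _field_matches(event, "CommandLine", "contains", RULE_GROUP_LIST)


def selection_group_output(event):
    return _field_matches(event, "CommandLine", "contains", RULE_GROUP_OUTPUT)


def matches(event):
    """condition: selection_img or all of selection_group_*"""
    return selection_img(event) or (selection_group_list(event) and selection_group_output(event))


# Constructed sample events (not real telemetry); field names follow the
# Sysmon/Sigma process_creation field set the rule is written against.
SAMPLE_EVENTS = [
    # 1: binary renamed on disk, but the PE OriginalFileName still says Seatbelt.exe
    {"Image": r"C:\Users\bob\AppData\Local\Temp\sb.exe", "OriginalFileName": "Seatbelt.exe",
     "Description": "Seatbelt", "CommandLine": "sb.exe -group=user"},
    # 2: PE metadata scrubbed; only the -group=/-outputfile= pair gives it away
    {"Image": r"C:\Windows\Temp\svc.exe", "OriginalFileName": "svc.exe",
     "Description": "", "CommandLine": r"svc.exe -group=all -outputfile=C:\Windows\Temp\o.txt"},
    # 3: scrubbed metadata, -group= without -outputfile=, no listed command: the rule misses this
    {"Image": r"C:\Windows\Temp\svc.exe", "OriginalFileName": "svc.exe",
     "Description": "", "CommandLine": "svc.exe -group=all"},
    # 4: scrubbed metadata, one high-signal command in a different case (matching is case-insensitive)
    {"Image": r"C:\Windows\Temp\svc.exe", "OriginalFileName": "svc.exe",
     "Description": "", "CommandLine": "svc.exe dpapimasterkeys"},
    # 5: benign process
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "Description": "Windows Command Processor", "CommandLine": "cmd.exe /c dir"},
]


def evaluate(events=SAMPLE_EVENTS):
    """Return one boolean per event, in order: True means the rule fires."""
    return [matches(e) for e in events]


if __name__ == "__main__":
    for i, hit in enumerate(evaluate(), 1):
        print(f"event {i}: {'ALERT' if hit else 'no match'}")
```

Event 3 is the practical caveat: once the PE metadata is scrubbed, the command-line branch only fires when a `-group=` switch and `-outputfile=` appear together or when one of the listed high-signal commands is present, so an operator running a single unlisted check with no output file is not caught by this rule alone. The commented-out `RDPSessions` and `PowerShellHistory` entries are where you trade coverage for false positives in your own environment.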
Related rules
- Capabilities Discovery - Linux
- Cisco Discovery
- DirLister Execution
- Discovery Using AzureHound
- File and Directory Discovery - MacOS