DETECTION OVERVIEW

Seatbelt Credentialed Enumeration Activity

Risk Factors

Enumeration is a simple but important step taken by attackers after an initial network compromise. Seatbelt is a tool that makes enumeration relatively easy to perform, but an attacker needs network access to the target remote device and credentials to run Seatbelt. Enumeration activity typically does not negatively affect network performance, but attackers can leverage this information to find new targets in an attack campaign.

Kill Chain

Reconnaissance

Risk Score

Attack Background

Seatbelt is a tool for running security checks on local and remote Windows devices, but this tool can also enumerate valuable information for an attacker. Seatbelt can automatically run the CloudCredential module, which finds authentication information for cloud services such as AWS, Google Cloud, and Azure. A successful command can lead to stolen credentials and further attacks on the network.

Mitigation Options

Review network logon events to identify and disable the credentials that perform the scan while checking for indicators of compromise

Professional Services

Partners

Partner Login

Partner Finder

View All Use Cases

View All Industries

View All Integrations

Attack Background

Mitigation Options

MITRE ATT&CK ID

What else can RevealX do for you?

View our Periodic Table of use cases