explaingit

ghostpack/seatbelt

4,570 · C# · Audience · ops, devops · Complexity · 3/5 · Setup · moderate

TLDR

A Windows security audit tool that runs dozens of read-only checks and reports what an attacker or defender would find: saved credentials, startup programs, browser history, network shares, and security settings.

Mindmap

mindmap
  root((seatbelt))
    System Checks
      Antivirus status
      Startup programs
      Network shares
      Event logs
    User Checks
      Browser history
      Cloud credentials
      Password managers
      Recent documents
    Usage
      Local machine
      Remote machine
      File output
    Audience
      Pentesters
      Defenders

Things people build with this

USE CASE 1

Run Seatbelt during a penetration test to quickly inventory what credentials, configs, and sensitive files are exposed on a Windows host.

USE CASE 2

Use Seatbelt as a defender to snapshot a machine's security state and check for common misconfigurations.

USE CASE 3

Point Seatbelt at a remote Windows machine over the network to audit it without needing direct keyboard access.

USE CASE 4

Add a custom C# module to Seatbelt to run a check specific to your organization's environment.

Tech stack

C#, .NET

Getting it running

Difficulty · moderate · Time to first run · 30min

Requires Visual Studio and the .NET Framework to compile from source before running.

In plain English

Seatbelt is a Windows inspection tool written in C#. It runs a large set of security-focused checks on a Windows computer, collecting information relevant to both people testing a system's security and people defending it. Think of it as a detailed snapshot tool: you run it, and it reports back dozens of facts about the machine's current state.

The checks cover a wide range of areas. On the system side, it can report what antivirus software is installed, what programs launch automatically on startup, what Windows event logs show about recent logins, what network shares the machine exposes, what version of .NET is present, and much more. On the user side, it can find saved browser history from Chrome, Firefox, Edge, and others, locate cloud credential files for AWS, Google, and Azure, identify KeePass password manager configurations, and list recently opened Office documents. There are also checks for specific security settings like NTLM authentication, AppLocker policies, and whether Windows Credential Guard is active.

You run Seatbelt from a Windows command prompt. You can tell it to run all checks, a named group of checks (there are built-in groups for system, user, and miscellaneous categories), or individual checks by name. It supports pointing at a remote Windows machine rather than just the local one, which is useful when a security tester has network access but not direct keyboard access. Results can be written to a file instead of the screen.

The tool is built for security professionals: people doing authorized penetration tests who want to understand what an attacker could find on a compromised machine, and defenders who want a thorough inventory of what is exposed on a given host. It does not change anything on the system; it only reads and reports.

The source code is open, so teams can add their own custom checks by writing a small C# class that follows the project's module pattern. Building it requires Visual Studio and the .NET Framework.
The README covers compile steps and explains how to add custom modules. The full README is longer than what was shown.

Copy-paste prompts

Prompt 1
Using Seatbelt, write a command to run all user-focused checks on a Windows machine and save the output to a text file.
Prompt 2
How do I add a custom C# check module to Seatbelt that scans for a specific registry key?
Prompt 3
Help me interpret this Seatbelt output section about NTLM authentication settings on a Windows host.
Prompt 4
Write a script that runs Seatbelt against a list of remote Windows machines and collects all results into one report.

Verify against the repo before relying on details.