RED TEAM TOOLKIT
SLINGSHOT
Slingshot is a post-exploitation agent (stage 2) used by red teams to conduct advanced network operations.
Level Up Your Post Exploitation Skills!
Built with OpSec as a first priority, Slingshot empowers teams to more accurately emulate sophisticated adversaries. Capable of zero process creation, malleable network profiles, syscall process injection, memory obfuscation, and blended HTML traffic, Slingshot makes no compromises. It enables operations to run with a limited detection surface, powerful modularity, and ephemeral concepts. Looking to step up your game? Slingshot is the perfect fit.
[Terminal capture: Slingshot v2.00.0 banner]
Notes: New features and bug fixes.
[+] Using the 'primary' profile
[+] Prepared 32 modules
[+] Blended obfuscation is enabled!
[+] HTTP/S server is running (0.0.0.0)
[+] Switching NOqgdSTZaa to a derived key
[+] Added new HTTPS target 'NOqgdSTZaa' from 8.8.8.8 at 22:06:07 on Jan 01
[+] Getting intitial target info
getpid
PID: 4238 Arch: x64 User: JOHN-PC\Admin Image: C:\Windows\System32\explorer.exe
Scripted Techniques
The agent is built in C++ with a Python 3 listening post/server.
All C2 is compressed, encrypted, and validated with modern primitives.
In addition to HTTP/S comms, SMB is supported for inter-network pivoting
and host-to-host communication. Ever needed to be 8 hops deep for exfil?
We have too.
Rather than hiding basic lateral movement techniques behind opaque commands, we supply multiple pivoting techniques via a hosted repository of Slingshot scripts. Every capability in Slingshot is exposed through a dead simple Python library. This allows teams to automate any part of their operation with custom Slingshot scripts. Feeling tricky? Crack open the scripts for reference and modification.
Serious About Modularity
Modularity is a core design principle for Slingshot. In addition to modules
we supply, such as Mimikatz and an in-memory keylogger, you can inject any
native custom DLL into a local process or remote memory.
These in-memory modules remain stealthy when in use.
For instance, while loaded, Mimikatz is constantly obfuscated in memory. This helps avoid basic signatures which might compromise operations. Remember, opsec first!
[Terminal capture: mimikatz banner]
mimikatz sekurlsa::logonpasswords
Authentication Id : 0 ; 335132 (00000000:00051d1c)
Session           : Interactive from 1
User Name         : John
Domain            : JOHN-PC
Logon Server      : JOHN-PC
Logon Time        : 1/01/1997 1:40:29 PM
tspkg :
 * Username : John
 * Domain   : JOHN-PC
 * Password : P@ssword0ne
...
inject -p explorer.exe exploit.dll
[+] Completed succesfully
[Terminal capture: Rubeus v1.4.0 banner]
[*] Action: Calculate Password Hashes
[*] Input password : Password123!
[*] rc4_hmac : 2B576ACBE6BCFDA7294D6BD18041B8FE
powershell load
[+] Completed succesfully
powershell Get-Host
Name                           Value
----                           -----
PSVersion                      5.1.18362.145
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.18362.145
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
.NET Safe Haven
Slingshot has a sophisticated system for loading assemblies into the .NET Runtime (CLR).
This system supports simultaneous modules and cross-version support with simple management.
You can convert, author, and re-use advanced .NET code directly in Slingshot without
creating external processes or constantly re-staging code.
Pre-built modules like in-memory PowerShell and SOCKS proxying make use of this integration
to hyperextend Slingshot's functionality. Defensive protections such as ETW tracing, PowerShell
logging, and AMSI are all handled transparently by Slingshot to reduce detection surface.
Extensible And Modular
Slingshot can load and execute PowerShell scripts and .NET assemblies in memory, extending functionality and automating routine tasks. Scripts and assemblies are loaded and executed in a way that bypasses AMSI and script block logging.
Covert Communication
Slingshot has malleable communication profiles, meaning operators can quickly and easily modify detailed aspects of the C2 traffic including HTTP headers, POST/GET pages and parameters, compression, connection wait times, and much more.
Python Scripting Engine
The Slingshot LP is built in Python 3. Operators can easily build and run custom Python scripts on targets to analyze command output, conduct host pivots, collect target data, or perform virtually any command in an automated fashion.
Windows API Integration
Many routine operator commands have been integrated directly into Slingshot through the use of Windows APIs. This allows operators to maintain operational security by avoiding appearing in the process list or the use of cmd.exe.
Command Logging
All commands and corresponding output are logged and timestamped. This allows red and blue teams to analyze target data, align timelines, and develop remediation plans.
Great Support
Slingshot is developed by the Silent Break Security team and used continually in cyber operations. Development is constant, as new features and improvements are pushed to the production version. Got ideas? We want to hear them!
Quick Facts
What does it cost?
RTT licenses cost $6,000 per user for the first year. Subsequent license renewals cost $3,000 per user per year.
I took the Dark Side Ops training and already have Slingshot. Is this version different?
Yes! The version of Slingshot in RTT is much more functional. Just see the features list above, or contact us for more details.
Does RTT include source code?
The Slingshot LP (i.e. server) source code is included in RTT. In addition, scripts provided by our team will be open source and available for study. The Slingshot agent (i.e. client) consists of several compiled binaries, patched with callback domain data.
We already have tool xyz! Why do we need another red team tool?
Maybe you don’t! There are some great red team tools out there and if you’re able to conduct adversary simulations without getting caught using your current tool chain, then great! We believe offense-in-depth is a necessary part of effective operations, and that the features and capabilities included in RTT are absolutely worth it.
Do you offer volume discounts?
Yes! Send us an email and we’ll help you out with custom pricing.
Can I get a demo? How about a trial?
Sure! Contact us to set up a demo or ask any additional questions. Also check out our YouTube Channel for videos showcasing the latest features and functionality. Currently, trial licenses are not provided.
Is there documentation? How about tutorials?
Documentation is maintained in the RTT Client Portal. It includes detailed tool usage and functionality, Slingshot Python scripting examples, and license information. Tutorials can be found on our YouTube Channel.