Slingshot is a post-exploitation agent (stage 2) used by red teams to conduct advanced network operations
Level Up Your Post Exploitation Skills
Built with OpSec as a first priority, Slingshot empowers teams to more accurately emulate sophisticated adversaries. Capable of zero process creation, malleable network profiles, syscall process injection, memory obfuscation, and blended HTML traffic, Slingshot makes no compromises. It enables operations to run with a limited detection surface, powerful modularity, and ephemeral concepts.
Looking to step up your game? Slingshot is the perfect fit.
The agent is built in C++ with a Python 3 listening post/server. All C2 is compressed, encrypted, and validated with modern primitives. In addition to HTTP/S comms, SMB is supported for inter-network pivoting and host-to-host communication. Ever needed to be 8 hops deep for exfil? We have too.
Rather than basic lateral movement techniques obscured behind commands, we supply multiple pivoting techniques via a hosted repository of Slingshot scripts. Every capability in Slingshot is exposed with a simple Python library. This allows teams to automate any part of their operation with custom Slingshot scripts. Feeling tricky? Crack open the scripts for reference and modification.
Serious About Modularity
Modularity is a core design principle for Slingshot. In addition to modules we supply, such as Mimikatz and an in-memory keylogger, you can inject any native custom DLL into a local process or remote memory.
These in-memory modules remain stealthy when in use. For instance, while loaded, Mimikatz is constantly obfuscated in memory. This helps avoid basic signatures that might compromise operations. Remember, opsec first!
.NET Safe Haven
Slingshot has a sophisticated system for loading assemblies into the .NET Runtime (CLR). This system supports simultaneous modules and cross-version support with simple management. You can convert, author, and re-use advanced .NET code directly in Slingshot without creating external processes or constantly re-staging code.
Pre-built modules like in-memory PowerShell and SOCKS proxying make use of this integration to hyperextend Slingshot’s functionality. Defensive protections such as ETW tracing, PowerShell logging, and AMSI are all handled transparently by Slingshot to reduce detection surface.
Extensible and Modular
- Slingshot can load and execute PowerShell scripts and .NET assemblies in-memory, extending functionality and automating routine tasks. Scripts and assemblies get loaded and executed to bypass AMSI and script block logging.
Windows API Integration
- Many routine operator commands have been integrated directly into Slingshot through the use of Windows APIs. This allows operators to maintain operational security by avoiding new entries in the process list or the use of cmd.exe.
- Slingshot has malleable communication profiles, meaning operators can quickly and easily modify detailed aspects of the C2 traffic including HTTP headers, POST/GET pages and parameters, compression, connection wait times, and much more.
- All commands and corresponding output are logged and timestamped. This allows red and blue teams to analyze target data, align timelines, and develop remediation plans.
Python Scripting Engine
- The Slingshot LP is built in Python 3. Operators can easily build and run custom Python scripts on targets to analyze command output, conduct host pivots, collect target data, or perform virtually any command in an automated fashion.
- Slingshot is developed by the NetSPI team and is in continual use in cyber operations. Development is constant as new features and improvements are pushed to the production version. Got ideas? We want to hear them!
- Agent automation with SDKs and APIs
- In-memory PowerShell and .NET
- Native syscall API broker
- AMSI, ETW, and PS logging bypass
- Full filesystem integration
- 25+ integrated commands
- HTTP/S beaconing
- Full Mimikatz functionality
- SOCKS proxying
- 5+ SMB pivoting techniques
- Malleable C2 profiles
- 10+ defensive countermeasures