Skip to main content

Search

Welcome to Block 64 Support

Slingshot: Block 64's agent for remote machines

Joseph Holland
  • Updated

What is Slingshot?

Slingshot is a standalone executable (an 'agent') that runs on Windows-based machines, and is used to inventory machines that would be otherwise unreachable by Block 64's agentless inventory technology.

Why did you build it?

Block 64's agentless inventory technology is an elegant way to quickly enumerate and gather the details of any devices accessible from your corporate network - from the desktop to the data center, to the perimeter and out to the cloud.

But what about workers who never join the corporate network whatsoever, even via VPN? What if you don't even have a corporate network, but still need your endpoints inventoried?

That's why we built Slingshot - to be able to handle those edge cases with a simple, light executable that will gather inventory data from Windows machines tucked away in home offices, balanced on car seats, or being typed on in coffee shops - machines that are otherwise unconnected from a corporate network. It can be the only way you gather inventory, but it is more likely to be used to augment your existing inventory in cases where there are users who just can't be reached via other means.

Slingshot System Requirements

  • Slingshot runs on the.NET Core 3.1 framework.
  • Detailed requirements for the framework are listed here.
  • Slingshot has been tested successfully on up-to-date builds of Windows 7 SP1 or greater, Windows 8.1, Windows 10, and Windows Server 2016.
  • 5GB of disk space is recommended
  • Outbound access to combine.block64.com on ports 443 as well as 8810 in order to receive the inventory payload and aggregate it with your other inventory results

Access level Requirements

Slingshot can run as a standard, non-privileged user however it will not be able to access Win32_TPM and Microsoft-Windows-Diagnostics-Performance/Operational area. If you require gathering data for Trusted Power Model or Windows Boot Time details, you need to run the application under an administrator account, but to be clear - it will run just fine without that level of access.

Can I deploy Slingshot in an On-Prem environment?

Deploying Slingshot on domain-joined devices can potentially strain a network's domain controller (DC), even though Slingshot doesn't directly interact with it. When the application tries to access information from a domain-joined device, Windows itself may “call home” i.e., contact a DC, to authenticate the request. If thousands of devices are “calling home” at the same time, that can introduce strain on the DC.

To address potential network performance issues and alleviate said strain, we have implemented several controls. First, we have introduced inventory "fuzzing", which staggers the endpoint inventory process, ensuring not all endpoints reach out simultaneously, thus distributing the load more evenly. Additionally, we have incorporated logic which allows the reuse of the authentication context from the initial call for subsequent calls, reducing the overhead of repeated authentications. Despite these measures, caution is still advised when deploying Slingshot to a significant number of domain-joined endpoints.

Determining the maximum number of Slingshot deployments per customer will vary based on factors such as the size of a DC, number of DCs, their current capacity utilization, and the total number of domain-joined endpoints in the network. When deploying Slingshot, if you are uncertain about the potential impact on network performance and the workload of a DC, it is recommended to deploy in smaller batches instead of deploying all at once.

 

Hidden (Silent) Mode

Slingshot also supports a hidden mode. After downloading the executable it can be ran through the following command:
Start-Process "C:\path\to\downloaded\slingshot.exe" -WindowStyle Hidden

How to Run It?

  1. Download the slingshot agent using the URL provided by your Partner or Block 64 Support Agent, on the machine.
  2. Run the executable. A CLI window will appear as shown below. Allow to run until you see "Uploaded data to https://combine.block64.com/slingshot/upload successfully." after which, you can close the program if they wish to do so. If the application is left open, it will re-upload data every 2 hours. The application will not continue running after reboot.

Capture.png

NOTE: When using Slingshot, the Block 64 Agent-less Discovery tools (Block 64 Windows Application and Blockbox) will not reflect the devices inventoried by Slingshot as that data is sent directly to the analytics portal, Combine.

Accessing the data collected by Slingshot

The data collected by Slingshot will aggregate while you are under the 'All Sites' view for your partner. However, if you wanted to simply look at Slingshot data ONLY it will be available under Site titled "Remote Devices" for your specific customer.

 

NOTE: The default stale-date for Slingshot inventories is 30 days since the device was last inventoried. If the device is not re-inventoried in this time period, the device will be removed from the Combine portal inventory.

The data gathered by Slingshot can be viewed in the following reports:

  • Operating Systems
  • Installed Software
  • Missing Software
  • Missing AntiVirus
  • Windows Hotfix Overview
  • Software Vulnerabilities
  • Browser Standardization
  • Windows CryptoAPI Spoofing
  • Meltdown Exposure
  • BlueKeep Exposure
  • WannaCry/Bad Rabbit Exposure
  • Local Storage