1. Home
  2. Software
  3. SILENTTRINITY

SILENTTRINITY

SILENTTRINITY is an open source remote administration and post-exploitation framework primarily written in Python that includes stagers written in Powershell, C, and Boo. SILENTTRINITY was used in a 2019 campaign against Croatian government agencies by unidentified cyber actors.[1][2]

ID: S0692
Type: TOOL
Platforms: Windows
Contributors: Daniel Acevedo, @darmad0, ARMADO
Version: 1.0
Created: 23 March 2022
Last Modified: 14 April 2023
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

SILENTTRINITY contains a number of modules that can bypass UAC, including through Window's Device Manager, Manage Optional Features, and an image hijack on the .msc file extension.[3]

Enterprise T1134 .001 Access Token Manipulation: Token Impersonation/Theft

SILENTTRINITY can find a process owned by a specific user and impersonate the associated token.[3]
Enterprise T1087 .002 Account Discovery: Domain Account

SILENTTRINITY can use System.Security.AccessControl namespaces to retrieve domain user information.[3]

Enterprise T1010 Application Window Discovery

SILENTTRINITY can enumerate the active Window during keylogging through execution of GetActiveWindowTitle.[3]
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

SILENTTRINITY can establish a LNK file in the startup folder for persistence.[3]
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

SILENTTRINITY can use PowerShell to execute commands.[3]
.003 Command and Scripting Interpreter: Windows Command Shell

SILENTTRINITY can use cmd.exe to enable lateral movement using DCOM.[3]
.006 Command and Scripting Interpreter: Python

SILENTTRINITY is written in Python and can use multiple Python scripts for execution on targeted systems.[1][3]
Enterprise T1543 .003 Create or Modify System Process: Windows Service

SILENTTRINITY can establish persistence by creating a new service.[3]
Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

SILENTTRINITY can collect clear text web credentials for Internet Explorer/Edge.[3]
.004 Credentials from Password Stores: Windows Credential Manager

SILENTTRINITY can gather Windows Vault credentials.[3]

Enterprise T1546 .001 Event Triggered Execution: Change Default File Association

SILENTTRINITY can conduct an image hijack of an .msc file extension as part of its UAC bypass process.[3]
.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

SILENTTRINITY can create a WMI Event to execute a payload for persistence.[3]
.015 Event Triggered Execution: Component Object Model Hijacking

SILENTTRINITY can add a CLSID key for payload execution through Registry.CurrentUser.CreateSubKey("Software\\Classes\\CLSID\\{" + clsid + "}\\InProcServer32").[3]
Enterprise T1041 Exfiltration Over C2 Channel

SILENTTRINITY can transfer files from an infected host to the C2 server.[3]
Enterprise T1083 File and Directory Discovery

SILENTTRINITY has several modules, such as ls.py, pwd.py, and recentFiles.py, to enumerate directories and files.[3]

Enterprise T1564 .003 Hide Artifacts: Hidden Window

SILENTTRINITY has the ability to set its window state to hidden.[3]
Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

SILENTTRINITY's amsiPatch.py module can disable Antimalware Scan Interface (AMSI) functions.[3]
.003 Impair Defenses: Impair Command History Logging

SILENTTRINITY can bypass ScriptBlock logging to execute unmanaged PowerShell code from memory.[3]
Enterprise T1070 Indicator Removal

SILENTTRINITY can remove artifacts from the compromised host, including created Registry keys.[3]
.004 File Deletion

SILENTTRINITY can remove files from the compromised host.[3]
Enterprise T1105 Ingress Tool Transfer

SILENTTRINITY can load additional files and tools, including Mimikatz.[3]
Enterprise T1056 .001 Input Capture: Keylogging

SILENTTRINITY has a keylogging capability.[3]
.002 Input Capture: GUI Input Capture

SILENTTRINITY's credphisher.py module can prompt a current user for their credentials.[3]
Enterprise T1556 Modify Authentication Process

SILENTTRINITY can create a backdoor in KeePass using a malicious config file and in TortoiseSVN using a registry hook.[3]
Enterprise T1112 Modify Registry

SILENTTRINITY can modify registry keys, including to enable or disable Remote Desktop Protocol (RDP).[3]
Enterprise T1106 Native API

SILENTTRINITY has the ability to leverage API including GetProcAddress and LoadLibrary.[3]
Enterprise T1046 Network Service Discovery

SILENTTRINITY can scan for open ports on a compromised machine.[3]
Enterprise T1135 Network Share Discovery

SILENTTRINITY can enumerate shares on a compromised host.[3]
Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

SILENTTRINITY can create a memory dump of LSASS via the MiniDumpWriteDump Win32 API call.[3]
Enterprise T1069 .001 Permission Groups Discovery: Local Groups

SILENTTRINITY can obtain a list of local groups and members.[3]
.002 Permission Groups Discovery: Domain Groups

SILENTTRINITY can use System.DirectoryServices namespace to retrieve domain group information.[3]
Enterprise T1057 Process Discovery

SILENTTRINITY can enumerate processes, including properties to determine if they have the Common Language Runtime (CLR) loaded.[3]
Enterprise T1055 Process Injection

SILENTTRINITY can inject shellcode directly into Excel.exe or a specific process.[3]
Enterprise T1012 Query Registry

SILENTTRINITY can use the GetRegValue function to check Registry keys within HKCU\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated and HKLM\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated. It also contains additional modules that can check software AutoRun values and use the Win32 namespace to get values from HKCU, HKLM, HKCR, and HKCC hives.[3]
Enterprise T1021 .003 Remote Services: Distributed Component Object Model

SILENTTRINITY can use System namespace methods to execute lateral movement using DCOM.[3]
.006 Remote Services: Windows Remote Management

SILENTTRINITY tracks TrustedHosts and can move laterally to these targets via WinRM.[3]
Enterprise T1018 Remote System Discovery

SILENTTRINITY can enumerate and collect the properties of domain computers.[3]
Enterprise T1113 Screen Capture

SILENTTRINITY can take a screenshot of the current desktop.[3]
Enterprise T1518 .001 Software Discovery: Security Software Discovery

SILENTTRINITY can determine if an anti-virus product is installed through the resolution of the service's virtual SID.[2]
Enterprise T1558 .003 Steal or Forge Kerberos Tickets: Kerberoasting

SILENTTRINITY contains a module to conduct Kerberoasting.[3]
Enterprise T1082 System Information Discovery

SILENTTRINITY can collect information related to a compromised host, including OS version and a list of drives.[3]
Enterprise T1033 System Owner/User Discovery

SILENTTRINITY can gather a list of logged on users.[3]

Enterprise T1007 System Service Discovery

SILENTTRINITY can search for modifiable services that could be used for privilege escalation.[3]
Enterprise T1124 System Time Discovery

SILENTTRINITY can collect start time information from a compromised host.[3]
Enterprise T1552 .006 Unsecured Credentials: Group Policy Preferences

SILENTTRINITY has a module that can extract cached GPP passwords.[3]

Enterprise T1047 Windows Management Instrumentation

SILENTTRINITY can use WMI for lateral movement.[3]

References

  1. Salvati, M (2019, August 6). SILENTTRINITY. Retrieved March 23, 2022.
  2. Paganini, P. (2019, July 7). Croatia government agencies targeted with news SilentTrinity malware. Retrieved March 23, 2022.
  1. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.