SILENTTRINITY

SILENTTRINITY is an open source remote administration and post-exploitation framework primarily written in Python that includes stagers written in PowerShell, C, and Boo. SILENTTRINITY was used in a 2019 campaign against Croatian government agencies by unidentified cyber actors.[1][2]

ID: S0692
Type: TOOL
Platforms: Windows
Contributors: Daniel Acevedo, Blackbot
Version: 1.1
Created: 23 March 2022
Last Modified: 23 September 2024

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

SILENTTRINITY can use WMI for lateral movement.[3]

Enterprise T1546 .001 Event Triggered Execution: Change Default File Association

SILENTTRINITY can conduct an image hijack of an .msc file extension as part of its UAC bypass process.[3]

.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

SILENTTRINITY can create a WMI Event to execute a payload for persistence.[3]

.015 Event Triggered Execution: Component Object Model Hijacking

SILENTTRINITY can add a CLSID key for payload execution through the Registry, using Registry.CurrentUser.CreateSubKey("Software\\Classes\\CLSID\\{" + clsid + "}\\InProcServer32").[3]

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

SILENTTRINITY can collect clear text web credentials for Internet Explorer/Edge.[3]

.004 Credentials from Password Stores: Windows Credential Manager

SILENTTRINITY can gather Windows Vault credentials.[3]

Enterprise T1112 Modify Registry

SILENTTRINITY can modify registry keys, including to enable or disable Remote Desktop Protocol (RDP).[3]

Enterprise T1556 Modify Authentication Process

SILENTTRINITY can create a backdoor in KeePass using a malicious config file and in TortoiseSVN using a registry hook.[3]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

SILENTTRINITY can establish persistence by creating a new service.[3]

Enterprise T1115 Clipboard Data

SILENTTRINITY can monitor Clipboard text and can use System.Windows.Forms.Clipboard.GetText() to collect data from the clipboard.[4]

Enterprise T1620 Reflective Code Loading

SILENTTRINITY can run a .NET executable within the memory of a sacrificial process by loading the CLR.[4]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

SILENTTRINITY can establish a LNK file in the startup folder for persistence.[3]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

SILENTTRINITY can use PowerShell to execute commands.[3]

.003 Command and Scripting Interpreter: Windows Command Shell

SILENTTRINITY can use cmd.exe to enable lateral movement using DCOM.[3]

.006 Command and Scripting Interpreter: Python

SILENTTRINITY is written in Python and can use multiple Python scripts for execution on targeted systems.[1][3]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

SILENTTRINITY's amsiPatch.py module can disable Antimalware Scan Interface (AMSI) functions.[3]

.003 Impair Defenses: Impair Command History Logging

SILENTTRINITY can bypass ScriptBlock logging to execute unmanaged PowerShell code from memory.[3]

.010 Impair Defenses: Downgrade Attack

SILENTTRINITY can downgrade NTLM to capture NTLM hashes.[4]

Enterprise T1113 Screen Capture

SILENTTRINITY can take a screenshot of the current desktop.[3]

Enterprise T1010 Application Window Discovery

SILENTTRINITY can enumerate the active window during keylogging through execution of GetActiveWindowTitle.[3]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

SILENTTRINITY can create a memory dump of LSASS via the MiniDumpWriteDump Win32 API call.[3]

Enterprise T1083 File and Directory Discovery

SILENTTRINITY has several modules, such as ls.py, pwd.py, and recentFiles.py, to enumerate directories and files.[3]

Enterprise T1552 .006 Unsecured Credentials: Group Policy Preferences

SILENTTRINITY has a module that can extract cached GPP passwords.[3]

Enterprise T1106 Native API

SILENTTRINITY has the ability to leverage native APIs, including GetProcAddress and LoadLibrary.[3]

Enterprise T1069 .001 Permission Groups Discovery: Local Groups

SILENTTRINITY can obtain a list of local groups and members.[3]

.002 Permission Groups Discovery: Domain Groups

SILENTTRINITY can use the System.DirectoryServices namespace to retrieve domain group information.[3]

Enterprise T1012 Query Registry

SILENTTRINITY can use the GetRegValue function to check Registry keys within HKCU\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated and HKLM\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated. It also contains additional modules that can check software AutoRun values and use the Win32 namespace to get values from HKCU, HKLM, HKCR, and HKCC hives.[3]

Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

SILENTTRINITY contains a number of modules that can bypass UAC, including through the Windows Device Manager, Manage Optional Features, and an image hijack on the .msc file extension.[3]

Enterprise T1070 Indicator Removal

SILENTTRINITY can remove artifacts from the compromised host, including created Registry keys.[3]

.004 Indicator Removal: File Deletion

SILENTTRINITY can remove files from the compromised host.[3]

Enterprise T1558 .003 Steal or Forge Kerberos Tickets: Kerberoasting

SILENTTRINITY contains a module to conduct Kerberoasting.[3]

Enterprise T1082 System Information Discovery

SILENTTRINITY can collect information related to a compromised host, including OS version and a list of drives.[3]

Enterprise T1033 System Owner/User Discovery

SILENTTRINITY can gather a list of logged on users.[3]

Enterprise T1124 System Time Discovery

SILENTTRINITY can collect start time information from a compromised host.[3]

Enterprise T1007 System Service Discovery

SILENTTRINITY can search for modifiable services that could be used for privilege escalation.[3]

Enterprise T1135 Network Share Discovery

SILENTTRINITY can enumerate shares on a compromised host.[3]

Enterprise T1046 Network Service Discovery

SILENTTRINITY can scan for open ports on a compromised machine.[3]

Enterprise T1134 .001 Access Token Manipulation: Token Impersonation/Theft

SILENTTRINITY can find a process owned by a specific user and impersonate the associated token.[3]

.003 Access Token Manipulation: Make and Impersonate Token

SILENTTRINITY can make tokens from known credentials.[4]

Enterprise T1087 .002 Account Discovery: Domain Account

SILENTTRINITY can use the System.Security.AccessControl namespace to retrieve domain user information.[3]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

SILENTTRINITY can determine if an anti-virus product is installed through the resolution of the service's virtual SID.[2]

Enterprise T1105 Ingress Tool Transfer

SILENTTRINITY can load additional files and tools, including Mimikatz.[3]

Enterprise T1056 .001 Input Capture: Keylogging

SILENTTRINITY has a keylogging capability.[3]

.002 Input Capture: GUI Input Capture

SILENTTRINITY's credphisher.py module can prompt a current user for their credentials.[3]

Enterprise T1057 Process Discovery

SILENTTRINITY can enumerate processes, including properties to determine if they have the Common Language Runtime (CLR) loaded.[3]

Enterprise T1055 Process Injection

SILENTTRINITY can inject shellcode directly into Excel.exe or a specific process.[3]

Enterprise T1559 .001 Inter-Process Communication: Component Object Model

SILENTTRINITY can insert malicious shellcode into Excel.exe using a Microsoft.Office.Interop object.[4]

Enterprise T1021 .003 Remote Services: Distributed Component Object Model

SILENTTRINITY can use methods from the System namespace to execute lateral movement using DCOM.[3]

.006 Remote Services: Windows Remote Management

SILENTTRINITY tracks TrustedHosts and can move laterally to these targets via WinRM.[3]

Enterprise T1018 Remote System Discovery

SILENTTRINITY can enumerate and collect the properties of domain computers.[3]

Enterprise T1041 Exfiltration Over C2 Channel

SILENTTRINITY can transfer files from an infected host to the C2 server.[3]

Enterprise T1564 .003 Hide Artifacts: Hidden Window

SILENTTRINITY has the ability to set its window state to hidden.[3]

References