S0692 SILENTTRINITY
SILENTTRINITY is an open source remote administration and post-exploitation framework primarily written in Python that includes stagers written in PowerShell, C, and Boo. SILENTTRINITY was used in a 2019 campaign against Croatian government agencies by unidentified cyber actors.[2][1]
| Item | Value |
|---|---|
| ID | S0692 |
| Associated Names | |
| Type | TOOL |
| Version | 1.0 |
| Created | 23 March 2022 |
| Last Modified | 14 April 2023 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1548 | Abuse Elevation Control Mechanism | - |
| enterprise | T1548.002 | Bypass User Account Control | SILENTTRINITY contains a number of modules that can bypass UAC, including through Windows Device Manager, Manage Optional Features, and an image hijack on the .msc file extension.[3] |
| enterprise | T1134 | Access Token Manipulation | - |
| enterprise | T1134.001 | Token Impersonation/Theft | SILENTTRINITY can find a process owned by a specific user and impersonate the associated token.[3] |
| enterprise | T1087 | Account Discovery | - |
| enterprise | T1087.002 | Domain Account | SILENTTRINITY can use the `System.Security.AccessControl` namespace to retrieve domain user information.[3] |
| enterprise | T1010 | Application Window Discovery | SILENTTRINITY can enumerate the active window during keylogging through execution of `GetActiveWindowTitle`.[3] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | SILENTTRINITY can establish a LNK file in the startup folder for persistence.[3] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | SILENTTRINITY can use PowerShell to execute commands.[3] |
| enterprise | T1059.003 | Windows Command Shell | SILENTTRINITY can use cmd.exe to enable lateral movement using DCOM.[3] |
| enterprise | T1059.006 | Python | SILENTTRINITY is written in Python and can use multiple Python scripts for execution on targeted systems.[2][3] |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | SILENTTRINITY can establish persistence by creating a new service.[3] |
| enterprise | T1555 | Credentials from Password Stores | - |
| enterprise | T1555.003 | Credentials from Web Browsers | SILENTTRINITY can collect clear text web credentials for Internet Explorer/Edge.[3] |
| enterprise | T1555.004 | Windows Credential Manager | SILENTTRINITY can gather Windows Vault credentials.[3] |
| enterprise | T1546 | Event Triggered Execution | - |
| enterprise | T1546.001 | Change Default File Association | SILENTTRINITY can conduct an image hijack of the .msc file extension as part of its UAC bypass process.[3] |
| enterprise | T1546.003 | Windows Management Instrumentation Event Subscription | SILENTTRINITY can create a WMI event to execute a payload for persistence.[3] |
| enterprise | T1546.015 | Component Object Model Hijacking | SILENTTRINITY can add a CLSID key for payload execution through `Registry.CurrentUser.CreateSubKey("Software\\Classes\\CLSID\\{" + clsid + "}\\InProcServer32")`.[3] |
| enterprise | T1041 | Exfiltration Over C2 Channel | SILENTTRINITY can transfer files from an infected host to the C2 server.[3] |
| enterprise | T1083 | File and Directory Discovery | SILENTTRINITY has several modules, such as `ls.py`, `pwd.py`, and `recentFiles.py`, to enumerate directories and files.[3] |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.003 | Hidden Window | SILENTTRINITY has the ability to set its window state to hidden.[3] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | SILENTTRINITY's `amsiPatch.py` module can disable Antimalware Scan Interface (AMSI) functions.[3] |
| enterprise | T1562.003 | Impair Command History Logging | SILENTTRINITY can bypass ScriptBlock logging to execute unmanaged PowerShell code from memory.[3] |
| enterprise | T1070 | Indicator Removal | SILENTTRINITY can remove artifacts from the compromised host, including created Registry keys.[3] |
| enterprise | T1070.004 | File Deletion | SILENTTRINITY can remove files from the compromised host.[3] |
| enterprise | T1105 | Ingress Tool Transfer | SILENTTRINITY can load additional files and tools, including Mimikatz.[3] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | SILENTTRINITY has a keylogging capability.[3] |
| enterprise | T1056.002 | GUI Input Capture | SILENTTRINITY's `credphisher.py` module can prompt the current user for their credentials.[3] |
| enterprise | T1556 | Modify Authentication Process | SILENTTRINITY can create a backdoor in KeePass using a malicious config file and in TortoiseSVN using a registry hook.[3] |
| enterprise | T1112 | Modify Registry | SILENTTRINITY can modify registry keys, including to enable or disable Remote Desktop Protocol (RDP).[3] |
| enterprise | T1106 | Native API | SILENTTRINITY has the ability to leverage APIs including `GetProcAddress` and `LoadLibrary`.[3] |
| enterprise | T1046 | Network Service Discovery | SILENTTRINITY can scan for open ports on a compromised machine.[3] |
| enterprise | T1135 | Network Share Discovery | SILENTTRINITY can enumerate shares on a compromised host.[3] |
| enterprise | T1003 | OS Credential Dumping | - |
| enterprise | T1003.001 | LSASS Memory | SILENTTRINITY can create a memory dump of LSASS via the `MiniDumpWriteDump` Win32 API call.[3] |
| enterprise | T1069 | Permission Groups Discovery | - |
| enterprise | T1069.001 | Local Groups | SILENTTRINITY can obtain a list of local groups and members.[3] |
| enterprise | T1069.002 | Domain Groups | SILENTTRINITY can use the `System.DirectoryServices` namespace to retrieve domain group information.[3] |
| enterprise | T1057 | Process Discovery | SILENTTRINITY can enumerate processes, including properties to determine if they have the Common Language Runtime (CLR) loaded.[3] |
| enterprise | T1055 | Process Injection | SILENTTRINITY can inject shellcode directly into Excel.exe or a specific process.[3] |
| enterprise | T1012 | Query Registry | SILENTTRINITY can use the `GetRegValue` function to check Registry keys within `HKCU\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated` and `HKLM\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated`. It also contains additional modules that can check software AutoRun values and use the Win32 namespace to get values from the HKCU, HKLM, HKCR, and HKCC hives.[3] |
| enterprise | T1021 | Remote Services | - |
| enterprise | T1021.003 | Distributed Component Object Model | SILENTTRINITY can use `System` namespace methods to execute lateral movement using DCOM.[3] |
| enterprise | T1021.006 | Windows Remote Management | SILENTTRINITY tracks TrustedHosts and can move laterally to these targets via WinRM.[3] |
| enterprise | T1018 | Remote System Discovery | SILENTTRINITY can enumerate and collect the properties of domain computers.[3] |
| enterprise | T1113 | Screen Capture | SILENTTRINITY can take a screenshot of the current desktop.[3] |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | SILENTTRINITY can determine if an anti-virus product is installed through the resolution of the service's virtual SID.[1] |
| enterprise | T1558 | Steal or Forge Kerberos Tickets | - |
| enterprise | T1558.003 | Kerberoasting | SILENTTRINITY contains a module to conduct Kerberoasting.[3] |
| enterprise | T1082 | System Information Discovery | SILENTTRINITY can collect information related to a compromised host, including OS version and a list of drives.[3] |
| enterprise | T1033 | System Owner/User Discovery | SILENTTRINITY can gather a list of logged-on users.[3] |
| enterprise | T1007 | System Service Discovery | SILENTTRINITY can search for modifiable services that could be used for privilege escalation.[3] |
| enterprise | T1124 | System Time Discovery | SILENTTRINITY can collect start time information from a compromised host.[3] |
| enterprise | T1552 | Unsecured Credentials | - |
| enterprise | T1552.006 | Group Policy Preferences | SILENTTRINITY has a module that can extract cached GPP passwords.[3] |
| enterprise | T1047 | Windows Management Instrumentation | SILENTTRINITY can use WMI for lateral movement.[3] |
References
1. Paganini, P. (2019, July 7). Croatia government agencies targeted with news SilentTrinity malware. Retrieved March 23, 2022.
2. Salvati, M. (2019, August 6). SILENTTRINITY. Retrieved March 23, 2022.
3. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.