Skip to content


SILENTTRINITY is an open source remote administration and post-exploitation framework primarily written in Python that includes stagers written in Powershell, C, and Boo. SILENTTRINITY was used in a 2019 campaign against Croatian government agencies by unidentified cyber actors.21

Item Value
ID S0692
Associated Names
Version 1.0
Created 23 March 2022
Last Modified 14 April 2023
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1548 Abuse Elevation Control Mechanism -
enterprise T1548.002 Bypass User Account Control SILENTTRINITY contains a number of modules that can bypass UAC, including through Window’s Device Manager, Manage Optional Features, and an image hijack on the .msc file extension.3
enterprise T1134 Access Token Manipulation -
enterprise T1134.001 Token Impersonation/Theft SILENTTRINITY can find a process owned by a specific user and impersonate the associated token.3
enterprise T1087 Account Discovery -
enterprise T1087.002 Domain Account SILENTTRINITY can use System.Security.AccessControl namespaces to retrieve domain user information.3
enterprise T1010 Application Window Discovery SILENTTRINITY can enumerate the active Window during keylogging through execution of GetActiveWindowTitle.3
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder SILENTTRINITY can establish a LNK file in the startup folder for persistence.3
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell SILENTTRINITY can use PowerShell to execute commands.3
enterprise T1059.003 Windows Command Shell SILENTTRINITY can use cmd.exe to enable lateral movement using DCOM.3
enterprise T1059.006 Python SILENTTRINITY is written in Python and can use multiple Python scripts for execution on targeted systems.23
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service SILENTTRINITY can establish persistence by creating a new service.3
enterprise T1555 Credentials from Password Stores -
enterprise T1555.003 Credentials from Web Browsers SILENTTRINITY can collect clear text web credentials for Internet Explorer/Edge.3
enterprise T1555.004 Windows Credential Manager SILENTTRINITY can gather Windows Vault credentials.3
enterprise T1546 Event Triggered Execution -
enterprise T1546.001 Change Default File Association SILENTTRINITY can conduct an image hijack of an .msc file extension as part of its UAC bypass process.3
enterprise T1546.003 Windows Management Instrumentation Event Subscription SILENTTRINITY can create a WMI Event to execute a payload for persistence.3
enterprise T1546.015 Component Object Model Hijacking SILENTTRINITY can add a CLSID key for payload execution through Registry.CurrentUser.CreateSubKey("Software\\Classes\\CLSID\\{" + clsid + "}\\InProcServer32").3
enterprise T1041 Exfiltration Over C2 Channel SILENTTRINITY can transfer files from an infected host to the C2 server.3
enterprise T1083 File and Directory Discovery SILENTTRINITY has several modules, such as,, and, to enumerate directories and files.3
enterprise T1564 Hide Artifacts -
enterprise T1564.003 Hidden Window SILENTTRINITY has the ability to set its window state to hidden.3
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools SILENTTRINITY‘s module can disable Antimalware Scan Interface (AMSI) functions.3
enterprise T1562.003 Impair Command History Logging SILENTTRINITY can bypass ScriptBlock logging to execute unmanaged PowerShell code from memory.3
enterprise T1070 Indicator Removal SILENTTRINITY can remove artifacts from the compromised host, including created Registry keys.3
enterprise T1070.004 File Deletion SILENTTRINITY can remove files from the compromised host.3
enterprise T1105 Ingress Tool Transfer SILENTTRINITY can load additional files and tools, including Mimikatz.3
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging SILENTTRINITY has a keylogging capability.3
enterprise T1056.002 GUI Input Capture SILENTTRINITY‘s module can prompt a current user for their credentials.3
enterprise T1556 Modify Authentication Process SILENTTRINITY can create a backdoor in KeePass using a malicious config file and in TortoiseSVN using a registry hook.3
enterprise T1112 Modify Registry SILENTTRINITY can modify registry keys, including to enable or disable Remote Desktop Protocol (RDP).3
enterprise T1106 Native API SILENTTRINITY has the ability to leverage API including GetProcAddress and LoadLibrary.3
enterprise T1046 Network Service Discovery SILENTTRINITY can scan for open ports on a compromised machine.3
enterprise T1135 Network Share Discovery SILENTTRINITY can enumerate shares on a compromised host.3
enterprise T1003 OS Credential Dumping -
enterprise T1003.001 LSASS Memory SILENTTRINITY can create a memory dump of LSASS via the MiniDumpWriteDump Win32 API call.3
enterprise T1069 Permission Groups Discovery -
enterprise T1069.001 Local Groups SILENTTRINITY can obtain a list of local groups and members.3
enterprise T1069.002 Domain Groups SILENTTRINITY can use System.DirectoryServices namespace to retrieve domain group information.3
enterprise T1057 Process Discovery SILENTTRINITY can enumerate processes, including properties to determine if they have the Common Language Runtime (CLR) loaded.3
enterprise T1055 Process Injection SILENTTRINITY can inject shellcode directly into Excel.exe or a specific process.3
enterprise T1012 Query Registry SILENTTRINITY can use the GetRegValue function to check Registry keys within HKCU\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated and HKLM\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated. It also contains additional modules that can check software AutoRun values and use the Win32 namespace to get values from HKCU, HKLM, HKCR, and HKCC hives.3
enterprise T1021 Remote Services -
enterprise T1021.003 Distributed Component Object Model SILENTTRINITY can use System namespace methods to execute lateral movement using DCOM.3
enterprise T1021.006 Windows Remote Management SILENTTRINITY tracks TrustedHosts and can move laterally to these targets via WinRM.3
enterprise T1018 Remote System Discovery SILENTTRINITY can enumerate and collect the properties of domain computers.3
enterprise T1113 Screen Capture SILENTTRINITY can take a screenshot of the current desktop.3
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery SILENTTRINITY can determine if an anti-virus product is installed through the resolution of the service’s virtual SID.1
enterprise T1558 Steal or Forge Kerberos Tickets -
enterprise T1558.003 Kerberoasting SILENTTRINITY contains a module to conduct Kerberoasting.3
enterprise T1082 System Information Discovery SILENTTRINITY can collect information related to a compromised host, including OS version and a list of drives.3
enterprise T1033 System Owner/User Discovery SILENTTRINITY can gather a list of logged on users.3
enterprise T1007 System Service Discovery SILENTTRINITY can search for modifiable services that could be used for privilege escalation.3
enterprise T1124 System Time Discovery SILENTTRINITY can collect start time information from a compromised host.3
enterprise T1552 Unsecured Credentials -
enterprise T1552.006 Group Policy Preferences SILENTTRINITY has a module that can extract cached GPP passwords.3
enterprise T1047 Windows Management Instrumentation SILENTTRINITY can use WMI for lateral movement.3