Tool: SILENTTRINITY

Description

[SILENTTRINITY](https://attack.mitre.org/software/S0692) is an open source remote administration and post-exploitation framework primarily written in Python that includes stagers written in Powershell, C, and Boo. [SILENTTRINITY](https://attack.mitre.org/software/S0692) was used in a 2019 campaign against Croatian government agencies by unidentified cyber actors.(Citation: GitHub SILENTTRINITY March 2022)(Citation: Security Affairs SILENTTRINITY July 2019)

External References

• mitre-attack
• Security Affairs SILENTTRINITY July 2019
• GitHub SILENTTRINITY March 2022

Techniques Used by This Tool

• T1003.001 — LSASS Memory
• T1007 — System Service Discovery
• T1010 — Application Window Discovery
• T1012 — Query Registry
• T1018 — Remote System Discovery
• T1021.003 — Distributed Component Object Model
• T1021.006 — Windows Remote Management
• T1033 — System Owner/User Discovery
• T1041 — Exfiltration Over C2 Channel
• T1046 — Network Service Discovery
• T1047 — Windows Management Instrumentation
• T1055 — Process Injection
• T1056.001 — Keylogging
• T1056.002 — GUI Input Capture
• T1057 — Process Discovery
• T1059.001 — PowerShell
• T1059.003 — Windows Command Shell
• T1059.006 — Python
• T1069.001 — Local Groups
• T1069.002 — Domain Groups
• T1070 — Indicator Removal
• T1070.004 — File Deletion
• T1082 — System Information Discovery
• T1083 — File and Directory Discovery
• T1087.002 — Domain Account
• T1105 — Ingress Tool Transfer
• T1106 — Native API
• T1112 — Modify Registry
• T1113 — Screen Capture
• T1115 — Clipboard Data
• T1124 — System Time Discovery
• T1134.001 — Token Impersonation/Theft
• T1134.003 — Make and Impersonate Token
• T1135 — Network Share Discovery
• T1518.001 — Security Software Discovery
• T1543.003 — Windows Service
• T1546.001 — Change Default File Association
• T1546.003 — Windows Management Instrumentation Event Subscription
• T1546.015 — Component Object Model Hijacking
• T1547.001 — Registry Run Keys / Startup Folder
• T1548.002 — Bypass User Account Control
• T1552.006 — Group Policy Preferences
• T1555.003 — Credentials from Web Browsers
• T1555.004 — Windows Credential Manager
• T1556 — Modify Authentication Process
• T1558.003 — Kerberoasting
• T1559.001 — Component Object Model
• T1562.001 — Disable or Modify Tools
• T1562.003 — Impair Command History Logging
• T1562.010 — Downgrade Attack
• T1564.003 — Hidden Window
• T1620 — Reflective Code Loading