SILENTTRINITY is an open source remote administration and post-exploitation framework primarily written in Python that includes stagers written in Powershell, C, and Boo. SILENTTRINITY was used in a 2019 campaign against Croatian government agencies by unidentified cyber actors.[1][2]

ID: S0692
Type: TOOL
Platforms: Windows
Contributors: Daniel Acevedo, Blackbot
Version: 1.0
Created: 23 March 2022
Last Modified: 21 April 2022

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

SILENTTRINITY contains a number of modules that can bypass UAC, including through Window's Device Manager, Manage Optional Features, and an image hijack on the .msc file extension.[3]

Enterprise T1134 .001 Access Token Manipulation: Token Impersonation/Theft

SILENTTRINITY can find a process owned by a specific user and impersonate the associated token.[3]

Enterprise T1087 .002 Account Discovery: Domain Account

SILENTTRINITY can use System.Security.AccessControl namespaces to retrieve domain user information.[3]

Enterprise T1010 Application Window Discovery

SILENTTRINITY can enumerate the active Window during keylogging through execution of GetActiveWindowTitle.[3]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

SILENTTRINITY can establish a LNK file in the startup folder for persistence.[3]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

SILENTTRINITY can use PowerShell to execute commands.[3]

.003 Command and Scripting Interpreter: Windows Command Shell

SILENTTRINITY can use cmd.exe to enable lateral movement using DCOM.[3]

.006 Command and Scripting Interpreter: Python

SILENTTRINITY is written in Python and can use multiple Python scripts for execution on targeted systems.[1][3]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

SILENTTRINITY can establish persistence by creating a new service.[3]

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

SILENTTRINITY can collect clear text web credentials for Internet Explorer/Edge.[3]

.004 Credentials from Password Stores: Windows Credential Manager

SILENTTRINITY can gather Windows Vault credentials.[3]

Enterprise T1546 .001 Event Triggered Execution: Change Default File Association

SILENTTRINITY can conduct an image hijack of an .msc file extension as part of its UAC bypass process.[3]

.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

SILENTTRINITY can create a WMI Event to execute a payload for persistence.[3]

.015 Event Triggered Execution: Component Object Model Hijacking

SILENTTRINITY can add a CLSID key for payload execution through Registry.CurrentUser.CreateSubKey("Software\\Classes\\CLSID\\{" + clsid + "}\\InProcServer32").[3]

Enterprise T1041 Exfiltration Over C2 Channel

SILENTTRINITY can transfer files from an infected host to the C2 server.[3]

Enterprise T1083 File and Directory Discovery

SILENTTRINITY has several modules, such as,, and, to enumerate directories and files.[3]

Enterprise T1564 .003 Hide Artifacts: Hidden Window

SILENTTRINITY has the ability to set its window state to hidden.[3]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

SILENTTRINITY's module can disable Antimalware Scan Interface (AMSI) functions.[3]

.003 Impair Defenses: Impair Command History Logging

SILENTTRINITY can bypass ScriptBlock logging to execute unmanaged PowerShell code from memory.[3]

Enterprise T1070 Indicator Removal

SILENTTRINITY can remove artifacts from the compromised host, including created Registry keys.[3]

.004 File Deletion

SILENTTRINITY can remove files from the compromised host.[3]

Enterprise T1105 Ingress Tool Transfer

SILENTTRINITY can load additional files and tools, including Mimikatz.[3]

Enterprise T1056 .001 Input Capture: Keylogging

SILENTTRINITY has a keylogging capability.[3]

.002 Input Capture: GUI Input Capture

SILENTTRINITY's module can prompt a current user for their credentials.[3]

Enterprise T1556 Modify Authentication Process

SILENTTRINITY can create a backdoor in KeePass using a malicious config file and in TortoiseSVN using a registry hook.[3]

Enterprise T1112 Modify Registry

SILENTTRINITY can modify registry keys, including to enable or disable Remote Desktop Protocol (RDP).[3]

Enterprise T1106 Native API

SILENTTRINITY has the ability to leverage API including GetProcAddress and LoadLibrary.[3]

Enterprise T1046 Network Service Discovery

SILENTTRINITY can scan for open ports on a compromised machine.[3]

Enterprise T1135 Network Share Discovery

SILENTTRINITY can enumerate shares on a compromised host.[3]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

SILENTTRINITY can create a memory dump of LSASS via the MiniDumpWriteDump Win32 API call.[3]

Enterprise T1069 .001 Permission Groups Discovery: Local Groups

SILENTTRINITY can obtain a list of local groups and members.[3]

.002 Permission Groups Discovery: Domain Groups

SILENTTRINITY can use System.DirectoryServices namespace to retrieve domain group information.[3]

Enterprise T1057 Process Discovery

SILENTTRINITY can enumerate processes, including properties to determine if they have the Common Language Runtime (CLR) loaded.[3]

Enterprise T1055 Process Injection

SILENTTRINITY can inject shellcode directly into Excel.exe or a specific process.[3]

Enterprise T1012 Query Registry

SILENTTRINITY can use the GetRegValue function to check Registry keys within HKCU\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated and HKLM\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated. It also contains additional modules that can check software AutoRun values and use the Win32 namespace to get values from HKCU, HKLM, HKCR, and HKCC hives.[3]

Enterprise T1021 .003 Remote Services: Distributed Component Object Model

SILENTTRINITY can use System namespace methods to execute lateral movement using DCOM.[3]

.006 Remote Services: Windows Remote Management

SILENTTRINITY tracks TrustedHosts and can move laterally to these targets via WinRM.[3]

Enterprise T1018 Remote System Discovery

SILENTTRINITY can enumerate and collect the properties of domain computers.[3]

Enterprise T1113 Screen Capture

SILENTTRINITY can take a screenshot of the current desktop.[3]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

SILENTTRINITY can determine if an anti-virus product is installed through the resolution of the service's virtual SID.[2]

Enterprise T1558 .003 Steal or Forge Kerberos Tickets: Kerberoasting

SILENTTRINITY contains a module to conduct Kerberoasting.[3]

Enterprise T1082 System Information Discovery

SILENTTRINITY can collect information related to a compromised host, including OS version and a list of drives.[3]

Enterprise T1033 System Owner/User Discovery

SILENTTRINITY can gather a list of logged on users.[3]

Enterprise T1007 System Service Discovery

SILENTTRINITY can search for modifiable services that could be used for privilege escalation.[3]

Enterprise T1124 System Time Discovery

SILENTTRINITY can collect start time information from a compromised host.[3]

Enterprise T1552 .006 Unsecured Credentials: Group Policy Preferences

SILENTTRINITY has a module that can extract cached GPP passwords.[3]

Enterprise T1047 Windows Management Instrumentation

SILENTTRINITY can use WMI for lateral movement.[3]