Hide Navigation Hide TOC

SILENTTRINITY - S0692 (1244e058-fa10-48cb-b484-0bcf671107ae)

SILENTTRINITY is an open source remote administration and post-exploitation framework primarily written in Python that includes stagers written in Powershell, C, and Boo. SILENTTRINITY was used in a 2019 campaign against Croatian government agencies by unidentified cyber actors.(Citation: GitHub SILENTTRINITY March 2022)(Citation: Security Affairs SILENTTRINITY July 2019)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
SILENTTRINITY - S0692 (1244e058-fa10-48cb-b484-0bcf671107ae)	mitre-tool	GUI Input Capture - T1056.002 (a2029942-0a85-4947-b23c-ca434698171d)	Attack Pattern	1
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	SILENTTRINITY - S0692 (1244e058-fa10-48cb-b484-0bcf671107ae)	mitre-tool	1
SILENTTRINITY - S0692 (1244e058-fa10-48cb-b484-0bcf671107ae)	mitre-tool	Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447)	Attack Pattern	1
SILENTTRINITY - S0692 (1244e058-fa10-48cb-b484-0bcf671107ae)	mitre-tool	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	1
SILENTTRINITY - S0692 (1244e058-fa10-48cb-b484-0bcf671107ae)	mitre-tool	Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b)	Attack Pattern	1
SILENTTRINITY - S0692 (1244e058-fa10-48cb-b484-0bcf671107ae)	mitre-tool	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	1
SILENTTRINITY - S0692 (1244e058-fa10-48cb-b484-0bcf671107ae)	mitre-tool	Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735)	Attack Pattern	1
SILENTTRINITY - S0692 (1244e058-fa10-48cb-b484-0bcf671107ae)	mitre-tool	Distributed Component Object Model - T1021.003 (68a0c5ed-bee2-4513-830d-5b0d650139bd)	Attack Pattern	1
SILENTTRINITY - S0692 (1244e058-fa10-48cb-b484-0bcf671107ae)	mitre-tool	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	1
SILENTTRINITY - S0692 (1244e058-fa10-48cb-b484-0bcf671107ae)	mitre-tool	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	1
SILENTTRINITY - S0692 (1244e058-fa10-48cb-b484-0bcf671107ae)	mitre-tool	Component Object Model Hijacking - T1546.015 (bc0f5e80-91c0-4e04-9fbb-e4e332c85dae)	Attack Pattern	1
SILENTTRINITY - S0692 (1244e058-fa10-48cb-b484-0bcf671107ae)	mitre-tool	Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee)	Attack Pattern	1
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	SILENTTRINITY - S0692 (1244e058-fa10-48cb-b484-0bcf671107ae)	mitre-tool	1
System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077)	Attack Pattern	SILENTTRINITY - S0692 (1244e058-fa10-48cb-b484-0bcf671107ae)	mitre-tool	1
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	SILENTTRINITY - S0692 (1244e058-fa10-48cb-b484-0bcf671107ae)	mitre-tool	1
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	SILENTTRINITY - S0692 (1244e058-fa10-48cb-b484-0bcf671107ae)	mitre-tool	1
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	SILENTTRINITY - S0692 (1244e058-fa10-48cb-b484-0bcf671107ae)	mitre-tool	1
SILENTTRINITY - S0692 (1244e058-fa10-48cb-b484-0bcf671107ae)	mitre-tool	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	1
SILENTTRINITY - S0692 (1244e058-fa10-48cb-b484-0bcf671107ae)	mitre-tool	Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	1
SILENTTRINITY - S0692 (1244e058-fa10-48cb-b484-0bcf671107ae)	mitre-tool	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	1
SILENTTRINITY - S0692 (1244e058-fa10-48cb-b484-0bcf671107ae)	mitre-tool	Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d)	Attack Pattern	1
SILENTTRINITY - S0692 (1244e058-fa10-48cb-b484-0bcf671107ae)	mitre-tool	Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1)	Attack Pattern	1
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	SILENTTRINITY - S0692 (1244e058-fa10-48cb-b484-0bcf671107ae)	mitre-tool	1
SILENTTRINITY - S0692 (1244e058-fa10-48cb-b484-0bcf671107ae)	mitre-tool	Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f)	Attack Pattern	1
SILENTTRINITY - S0692 (1244e058-fa10-48cb-b484-0bcf671107ae)	mitre-tool	Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c)	Attack Pattern	1
SILENTTRINITY - S0692 (1244e058-fa10-48cb-b484-0bcf671107ae)	mitre-tool	Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58)	Attack Pattern	1
SILENTTRINITY - S0692 (1244e058-fa10-48cb-b484-0bcf671107ae)	mitre-tool	Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)	Attack Pattern	1
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	SILENTTRINITY - S0692 (1244e058-fa10-48cb-b484-0bcf671107ae)	mitre-tool	1
SILENTTRINITY - S0692 (1244e058-fa10-48cb-b484-0bcf671107ae)	mitre-tool	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	1
SILENTTRINITY - S0692 (1244e058-fa10-48cb-b484-0bcf671107ae)	mitre-tool	Group Policy Preferences - T1552.006 (8d7bd4f5-3a89-4453-9c82-2c8894d5655e)	Attack Pattern	1
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	SILENTTRINITY - S0692 (1244e058-fa10-48cb-b484-0bcf671107ae)	mitre-tool	1
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	SILENTTRINITY - S0692 (1244e058-fa10-48cb-b484-0bcf671107ae)	mitre-tool	1
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	SILENTTRINITY - S0692 (1244e058-fa10-48cb-b484-0bcf671107ae)	mitre-tool	1
SILENTTRINITY - S0692 (1244e058-fa10-48cb-b484-0bcf671107ae)	mitre-tool	Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65)	Attack Pattern	1
Change Default File Association - T1546.001 (98034fef-d9fb-4667-8dc4-2eab6231724c)	Attack Pattern	SILENTTRINITY - S0692 (1244e058-fa10-48cb-b484-0bcf671107ae)	mitre-tool	1
Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88)	Attack Pattern	SILENTTRINITY - S0692 (1244e058-fa10-48cb-b484-0bcf671107ae)	mitre-tool	1
Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84)	Attack Pattern	SILENTTRINITY - S0692 (1244e058-fa10-48cb-b484-0bcf671107ae)	mitre-tool	1
SILENTTRINITY - S0692 (1244e058-fa10-48cb-b484-0bcf671107ae)	mitre-tool	Application Window Discovery - T1010 (4ae4f953-fe58-4cc8-a327-33257e30a830)	Attack Pattern	1
SILENTTRINITY - S0692 (1244e058-fa10-48cb-b484-0bcf671107ae)	mitre-tool	Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	1
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	SILENTTRINITY - S0692 (1244e058-fa10-48cb-b484-0bcf671107ae)	mitre-tool	1
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	SILENTTRINITY - S0692 (1244e058-fa10-48cb-b484-0bcf671107ae)	mitre-tool	1
SILENTTRINITY - S0692 (1244e058-fa10-48cb-b484-0bcf671107ae)	mitre-tool	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	1
SILENTTRINITY - S0692 (1244e058-fa10-48cb-b484-0bcf671107ae)	mitre-tool	Impair Command History Logging - T1562.003 (8f504411-cb96-4dac-a537-8d2bb7679c59)	Attack Pattern	1
SILENTTRINITY - S0692 (1244e058-fa10-48cb-b484-0bcf671107ae)	mitre-tool	System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa)	Attack Pattern	1
SILENTTRINITY - S0692 (1244e058-fa10-48cb-b484-0bcf671107ae)	mitre-tool	Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	1
SILENTTRINITY - S0692 (1244e058-fa10-48cb-b484-0bcf671107ae)	mitre-tool	Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	1
SILENTTRINITY - S0692 (1244e058-fa10-48cb-b484-0bcf671107ae)	mitre-tool	Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0)	Attack Pattern	1
GUI Input Capture - T1056.002 (a2029942-0a85-4947-b23c-ca434698171d)	Attack Pattern	Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	2
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	2
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447)	Attack Pattern	Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	2
Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b)	Attack Pattern	Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce)	Attack Pattern	2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Distributed Component Object Model - T1021.003 (68a0c5ed-bee2-4513-830d-5b0d650139bd)	Attack Pattern	Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	2
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	2
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db)	Attack Pattern	Component Object Model Hijacking - T1546.015 (bc0f5e80-91c0-4e04-9fbb-e4e332c85dae)	Attack Pattern	2
Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee)	Attack Pattern	Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a)	Attack Pattern	2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	2
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d)	Attack Pattern	2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1)	Attack Pattern	2
Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c)	Attack Pattern	Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce)	Attack Pattern	2
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db)	Attack Pattern	Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58)	Attack Pattern	2
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)	Attack Pattern	Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	2
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	2
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	Group Policy Preferences - T1552.006 (8d7bd4f5-3a89-4453-9c82-2c8894d5655e)	Attack Pattern	2
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65)	Attack Pattern	2
Change Default File Association - T1546.001 (98034fef-d9fb-4667-8dc4-2eab6231724c)	Attack Pattern	Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db)	Attack Pattern	2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	Impair Command History Logging - T1562.003 (8f504411-cb96-4dac-a537-8d2bb7679c59)	Attack Pattern	2
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	2
Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b)	Attack Pattern	Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0)	Attack Pattern	2