SILENTTRINITY
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1548 | .002 | Abuse Elevation Control Mechanism: Bypass User Account Control |
SILENTTRINITY contains a number of modules that can bypass UAC, including through Window's Device Manager, Manage Optional Features, and an image hijack on the `.msc` file extension.(Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1134 | .001 | Access Token Manipulation: Token Impersonation/Theft |
SILENTTRINITY can find a process owned by a specific user and impersonate the associated token.(Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1087 | .002 | Account Discovery: Domain Account |
SILENTTRINITY can use `System.Security.AccessControl` namespaces to retrieve domain user information.(Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
SILENTTRINITY can establish a LNK file in the startup folder for persistence.(Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
SILENTTRINITY can use PowerShell to execute commands.(Citation: GitHub SILENTTRINITY Modules July 2019) |
| .003 | Command and Scripting Interpreter: Windows Command Shell |
SILENTTRINITY can use `cmd.exe` to enable lateral movement using DCOM.(Citation: GitHub SILENTTRINITY Modules July 2019) |
||
| .006 | Command and Scripting Interpreter: Python |
SILENTTRINITY is written in Python and can use multiple Python scripts for execution on targeted systems.(Citation: GitHub SILENTTRINITY March 2022)(Citation: GitHub SILENTTRINITY Modules July 2019) |
||
| Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service |
SILENTTRINITY can establish persistence by creating a new service.(Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1555 | .003 | Credentials from Password Stores: Credentials from Web Browsers |
SILENTTRINITY can collect clear text web credentials for Internet Explorer/Edge.(Citation: GitHub SILENTTRINITY Modules July 2019) |
| .004 | Credentials from Password Stores: Windows Credential Manager |
SILENTTRINITY can gather Windows Vault credentials.(Citation: GitHub SILENTTRINITY Modules July 2019) |
||
| Enterprise | T1546 | .001 | Event Triggered Execution: Change Default File Association |
SILENTTRINITY can conduct an image hijack of an `.msc` file extension as part of its UAC bypass process.(Citation: GitHub SILENTTRINITY Modules July 2019) |
| .003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription |
SILENTTRINITY can create a WMI Event to execute a payload for persistence.(Citation: GitHub SILENTTRINITY Modules July 2019) |
||
| .015 | Event Triggered Execution: Component Object Model Hijacking |
SILENTTRINITY can add a CLSID key for payload execution through `Registry.CurrentUser.CreateSubKey("Software\\Classes\\CLSID\\{" + clsid + "}\\InProcServer32")`.(Citation: GitHub SILENTTRINITY Modules July 2019) |
||
| Enterprise | T1564 | .003 | Hide Artifacts: Hidden Window |
SILENTTRINITY has the ability to set its window state to hidden.(Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1562 | .001 | Impair Defenses: Disable or Modify Tools |
SILENTTRINITY's `amsiPatch.py` module can disable Antimalware Scan Interface (AMSI) functions.(Citation: GitHub SILENTTRINITY Modules July 2019) |
| .003 | Impair Defenses: Impair Command History Logging |
SILENTTRINITY can bypass ScriptBlock logging to execute unmanaged PowerShell code from memory.(Citation: GitHub SILENTTRINITY Modules July 2019) |
||
| Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
SILENTTRINITY can remove files from the compromised host.(Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1056 | .001 | Input Capture: Keylogging |
SILENTTRINITY has a keylogging capability.(Citation: GitHub SILENTTRINITY Modules July 2019) |
| .002 | Input Capture: GUI Input Capture |
SILENTTRINITY's `credphisher.py` module can prompt a current user for their credentials.(Citation: GitHub SILENTTRINITY Modules July 2019) |
||
| Enterprise | T1003 | .001 | OS Credential Dumping: LSASS Memory |
SILENTTRINITY can create a memory dump of LSASS via the `MiniDumpWriteDump Win32` API call.(Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1069 | .001 | Permission Groups Discovery: Local Groups |
SILENTTRINITY can obtain a list of local groups and members.(Citation: GitHub SILENTTRINITY Modules July 2019) |
| .002 | Permission Groups Discovery: Domain Groups |
SILENTTRINITY can use `System.DirectoryServices` namespace to retrieve domain group information.(Citation: GitHub SILENTTRINITY Modules July 2019) |
||
| Enterprise | T1021 | .003 | Remote Services: Distributed Component Object Model |
SILENTTRINITY can use `System` namespace methods to execute lateral movement using DCOM.(Citation: GitHub SILENTTRINITY Modules July 2019) |
| .006 | Remote Services: Windows Remote Management |
SILENTTRINITY tracks `TrustedHosts` and can move laterally to these targets via WinRM.(Citation: GitHub SILENTTRINITY Modules July 2019) |
||
| Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
SILENTTRINITY can determine if an anti-virus product is installed through the resolution of the service's virtual SID.(Citation: Security Affairs SILENTTRINITY July 2019) |
| Enterprise | T1558 | .003 | Steal or Forge Kerberos Tickets: Kerberoasting |
SILENTTRINITY contains a module to conduct Kerberoasting.(Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1552 | .006 | Unsecured Credentials: Group Policy Preferences |
SILENTTRINITY has a module that can extract cached GPP passwords.(Citation: GitHub SILENTTRINITY Modules July 2019) |
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.