SILENTTRINITY
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | SILENTTRINITY contains a number of modules that can bypass UAC, including through Windows Device Manager, Manage Optional Features, and an image hijack on the `.msc` file extension.(Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1134.001 | Access Token Manipulation: Token Impersonation/Theft | SILENTTRINITY can find a process owned by a specific user and impersonate the associated token.(Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1134.003 | Access Token Manipulation: Make and Impersonate Token | SILENTTRINITY can make tokens from known credentials.(Citation: Github_SILENTTRINITY) |
| Enterprise | T1087.002 | Account Discovery: Domain Account | SILENTTRINITY can use the `System.Security.AccessControl` namespaces to retrieve domain user information.(Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | SILENTTRINITY can establish a LNK file in the startup folder for persistence.(Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | SILENTTRINITY can use PowerShell to execute commands.(Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | SILENTTRINITY can use `cmd.exe` to enable lateral movement using DCOM.(Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1059.006 | Command and Scripting Interpreter: Python | SILENTTRINITY is written in Python and can use multiple Python scripts for execution on targeted systems.(Citation: GitHub SILENTTRINITY March 2022)(Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | SILENTTRINITY can establish persistence by creating a new service.(Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | SILENTTRINITY can collect clear text web credentials for Internet Explorer/Edge.(Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1555.004 | Credentials from Password Stores: Windows Credential Manager | SILENTTRINITY can gather Windows Vault credentials.(Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1546.001 | Event Triggered Execution: Change Default File Association | SILENTTRINITY can conduct an image hijack of the `.msc` file extension as part of its UAC bypass process.(Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription | SILENTTRINITY can create a WMI event to execute a payload for persistence.(Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1546.015 | Event Triggered Execution: Component Object Model Hijacking | SILENTTRINITY can add a CLSID key for payload execution through `Registry.CurrentUser.CreateSubKey("Software\\Classes\\CLSID\\{" + clsid + "}\\InProcServer32")`.(Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1564.003 | Hide Artifacts: Hidden Window | SILENTTRINITY has the ability to set its window state to hidden.(Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | SILENTTRINITY's `amsiPatch.py` module can disable Antimalware Scan Interface (AMSI) functions.(Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1562.003 | Impair Defenses: Impair Command History Logging | SILENTTRINITY can bypass ScriptBlock logging to execute unmanaged PowerShell code from memory.(Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1562.010 | Impair Defenses: Downgrade Attack | SILENTTRINITY can downgrade NTLM to capture NTLM hashes.(Citation: Github_SILENTTRINITY) |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | SILENTTRINITY can remove files from the compromised host.(Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1056.001 | Input Capture: Keylogging | SILENTTRINITY has a keylogging capability.(Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1056.002 | Input Capture: GUI Input Capture | SILENTTRINITY's `credphisher.py` module can prompt the current user for their credentials.(Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1559.001 | Inter-Process Communication: Component Object Model | SILENTTRINITY can insert malicious shellcode into `Excel.exe` using a `Microsoft.Office.Interop` object.(Citation: Github_SILENTTRINITY) |
| Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | SILENTTRINITY can create a memory dump of LSASS via the `MiniDumpWriteDump` Win32 API call.(Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1069.001 | Permission Groups Discovery: Local Groups | SILENTTRINITY can obtain a list of local groups and their members.(Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1069.002 | Permission Groups Discovery: Domain Groups | SILENTTRINITY can use the `System.DirectoryServices` namespace to retrieve domain group information.(Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1021.003 | Remote Services: Distributed Component Object Model | SILENTTRINITY can use `System` namespace methods to execute lateral movement using DCOM.(Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1021.006 | Remote Services: Windows Remote Management | SILENTTRINITY tracks `TrustedHosts` and can move laterally to these targets via WinRM.(Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | SILENTTRINITY can determine if an anti-virus product is installed through the resolution of the service's virtual SID.(Citation: Security Affairs SILENTTRINITY July 2019) |
| Enterprise | T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | SILENTTRINITY contains a module to conduct Kerberoasting.(Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1552.006 | Unsecured Credentials: Group Policy Preferences | SILENTTRINITY has a module that can extract cached GPP passwords.(Citation: GitHub SILENTTRINITY Modules July 2019) |
References
- Paganini, P. (2019, July 7). Croatia government agencies targeted with news SilentTrinity malware. Retrieved March 23, 2022.
- Salvati, M. (2019, August 6). SILENTTRINITY. Retrieved March 23, 2022.
- Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
- byt3bl33d3r. (n.d.). SILENTTRINITY. Retrieved September 12, 2024.