Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

SILENTTRINITY

SILENTTRINITY is an open source remote administration and post-exploitation framework primarily written in Python that includes stagers written in Powershell, C, and Boo. SILENTTRINITY was used in a 2019 campaign against Croatian government agencies by unidentified cyber actors.(Citation: GitHub SILENTTRINITY March 2022)(Citation: Security Affairs SILENTTRINITY July 2019)
ID: S0692
Type: TOOL
Platforms: Windows
Version: 1.1
Created: 23 Mar 2022
Last Modified: 23 Sep 2024

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

SILENTTRINITY contains a number of modules that can bypass UAC, including through Window's Device Manager, Manage Optional Features, and an image hijack on the `.msc` file extension.(Citation: GitHub SILENTTRINITY Modules July 2019)

Enterprise T1134 .001 Access Token Manipulation: Token Impersonation/Theft

SILENTTRINITY can find a process owned by a specific user and impersonate the associated token.(Citation: GitHub SILENTTRINITY Modules July 2019)

.003 Access Token Manipulation: Make and Impersonate Token

SILENTTRINITY can make tokens from known credentials.(Citation: Github_SILENTTRINITY)

Enterprise T1087 .002 Account Discovery: Domain Account

SILENTTRINITY can use `System.Security.AccessControl` namespaces to retrieve domain user information.(Citation: GitHub SILENTTRINITY Modules July 2019)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

SILENTTRINITY can establish a LNK file in the startup folder for persistence.(Citation: GitHub SILENTTRINITY Modules July 2019)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

SILENTTRINITY can use PowerShell to execute commands.(Citation: GitHub SILENTTRINITY Modules July 2019)

.003 Command and Scripting Interpreter: Windows Command Shell

SILENTTRINITY can use `cmd.exe` to enable lateral movement using DCOM.(Citation: GitHub SILENTTRINITY Modules July 2019)

.006 Command and Scripting Interpreter: Python

SILENTTRINITY is written in Python and can use multiple Python scripts for execution on targeted systems.(Citation: GitHub SILENTTRINITY March 2022)(Citation: GitHub SILENTTRINITY Modules July 2019)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

SILENTTRINITY can establish persistence by creating a new service.(Citation: GitHub SILENTTRINITY Modules July 2019)

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

SILENTTRINITY can collect clear text web credentials for Internet Explorer/Edge.(Citation: GitHub SILENTTRINITY Modules July 2019)

.004 Credentials from Password Stores: Windows Credential Manager

SILENTTRINITY can gather Windows Vault credentials.(Citation: GitHub SILENTTRINITY Modules July 2019)

Enterprise T1546 .001 Event Triggered Execution: Change Default File Association

SILENTTRINITY can conduct an image hijack of an `.msc` file extension as part of its UAC bypass process.(Citation: GitHub SILENTTRINITY Modules July 2019)

.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

SILENTTRINITY can create a WMI Event to execute a payload for persistence.(Citation: GitHub SILENTTRINITY Modules July 2019)

.015 Event Triggered Execution: Component Object Model Hijacking

SILENTTRINITY can add a CLSID key for payload execution through `Registry.CurrentUser.CreateSubKey("Software\\Classes\\CLSID\\{" + clsid + "}\\InProcServer32")`.(Citation: GitHub SILENTTRINITY Modules July 2019)

Enterprise T1564 .003 Hide Artifacts: Hidden Window

SILENTTRINITY has the ability to set its window state to hidden.(Citation: GitHub SILENTTRINITY Modules July 2019)

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

SILENTTRINITY's `amsiPatch.py` module can disable Antimalware Scan Interface (AMSI) functions.(Citation: GitHub SILENTTRINITY Modules July 2019)

.003 Impair Defenses: Impair Command History Logging

SILENTTRINITY can bypass ScriptBlock logging to execute unmanaged PowerShell code from memory.(Citation: GitHub SILENTTRINITY Modules July 2019)

.010 Impair Defenses: Downgrade Attack

SILENTTRINITY can downgrade NTLM to capture NTLM hashes.(Citation: Github_SILENTTRINITY)

Enterprise T1070 .004 Indicator Removal: File Deletion

SILENTTRINITY can remove files from the compromised host.(Citation: GitHub SILENTTRINITY Modules July 2019)

Enterprise T1056 .001 Input Capture: Keylogging

SILENTTRINITY has a keylogging capability.(Citation: GitHub SILENTTRINITY Modules July 2019)

.002 Input Capture: GUI Input Capture

SILENTTRINITY's `credphisher.py` module can prompt a current user for their credentials.(Citation: GitHub SILENTTRINITY Modules July 2019)

Enterprise T1559 .001 Inter-Process Communication: Component Object Model

SILENTTRINITY can insert malicious shellcode into Excel.exe using a `Microsoft.Office.Interop` object.(Citation: Github_SILENTTRINITY)

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

SILENTTRINITY can create a memory dump of LSASS via the `MiniDumpWriteDump Win32` API call.(Citation: GitHub SILENTTRINITY Modules July 2019)

Enterprise T1069 .001 Permission Groups Discovery: Local Groups

SILENTTRINITY can obtain a list of local groups and members.(Citation: GitHub SILENTTRINITY Modules July 2019)

.002 Permission Groups Discovery: Domain Groups

SILENTTRINITY can use `System.DirectoryServices` namespace to retrieve domain group information.(Citation: GitHub SILENTTRINITY Modules July 2019)

Enterprise T1021 .003 Remote Services: Distributed Component Object Model

SILENTTRINITY can use `System` namespace methods to execute lateral movement using DCOM.(Citation: GitHub SILENTTRINITY Modules July 2019)

.006 Remote Services: Windows Remote Management

SILENTTRINITY tracks `TrustedHosts` and can move laterally to these targets via WinRM.(Citation: GitHub SILENTTRINITY Modules July 2019)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

SILENTTRINITY can determine if an anti-virus product is installed through the resolution of the service's virtual SID.(Citation: Security Affairs SILENTTRINITY July 2019)

Enterprise T1558 .003 Steal or Forge Kerberos Tickets: Kerberoasting

SILENTTRINITY contains a module to conduct Kerberoasting.(Citation: GitHub SILENTTRINITY Modules July 2019)

Enterprise T1552 .006 Unsecured Credentials: Group Policy Preferences

SILENTTRINITY has a module that can extract cached GPP passwords.(Citation: GitHub SILENTTRINITY Modules July 2019)

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.