S0692: SILENTTRINITY
SILENTTRINITY is an open source remote administration and post-exploitation framework primarily written in Python that includes stagers written in Powershell, C, and Boo. SILENTTRINITY was used in a 2019 campaign against Croatian government agencies by unidentified cyber actors.[1][2]
Analyst context for executives and security teams
SILENTTRINITY matters because it bundles, in one open source framework, the post-exploitation capabilities an intruder needs after initial access on Windows: a Python-based server with stagers in PowerShell, C, and Boo, and modules that ATT&CK maps to credential access, discovery, execution, lateral movement, collection, defense evasion, and exfiltration. For leaders, the practical issue is not the tool name; it is whether the organization can see and control the Windows administration paths an intruder could abuse once inside.
Executive priority
Prioritize SILENTTRINITY as a readiness test for Windows endpoint visibility, privileged-access governance, and incident response decision-making. The relationship set includes LSASS memory access, PowerShell and command-shell execution, WMI, DCOM, WinRM, group and system discovery, keylogging/input capture, file deletion, and exfiltration over an existing C2 channel. Executives should ask whether SOC evidence can distinguish legitimate administration from post-exploitation activity, whether privileged credentials are protected from endpoint compromise, and whether IR teams can reconstruct activity if files or indicators are removed.
Technical view
No official ATT&CK detection guidance exists for this software object, so validate coverage against the related techniques rather than relying on a tool signature. On Windows, focus on correlated behavior: script or command execution followed by discovery of users, groups, services, processes, registry keys, files, and remote systems; LSASS process access from unexpected processes; WMI, DCOM, or WinRM used for remote execution or lateral movement; process injection indicators; keylogging or GUI credential-prompt behavior where telemetry exists; file deletion after tool activity; and outbound data movement over the same channel used for command and control. Tune detections for legitimate administrative tooling, especially PowerShell, WMI, WinRM, DCOM, service queries, and domain and group enumeration, which produce the same events during routine administration.
Likely telemetry
- Windows process creation and command-line telemetry for PowerShell, cmd, Python, service queries, registry queries, user/group discovery, and file discovery
- PowerShell logging and script block/module logging where enabled
- Windows event logs for WMI, WinRM, DCOM-related remote activity, service control, and authentication context
- Endpoint telemetry for LSASS process access, memory access attempts, process injection, and suspicious child-process chains
- Registry access telemetry for discovery-oriented queries
Detection direction
- Build behavior-based detections around the ATT&CK relationships, not just the SILENTTRINITY name or hash.
- Correlate execution plus discovery: PowerShell/cmd/Python activity followed by service, process, registry, user, group, file, or remote-system enumeration is higher value than any single command.
- Validate alerting for LSASS memory access and credential-access precursors, especially from unusual processes or administrative sessions.
- Review WMI, WinRM, and DCOM use by account, host, and time of day; these are common administrative paths and require baselining to reduce false positives.
- Look for cleanup behavior such as file deletion after execution or discovery activity, because indicator removal may reduce forensic evidence.
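The detection directions above, as an added, runnable example rather than anything from the SILENTTRINITY project or from ATT&CK: the rules below correlate a script-host launch with follow-on discovery commands from the same host and user, and flag LSASS handle opens that carry the rights `MiniDumpWriteDump` needs from a process outside a baseline allowlist. The Sysmon-style events, the two-minute window, the discovery command patterns, and the allowlist are constructed assumptions to tune against local telemetry.

```python
"""Correlate script-host execution with follow-on discovery, and flag LSASS handle
opens from unexpected processes, over Sysmon-style events.

Hypothetical detection logic written for this page; it is not SILENTTRINITY code and
not ATT&CK guidance. Events below are constructed to mirror Sysmon Event ID 1
(process create) and Event ID 10 (process access). Thresholds, the allowlist and the
120-second window are assumptions to tune against local baselines.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs).
EVENTS = [
    # WS01: PowerShell with a hidden window, then three discovery commands, then an LSASS open.
    {"ts": "2024-05-01T09:00:00", "id": 1, "host": "WS01", "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"ts": "2024-05-01T09:00:04", "id": 1, "host": "WS01", "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\net.exe",
     "cmdline": "net group \"Domain Admins\" /domain"},
    {"ts": "2024-05-01T09:00:09", "id": 1, "host": "WS01", "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg query HKLM\\Software\\Policies\\Microsoft\\Windows\\Installer /v AlwaysInstallElevated"},
    {"ts": "2024-05-01T09:00:15", "id": 1, "host": "WS01", "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\sc.exe", "cmdline": "sc query state= all"},
    {"ts": "2024-05-01T09:01:30", "id": 10, "host": "WS01", "user": "CORP\\alice",
     "source_image": "C:\\Users\\alice\\AppData\\Local\\Temp\\stage.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1FFFFF"},
    # SRV02: a single whoami from an admin shell and Defender touching LSASS; should stay quiet.
    {"ts": "2024-05-01T10:00:00", "id": 1, "host": "SRV02", "user": "CORP\\svc-mon",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe"},
    {"ts": "2024-05-01T10:00:01", "id": 1, "host": "SRV02", "user": "CORP\\svc-mon",
     "image": "C:\\Windows\\System32\\whoami.exe", "cmdline": "whoami"},
    {"ts": "2024-05-01T10:00:02", "id": 10, "host": "SRV02", "user": "NT AUTHORITY\\SYSTEM",
     "source_image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1010"},
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "python.exe", "wscript.exe", "cscript.exe"}
DISCOVERY_PATTERNS = (  # substring of the lowercased command line -> ATT&CK technique
    ("net group", "T1069.002"), ("net localgroup", "T1069.001"), ("net user", "T1087"),
    ("net view", "T1135"), ("sc query", "T1007"), ("reg query", "T1012"),
    ("tasklist", "T1057"), ("whoami", "T1033"), ("systeminfo", "T1082"),
)
HIDDEN_WINDOW = ("-w hidden", "-windowstyle hidden")           # T1564.003 indicator
LSASS_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe"}    # assumed local baseline
PROCESS_VM_READ, PROCESS_QUERY_INFORMATION, PROCESS_QUERY_LIMITED_INFORMATION = 0x0010, 0x0400, 0x1000
WINDOW = timedelta(seconds=120)
MIN_DISCOVERY = 2


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def correlate_execution_discovery(events):
    """One alert per script-host launch followed by >= MIN_DISCOVERY distinct discovery
    techniques from the same host and user inside WINDOW. A lone whoami is not worth paging on."""
    per_session = defaultdict(list)
    for e in events:
        if e["id"] == 1:
            per_session[(e["host"], e["user"])].append(e)
    alerts = []
    for (host, user), procs in per_session.items():
        procs.sort(key=lambda e: e["ts"])  # ISO-8601 strings sort chronologically
        for i, p in enumerate(procs):
            if basename(p["image"]) not in SCRIPT_HOSTS:
                continue
            t0 = datetime.fromisoformat(p["ts"])
            techniques = set()
            for f in procs[i + 1:]:
                if datetime.fromisoformat(f["ts"]) - t0 > WINDOW:
                    break
                cmd = f["cmdline"].lower()
                techniques.update(t for pat, t in DISCOVERY_PATTERNS if pat in cmd)
            if len(techniques) >= MIN_DISCOVERY:
                alerts.append({
                    "rule": "exec_then_discovery", "host": host, "user": user,
                    "trigger": p["cmdline"],
                    "hidden_window": any(h in p["cmdline"].lower() for h in HIDDEN_WINDOW),
                    "techniques": sorted(techniques),
                })
    return alerts


def detect_lsass_access(events):
    """Flag Event ID 10 opens of lsass.exe that carry the rights MiniDumpWriteDump needs
    (PROCESS_VM_READ plus a query right) from a process outside the allowlist."""
    alerts = []
    for e in events:
        if e["id"] != 10 or basename(e["target_image"]) != "lsass.exe":
            continue
        if basename(e["source_image"]) in LSASS_ALLOWLIST:
            continue
        mask = int(e["granted_access"], 16)
        can_read = mask & PROCESS_VM_READ
        can_query = mask & (PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION)
        if can_read and can_query:
            alerts.append({"rule": "lsass_dump_rights", "host": e["host"], "user": e["user"],
                           "source_image": e["source_image"], "granted_access": e["granted_access"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate_execution_discovery(EVENTS) + detect_lsass_access(EVENTS):
        print(alert)
```

Run against the constructed events, the WS01 session produces one execution-plus-discovery alert (hidden window set, techniques T1007, T1012 and T1069.002) and one LSASS alert for the temp-directory binary, while the SRV02 admin shell and Defender's LSASS read stay quiet. The point of the allowlist and the distinct-technique threshold is the tuning called for above: a single `whoami` or a security product opening LSASS is routine, and a rule that pages on either will be muted within a week.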
Mitigation priorities
- Harden privileged access first: limit administrative rights, monitor privileged sessions, and reduce opportunities for LSASS credential theft.
- Control and audit Windows remote administration paths such as WMI, WinRM, and DCOM according to business need.
- Constrain script and command execution where operationally feasible, with special attention to PowerShell and Python use on Windows endpoints.
- Improve logging retention and centralization so file deletion or indicator removal does not eliminate the only evidence of intrusion activity.
- Segment and monitor systems where remote discovery and lateral movement would create high business impact.
Analyst notes and limits
ATT&CK describes SILENTTRINITY as open source and records its use in a 2019 campaign against Croatian government agencies by unidentified cyber actors. The supplied object is Windows-focused, while several related techniques carry broader platform descriptions; this summary treats the tool's platform as Windows and uses the relationships to identify areas for defensive validation.
ATT&CK provides no official detection text for this software object, and the object-level tactics are not specified. The relationship context supports likely behavior categories, but local telemetry, baselines, controls, and incident evidence are required to determine actual exposure or detection coverage. This summary does not assert current exploitation, attribution, or customer impact.
SILENTTRINITY
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1552.006 | Group Policy Preferences | SILENTTRINITY has a module that can extract cached GPP passwords. (Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1620 | Reflective Code Loading | SILENTTRINITY can run a .NET executable within the memory of a sacrificial process by loading the CLR. (Citation: Github_SILENTTRINITY) |
| Enterprise | T1069.002 | Domain Groups | SILENTTRINITY can use the `System.DirectoryServices` namespace to retrieve domain group information. (Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1105 | Ingress Tool Transfer | SILENTTRINITY can load additional files and tools, including Mimikatz. (Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1546.001 | Change Default File Association | SILENTTRINITY can conduct an image hijack of the `.msc` file extension as part of its UAC bypass process. (Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1115 | Clipboard Data | SILENTTRINITY can monitor clipboard text and can use `System.Windows.Forms.Clipboard.GetText()` to collect data from the clipboard. (Citation: Github_SILENTTRINITY) |
| Enterprise | T1070 | Indicator Removal | SILENTTRINITY can remove artifacts from the compromised host, including created Registry keys. (Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1003.001 | LSASS Memory | SILENTTRINITY can create a memory dump of LSASS via the `MiniDumpWriteDump` Win32 API call. (Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1135 | Network Share Discovery | SILENTTRINITY can enumerate shares on a compromised host. (Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1564.003 | Hidden Window | SILENTTRINITY has the ability to set its window state to hidden. (Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1543.003 | Windows Service | SILENTTRINITY can establish persistence by creating a new service. (Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1069.001 | Local Groups | SILENTTRINITY can obtain a list of local groups and members. (Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1685 | Disable or Modify Tools | SILENTTRINITY's `amsiPatch.py` module can disable Antimalware Scan Interface (AMSI) functions. (Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1113 | Screen Capture | SILENTTRINITY can take a screenshot of the current desktop. (Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1047 | Windows Management Instrumentation | SILENTTRINITY can use WMI for lateral movement. (Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1055 | Process Injection | SILENTTRINITY can inject shellcode directly into Excel.exe or a specific process. (Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1112 | Modify Registry | SILENTTRINITY can modify registry keys, including to enable or disable Remote Desktop Protocol (RDP). (Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1124 | System Time Discovery | SILENTTRINITY can collect start time information from a compromised host. (Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1546.003 | Windows Management Instrumentation Event Subscription | SILENTTRINITY can create a WMI Event to execute a payload for persistence. (Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1134.001 | Token Impersonation/Theft | SILENTTRINITY can find a process owned by a specific user and impersonate the associated token. (Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1556 | Modify Authentication Process | SILENTTRINITY can create a backdoor in KeePass using a malicious config file and in TortoiseSVN using a registry hook. (Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1012 | Query Registry | SILENTTRINITY can use the `GetRegValue` function to check Registry keys within `HKCU\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated` and `HKLM\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated`. It also contains additional modules that can check software AutoRun values and use the Win32 namespace to get values from the HKCU, HKLM, HKCR, and HKCC hives. (Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1689 | Downgrade Attack | SILENTTRINITY can downgrade NTLM to capture NTLM hashes. (Citation: Github_SILENTTRINITY) |
| Enterprise | T1087.002 | Domain Account | SILENTTRINITY can use `System.Security.AccessControl` namespaces to retrieve domain user information. (Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1018 | Remote System Discovery | SILENTTRINITY can enumerate and collect the properties of domain computers. (Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1690 | Prevent Command History Logging | SILENTTRINITY can bypass ScriptBlock logging to execute unmanaged PowerShell code from memory. (Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1070.004 | File Deletion | SILENTTRINITY can remove files from the compromised host. (Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1134.003 | Make and Impersonate Token | SILENTTRINITY can make tokens from known credentials. (Citation: Github_SILENTTRINITY) |
| Enterprise | T1059.006 | Python | SILENTTRINITY is written in Python and can use multiple Python scripts for execution on targeted systems. (Citation: GitHub SILENTTRINITY March 2022) (Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1046 | Network Service Discovery | SILENTTRINITY can scan for open ports on a compromised machine. (Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1059.001 | PowerShell | SILENTTRINITY can use PowerShell to execute commands. (Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1555.003 | Credentials from Web Browsers | SILENTTRINITY can collect clear text web credentials for Internet Explorer/Edge. (Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1106 | Native API | SILENTTRINITY has the ability to leverage APIs including `GetProcAddress` and `LoadLibrary`. (Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1558.003 | Kerberoasting | SILENTTRINITY contains a module to conduct Kerberoasting. (Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1546.015 | Component Object Model Hijacking | SILENTTRINITY can add a CLSID key for payload execution through `Registry.CurrentUser.CreateSubKey("Software\\Classes\\CLSID\\{" + clsid + "}\\InProcServer32")`. (Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1041 | Exfiltration Over C2 Channel | SILENTTRINITY can transfer files from an infected host to the C2 server. (Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1555.004 | Windows Credential Manager | SILENTTRINITY can gather Windows Vault credentials. (Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1021.003 | Distributed Component Object Model | SILENTTRINITY can use `System` namespace methods to execute lateral movement using DCOM. (Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1083 | File and Directory Discovery | SILENTTRINITY has several modules, such as `ls.py`, `pwd.py`, and `recentFiles.py`, to enumerate directories and files. (Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1680 | Local Storage Discovery | SILENTTRINITY can collect information related to a compromised host, including a list of drives. (Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1548.002 | Bypass User Account Control | SILENTTRINITY contains a number of modules that can bypass UAC, including through Windows Device Manager, Manage Optional Features, and an image hijack on the `.msc` file extension. (Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1559.001 | Component Object Model | SILENTTRINITY can insert malicious shellcode into Excel.exe using a `Microsoft.Office.Interop` object. (Citation: Github_SILENTTRINITY) |
| Enterprise | T1059.003 | Windows Command Shell | SILENTTRINITY can use `cmd.exe` to enable lateral movement using DCOM. (Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1010 | Application Window Discovery | SILENTTRINITY can enumerate the active window during keylogging through execution of `GetActiveWindowTitle`. (Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1021.006 | Windows Remote Management | SILENTTRINITY tracks `TrustedHosts` and can move laterally to these targets via WinRM. (Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | SILENTTRINITY can establish a LNK file in the startup folder for persistence. (Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1057 | Process Discovery | SILENTTRINITY can enumerate processes, including properties to determine if they have the Common Language Runtime (CLR) loaded. (Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1056.002 | GUI Input Capture | SILENTTRINITY's `credphisher.py` module can prompt the current user for their credentials. (Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1056.001 | Keylogging | SILENTTRINITY has a keylogging capability. (Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1033 | System Owner/User Discovery | SILENTTRINITY can gather a list of logged on users. (Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1518.001 | Security Software Discovery | SILENTTRINITY can determine if an anti-virus product is installed through the resolution of the service's virtual SID. (Citation: Security Affairs SILENTTRINITY July 2019) |
| Enterprise | T1082 | System Information Discovery | SILENTTRINITY can collect information related to a compromised host, including OS version. (Citation: GitHub SILENTTRINITY Modules July 2019) |
| Enterprise | T1007 | System Service Discovery | SILENTTRINITY can search for modifiable services that could be used for privilege escalation. (Citation: GitHub SILENTTRINITY Modules July 2019) |
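Several rows in the table above describe artifacts that survive on the host after the operator has moved on: the per-user CLSID `InProcServer32` key (T1546.015), the `.msc` handler hijack used for UAC bypass (T1546.001 and T1548.002), the registry switch for RDP (T1112), a startup-folder LNK (T1547.001), a WMI event consumer (T1546.003) and a new service (T1543.003). The hunt below is an added example written for this page, not SILENTTRINITY's own code, and it runs over constructed Sysmon-style events (ID 13 registry value set, ID 11 file create, ID 20 WMI consumer) plus a System log 7045 service install. The exact `mscfile` handler path, the `fDenyTSConnections` value name, and the heuristic that flags a service binary outside `C:\Windows` or `C:\Program Files` are assumptions to validate against local data.

```python
"""Hunt persistence and registry artifacts associated with SILENTTRINITY modules.

Hypothetical rules written for this page, not the framework's own code. Events are
constructed to mirror Sysmon ID 13 (registry value set), ID 11 (file create), ID 20
(WMI consumer) and System log 7045 (service install). The mscfile handler path, the
fDenyTSConnections value and the service-path heuristic are assumptions.
"""
import re

# Sysmon records per-user hives as HKU\<SID>\...; folding that to HKCU\ lets one rule cover every user.
USER_HIVE = re.compile(r"^HKU\\S-1-5-21-[\d-]+\\", re.IGNORECASE)


def normalize_key(path):
    return USER_HIVE.sub(lambda m: "HKCU\\", path)


def _key(e):
    return normalize_key(e.get("target", "")).lower()


def is_com_hijack(e):
    # T1546.015: a CLSID InProcServer32 under the user hive shadows the machine-wide COM server.
    k = _key(e)
    return e["id"] == 13 and k.startswith("hkcu\\software\\classes\\clsid\\") and "\\inprocserver32" in k


def is_msc_handler_hijack(e):
    # T1546.001 / T1548.002: a per-user mscfile open handler is what auto-elevating MMC launchers run (assumed key).
    return e["id"] == 13 and _key(e).startswith("hkcu\\software\\classes\\mscfile\\shell\\open\\command")


def is_rdp_toggle(e):
    # T1112: fDenyTSConnections = 0 enables inbound RDP (assumed value name).
    return e["id"] == 13 and _key(e).endswith("\\terminal server\\fdenytsconnections")


def is_startup_lnk(e):
    # T1547.001: LNK dropped in a Startup folder runs at logon.
    t = e.get("target_filename", "").lower()
    return e["id"] == 11 and "\\start menu\\programs\\startup\\" in t and t.endswith(".lnk")


def is_wmi_consumer(e):
    # T1546.003: CommandLine and ActiveScript consumers are the ones that execute a payload on an event.
    return e["id"] == 20 and e.get("consumer_type") in {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}


def is_suspicious_service(e):
    # T1543.003: new service whose binary lives outside the usual system paths (assumed heuristic).
    p = e.get("image_path", "").lower()
    return e["id"] == 7045 and not (p.startswith("c:\\windows\\") or p.startswith("c:\\program files"))


RULES = (
    ("com_hijack", "T1546.015", is_com_hijack),
    ("msc_handler_hijack", "T1546.001", is_msc_handler_hijack),
    ("rdp_registry_toggle", "T1112", is_rdp_toggle),
    ("startup_folder_lnk", "T1547.001", is_startup_lnk),
    ("wmi_event_consumer", "T1546.003", is_wmi_consumer),
    ("service_outside_system_paths", "T1543.003", is_suspicious_service),
)

SID = "S-1-5-21-1111-2222-3333-1001"  # constructed, not a real account
EVENTS = [  # constructed sample telemetry
    {"id": 13, "host": "WS01", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\stage.exe",
     "target": f"HKU\\{SID}\\Software\\Classes\\CLSID\\{{00000000-1111-2222-3333-444444444444}}\\InProcServer32\\(Default)",
     "details": "C:\\Users\\alice\\AppData\\Local\\Temp\\st.dll"},
    {"id": 13, "host": "WS01", "image": "C:\\Windows\\System32\\msiexec.exe",  # installer, machine hive: benign
     "target": "HKLM\\SOFTWARE\\Classes\\CLSID\\{00000000-1111-2222-3333-555555555555}\\InProcServer32\\(Default)",
     "details": "C:\\Program Files\\Vendor\\vendor.dll"},
    {"id": 13, "host": "WS01", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\stage.exe",
     "target": f"HKU\\{SID}\\Software\\Classes\\mscfile\\shell\\open\\command\\(Default)",
     "details": "powershell.exe -w hidden -enc SQBFAFgA"},
    {"id": 13, "host": "WS01", "image": "C:\\Windows\\System32\\reg.exe",
     "target": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections",
     "details": "DWORD (0x00000000)"},
    {"id": 11, "host": "WS01", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\stage.exe",
     "target_filename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk"},
    {"id": 11, "host": "WS01", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "target_filename": "C:\\Users\\alice\\Documents\\report.docx"},
    {"id": 20, "host": "WS01", "consumer_type": "CommandLineEventConsumer",
     "destination": "powershell.exe -w hidden -enc SQBFAFgA"},
    {"id": 7045, "host": "SRV02", "service_name": "WinSvcUpdate", "image_path": "C:\\Users\\Public\\svc.exe"},
    {"id": 7045, "host": "SRV02", "service_name": "VendorAgent", "image_path": "C:\\Program Files\\Vendor\\agent.exe"},
]


def hunt(events):
    """Return one finding per (event, rule) match; an event can satisfy several rules."""
    findings = []
    for e in events:
        for name, technique, matches in RULES:
            if matches(e):
                findings.append({"rule": name, "technique": technique, "host": e["host"], "evidence": e})
    return findings


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f["technique"], f["rule"], f["host"])
```

On the constructed events this yields six findings, one per technique, and leaves the installer's machine-hive CLSID write, the Word document, and the vendor service alone. Two design choices matter in practice: normalizing `HKU\<SID>` to `HKCU` so the rule does not need one pattern per user, and restricting the COM hijack rule to the user hive, because per-user keys take precedence over `HKLM` entries and are writable without elevation, which is exactly why the technique works.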
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases by object hash and MITRE modification timestamp. MITRE's own release notes and roadmap are published on the ATT&CK Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 0c1c78c2627c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and is addressable by its object hash.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] GitHub SILENTTRINITY March 2022. Salvati, M. (2019, August 6). SILENTTRINITY. Retrieved March 23, 2022.
[2] Security Affairs SILENTTRINITY July 2019. Paganini, P. (2019, July 7). Croatia government agencies targeted with news SilentTrinity malware. Retrieved March 23, 2022.
[3] SILENTTRINITY (ATT&CK name entry; cites GitHub SILENTTRINITY March 2022).
[4] MITRE ATT&CK software object S0692 (mitre-attack).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.