Strider

Strider is a threat group that has been active since at least 2011 and has targeted victims in Russia, China, Sweden, Belgium, Iran, and Rwanda.[1][2]

ID: G0041
Associated Groups: ProjectSauron
Version: 1.1
Created: 31 May 2017
Last Modified: 29 June 2020

Associated Group Descriptions

Name Description
ProjectSauron

ProjectSauron is used to refer both to the threat group also known as G0041 as well as the malware platform also known as S0125. [2] [3]

Techniques Used

Domain ID Name Use
Enterprise T1564 .005 Hide Artifacts: Hidden File System

Strider has used a hidden file system that is stored as a file on disk.[3]

Enterprise T1556 .002 Modify Authentication Process: Password Filter DLL

Strider has registered its persistence module on domain controllers as a Windows LSA (Local System Authority) password filter to acquire credentials any time a domain, local user, or administrator logs in or changes a password.[3]

Enterprise T1090 .001 Proxy: Internal Proxy

Strider has used local servers with both local network and Internet access to act as internal proxy nodes to exfiltrate data from other parts of the network without direct Internet access.[2]

Software

ID Name References Techniques
S0125 Remsec [1][2] Account Discovery: Local Account, Application Layer Protocol: Mail Protocols, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Data from Removable Media, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Physical Medium: Exfiltration over USB, Exploitation for Privilege Escalation, File and Directory Discovery, Impair Defenses: Disable or Modify System Firewall, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Match Legitimate Name or Location, Modify Authentication Process: Password Filter DLL, Network Service Discovery, Non-Application Layer Protocol, Obfuscated Files or Information, OS Credential Dumping: Security Account Manager, Process Discovery, Process Injection: Dynamic-link Library Injection, Remote System Discovery, Scheduled Task/Job, Software Discovery: Security Software Discovery, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery

References