Strider, ProjectSauron, Group G0041 | MITRE ATT&CK®
Strider
Strider is a threat group that has been active since at least 2011 and has targeted victims in Russia, China, Sweden, Belgium, Iran, and Rwanda. [1] [2]
ID: G0041
Associated Groups : ProjectSauron
Version : 1.1
Created: 31 May 2017
Last Modified: 25 April 2025
Associated Group Descriptions
Name | Description
ProjectSauron | ProjectSauron is used to refer both to the threat group (also tracked as G0041) and to the malware platform (also tracked as S0125, Remsec). [2] [3]
Techniques Used
Domain | ID | Name | Use
Enterprise | T1564.005 | Hide Artifacts: Hidden File System | Strider has used a hidden file system that is stored as a single file on disk. [3]
Enterprise | T1556.002 | Modify Authentication Process: Password Filter DLL | Strider has registered its persistence module on domain controllers as a Windows LSA (Local Security Authority) password filter, so that it acquires credentials whenever a domain user, local user, or administrator logs in or changes a password. [3]
Enterprise | T1090.001 | Proxy: Internal Proxy | Strider has used local servers that have both local network and Internet access as internal proxy nodes, exfiltrating data from parts of the network that have no direct Internet access. [2]
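The password-filter registration in the table above is the one technique on this page with a concrete, checkable artifact: a password filter DLL is loaded into lsass.exe only if its name appears in the REG_MULTI_SZ value "Notification Packages" under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, and LSA then hands it every cleartext password change. The Python below is an added example, not code from MITRE or from the Symantec or Kaspersky reports cited here. It parses that value out of a .reg export of the Lsa key (as produced by `reg export HKLM\SYSTEM\CurrentControlSet\Control\Lsa lsa.reg` on a domain controller) and flags any package that is not in a baseline. The sample export, the baseline of scecli and rassfm, and the package name evilfilter are constructed for the example and are not indicators from the reports; take the baseline from your own build standard.

```python
"""Audit the LSA 'Notification Packages' value from a .reg export of
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa taken on a domain controller.

Every DLL named in that REG_MULTI_SZ is loaded by lsass.exe and has its
PasswordChangeNotify export called with the cleartext password on each
password change, which is what a malicious password filter (T1556.002)
relies on.  Added example; the sample export below is constructed.
"""
import re

# Assumed baseline for a domain controller: scecli is always present,
# rassfm is added by Routing and Remote Access.  Use your own build standard.
BASELINE = {"scecli", "rassfm"}

# Constructed .reg export of the Lsa key with one extra package registered.
# 'evilfilter' is a hypothetical name chosen for this example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,00
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,72,00,\
  61,00,73,00,73,00,66,00,6d,00,00,00,65,00,76,00,69,00,6c,00,66,00,69,00,6c,\
  00,74,00,65,00,72,00,00,00,00,00
'''


def parse_multi_sz(reg_text, value_name):
    """Return the strings of a REG_MULTI_SZ value from .reg export text.

    regedit writes REG_MULTI_SZ as hex(7): comma-separated UTF-16LE bytes,
    wrapped onto continuation lines that end in a backslash.  The list is
    NUL-separated and terminated by an empty string (double NUL).
    """
    pattern = re.compile(
        r'^"' + re.escape(value_name) + r'"=hex\(7\):((?:[^\n]*\\\n)*[^\n]*)$',
        re.MULTILINE,
    )
    match = pattern.search(reg_text)
    if match is None:
        raise KeyError(value_name)
    # Join continuation lines, drop the indent, then decode the byte list.
    hex_blob = match.group(1).replace("\\\n", "").replace(" ", "").rstrip(",")
    raw = bytes(int(octet, 16) for octet in hex_blob.split(",") if octet)
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]


def audit_notification_packages(reg_text, baseline=BASELINE):
    """Return registered password-filter packages that are not in the baseline.

    A non-empty result on a domain controller means an unexpected DLL is
    receiving cleartext password changes: locate <name>.dll under
    %SystemRoot%\\System32 and check its signature and first-seen time.
    """
    packages = parse_multi_sz(reg_text, "Notification Packages")
    return [p for p in packages if p.lower() not in baseline]


if __name__ == "__main__":
    print("Notification Packages:", parse_multi_sz(SAMPLE_REG, "Notification Packages"))
    print("Not in baseline:", audit_notification_packages(SAMPLE_REG))
```

A name comparison is only the first pass: the Remsec technique list on this page includes Masquerading: Match Legitimate Resource Name or Location, so an attacker can register a DLL whose name blends in. Pair the audit with a signature and hash check of each listed DLL in System32 on every domain controller, and alert on changes to the value itself, since legitimate additions to Notification Packages are rare after a DC is built.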
Software
ID | Name | References | Techniques
S0125 | Remsec | [1] [2] | Account Discovery: Local Account, Application Layer Protocol: Mail Protocols, Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, Command and Scripting Interpreter: Lua, Data from Removable Media, Device Driver Discovery, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Physical Medium: Exfiltration over USB, Exploitation for Privilege Escalation, File and Directory Discovery, Impair Defenses: Disable or Modify System Firewall, Indicator Removal: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Match Legitimate Resource Name or Location, Modify Authentication Process: Password Filter DLL, Network Service Discovery, Non-Application Layer Protocol, Obfuscated Files or Information: Encrypted/Encoded File, OS Credential Dumping: Security Account Manager, Process Discovery, Process Injection: Dynamic-link Library Injection, Remote System Discovery, Scheduled Task/Job: Scheduled Task, Software Discovery: Security Software Discovery, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery
References
[1] Symantec Security Response. (2016, August 7). Strider: Cyberespionage group turns eye of Sauron on targets. Retrieved August 17, 2016.
[2] Kaspersky Lab's Global Research & Analysis Team. (2016, August 8). ProjectSauron: top level cyber-espionage platform covertly extracts encrypted government comms. Retrieved August 17, 2016.
[3] Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 17, 2016.