JUST RELEASED: ATT&CK for Industrial Control Systems


Strider is a threat group that has been active since at least 2011 and has targeted victims in Russia, China, Sweden, Belgium, Iran, and Rwanda. [1] [2]

ID: G0041
Associated Groups: ProjectSauron
Version: 1.0
Created: 31 May 2017
Last Modified: 25 March 2019

Associated Group Descriptions

Name Description
ProjectSauron ProjectSauron is used to refer both to the threat group also known as G0041 as well as the malware platform also known as S0125. [2] [3]

Techniques Used

Domain ID Name Use
Enterprise T1090 Connection Proxy

Strider has used local servers with both local network and Internet access to act as internal proxy nodes to exfiltrate data from other parts of the network without direct Internet access.[2]

Enterprise T1003 Credential Dumping

Strider has registered its persistence module on domain controllers as a Windows LSA (Local System Authority) password filter to dump credentials any time a domain, local user, or administrator logs in or changes a password.[3]


ID Name References Techniques
S0125 Remsec [1] [2] Account Discovery, Credential Dumping, Custom Command and Control Protocol, Data from Removable Media, Disabling Security Tools, Exfiltration Over Alternative Protocol, Exfiltration Over Physical Medium, Exploitation for Privilege Escalation, File and Directory Discovery, File Deletion, Input Capture, Masquerading, Network Service Scanning, Obfuscated Files or Information, Password Filter DLL, Process Discovery, Process Injection, Remote File Copy, Remote System Discovery, Scheduled Task, Security Software Discovery, Standard Application Layer Protocol, Standard Cryptographic Protocol, Standard Non-Application Layer Protocol, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, Uncommonly Used Port