Strider is a threat group that has been active since at least 2011 and has targeted victims in Russia, China, Sweden, Belgium, Iran, and Rwanda. [1] [2]

ID: G0041
Version: 1.0

Associated Group Descriptions

ProjectSauronProjectSauron is used to refer both to the threat group also known as G0041 as well as the malware platform also known as S0125. [2] [3]

Techniques Used

EnterpriseT1090Connection ProxyStrider has used local servers with both local network and Internet access to act as internal proxy nodes to exfiltrate data from other parts of the network without direct Internet access.[2]
EnterpriseT1003Credential DumpingStrider has registered its persistence module on domain controllers as a Windows LSA (Local System Authority) password filter to dump credentials any time a domain, local user, or administrator logs in or changes a password.[3]


S0125Remsec[1][2]Account Discovery, Credential Dumping, Custom Command and Control Protocol, Data from Removable Media, Disabling Security Tools, Exfiltration Over Alternative Protocol, Exfiltration Over Physical Medium, Exploitation for Privilege Escalation, File and Directory Discovery, File Deletion, Input Capture, Masquerading, Network Service Scanning, Obfuscated Files or Information, Password Filter DLL, Process Discovery, Process Injection, Remote File Copy, Remote System Discovery, Scheduled Task, Security Software Discovery, Standard Application Layer Protocol, Standard Cryptographic Protocol, Standard Non-Application Layer Protocol, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, Uncommonly Used Port