Strider is a threat group that has been active since at least 2011 and has targeted victims in Russia, China, Sweden, Belgium, Iran, and Rwanda.[1][2]

ID: G0041
Associated Groups: ProjectSauron
Version: 1.1
Created: 31 May 2017
Last Modified: 29 June 2020

Associated Group Descriptions

Name Description

ProjectSauron is used to refer both to the threat group also known as G0041 as well as the malware platform also known as S0125. [2] [3]

Techniques Used

Domain ID Name Use
Enterprise T1564 .005 Hide Artifacts: Hidden File System

Strider has used a hidden file system that is stored as a file on disk.[3]

Enterprise T1556 .002 Modify Authentication Process: Password Filter DLL

Strider has registered its persistence module on domain controllers as a Windows LSA (Local System Authority) password filter to acquire credentials any time a domain, local user, or administrator logs in or changes a password.[3]

Enterprise T1090 .001 Proxy: Internal Proxy

Strider has used local servers with both local network and Internet access to act as internal proxy nodes to exfiltrate data from other parts of the network without direct Internet access.[2]