Group: Strider, ProjectSauron

From ATT&CK
ID: G0041
Aliases: Strider, ProjectSauron

Strider is a threat group that has been active since at least 2011 and has targeted victims in Russia, China, Sweden, Belgium, Iran, and Rwanda.[1][2]

Alias Descriptions

  • ProjectSauron - ProjectSauron is used to refer both to the threat group also known as Strider and to the malware platform also known as Remsec.[2]

Techniques Used

  • Connection Proxy - Strider has used local servers with both local network and Internet access to act as internal proxy nodes to exfiltrate data from other parts of the network without direct Internet access.[2]
  • Credential Dumping - Strider has registered its persistence module on domain controllers as a Windows LSA (Local Security Authority) password filter to dump credentials any time a domain, local user, or administrator logs in or changes a password.[3]

Software