Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Преступная группа Strider
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Преступная группа
Strider
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Strider

Strider is a threat group that has been active since at least 2011 and has targeted victims in Russia, China, Sweden, Belgium, Iran, and Rwanda.(Citation: Symantec Strider Blog)(Citation: Kaspersky ProjectSauron Blog)
ID: G0041
Associated Groups: ProjectSauron
Version: 1.1
Created: 31 May 2017
Last Modified: 29 Jun 2020

Associated Group Descriptions
Name Description
ProjectSauron ProjectSauron is used to refer both to the threat group also known as G0041 as well as the malware platform also known as S0125. (Citation: Kaspersky ProjectSauron Blog) (Citation: Kaspersky ProjectSauron Full Report)

Techniques Used
Domain ID Name Use
Enterprise T1564 .005 Hide Artifacts: Hidden File System

Strider has used a hidden file system that is stored as a file on disk.(Citation: Kaspersky ProjectSauron Full Report)
Enterprise T1556 .002 Modify Authentication Process: Password Filter DLL

Strider has registered its persistence module on domain controllers as a Windows LSA (Local System Authority) password filter to acquire credentials any time a domain, local user, or administrator logs in or changes a password.(Citation: Kaspersky ProjectSauron Full Report)
Enterprise T1090 .001 Proxy: Internal Proxy

Strider has used local servers with both local network and Internet access to act as internal proxy nodes to exfiltrate data from other parts of the network without direct Internet access.(Citation: Kaspersky ProjectSauron Blog)

Software
ID Name References Techniques
S0125 Remsec (Citation: Kaspersky ProjectSauron Blog) (Citation: ProjectSauron) (Citation: Symantec Strider Blog) Dynamic-link Library Injection, Exploitation for Privilege Escalation, Exfiltration over USB, File and Directory Discovery, Exfiltration Over Unencrypted Non-C2 Protocol, Standard Cryptographic Protocol, System Network Connections Discovery, File Deletion, Keylogging, Process Discovery, Obfuscated Files or Information, Password Filter DLL, Match Legitimate Name or Location, Non-Application Layer Protocol, Remote System Discovery, Mail Protocols, Uncommonly Used Port, Ingress Tool Transfer, Security Account Manager, Disable or Modify System Firewall, Data from Removable Media, System Information Discovery, Local Account, Custom Command and Control Protocol, Scheduled Task/Job, System Network Configuration Discovery, System Owner/User Discovery, Web Protocols, Network Service Discovery, Security Software Discovery, DNS

References

  1. Kaspersky Lab's Global Research & Analysis Team. (2016, August 8). ProjectSauron: top level cyber-espionage platform covertly extracts encrypted government comms. Retrieved August 17, 2016.
  2. Symantec Security Response. (2016, August 7). Strider: Cyberespionage group turns eye of Sauron on targets. Retrieved August 17, 2016.
  3. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 17, 2016.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.