Strider
Associated Group Descriptions

| Name | Description |
|---|---|
| ProjectSauron | ProjectSauron is used to refer both to the threat group also known as G0041 and to the malware platform also known as S0125. (Citation: Kaspersky ProjectSauron Blog) (Citation: Kaspersky ProjectSauron Full Report) |
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1564.005 | Hide Artifacts: Hidden File System | Strider has used a hidden file system that is stored as a file on disk. (Citation: Kaspersky ProjectSauron Full Report) |
| Enterprise | T1556.002 | Modify Authentication Process: Password Filter DLL | Strider has registered its persistence module on domain controllers as a Windows LSA (Local Security Authority) password filter, which lets it capture credentials in plaintext whenever a domain, local user, or administrator logs in or changes a password. (Citation: Kaspersky ProjectSauron Full Report) |
| Enterprise | T1090.001 | Proxy: Internal Proxy | Strider has used local servers that have both local network and Internet access as internal proxy nodes, exfiltrating data from parts of the network that have no direct Internet access. (Citation: Kaspersky ProjectSauron Blog) |
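A password filter is loaded by LSASS from the REG_MULTI_SZ value `Notification Packages` under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`, so the quickest check for the T1556.002 persistence described above is to enumerate that value on every domain controller and flag anything that is not a known default. The following audit script is an added example written for this page; it is not code from the Kaspersky or Symantec reports and does not reproduce any Strider artifact. It assumes that a stock domain controller registers only `scecli` and `rassfm`, that each entry is a DLL base name resolved from `System32`, and that it is run from an elevated PowerShell session on the DC.

```powershell
# Added example (not from the original page): audit LSA "Notification Packages"
# for unexpected password filter DLLs (ATT&CK T1556.002).
# Assumptions: run elevated on a domain controller; $baseline lists the packages
# a default DC registers; each entry is a DLL base name loaded from System32.
function Get-LsaPasswordFilterAudit {
    param(
        [string[]] $Baseline = @('scecli', 'rassfm')   # assumed default packages
    )

    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # REG_MULTI_SZ comes back as a string array; one element per registered filter.
    $packages = (Get-ItemProperty -Path $key -Name 'Notification Packages').'Notification Packages'

    foreach ($pkg in $packages) {
        # Assumption: LSASS resolves the bare name against System32.
        $dll    = Join-Path $env:SystemRoot "System32\$pkg.dll"
        $exists = Test-Path -Path $dll

        # An unsigned or missing DLL behind a filter entry is worth a look on its own.
        $sigStatus = if ($exists) {
            (Get-AuthenticodeSignature -FilePath $dll).Status
        } else {
            'FileMissing'
        }

        $verdict = if ($Baseline -contains $pkg.ToLower()) { 'baseline' } else { 'REVIEW' }

        [PSCustomObject]@{
            Package   = $pkg
            Path      = $dll
            Signature = $sigStatus
            Verdict   = $verdict
        }
    }
}

# Usage: list every registered filter, then show only the ones that need review.
Get-LsaPasswordFilterAudit | Format-Table -AutoSize
Get-LsaPasswordFilterAudit | Where-Object Verdict -eq 'REVIEW'
```

Two caveats a responder should keep in mind. First, a DLL added to this value is not loaded until LSASS restarts, so a clean process-level view does not clear a freshly modified registry value; the registry is the source of truth. Second, a signed DLL is not automatically benign (a legitimately signed but attacker-controlled file would still pass the signature check), so treat any non-baseline entry as needing manual review, and correlate with registry-modification telemetry on that value and with image-load events into `lsass.exe`.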
Software

| ID | Name | References | Techniques |
|---|---|---|---|
| S0125 | Remsec | (Citation: Kaspersky ProjectSauron Blog) (Citation: ProjectSauron) (Citation: Symantec Strider Blog) | Dynamic-link Library Injection, Exploitation for Privilege Escalation, Exfiltration over USB, File and Directory Discovery, Exfiltration Over Unencrypted Non-C2 Protocol, Standard Cryptographic Protocol, System Network Connections Discovery, File Deletion, Keylogging, Process Discovery, Obfuscated Files or Information, Password Filter DLL, Match Legitimate Name or Location, Non-Application Layer Protocol, Remote System Discovery, Mail Protocols, Uncommonly Used Port, Ingress Tool Transfer, Security Account Manager, Disable or Modify System Firewall, Data from Removable Media, System Information Discovery, Local Account, Custom Command and Control Protocol, Scheduled Task/Job, System Network Configuration Discovery, System Owner/User Discovery, Web Protocols, Network Service Discovery, Security Software Discovery, DNS |
References

- Kaspersky Lab's Global Research & Analysis Team. (2016, August 8). ProjectSauron: top level cyber-espionage platform covertly extracts encrypted government comms. Retrieved August 17, 2016.
- Symantec Security Response. (2016, August 7). Strider: Cyberespionage group turns eye of Sauron on targets. Retrieved August 17, 2016.
- Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 17, 2016.