G0041: Strider
Analyst context for executives and security teams
Strider, also known as ProjectSauron, is an ATT&CK group entry associated with long-running cyber-espionage activity reported since at least 2011 and targeting victims in multiple countries. The business value of this entry is not a single indicator list; it is the pattern of tradecraft linked to the group: a modular backdoor (Remsec), command-and-control and exfiltration relayed through internal servers that have both local network and Internet access, credential capture through a Windows password filter DLL registered on domain controllers, and tooling concealed in a hidden file system stored as a file on disk. For leaders, this makes Strider most relevant as a test case for whether the organization can detect stealthy, credential-focused intrusion behavior before it becomes an extended investigation or resilience issue.
Executive priority
Prioritize validation around identity infrastructure, endpoint visibility, and internal network monitoring. The supplied ATT&CK relationships point to behaviors that can undermine incident confidence: credential theft at authentication points, concealed files, and command-and-control routed through internal systems. Executives should ask whether domain controllers and other authentication systems have stronger monitoring than standard workstations, whether SOC teams can trace lateral C2 paths, and whether incident responders have evidence sources to investigate hidden storage or backdoor activity. Because ATT&CK provides no official detection text for the group itself, coverage should be demonstrated through technique-level evidence rather than assumed from group naming.
Technical view
SOC and IR teams should map coverage to the related techniques and software: Remsec, the Windows modular backdoor associated with Strider; T1090.001 Internal Proxy for command-and-control relay behavior on Windows, Linux, macOS, ESXi, and network devices; T1556.002 Password Filter DLL for Windows persistence, credential access, and defense evasion; and T1564.005 Hidden File System for stealth on Linux, macOS, and Windows. Validate that monitoring exists on domain controllers for password filter registration (the LSA notification package list) and for changes to the DLLs it names, that internal east-west proxy or port-forwarding behavior can be investigated, and that endpoint and forensic processes can identify hidden or non-standard file system artifacts. Treat this as a behavior-driven detection exercise, not a group-specific alert requirement.
Likely telemetry
- Windows domain controller security, system, and directory service logs
- File and registry change telemetry related to authentication components and password filter DLL configuration
- Endpoint detection and response telemetry for suspicious DLL loading, persistence, and backdoor-like module behavior
- Internal network flow, proxy, firewall, and DNS telemetry for unusual host-to-host relay or command-and-control paths
- Telemetry from Linux, macOS, ESXi, and network devices where internal proxy behavior may occur
Detection direction
- Build detections at the related-technique level because the ATT&CK group object has no official detection guidance.
- For T1556.002, validate alerts for creation or modification of Windows password filter DLL configuration, especially on domain controllers; tune for legitimate password policy products and approved administrative change windows.
- For T1090.001, look for internal systems acting as unexpected relays, unusual port-forwarding patterns, or command-and-control paths that avoid direct outbound connections; account for legitimate proxies, management tunnels, and administrative tooling.
- For T1564.005, ensure endpoint and forensic tooling can examine hidden file system structures rather than relying only on normal file listings.
- For Remsec-related coverage, focus on behavioral evidence of modular backdoor operation on Windows rather than assuming static indicators remain sufficient.
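The T1556.002 check above, worked through as detection logic over constructed sample events. This is an added example, not Glexia's or MITRE's code: it assumes Sysmon is configured to log Event ID 13 (registry value set) for the LSA `Notification Packages` value and that the domain controller forwards Security Event 4614 (notification package loaded by the Security Account Manager). The baseline set is an assumed local allowlist; `approvedpolicyfilter` stands in for a sanctioned third-party password policy product and `example_filter.dll` is a constructed unknown package, not a real Strider indicator.

```python
"""Flag unknown LSA password filters on a domain controller (T1556.002).
Added example; event field names follow the Sysmon and Security event schemas,
sample events and the baseline allowlist are constructed assumptions."""
import re
from dataclasses import dataclass

NOTIFICATION_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages"

# Assumed baseline: scecli ships with Windows, rassfm and kdcsvc are present on
# domain controllers, approvedpolicyfilter stands in for an approved product.
BASELINE_PACKAGES = {"scecli", "rassfm", "kdcsvc", "approvedpolicyfilter"}


@dataclass
class Finding:
    host: str
    package: str
    source: str   # which event type produced the finding
    reason: str


def _normalize(name: str) -> str:
    """Notification Packages holds DLL base names without extension; accept either."""
    name = name.strip().lower()
    return name[:-4] if name.endswith(".dll") else name


def packages_from_registry_value(details: str):
    """The value is REG_MULTI_SZ; Sysmon renders entries separated by NUL or
    whitespace depending on the collector, so split on both."""
    return [_normalize(p) for p in re.split(r"[\x00\s]+", details) if p.strip()]


def check_events(events):
    """Return findings for packages outside the baseline, from either the
    registry write (Sysmon 13) or the load at LSA start (Security 4614)."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        host = ev.get("Computer", "?")
        if eid == 13 and ev.get("TargetObject", "").lower() == NOTIFICATION_KEY.lower():
            for pkg in packages_from_registry_value(ev.get("Details", "")):
                if pkg not in BASELINE_PACKAGES:
                    findings.append(Finding(host, pkg, "Sysmon13",
                                            f"unknown package written by {ev.get('Image')}"))
        elif eid == 4614:
            pkg = _normalize(ev.get("NotificationPackageName", ""))
            if pkg not in BASELINE_PACKAGES:
                findings.append(Finding(host, pkg, "Security4614",
                                        "unknown package loaded at LSA start"))
    return findings


SAMPLE_EVENTS = [  # constructed sample telemetry, not real events
    {"EventID": 13, "Computer": "dc01", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": NOTIFICATION_KEY, "Details": "scecli\x00rassfm\x00kdcsvc"},
    {"EventID": 13, "Computer": "dc01", "Image": r"C:\Windows\Temp\setup.exe",
     "TargetObject": NOTIFICATION_KEY,
     "Details": "scecli\x00rassfm\x00kdcsvc\x00example_filter.dll"},
    {"EventID": 4614, "Computer": "dc01", "NotificationPackageName": "scecli"},
    {"EventID": 4614, "Computer": "dc01", "NotificationPackageName": "approvedpolicyfilter"},
    {"EventID": 4614, "Computer": "dc01", "NotificationPackageName": "example_filter"},
]

if __name__ == "__main__":
    for f in check_events(SAMPLE_EVENTS):
        print(f"{f.host}: {f.package} via {f.source}: {f.reason}")
```

Two points matter in production. A write to the value is the earliest signal, but the filter only loads after LSA restarts, so the 4614 check catches registrations that happened before monitoring was in place. Keep the baseline per host class: a member server should not carry `rassfm` and `kdcsvc`, so a shared allowlist hides drift.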
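The T1090.001 direction, worked through as a scoring pass over constructed flow records. This is an added example rather than code from the page or from MITRE; it keys on the shape of the Strider procedure (a server with both local network and Internet access relaying for hosts that have no direct Internet path). The internal address ranges, the approved-relay allowlist, the fan-in threshold, and all addresses below are assumptions to replace with local values.

```python
"""Score internal hosts that look like command-and-control or exfiltration relays
(T1090.001). Added example; flows, ranges, allowlist and threshold are constructed."""
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APPROVED_RELAYS = {"10.0.0.5"}   # assumed: the sanctioned forward proxy
MIN_FAN_IN = 3                   # assumed threshold; tune to the environment


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def score_relays(flows):
    """flows: dicts with src, dst, dport, bytes. A candidate relay is an internal
    host that (a) accepts connections from >= MIN_FAN_IN distinct internal peers
    on one port, (b) itself sends traffic to external addresses, and (c) serves
    peers that have no external egress of their own."""
    peers_by_port = defaultdict(lambda: defaultdict(set))   # dst -> dport -> {src}
    egress_bytes = defaultdict(int)                         # host -> bytes sent externally
    for f in flows:
        src, dst = f["src"], f["dst"]
        if is_internal(src) and is_internal(dst):
            peers_by_port[dst][f["dport"]].add(src)
        elif is_internal(src):
            egress_bytes[src] += f["bytes"]

    findings = []
    for host, ports in peers_by_port.items():
        if host in APPROVED_RELAYS or egress_bytes[host] == 0:
            continue   # allowlisted, or cannot be the Internet-facing hop
        for port, srcs in ports.items():
            if len(srcs) < MIN_FAN_IN:
                continue
            isolated = sorted(s for s in srcs if egress_bytes[s] == 0)
            findings.append({
                "host": host, "dport": port,
                "peers": sorted(srcs), "isolated_peers": isolated,
                "egress_bytes": egress_bytes[host],
            })
    # rank: most isolated peers first, then most external egress
    return sorted(findings, key=lambda r: (-len(r["isolated_peers"]), -r["egress_bytes"]))


SAMPLE_FLOWS = [   # constructed sample telemetry, not real flows
    # three workstations in a segment with no Internet route push data to a server
    {"src": "10.10.1.11", "dst": "10.0.2.20", "dport": 443, "bytes": 4_000_000},
    {"src": "10.10.1.12", "dst": "10.0.2.20", "dport": 443, "bytes": 2_500_000},
    {"src": "10.10.1.13", "dst": "10.0.2.20", "dport": 443, "bytes": 3_100_000},
    # the same server then talks out to the Internet
    {"src": "10.0.2.20", "dst": "203.0.113.10", "dport": 443, "bytes": 9_200_000},
    # benign: the sanctioned proxy has the same shape but is allowlisted
    {"src": "10.10.1.11", "dst": "10.0.0.5", "dport": 3128, "bytes": 50_000},
    {"src": "10.10.1.12", "dst": "10.0.0.5", "dport": 3128, "bytes": 60_000},
    {"src": "10.10.1.13", "dst": "10.0.0.5", "dport": 3128, "bytes": 70_000},
    {"src": "10.0.0.5", "dst": "198.51.100.7", "dport": 443, "bytes": 150_000},
    # benign: file server with fan-in but no egress of its own
    {"src": "10.10.1.11", "dst": "10.0.2.30", "dport": 445, "bytes": 800_000},
    {"src": "10.10.1.12", "dst": "10.0.2.30", "dport": 445, "bytes": 700_000},
    {"src": "10.10.1.13", "dst": "10.0.2.30", "dport": 445, "bytes": 600_000},
]

if __name__ == "__main__":
    for r in score_relays(SAMPLE_FLOWS):
        print(f"{r['host']}:{r['dport']} peers={len(r['peers'])} "
              f"isolated={len(r['isolated_peers'])} egress={r['egress_bytes']}")
```

The allowlist is where the tuning caveat lives: management tunnels, jump hosts, and update servers all share this shape, so populate it from the CMDB and review it, rather than suppressing by port. Byte volume in versus out on the candidate is a useful second-stage check, since a relay that forwards exfiltration carries comparable ingress and egress.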
Mitigation priorities
- Harden and monitor Windows authentication infrastructure first, especially domain controllers and password filter DLL configuration paths.
- Restrict and review administrative rights that can modify authentication components or install system-level DLLs.
- Segment and monitor internal network paths so compromised hosts cannot easily function as command-and-control relays.
- Maintain endpoint visibility and forensic readiness across Windows, Linux, macOS, ESXi, and network devices where the related techniques list platform relevance.
- Use change control and compliance evidence for authentication systems, proxy infrastructure, and privileged administration to support incident scoping and audit readiness.
Analyst notes and limits
The object is a group entry, not a procedure-level incident report. The strongest defensive value comes from the supplied relationships: Strider uses Remsec, Internal Proxy, Password Filter DLL, and Hidden File System. The alias ProjectSauron is also used in the references for both the group and the related malware platform, so analysts should be precise when separating group, malware, and technique evidence in reporting.
ATT&CK does not provide platforms, tactics, labels, or official detection text directly on the Strider group object. Country targeting and activity timing are taken only from the official description. Local exposure, current activity, attribution confidence, and detection effectiveness cannot be concluded from these fields alone and require environment-specific telemetry and threat intelligence validation.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1090.001 | Internal Proxy | Strider has used local servers with both local network and Internet access to act as internal proxy nodes to exfiltrate data from other parts of the network without direct Internet access. [2] |
| Enterprise | T1556.002 | Password Filter DLL | Strider has registered its persistence module on domain controllers as a Windows LSA (Local Security Authority) password filter to acquire credentials any time a domain, local user, or administrator logs in or changes a password. [3] |
| Enterprise | T1564.005 | Hidden File System | Strider has used a hidden file system that is stored as a file on disk. [3] |
Groups, software, and campaigns
S0125: Remsec
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 49276e8055ef… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Symantec Strider Blog. Symantec Security Response. (2016, August 7). Strider: Cyberespionage group turns eye of Sauron on targets. Retrieved August 17, 2016.
- [2] Kaspersky ProjectSauron Blog. Kaspersky Lab's Global Research & Analysis Team. (2016, August 8). ProjectSauron: top level cyber-espionage platform covertly extracts encrypted government comms. Retrieved August 17, 2016.
- [3] Kaspersky ProjectSauron Full Report. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 17, 2016.
- [4] ProjectSauron (alias). ProjectSauron is used to refer both to the threat group also known as G0041 and to the malware platform also known as S0125. [2] [3]
- [5] Strider (alias). [1] [2]
- [6] MITRE ATT&CK G0041 (external ID reference).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.