S0125: Remsec
Analyst context for executives and security teams
Remsec is a Windows modular backdoor described by ATT&CK as primarily espionage-oriented and used by Strider. Its value for defenders is not a single signature; it is the behavior set around long-running access: credential access from the SAM, extensive host and network discovery, Lua-based execution, persistence via scheduled tasks, DLL injection, multiple command-and-control protocol options, and exfiltration paths including USB/removable media. For leaders, this makes Remsec a useful planning case for whether the organization can find quiet, modular intrusion activity before it turns into data loss or prolonged unauthorized access.
Executive priority
Prioritize this as a readiness and assurance question: can Windows endpoint, identity, network, removable-media, and incident-response controls prove they would expose an espionage-style backdoor that blends discovery, credential access, persistence, and exfiltration? The business risk is strongest where sensitive data, government communications, restricted networks, or air-gapped/USB-dependent workflows exist. Budget and audit discussions should focus on evidence of coverage across credential protection, endpoint logging, scheduled task governance, removable media control, DNS/web/mail egress visibility, and response procedures for suspected long-dwell backdoors.
Technical view
Validate coverage around the ATT&CK relationships rather than relying on an official Remsec detection, because none is provided. On Windows hosts, review detections for SAM access or dumping behavior, scheduled task creation or modification, DLL injection indicators, keylogging-like input capture, Lua script or embedded Lua execution where unusual, process/file/user/system/network discovery bursts, file deletion after tool activity, and use of legitimate-looking names or locations. Network teams should validate visibility for web, mail, and DNS command-and-control patterns and unencrypted non-C2 exfiltration. IR teams should include removable media and USB exfiltration handling in scoping, especially when investigating segmented or disconnected environments.
Likely telemetry
- Windows endpoint process creation, command-line, parent/child process, module load, and script execution telemetry
- Windows Registry and file access events relevant to SAM credential material
- Scheduled task creation, modification, and execution records
- Endpoint detection telemetry for process injection, DLL loading, suspicious file placement, and file deletion
- Authentication and local account context for discovered or targeted users
Detection direction
- Build detections from the related behaviors: credential access from SAM, discovery clustering, scheduled task persistence, DLL injection, Lua execution, C2 over common application protocols, file cleanup, and removable-media collection or exfiltration.
- Correlate low-severity discovery events with higher-risk events such as SAM access, new scheduled tasks, process injection, or unusual outbound DNS/web/mail traffic from the same host or user context.
- Tune for administrative false positives: system inventory tools, vulnerability scanners, help desk scripts, backup agents, and legitimate scheduled tasks can resemble portions of the behavior. Require baselines and change context.
- Validate blind spots around encrypted or encoded files, legitimate-looking file names or locations, and activity that uses common protocols rather than obviously malicious ports.
- For USB scenarios, confirm whether device events are collected at all; many SOCs lack sufficient telemetry to connect removable media insertion to file collection and exfiltration.
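The correlation approach described above, as an added example that is not part of the original page or of ATT&CK: a small Python routine that groups normalized Windows endpoint events by host and user context, treats discovery events as low-severity on their own, and raises an alert only when a high-risk event (SAM access, a new scheduled task, process injection, unusual egress) lands within a time window of a discovery burst spanning several distinct categories. The sample events, the event field names, the category labels and the `inventory-agent.exe` baseline allowlist are all constructed for this illustration; the allowlist models the administrative false positives noted in the list, and it is deliberately applied only to discovery, so a baselined tool still cannot mask a high-risk event.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the page): normalized endpoint events
# carrying a host, a user context, the originating image and a behaviour label
# such as a SIEM or EDR rule set would assign.
SAMPLE_EVENTS = [
    # WS-17: discovery burst, then persistence and SAM access in the same context
    {"ts": "2024-05-01T09:00:05", "host": "WS-17", "user": "jdoe", "image": "cmd.exe", "kind": "sys_info"},
    {"ts": "2024-05-01T09:01:10", "host": "WS-17", "user": "jdoe", "image": "net.exe", "kind": "user_list"},
    {"ts": "2024-05-01T09:02:00", "host": "WS-17", "user": "jdoe", "image": "ipconfig.exe", "kind": "net_config"},
    {"ts": "2024-05-01T09:03:30", "host": "WS-17", "user": "jdoe", "image": "netstat.exe", "kind": "net_connections"},
    {"ts": "2024-05-01T09:10:00", "host": "WS-17", "user": "jdoe", "image": "schtasks.exe", "kind": "scheduled_task_create"},
    {"ts": "2024-05-01T09:12:45", "host": "WS-17", "user": "jdoe", "image": "reg.exe", "kind": "sam_access"},
    # SRV-02: same mix, but the discovery comes from a baselined inventory agent
    {"ts": "2024-05-01T09:00:00", "host": "SRV-02", "user": "svc_inv", "image": "inventory-agent.exe", "kind": "sys_info"},
    {"ts": "2024-05-01T09:00:01", "host": "SRV-02", "user": "svc_inv", "image": "inventory-agent.exe", "kind": "user_list"},
    {"ts": "2024-05-01T09:00:02", "host": "SRV-02", "user": "svc_inv", "image": "inventory-agent.exe", "kind": "net_config"},
    {"ts": "2024-05-01T09:05:00", "host": "SRV-02", "user": "svc_inv", "image": "inventory-agent.exe", "kind": "scheduled_task_create"},
    # WS-22: discovery only, nothing higher-risk to correlate with
    {"ts": "2024-05-01T10:00:00", "host": "WS-22", "user": "asmith", "image": "tasklist.exe", "kind": "process_list"},
    {"ts": "2024-05-01T10:00:30", "host": "WS-22", "user": "asmith", "image": "whoami.exe", "kind": "sys_info"},
    {"ts": "2024-05-01T10:01:00", "host": "WS-22", "user": "asmith", "image": "net.exe", "kind": "user_list"},
    # WS-31: discovery and a high-risk event, but hours apart
    {"ts": "2024-05-01T08:00:00", "host": "WS-31", "user": "bchen", "image": "cmd.exe", "kind": "sys_info"},
    {"ts": "2024-05-01T08:00:20", "host": "WS-31", "user": "bchen", "image": "arp.exe", "kind": "net_config"},
    {"ts": "2024-05-01T08:00:40", "host": "WS-31", "user": "bchen", "image": "netstat.exe", "kind": "net_connections"},
    {"ts": "2024-05-01T11:00:00", "host": "WS-31", "user": "bchen", "image": "reg.exe", "kind": "sam_access"},
]

# Coarse behaviour categories; the labels are this example's own, not ATT&CK IDs.
DISCOVERY_KINDS = {"sys_info", "user_list", "net_config", "net_connections", "process_list"}
HIGH_RISK_KINDS = {"sam_access", "scheduled_task_create", "process_injection", "unusual_egress"}
# Hypothetical allowlist of images whose discovery activity is expected on this estate.
BASELINE_IMAGES = {"inventory-agent.exe", "vulnscan.exe"}


def _parse(ts):
    return datetime.fromisoformat(ts)


def correlate(events, window=timedelta(minutes=30), min_discovery_kinds=3,
              baseline_images=BASELINE_IMAGES):
    """Return one alert per (host, user) context in which a high-risk event falls
    within `window` of a discovery burst covering at least `min_discovery_kinds`
    distinct categories. Discovery from baselined images is ignored; high-risk
    events are never filtered, so an allowlisted tool cannot hide them."""
    by_context = defaultdict(list)
    for e in events:
        by_context[(e["host"], e["user"])].append(e)

    alerts = []
    for (host, user), ctx_events in sorted(by_context.items()):
        ctx_events.sort(key=lambda e: e["ts"])
        discovery = [e for e in ctx_events
                     if e["kind"] in DISCOVERY_KINDS and e["image"] not in baseline_images]
        high_risk = [e for e in ctx_events if e["kind"] in HIGH_RISK_KINDS]
        hits, seen_discovery = [], set()
        for hr in high_risk:
            t = _parse(hr["ts"])
            nearby = {d["kind"] for d in discovery if abs(_parse(d["ts"]) - t) <= window}
            if len(nearby) >= min_discovery_kinds:
                hits.append(hr["kind"])
                seen_discovery |= nearby
        if hits:
            alerts.append({
                "host": host,
                "user": user,
                "discovery_kinds": sorted(seen_discovery),
                "high_risk_kinds": sorted(set(hits)),
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, only WS-17 alerts: WS-22 never crosses the high-risk threshold, WS-31's discovery is outside the window, and SRV-02's discovery is baselined. Widening `window` or emptying `baseline_images` changes which contexts fire, which is the knob a SOC tunes against its own change records and inventory schedules.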
Mitigation priorities
- Harden credential access first: restrict administrative rights, protect local account material, and alert on SAM access patterns that require elevated privileges.
- Control persistence and execution paths: monitor and govern scheduled tasks, suspicious DLL loading, unusual script execution, and unapproved interpreters such as Lua where not expected.
- Improve egress governance: log and restrict outbound DNS, web, mail, and unencrypted protocols according to business need, with host attribution for investigations.
- Apply removable media policy and monitoring where sensitive or segmented environments depend on USB workflows.
- Strengthen endpoint visibility on Windows systems, especially for process, file, registry, module load, and persistence events.
Analyst notes and limits
ATT&CK identifies Remsec as a modular backdoor used by Strider and notes that many modules are written in Lua. The relationship set is broad and spans credential access, discovery, collection, stealth, execution, persistence, privilege escalation, command-and-control, and exfiltration. The strongest defensive value is to use Remsec as a coverage exercise for espionage-style Windows intrusion behavior, not as proof of current activity in any environment.
The official ATT&CK object lists Windows as the platform but does not specify tactics or provide official detection guidance. External references are limited to the supplied Kaspersky and Symantec reporting citations. This take does not assert active exploitation, customer exposure, or guaranteed detection. Local asset criticality, logging depth, egress architecture, USB policy, and baseline administrative behavior are required to determine actual risk and coverage.
Remsec
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1055.001 | Dynamic-link Library Injection Sub-technique | Remsec can perform DLL injection. (Citation: Kaspersky ProjectSauron Technical Analysis) |
| Enterprise | T1068 | Exploitation for Privilege Escalation | Remsec has a plugin to drop and execute vulnerable Outpost Sandbox or avast! Virtualization drivers in order to gain kernel mode privileges. (Citation: Kaspersky ProjectSauron Technical Analysis) |
| Enterprise | T1052.001 | Exfiltration over USB Sub-technique | Remsec contains a module to move data from airgapped networks to Internet-connected systems by using a removable USB device. (Citation: Kaspersky ProjectSauron Full Report) |
| Enterprise | T1083 | File and Directory Discovery | |
| Enterprise | T1686.003 | Windows Host Firewall Sub-technique | Remsec can add or remove applications or ports on the Windows firewall or disable it entirely. (Citation: Kaspersky ProjectSauron Technical Analysis) |
| Enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol Sub-technique | Remsec can exfiltrate data via a DNS tunnel or email, separately from its C2 channel. (Citation: Kaspersky ProjectSauron Full Report) |
| Enterprise | T1049 | System Network Connections Discovery | Remsec can obtain a list of active connections and open ports. (Citation: Kaspersky ProjectSauron Technical Analysis) |
| Enterprise | T1070.004 | File Deletion Sub-technique | Remsec is capable of deleting files on the victim. It also securely removes itself after collecting and exfiltrating data. (Citation: Symantec Remsec IOCs) (Citation: Kaspersky ProjectSauron Full Report) (Citation: Kaspersky ProjectSauron Technical Analysis) |
| Enterprise | T1056.001 | Keylogging Sub-technique | Remsec contains a keylogger component. (Citation: Symantec Remsec IOCs) (Citation: Kaspersky ProjectSauron Technical Analysis) |
| Enterprise | T1057 | Process Discovery | Remsec can obtain a process list from the victim. (Citation: Kaspersky ProjectSauron Technical Analysis) |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | Some data in Remsec is encrypted using RC5 in CBC mode, AES-CBC with a hardcoded key, RC4, or Salsa20. Some data is also base64-encoded. (Citation: Symantec Remsec IOCs) (Citation: Kaspersky ProjectSauron Technical Analysis) |
| Enterprise | T1556.002 | Password Filter DLL Sub-technique | Remsec harvests plain-text credentials as a password filter registered on domain controllers. (Citation: Kaspersky ProjectSauron Full Report) |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | The Remsec loader implements itself with the name Security Support Provider, a legitimate Windows function. Various Remsec .exe files mimic legitimate file names used by Microsoft, Symantec, Kaspersky, Hewlett-Packard, and VMware. Remsec also disguised malicious modules using filenames similar to those of custom network encryption software on victims. (Citation: ComputerWeekly Strider) (Citation: Kaspersky ProjectSauron Full Report) |
| Enterprise | T1095 | Non-Application Layer Protocol | Remsec is capable of using ICMP, TCP, and UDP for C2. (Citation: Symantec Remsec IOCs) (Citation: Kaspersky ProjectSauron Full Report) |
| Enterprise | T1018 | Remote System Discovery | Remsec can ping or traceroute a remote host. (Citation: Kaspersky ProjectSauron Technical Analysis) |
| Enterprise | T1071.003 | Mail Protocols Sub-technique | Remsec is capable of using SMTP for C2. (Citation: Symantec Remsec IOCs) (Citation: Kaspersky ProjectSauron Full Report) (Citation: Kaspersky ProjectSauron Technical Analysis) (Citation: Threatpost Sauron) |
| Enterprise | T1059.011 | Lua Sub-technique | Remsec can use modules written in Lua for execution. (Citation: Kaspersky Lua) |
| Enterprise | T1105 | Ingress Tool Transfer | Remsec contains a network loader to receive executable modules from remote attackers and run them on the local victim. It can also upload and download files over HTTP and HTTPS. (Citation: Symantec Remsec IOCs) (Citation: Kaspersky ProjectSauron Technical Analysis) |
| Enterprise | T1003.002 | Security Account Manager Sub-technique | Remsec can dump the SAM database. (Citation: Kaspersky ProjectSauron Technical Analysis) |
| Enterprise | T1025 | Data from Removable Media | Remsec has a package that collects documents from any inserted USB sticks. (Citation: Kaspersky ProjectSauron Technical Analysis) |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | Remsec schedules the execution of one of its modules by creating a new scheduler task. (Citation: Kaspersky ProjectSauron Technical Analysis) |
| Enterprise | T1082 | System Information Discovery | Remsec can obtain the OS version information, computer name, processor architecture, machine role, and OS edition. (Citation: Kaspersky ProjectSauron Technical Analysis) |
| Enterprise | T1087.001 | Local Account Sub-technique | Remsec can obtain a list of users. (Citation: Kaspersky ProjectSauron Technical Analysis) |
| Enterprise | T1016 | System Network Configuration Discovery | Remsec can obtain information about network configuration, including the routing table, ARP cache, and DNS cache. (Citation: Kaspersky ProjectSauron Technical Analysis) |
| Enterprise | T1033 | System Owner/User Discovery | Remsec can obtain information about the current user. (Citation: Kaspersky ProjectSauron Technical Analysis) |
| Enterprise | T1652 | Device Driver Discovery | Remsec has a plugin to detect active drivers of some security products. (Citation: Kaspersky ProjectSauron Technical Analysis) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Remsec is capable of using HTTP and HTTPS for C2. (Citation: Symantec Remsec IOCs) (Citation: Kaspersky ProjectSauron Full Report) (Citation: Kaspersky ProjectSauron Technical Analysis) |
| Enterprise | T1046 | Network Service Discovery | Remsec has a plugin that can perform ARP scanning as well as port scanning. (Citation: Kaspersky ProjectSauron Technical Analysis) |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | Remsec has a plugin to detect security products via active drivers. (Citation: Kaspersky ProjectSauron Technical Analysis) |
| Enterprise | T1071.004 | DNS Sub-technique | Remsec is capable of using DNS for C2. (Citation: Symantec Remsec IOCs) (Citation: Kaspersky ProjectSauron Full Report) (Citation: Kaspersky ProjectSauron Technical Analysis) |
Groups, software, and campaigns
G0041: Strider
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.5 | | Current bundle | c15f99ff2a8b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Symantec Strider Blog. Symantec Security Response. (2016, August 7). Strider: Cyberespionage group turns eye of Sauron on targets. Retrieved August 17, 2016.
- [2] Kaspersky ProjectSauron Blog. Kaspersky Lab's Global Research & Analysis Team. (2016, August 8). ProjectSauron: top level cyber-espionage platform covertly extracts encrypted government comms. Retrieved August 17, 2016.
- [3] ProjectSauron. ProjectSauron is used to refer both to the threat group also known as G0041 as well as the malware platform also known as S0125. (Citation: Kaspersky ProjectSauron Blog)
- [4] mitre-attack S0125.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.