Strider is a threat group that has been active since at least 2011 and has targeted victims in Russia, China, Sweden, Belgium, Iran, and Rwanda.
Disclaimer: We present this mapping to stimulate thinking about active defense options to combat this adversary, not to present all possibilities. We invite you to use this as a guide and add your own use cases for applying Shield techniques to counter each adversary action.
Note: All ATT&CK Group sub-technique mappings have been remapped to their parent technique and were derived from Group Technique mappings in ATT&CK v8.
ATT&CK Technique | Opportunity Space | AD Technique | Use Case |
---|---|---|---|
T1090 - Proxy | There is an opportunity to block an adversary that is seeking to use a proxied connection. | DTE0026 - Network Manipulation | A defender could block traffic to known anonymity networks and C2 infrastructure through the use of network allow and block lists. |
T1556 - Modify Authentication Process | There is an opportunity to use security controls on systems in order to affect the success of an adversary. | DTE0032 - Security Controls | A defender could implement security controls to force an adversary to modify the authentication process if they want to collect or utilize credentials on a system. |
T1556 - Modify Authentication Process | There is an opportunity to monitor logs on a system for common ways adversaries behave and detect on that activity. | DTE0034 - System Activity Monitoring | A defender could monitor logs off-system in order to detect adversary activities even when logs have been deleted on the system. |
T1564 - Hide Artifacts | There is an opportunity to block an adversary's intended action and force them to reveal additional TTPs. | DTE0036 - Software Manipulation | A defender can manipulate commands on a system so that an adversary is unable to hide artifacts in the ways they normally would. |
T1564 - Hide Artifacts | There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. | DTE0034 - System Activity Monitoring | A defender could monitor for known commands used to hide artifacts on a system and for activity associated with those hidden artifacts. |
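The two DTE0034 rows above (off-system log monitoring for T1556, and monitoring for commands that hide artifacts for T1564) are the kind of detection content a defender would run on a log collector rather than on the endpoint. The script below is an added illustration of that, not MITRE Shield content and not anything attributed to Strider: it consumes a stream of forwarded Sysmon and Security events, flags changes to the LSA registry values that load DLLs into the authentication path (for example a password filter appended to Notification Packages), flags command lines that set hidden attributes, write into NTFS alternate data streams or request a hidden PowerShell window, and flags a Security log being cleared on the host so the analyst knows the forwarded copy is now the only record. The flat per-event field names, every sample event and the `passflt` DLL name are constructed for the example.

```python
"""Off-system detection for Modify Authentication Process (T1556) and
Hide Artifacts (T1564) over forwarded endpoint telemetry.

Added example for this mapping; not Shield or Strider tooling. The event
layout (one flat dict per forwarded Sysmon/Security event) and all sample
events are constructed here and are an assumption about the log pipeline."""
import re
from dataclasses import dataclass

# Registry values (matched as case-insensitive suffixes) under
# HKLM\SYSTEM\...\Control\Lsa that list DLLs LSASS loads on the
# authentication path. Appending a DLL here is how a password filter or
# security package gets to see credentials at logon or password change.
LSA_DLL_VALUES = (
    r"\control\lsa\notification packages",
    r"\control\lsa\authentication packages",
    r"\control\lsa\security packages",
    r"\control\lsa\osconfig\security packages",
)
# Winlogon key whose DWORD values (one per account) hide accounts from the logon UI.
HIDDEN_USER_KEY = "\\winlogon\\specialaccounts\\userlist\\"

# Command-line patterns for common ways of hiding artifacts.
ATTRIB_HIDE = re.compile(r"\battrib(?:\.exe)?\b.*\+[hs]\b", re.I)          # attrib +h / +s
ADS_WRITE = re.compile(r">\s*\"?[a-z]:\\[^\s\":]+:[^\s\"\\]+", re.I)       # redirect into file:stream
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I)          # PowerShell hidden window


@dataclass(frozen=True)
class Finding:
    host: str
    technique: str
    reason: str


def detect(evt):
    """Return the findings for one forwarded event (empty list if benign)."""
    host, chan, eid = evt["host"], evt["channel"], evt["event_id"]
    findings = []
    if chan == "Security" and eid == 1102:  # "The audit log was cleared"
        findings.append(Finding(host, "log cleared",
                                "Security log cleared on host; the forwarded copy is now the only record"))
        return findings
    if chan != "Sysmon":
        return findings
    if eid == 13:  # RegistryEvent (Value Set)
        key = evt["target_object"].lower()
        if any(key.endswith(v) for v in LSA_DLL_VALUES):
            findings.append(Finding(host, "T1556",
                f"LSA package list changed by {evt['image']}: {evt['target_object']} = {evt['details']}"))
        if HIDDEN_USER_KEY in key:
            findings.append(Finding(host, "T1564", f"account hidden from logon UI: {evt['target_object']}"))
    elif eid == 1:  # ProcessCreate
        cmd = evt["command_line"]
        checks = ((ATTRIB_HIDE, "hidden/system attribute set"),
                  (ADS_WRITE, "write into NTFS alternate data stream"),
                  (HIDDEN_WINDOW, "PowerShell hidden window"))
        for pattern, why in checks:
            if pattern.search(cmd):
                findings.append(Finding(host, "T1564", f"{why}: {cmd}"))
    return findings


def analyze(events):
    """Run detect() over the whole forwarded stream, preserving event order."""
    return [f for evt in events for f in detect(evt)]


def findings_by_host(events):
    """Group findings per host so a cleared log shows up next to what preceded it."""
    grouped = {}
    for f in analyze(events):
        grouped.setdefault(f.host, []).append(f)
    return grouped


# Constructed sample stream: four hostile events, one log-clear, two benign events.
SAMPLE_EVENTS = [
    {"host": "DC01", "channel": "Sysmon", "event_id": 13, "image": r"C:\Windows\regedit.exe",
     "target_object": r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages",
     "details": "scecli rassfm passflt"},  # passflt is a made-up DLL name
    {"host": "WS07", "channel": "Sysmon", "event_id": 1, "image": r"C:\Windows\System32\attrib.exe",
     "command_line": r"attrib +s +h C:\ProgramData\cache"},
    {"host": "WS07", "channel": "Sysmon", "event_id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c type C:\Users\Public\a.bin > C:\Users\Public\notes.txt:data.bin"},
    {"host": "WS07", "channel": "Sysmon", "event_id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -WindowStyle Hidden -NoProfile -File C:\Users\Public\update.ps1"},
    {"host": "WS12", "channel": "Sysmon", "event_id": 13, "image": r"C:\Windows\regedit.exe",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\svc_backup",
     "details": "DWORD (0x00000000)"},
    {"host": "DC01", "channel": "Security", "event_id": 1102},
    {"host": "WS03", "channel": "Sysmon", "event_id": 1, "image": r"C:\Windows\System32\attrib.exe",
     "command_line": r"attrib -r C:\Users\alice\report.docx"},  # benign
    {"host": "WS03", "channel": "Sysmon", "event_id": 13,
     "image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "target_object": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},  # benign
]

if __name__ == "__main__":
    for host, host_findings in findings_by_host(SAMPLE_EVENTS).items():
        print(host)
        for f in host_findings:
            print(f"  [{f.technique}] {f.reason}")
```

The point of grouping per host is the second DTE0034 row: DC01's Notification Packages change is still visible on the collector after the host's own Security log is cleared, and the clear itself becomes a finding. The regexes are deliberately narrow (an `attrib -r` or a normal Run-key write produce nothing); in production they would be tuned against the environment's baseline of legitimate `attrib`, ADS and hidden-window usage before alerting on them.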