Куда я попал?

SECURITM это SGRC система, автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Подробнее

Storm-1811

Storm-1811 is a financially-motivated entity linked to Black Basta ransomware deployment. Storm-1811 is notable for unique phishing and social engineering mechanisms for initial access, such as overloading victim email inboxes with non-malicious spam to prompt a fake "help desk" interaction leading to the deployment of adversary tools and capabilities.(Citation: Microsoft Storm-1811 2024)(Citation: rapid7-email-bombing)(Citation: RedCanary Storm-1811 2024)(Citation: RedCanary June Insights 2024)

ID: G1046

Associated Groups:

Created: 14 Mar 2025

Last Modified: 14 Mar 2025

Name	Description
Associated Group Descriptions

Domain	ID		Name	Use
Techniques Used
Enterprise	T1087	.002	Account Discovery: Domain Account	Storm-1811 has performed domain account enumeration during intrusions.(Citation: Microsoft Storm-1811 2024)
Enterprise	T1583	.001	Acquire Infrastructure: Domains	Storm-1811 has created domains for use with RMM tools.(Citation: rapid7-email-bombing)
Enterprise	T1547	.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	Storm-1811 has created Windows Registry Run keys that execute various batch scripts to establish persistence on victim devices.(Citation: rapid7-email-bombing)
Enterprise	T1059	.001	Command and Scripting Interpreter: PowerShell	Storm-1811 has used PowerShell for multiple purposes, such as using PowerShell scripts executing in an infinite loop to create an SSH connection to a command and control server.(Citation: rapid7-email-bombing)
		.003	Command and Scripting Interpreter: Windows Command Shell	Storm-1811 has used multiple batch scripts during initial access and subsequent actions on victim machines.(Citation: Microsoft Storm-1811 2024)(Citation: rapid7-email-bombing)
Enterprise	T1074	.001	Data Staged: Local Data Staging	Storm-1811 has locally staged captured credentials for subsequent manual exfiltration.(Citation: rapid7-email-bombing)
Enterprise	T1585	.003	Establish Accounts: Cloud Accounts	Storm-1811 has created malicious accounts to enable activity via Microsoft Teams, typically spoofing various IT support and helpdesk themes.(Citation: Microsoft Storm-1811 2024)
Enterprise	T1048	.002	Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Storm-1811 has exfiltrated captured user credentials via Secure Copy Protocol (SCP).(Citation: rapid7-email-bombing)
Enterprise	T1222	.001	File and Directory Permissions Modification: Windows File and Directory Permissions Modification	Storm-1811 has used `cacls.exe` via batch script to modify file and directory permissions in victim environments.(Citation: rapid7-email-bombing)
Enterprise	T1574	.001	Hijack Execution Flow: DLL	Storm-1811 has deployed a malicious DLL (7z.DLL) that is sideloaded by a modified, legitimate installer (7zG.exe) when that installer is executed with an additional command line parameter of `b` at runtime to load a Cobalt Strike beacon payload.(Citation: rapid7-email-bombing)
Enterprise	T1036	.005	Masquerading: Match Legitimate Resource Name or Location	Storm-1811 has disguised Cobalt Strike installers as a malicious DLL masquerading as part of a legitimate 7zip installation package.(Citation: rapid7-email-bombing)
		.010	Masquerading: Masquerade Account Name	Storm-1811 has created Microsoft Teams accounts that spoof IT support and helpdesk members for use in application and voice phishing.(Citation: Microsoft Storm-1811 2024)
Enterprise	T1027	.013	Obfuscated Files or Information: Encrypted/Encoded File	Storm-1811 XOR encodes a Cobalt Strike installation payload in a DLL file that is decoded with a hardcoded key when called by a legitimate 7zip installation process.(Citation: rapid7-email-bombing)
Enterprise	T1588	.002	Obtain Capabilities: Tool	Storm-1811 acquired various legitimate and malicious tools, such as RMM software and commodity malware packages, for operations.(Citation: Microsoft Storm-1811 2024)(Citation: rapid7-email-bombing)
Enterprise	T1566	.002	Phishing: Spearphishing Link	Storm-1811 has distributed malicious links to victims that redirect to EvilProxy-based phishing sites to harvest credentials.(Citation: Microsoft Storm-1811 2024)
		.003	Phishing: Spearphishing via Service	Storm-1811 has used Microsoft Teams to send messages and initiate voice calls to victims posing as IT support personnel.(Citation: Microsoft Storm-1811 2024)
		.004	Phishing: Spearphishing Voice	Storm-1811 has initiated voice calls with victims posing as IT support to prompt users to download and execute scripts and other tools for initial access.(Citation: Microsoft Storm-1811 2024)(Citation: rapid7-email-bombing)(Citation: RedCanary Storm-1811 2024)
Enterprise	T1219	.002	Remote Access Tools: Remote Desktop Software	Storm-1811 has abused multiple types of legitimate remote access software and tools, such as ScreenConnect, NetSupport Manager, and AnyDesk.(Citation: Microsoft Storm-1811 2024)(Citation: rapid7-email-bombing)
Enterprise	T1021	.002	Remote Services: SMB/Windows Admin Shares	Storm-1811 has attempted to move laterally in victim environments via SMB using Impacket.(Citation: rapid7-email-bombing)
		.004	Remote Services: SSH	Storm-1811 has used OpenSSH to establish an SSH tunnel to victims for persistent access.(Citation: Microsoft Storm-1811 2024)
Enterprise	T1204	.002	User Execution: Malicious File	Storm-1811 has prompted users to execute downloaded software and payloads as the result of social engineering activity.(Citation: Microsoft Storm-1811 2024)(Citation: rapid7-email-bombing)(Citation: RedCanary Storm-1811 2024)

ID	Name	References	Techniques
Software
S0357	Impacket	(Citation: Impacket Tools) (Citation: rapid7-email-bombing)	LLMNR/NBT-NS Poisoning and SMB Relay, Network Sniffing, Kerberoasting, Ccache Files, NTDS, Service Execution, LSASS Memory, Windows Management Instrumentation, Security Account Manager, Lateral Tool Transfer, LSA Secrets
S0190	BITSAdmin	(Citation: Microsoft BITSAdmin) (Citation: Microsoft Storm-1811 2024) (Citation: RedCanary June Insights 2024)	Lateral Tool Transfer, Exfiltration Over Unencrypted Non-C2 Protocol, Ingress Tool Transfer, BITS Jobs
S1070	Black Basta	(Citation: Avertium Black Basta June 2022) (Citation: Cyble Black Basta May 2022) (Citation: Deep Instinct Black Basta August 2022) (Citation: Microsoft Storm-1811 2024) (Citation: Minerva Labs Black Basta May 2022) (Citation: NCC Group Black Basta June 2022) (Citation: Palo Alto Networks Black Basta August 2022) (Citation: rapid7-email-bombing)	Inhibit System Recovery, System Information Discovery, Safe Mode Boot, Code Signing, Virtualization/Sandbox Evasion, Internal Defacement, Remote System Discovery, Modify Registry, File and Directory Discovery, Data Encrypted for Impact, Debugger Evasion, Malicious File, Linux and Mac File and Directory Permissions Modification, Windows Command Shell, System Service Discovery, System Checks, PowerShell, Windows Service, Windows Management Instrumentation, Binary Padding, Native API, System Shutdown/Reboot, Match Legitimate Resource Name or Location, Mutual Exclusion, Masquerade Task or Service
S0154	Cobalt Strike	(Citation: cobaltstrike manual) (Citation: Microsoft Storm-1811 2024) (Citation: rapid7-email-bombing)	Domain Fronting, Sudo and Sudo Caching, Code Signing, Scheduled Transfer, JavaScript, Remote Desktop Protocol, Native API, Pass the Hash, Domain Accounts, Indicator Removal from Tools, Bypass User Account Control, System Network Configuration Discovery, Service Execution, PowerShell, Web Protocols, Application Layer Protocol, Data from Local System, Disable or Modify Tools, Dynamic-link Library Injection, Local Accounts, Multiband Communication, Keylogging, Distributed Component Object Model, Process Discovery, BITS Jobs, Process Hollowing, Software Discovery, Local Accounts, BITS Jobs, Remote Desktop Protocol, Internal Proxy, Exploitation for Privilege Escalation, Screen Capture, Process Argument Spoofing, Modify Registry, Domain Groups, System Network Connections Discovery, Protocol or Service Impersonation, Parent PID Spoofing, Token Impersonation/Theft, Protocol Tunneling, Windows Service, Visual Basic, Native API, Parent PID Spoofing, Process Injection, System Service Discovery, Timestomp, System Network Configuration Discovery, SSH, File and Directory Discovery, DNS, Token Impersonation/Theft, DNS, Bypass User Account Control, Process Hollowing, Scheduled Transfer, Security Account Manager, Local Groups, PowerShell, SSH, Python, Reflective Code Loading, Remote System Discovery, LSASS Memory, Screen Capture, Commonly Used Port, Query Registry, Domain Account, Data Transfer Size Limits, Network Service Discovery, Pass the Hash, Domain Accounts, Network Share Discovery, Web Protocols, Asymmetric Cryptography, Windows Command Shell, Process Injection, Browser Session Hijacking, Deobfuscate/Decode Files or Information, Remote System Discovery, Visual Basic, Protocol Tunneling, Exploitation for Privilege Escalation, Windows Management Instrumentation, Keylogging, Browser Session Hijacking, Windows Remote Management, Symmetric Cryptography, Non-Application Layer Protocol, Standard Encoding, Ingress Tool Transfer, Indicator Removal from Tools, Domain Account, Internal Proxy, Service Execution, Windows Remote Management, SMB/Windows Admin Shares, Rundll32, Windows Service, File Transfer Protocols, Python, SMB/Windows Admin Shares, Windows Management Instrumentation, Security Account Manager, Make and Impersonate Token, Exploitation for Client Execution, Network Service Discovery, Timestomp, Distributed Component Object Model, Multiband Communication, Commonly Used Port, Network Share Discovery, Custom Command and Control Protocol, Process Discovery, Make and Impersonate Token, Data from Local System, Office Template Macros, Windows Command Shell, Obfuscated Files or Information
S0650	QakBot	(Citation: ATT QakBot April 2021) (Citation: Kaspersky QakBot September 2021) (Citation: Microsoft Storm-1811 2024) (Citation: Pinkslipbot) (Citation: QBot) (Citation: QuackBot) (Citation: Red Canary Qbot) (Citation: Trend Micro Qakbot December 2020)	Regsvr32, Hidden Files and Directories, System Checks, Remote System Discovery, Data from Local System, External Proxy, PowerShell, Windows Command Shell, Security Software Discovery, Native API, Binary Padding, Windows Service, Domain Generation Algorithms, File and Directory Discovery, Registry Run Keys / Startup Folder, Fileless Storage, Masquerade File Type, Network Share Discovery, Process Hollowing, JavaScript, Msiexec, Deobfuscate/Decode Files or Information, Local Email Collection, Malicious Link, System Time Discovery, Malicious File, Exfiltration Over C2 Channel, System Owner/User Discovery, HTML Smuggling, Internet Connection Discovery, Symmetric Cryptography, Command Obfuscation, Web Protocols, Code Signing, Obfuscated Files or Information, Exploitation of Remote Services, Process Discovery, Local Groups, DLL, System Network Configuration Discovery, Steal Web Session Cookie, Process Injection, Domain Trust Discovery, Local Data Staging, Brute Force, Mark-of-the-Web Bypass, Browser Session Hijacking, Time Based Evasion, Ingress Tool Transfer, Peripheral Device Discovery, Non-Application Layer Protocol, Spearphishing Link, Indicator Removal from Tools, Modify Registry, Spearphishing Attachment, Keylogging, Replication Through Removable Media, Standard Encoding, Visual Basic, System Information Discovery, Windows Management Instrumentation, Application Window Discovery, Software Discovery, System Network Connections Discovery, Scheduled Task, Rundll32, Protocol Tunneling, Credentials from Web Browsers, Software Packing, Disable or Modify Tools, File Deletion
S1209	Quick Assist	(Citation: Microsoft Quick Assist 2024) (Citation: Microsoft Storm-1811 2024)	Web Protocols, Screen Capture, Video Capture
S0029	PsExec	(Citation: Microsoft Storm-1811 2024) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec)	SMB/Windows Admin Shares, Windows Service, Lateral Tool Transfer, Service Execution, Domain Account

References

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.

Storm-1811

Associated Group Descriptions

Techniques Used

Software

References