
Storm-1811

Storm-1811 is a financially motivated threat actor linked to Black Basta ransomware deployment. Storm-1811 is notable for unusual phishing and social engineering mechanisms for initial access, such as flooding victim email inboxes with non-malicious spam (email bombing) to set up a fake "help desk" interaction that leads to the deployment of adversary tools and capabilities.(Citation: Microsoft Storm-1811 2024)(Citation: rapid7-email-bombing)(Citation: RedCanary Storm-1811 2024)(Citation: RedCanary June Insights 2024)
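The email-bombing lure described above is visible in mail-gateway telemetry before any help-desk call happens: one mailbox suddenly receives far more inbound mail, from far more distinct senders, than its baseline. The following is an added example (not code from the ATT&CK entry, Microsoft, Rapid7 or Red Canary) of a sliding-window detector for that burst. The log format, the mailbox names and the thresholds (30 messages from at least 10 distinct senders within 10 minutes) are assumptions; the log itself is constructed inline so the block runs offline.

```python
"""Sliding-window detection of email bombing in a mail-gateway log (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _constructed_log():
    """Constructed sample log, one '<ISO timestamp> <recipient> <sender>' per line.

    bob receives ordinary traffic (6 messages over an hour from 3 senders);
    alice is hit with 45 sign-up confirmations from 45 different sites in under 4 minutes.
    """
    base = datetime(2025, 3, 14, 9, 0, 0)
    lines = [
        f"{(base + timedelta(minutes=10 * i)).isoformat()} bob@corp.example sender{i % 3}@vendor.example"
        for i in range(6)
    ]
    lines += [
        f"{(base + timedelta(seconds=5 * i)).isoformat()} alice@corp.example noreply@site{i:02d}.example"
        for i in range(45)
    ]
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()


def parse_log(text):
    """Parse log lines into (timestamp, recipient, sender) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, recipient, sender = line.split()
        events.append((datetime.fromisoformat(ts), recipient.lower(), sender.lower()))
    events.sort(key=lambda e: e[0])
    return events


def detect_email_bombing(events, window=timedelta(minutes=10), threshold=30, min_senders=10):
    """Return {recipient: {...}} for mailboxes whose inbound volume in any sliding
    window reaches `threshold`. Requiring many distinct senders separates a
    subscription bomb (hundreds of unrelated senders) from one noisy automated sender.
    """
    recent = defaultdict(deque)  # recipient -> deque of (timestamp, sender) inside the window
    alerts = {}
    for ts, recipient, sender in events:
        q = recent[recipient]
        q.append((ts, sender))
        while q and ts - q[0][0] > window:  # drop messages that fell out of the window
            q.popleft()
        senders = {s for _, s in q}
        if len(q) >= threshold and len(senders) >= min_senders:
            a = alerts.setdefault(recipient, {"messages": 0, "distinct_senders": 0, "first_alert": ts})
            a["messages"] = max(a["messages"], len(q))
            a["distinct_senders"] = max(a["distinct_senders"], len(senders))
    return alerts


if __name__ == "__main__":
    for mailbox, info in detect_email_bombing(parse_log(SAMPLE_LOG)).items():
        print(f"{mailbox}: {info['messages']} messages from {info['distinct_senders']} senders, "
              f"first alert at {info['first_alert'].isoformat()}")
```

An alert on a mailbox is the cue to warn that user that any unsolicited "IT support" contact (Teams message, call, Quick Assist request) in the following hours is part of the same attack, and to have them route it through the real help desk.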
ID: G1046
Associated Groups: 
Version: 1.0
Created: 14 Mar 2025
Last Modified: 14 Mar 2025

Associated Group Descriptions

Name Description

Techniques Used

Domain ID Name Use
Enterprise T1087 .002 Account Discovery: Domain Account

Storm-1811 has performed domain account enumeration during intrusions.(Citation: Microsoft Storm-1811 2024)

Enterprise T1583 .001 Acquire Infrastructure: Domains

Storm-1811 has created domains for use with RMM tools.(Citation: rapid7-email-bombing)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Storm-1811 has created Windows Registry Run keys that execute various batch scripts to establish persistence on victim devices.(Citation: rapid7-email-bombing)
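Run-key persistence that points at a batch script stands out because legitimate Run values almost always launch an executable, not a `.bat`/`.cmd` file or a `cmd.exe /c` wrapper. The block below is an added example (not from the ATT&CK entry or the cited reports) of hunting logic over registry-set events; the pipe-delimited event format is a simplification of Sysmon Event ID 13 (RegistryEvent SetValue), and every path, SID and value name in the sample events is constructed.

```python
"""Hunt Run/RunOnce registry values that launch batch scripts (added example)."""
import re

# Run or RunOnce under HKLM or any user hive; the value name is the last path component.
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)
# A drive-letter path ending in .bat/.cmd, or an explicit cmd.exe /c|/k invocation.
SCRIPT_RE = re.compile(r"[A-Za-z]:\\[^\s\"']*?\.(?:bat|cmd)\b", re.IGNORECASE)
CMD_RE = re.compile(r"\bcmd(?:\.exe)?\s+/[ck]\b", re.IGNORECASE)

# Constructed events in a simplified "field=value|field=value" form modelled on Sysmon Event ID 13.
SAMPLE_EVENTS = [
    r"EventID=13|Image=C:\Windows\System32\reg.exe|TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater|Details=C:\Users\Public\update.bat",
    r"EventID=13|Image=C:\Windows\System32\cmd.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svc|Details=cmd.exe /c C:\ProgramData\s.cmd",
    r'EventID=13|Image=C:\Program Files\Vendor\setup.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray|Details="C:\Program Files\Vendor\tray.exe" /minimized',
    r"EventID=13|Image=C:\Windows\explorer.exe|TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden|Details=DWORD (0x00000001)",
]


def parse_event(line):
    """Split 'a=b|c=d' into a dict; values may contain spaces and further '=' signs."""
    return dict(field.split("=", 1) for field in line.split("|"))


def find_batch_run_keys(events):
    """Return one finding per Run/RunOnce value whose data launches a batch script."""
    findings = []
    for line in events:
        ev = parse_event(line)
        if ev.get("EventID") != "13":
            continue
        key_match = RUN_KEY_RE.search(ev.get("TargetObject", ""))
        if not key_match:
            continue
        details = ev.get("Details", "")
        script = SCRIPT_RE.search(details)
        if not script and not CMD_RE.search(details):
            continue  # an ordinary Run value pointing at an .exe
        findings.append({
            "key": key_match.group("key"),
            "value_name": key_match.group("value"),
            "hive_path": ev["TargetObject"],
            "set_by": ev.get("Image", ""),
            "command": details,
            "script": script.group(0) if script else None,
        })
    return findings


if __name__ == "__main__":
    for f in find_batch_run_keys(SAMPLE_EVENTS):
        print(f"{f['key']}\\{f['value_name']} set by {f['set_by']}: {f['command']}")
```

The `set_by` field matters for triage: a Run value written by `reg.exe` or `cmd.exe` (as a batch script would do) is far more suspicious than one written by an installer, and the script path tells you what to collect before the host is cleaned.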

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Storm-1811 has used PowerShell for multiple purposes, such as a PowerShell script that loops indefinitely to establish (and re-establish) an SSH connection to a command and control server.(Citation: rapid7-email-bombing)

.003 Command and Scripting Interpreter: Windows Command Shell

Storm-1811 has used multiple batch scripts during initial access and subsequent actions on victim machines.(Citation: Microsoft Storm-1811 2024)(Citation: rapid7-email-bombing)

Enterprise T1074 .001 Data Staged: Local Data Staging

Storm-1811 has locally staged captured credentials for subsequent manual exfiltration.(Citation: rapid7-email-bombing)

Enterprise T1585 .003 Establish Accounts: Cloud Accounts

Storm-1811 has created malicious accounts to enable activity via Microsoft Teams, typically spoofing various IT support and helpdesk themes.(Citation: Microsoft Storm-1811 2024)

Enterprise T1048 .002 Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

Storm-1811 has exfiltrated captured user credentials via Secure Copy Protocol (SCP).(Citation: rapid7-email-bombing)

Enterprise T1222 .001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Storm-1811 has used `cacls.exe` via batch script to modify file and directory permissions in victim environments.(Citation: rapid7-email-bombing)

Enterprise T1574 .001 Hijack Execution Flow: DLL

Storm-1811 has deployed a malicious DLL (7z.DLL) that is sideloaded by a modified, legitimate 7-Zip installer (7zG.exe); when the installer is executed with the additional command-line parameter `b`, the DLL loads a Cobalt Strike Beacon payload.(Citation: rapid7-email-bombing)

Enterprise T1036 .005 Masquerading: Match Legitimate Resource Name or Location

Storm-1811 has disguised a Cobalt Strike loader as a malicious DLL masquerading as a component of a legitimate 7-Zip installation package.(Citation: rapid7-email-bombing)
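The two entries above (the 7z.DLL sideload by 7zG.exe run with `b`, and the masquerade as a 7-Zip component) give a detection engineer a correlation to build rather than a single indicator: a `7zG.exe` process created with a bare `b` argument, joined to a `7z.dll` image load from a directory that is not the 7-Zip install directory or that is unsigned. The argument alone is a weak signal, because `b` is also 7-Zip's own benchmark command. The block below is an added example (not code from the ATT&CK entry or the Rapid7 report) of that correlation over constructed process-creation and image-load events; the install directories, user paths and PIDs are assumptions.

```python
"""Correlate 7zG.exe launched with 'b' to an out-of-place or unsigned 7z.dll load (added example)."""
import ntpath
import shlex

# Assumption: standard 7-Zip install locations; anything else is treated as untrusted.
TRUSTED_DIRS = {r"c:\program files\7-zip", r"c:\program files (x86)\7-zip"}

# Constructed telemetry (shape loosely follows Sysmon ProcessCreate / ImageLoad events).
SAMPLE_EVENTS = [
    # Legitimate benchmark run from the installed copy: same 'b' argument, signed DLL in place.
    {"type": "ProcessCreate", "pid": 4120, "image": r"C:\Program Files\7-Zip\7zG.exe",
     "cmdline": r'"C:\Program Files\7-Zip\7zG.exe" b', "parent": r"C:\Windows\explorer.exe"},
    {"type": "ImageLoad", "pid": 4120, "loaded": r"C:\Program Files\7-Zip\7z.dll", "signed": True},
    # Suspicious: copy of 7zG.exe in a user-writable directory, 'b' argument, unsigned 7z.dll beside it.
    {"type": "ProcessCreate", "pid": 5288, "image": r"C:\Users\jdoe\Downloads\7zG.exe",
     "cmdline": r"C:\Users\jdoe\Downloads\7zG.exe b", "parent": r"C:\Windows\System32\cmd.exe"},
    {"type": "ImageLoad", "pid": 5288, "loaded": r"C:\Users\jdoe\Downloads\7z.dll", "signed": False},
    # Benign: ordinary extraction from the installed copy.
    {"type": "ProcessCreate", "pid": 6011, "image": r"C:\Program Files\7-Zip\7zG.exe",
     "cmdline": r'"C:\Program Files\7-Zip\7zG.exe" x archive.7z', "parent": r"C:\Windows\explorer.exe"},
    {"type": "ImageLoad", "pid": 6011, "loaded": r"C:\Program Files\7-Zip\7z.dll", "signed": True},
]


def _args(cmdline):
    """Arguments after the image token. posix=False keeps Windows backslashes intact
    and leaves quotes on the token, so they are stripped afterwards."""
    parts = shlex.split(cmdline, posix=False)
    return [p.strip('"') for p in parts[1:]]


def _dir(path):
    return ntpath.dirname(path).lower()


def score_7zip_sideload(events):
    """Return {pid: {...}} for 7zG.exe processes launched with a bare 'b' argument
    that also show at least one location/signature anomaly on the binary or its 7z.dll."""
    procs = {}
    for ev in events:
        if ev["type"] == "ProcessCreate" and ntpath.basename(ev["image"]).lower() == "7zg.exe":
            rec = {"image": ev["image"], "parent": ev["parent"], "reasons": []}
            if [a.lower() for a in _args(ev["cmdline"])] == ["b"]:
                rec["reasons"].append("launched with bare 'b' argument")
            if _dir(ev["image"]) not in TRUSTED_DIRS:
                rec["reasons"].append("7zG.exe outside install directory")
            procs[ev["pid"]] = rec
    for ev in events:
        if ev["type"] != "ImageLoad" or ev["pid"] not in procs:
            continue
        if ntpath.basename(ev["loaded"]).lower() != "7z.dll":
            continue
        rec = procs[ev["pid"]]
        if _dir(ev["loaded"]) not in TRUSTED_DIRS:
            rec["reasons"].append("7z.dll loaded from outside install directory")
        if not ev.get("signed", False):
            rec["reasons"].append("7z.dll unsigned")
    return {
        pid: rec for pid, rec in procs.items()
        if len(rec["reasons"]) >= 2 and any("'b'" in r for r in rec["reasons"])
    }


if __name__ == "__main__":
    for pid, rec in score_7zip_sideload(SAMPLE_EVENTS).items():
        print(pid, rec["image"], "<-", rec["parent"], ";", "; ".join(rec["reasons"]))
```

Requiring the `b` launch plus at least one anomaly keeps the legitimate benchmark (pid 4120) quiet while the user-directory copy with an unsigned DLL (pid 5288) is reported with every reason that fired, which is what an analyst needs to decide quickly.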

.010 Masquerading: Masquerade Account Name

Storm-1811 has created Microsoft Teams accounts that spoof IT support and helpdesk members for use in application and voice phishing.(Citation: Microsoft Storm-1811 2024)

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Storm-1811 has XOR-encoded a Cobalt Strike payload inside a DLL; the payload is decoded with a hardcoded key when the DLL is loaded by a legitimate 7-Zip installer process.(Citation: rapid7-email-bombing)
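A repeating-key XOR with a hardcoded key, as described above, is weak against known plaintext: a PE file's DOS header has 32 reserved bytes (offsets 0x1C to 0x3B) that are zero in normal binaries, so the ciphertext at those offsets is the key stream itself, and the `MZ` signature, the DOS-stub string and the `PE\0\0` signature at `e_lfanew` confirm the candidate. The block below is an added example (not from the ATT&CK entry or the Rapid7 report, and the key used is constructed, not the actor's) of recovering such a key from an encoded payload without knowing it; it recovers any key up to 32 bytes and returns `None` for a longer key or a non-standard header.

```python
"""Recover a hardcoded repeating XOR key from an XOR-encoded PE image (added example)."""


def xor_bytes(data, key):
    """Repeating-key XOR; the same function encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_fake_pe():
    """Constructed minimal PE-shaped blob: standard DOS header, DOS stub, PE signature at 0x80.
    It is only a test vector and would not load; the fields set are the ones a real linker sets."""
    hdr = bytearray(64)
    hdr[0:2] = b"MZ"
    hdr[2:4] = (0x90).to_bytes(2, "little")        # e_cblp
    hdr[4:6] = (3).to_bytes(2, "little")           # e_cp
    hdr[8:10] = (4).to_bytes(2, "little")          # e_cparhdr
    hdr[12:14] = b"\xff\xff"                       # e_maxalloc
    hdr[0x18:0x1A] = (0x40).to_bytes(2, "little")  # e_lfarlc
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")  # e_lfanew -> PE header at 0x80
    stub = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            b"This program cannot be run in DOS mode.\r\r\n$")
    body = bytes(hdr) + stub
    body += b"\x00" * (0x80 - len(body))
    body += b"PE\x00\x00" + b"\x64\x86" + b"\x00" * 58  # COFF header filler (constructed)
    return body


def recover_xor_key(blob, max_len=32):
    """Try key lengths 1..max_len. For each, read the key stream off the zero region
    0x1C..0x3B (32 consecutive offsets cover every residue for lengths <= 32), reject
    lengths that give inconsistent bytes, and validate the decode against PE structure."""
    for length in range(1, max_len + 1):
        known = [None] * length
        consistent = True
        for off in range(0x1C, 0x3C):
            r = off % length
            if known[r] is None:
                known[r] = blob[off]
            elif known[r] != blob[off]:
                consistent = False  # plaintext zeros would give identical bytes here
                break
        if not consistent or any(k is None for k in known):
            continue
        key = bytes(known)
        dec = xor_bytes(blob, key)
        lfanew = int.from_bytes(dec[0x3C:0x40], "little")
        if (dec[:2] == b"MZ"
                and b"This program cannot be run in DOS mode" in dec[:0x100]
                and dec[lfanew:lfanew + 4] == b"PE\x00\x00"):
            return key
    return None


CONSTRUCTED_KEY = b"k3yStorm"  # constructed for this example; not a key from any report

if __name__ == "__main__":
    encoded = xor_bytes(build_fake_pe(), CONSTRUCTED_KEY)
    print("recovered key:", recover_xor_key(encoded))
```

The same idea applies when the encoded payload is embedded in a resource or an appended blob: find a candidate region whose length matches a PE, run the recovery, and you have the stage-two payload without executing the loader.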

Enterprise T1588 .002 Obtain Capabilities: Tool

Storm-1811 acquired various legitimate and malicious tools, such as RMM software and commodity malware packages, for operations.(Citation: Microsoft Storm-1811 2024)(Citation: rapid7-email-bombing)

Enterprise T1566 .002 Phishing: Spearphishing Link

Storm-1811 has distributed malicious links to victims that redirect to EvilProxy-based phishing sites to harvest credentials.(Citation: Microsoft Storm-1811 2024)

.003 Phishing: Spearphishing via Service

Storm-1811 has used Microsoft Teams to send messages and initiate voice calls to victims posing as IT support personnel.(Citation: Microsoft Storm-1811 2024)

.004 Phishing: Spearphishing Voice

Storm-1811 has initiated voice calls with victims posing as IT support to prompt users to download and execute scripts and other tools for initial access.(Citation: Microsoft Storm-1811 2024)(Citation: rapid7-email-bombing)(Citation: RedCanary Storm-1811 2024)

Enterprise T1219 .002 Remote Access Tools: Remote Desktop Software

Storm-1811 has abused multiple types of legitimate remote access software and tools, such as ScreenConnect, NetSupport Manager, and AnyDesk.(Citation: Microsoft Storm-1811 2024)(Citation: rapid7-email-bombing)

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Storm-1811 has attempted to move laterally in victim environments via SMB using Impacket.(Citation: rapid7-email-bombing)

.004 Remote Services: SSH

Storm-1811 has used OpenSSH to establish an SSH tunnel to victims for persistent access.(Citation: Microsoft Storm-1811 2024)

Enterprise T1204 .002 User Execution: Malicious File

Storm-1811 has prompted users to execute downloaded software and payloads as the result of social engineering activity.(Citation: Microsoft Storm-1811 2024)(Citation: rapid7-email-bombing)(Citation: RedCanary Storm-1811 2024)

Software

ID Name References Techniques
S0357 Impacket (Citation: Impacket Tools) (Citation: rapid7-email-bombing) Windows Management Instrumentation, Security Account Manager, LSA Secrets, Network Sniffing, Ccache Files, LLMNR/NBT-NS Poisoning and SMB Relay, LSASS Memory, Lateral Tool Transfer, NTDS, Service Execution, Kerberoasting
S0190 BITSAdmin (Citation: Microsoft BITSAdmin) (Citation: Microsoft Storm-1811 2024) (Citation: RedCanary June Insights 2024) Lateral Tool Transfer, BITS Jobs, Ingress Tool Transfer, Exfiltration Over Unencrypted Non-C2 Protocol
S1070 Black Basta (Citation: Avertium Black Basta June 2022) (Citation: Cyble Black Basta May 2022) (Citation: Deep Instinct Black Basta August 2022) (Citation: Microsoft Storm-1811 2024) (Citation: Minerva Labs Black Basta May 2022) (Citation: NCC Group Black Basta June 2022) (Citation: Palo Alto Networks Black Basta August 2022) (Citation: rapid7-email-bombing) Windows Management Instrumentation, Linux and Mac File and Directory Permissions Modification, Match Legitimate Resource Name or Location, Malicious File, Safe Mode Boot, Windows Service, System Checks, System Service Discovery, Code Signing, System Information Discovery, Native API, Mutual Exclusion, Modify Registry, Binary Padding, File and Directory Discovery, Masquerade Task or Service, Virtualization/Sandbox Evasion, Internal Defacement, PowerShell, Data Encrypted for Impact, Windows Command Shell, Remote System Discovery, Debugger Evasion, Inhibit System Recovery, System Shutdown/Reboot
S0154 Cobalt Strike (Citation: Microsoft Storm-1811 2024) (Citation: cobaltstrike manual) (Citation: rapid7-email-bombing) Windows Management Instrumentation, Screen Capture, Rundll32, Standard Encoding, Keylogging, JavaScript, Bypass User Account Control, Sudo and Sudo Caching, Security Account Manager, DNS, Domain Account, Symmetric Cryptography, Windows Service, Domain Groups, SSH, System Service Discovery, Code Signing, Network Share Discovery, Application Layer Protocol, Native API, Data from Local System, Deobfuscate/Decode Files or Information, Process Injection, Timestomp, Reflective Code Loading, Scheduled Transfer, SMB/Windows Admin Shares, Protocol Tunneling, Browser Session Hijacking, Modify Registry, Windows Remote Management, LSASS Memory, Distributed Component Object Model, System Network Configuration Discovery, Office Template Macros, File and Directory Discovery, System Network Connections Discovery, Token Impersonation/Theft, Make and Impersonate Token, Process Discovery, Parent PID Spoofing, PowerShell, Multiband Communication, File Transfer Protocols, Local Groups, Disable or Modify Tools, Indicator Removal from Tools, Process Hollowing, Exploitation for Privilege Escalation, Obfuscated Files or Information, Exploitation for Client Execution, Asymmetric Cryptography, Non-Application Layer Protocol, Protocol or Service Impersonation, Query Registry, Data Transfer Size Limits, Domain Accounts, BITS Jobs, Domain Fronting, Python, Windows Command Shell, Web Protocols, Visual Basic, Remote System Discovery, Network Service Discovery, Software Discovery, Pass the Hash, Ingress Tool Transfer, Remote Desktop Protocol, Service Execution, Dynamic-link Library Injection, Internal Proxy, Custom Command and Control Protocol, Commonly Used Port, Local Accounts, Process Argument Spoofing
S0650 QakBot (Citation: ATT QakBot April 2021) (Citation: Kaspersky QakBot September 2021) (Citation: Microsoft Storm-1811 2024) (Citation: Pinkslipbot) (Citation: QBot) (Citation: QuackBot) (Citation: Red Canary Qbot) (Citation: Trend Micro Qakbot December 2020) Scheduled Task, Windows Management Instrumentation, Fileless Storage, System Owner/User Discovery, Rundll32, Standard Encoding, Keylogging, JavaScript, Steal Web Session Cookie, Domain Generation Algorithms, Internet Connection Discovery, Local Data Staging, Local Email Collection, Masquerade File Type, Malicious File, Symmetric Cryptography, Windows Service, System Checks, Spearphishing Link, Spearphishing Attachment, DLL, Code Signing, Network Share Discovery, Peripheral Device Discovery, System Information Discovery, Msiexec, Native API, Replication Through Removable Media, Data from Local System, Deobfuscate/Decode Files or Information, Process Injection, Application Window Discovery, Time Based Evasion, Protocol Tunneling, Browser Session Hijacking, Modify Registry, Credentials from Web Browsers, Binary Padding, External Proxy, System Network Configuration Discovery, Domain Trust Discovery, File and Directory Discovery, System Network Connections Discovery, Mark-of-the-Web Bypass, Process Discovery, Exfiltration Over C2 Channel, PowerShell, Exploitation of Remote Services, Registry Run Keys / Startup Folder, Local Groups, Brute Force, Disable or Modify Tools, Indicator Removal from Tools, Process Hollowing, Obfuscated Files or Information, Regsvr32, Non-Application Layer Protocol, Security Software Discovery, Windows Command Shell, HTML Smuggling, Command Obfuscation, File Deletion, Software Packing, Web Protocols, Visual Basic, Remote System Discovery, Software Discovery, Ingress Tool Transfer, Hidden Files and Directories, Malicious Link, System Time Discovery
S1209 Quick Assist (Citation: Microsoft Quick Assist 2024) (Citation: Microsoft Storm-1811 2024) Screen Capture, Video Capture, Web Protocols
S0029 PsExec (Citation: Microsoft Storm-1811 2024) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) Windows Service, SMB/Windows Admin Shares, Domain Account, Lateral Tool Transfer, Service Execution
