Storm-1811
[Storm-1811](https://attack.mitre.org/groups/G1046) is a financially-motivated entity linked to [Black Basta](https://attack.mitre.org/software/S1070) ransomware deployment. [Storm-1811](https://attack.mitre.org/groups/G1046) is notable for unique phishing and social engineering mechanisms for initial access, such as overloading victim email inboxes with non-malicious spam to prompt a fake "help desk" interaction leading to the deployment of adversary tools and capabilities.(Citation: Microsoft Storm-1811 2024)(Citation: rapid7-email-bombing)(Citation: RedCanary Storm-1811 2024)(Citation: RedC...
Techniques: 32 | Covered: 26 | Gaps: 6 | Coverage: 81% (26/32)
GAPS (6)
COVERED (26)
| Technique ID | Name | Detections |
|---|---|---|
| T1021.002 | SMB/Windows Admin Shares | 73 |
| T1021.004 | SSH | 34 |
| T1027.013 | Encrypted/Encoded File | 8 |
| T1033 | System Owner/User Discovery | 61 |
| T1036 | Masquerading | 525 |
| T1036.005 | Match Legitimate Resource Name or Location | 44 |
| T1056 | Input Capture | 7 |
| T1059.001 | PowerShell | 368 |
| T1059.003 | Windows Command Shell | 82 |
| T1074.001 | Local Data Staging | 10 |
| T1087.002 | Domain Account | 57 |
| T1105 | Ingress Tool Transfer | 183 |
| T1140 | Deobfuscate/Decode Files or Information | 58 |
| T1204.002 | Malicious File | 425 |
| T1219.002 | Remote Desktop Software | 50 |
| T1222.001 | Windows Permissions | 23 |
| T1482 | Domain Trust Discovery | 41 |
| T1486 | Data Encrypted for Impact | 360 |
| T1547.001 | Registry Run Keys / Startup Folder | 53 |
| T1566.002 | Spearphishing Link | 904 |
| T1566.003 | Spearphishing via Service | 88 |
| T1570 | Lateral Tool Transfer | 22 |
| T1574.001 | DLL | 109 |
| T1583.001 | Domains | 61 |
| T1588.002 | Tool | 13 |
| T1656 | Impersonation | 184 |