EXPLORE
Sign In
← Back to Actors

Storm-1811

Storm-1811

[Storm-1811](https://attack.mitre.org/groups/G1046) is a financially-motivated entity linked to [Black Basta](https://attack.mitre.org/software/S1070) ransomware deployment. [Storm-1811](https://attack.mitre.org/groups/G1046) is notable for unique phishing and social engineering mechanisms for initial access, such as overloading victim email inboxes with non-malicious spam to prompt a fake "help desk" interaction leading to the deployment of adversary tools and capabilities.(Citation: Microsoft Storm-1811 2024)(Citation: rapid7-email-bombing)(Citation: RedCanary Storm-1811 2024)(Citation: RedC...

31
Techniques
26
Covered
5
Gaps
84%
Coverage
Coverage26/31

GAPS (5)

T1036.010Masquerade Account NameT1048.002Exfiltration Over Asymmetric Encrypted Non-C2 ProtocolT1566.004Spearphishing VoiceT1585.003Cloud AccountsT1667Email Bombing

COVERED (26)

T1021.002SMB/Windows Admin Shares67 det.T1021.004SSH31 det.T1027.013Encrypted/Encoded File7 det.T1033System Owner/User Discovery59 det.T1036Masquerading493 det.T1036.005Match Legitimate Resource Name or Location44 det.T1056Input Capture7 det.T1059.001PowerShell338 det.T1059.003Windows Command Shell79 det.T1074.001Local Data Staging10 det.T1087.002Domain Account55 det.T1105Ingress Tool Transfer170 det.T1140Deobfuscate/Decode Files or Information55 det.T1204.002Malicious File397 det.T1219.002Remote Desktop Software48 det.T1222.001Windows File and Directory Permissions Modification22 det.T1482Domain Trust Discovery38 det.T1486Data Encrypted for Impact339 det.T1547.001Registry Run Keys / Startup Folder50 det.T1566.002Spearphishing Link837 det.T1566.003Spearphishing via Service85 det.T1570Lateral Tool Transfer20 det.T1574.001DLL106 det.T1583.001Domains61 det.T1588.002Tool13 det.T1656Impersonation172 det.