| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1134 | Access Token Manipulation | Cuba has used SeDebugPrivilege and AdjustTokenPrivileges to elevate privileges. |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | Cuba has been dropped onto systems and used for lateral movement via obfuscated PowerShell scripts. |
| enterprise | T1059.003 | Windows Command Shell | Cuba has used cmd.exe /c and batch files for execution. |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | Cuba can modify services by using the OpenService and ChangeServiceConfig functions. |
| enterprise | T1486 | Data Encrypted for Impact | Cuba has the ability to encrypt system data and add the ".cuba" extension to encrypted files. |
| enterprise | T1083 | File and Directory Discovery | Cuba can enumerate files by using a variety of functions. |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.003 | Hidden Window | Cuba has executed hidden PowerShell windows. |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | Cuba can use the command cmd.exe /c del to delete its artifacts from the system. |
| enterprise | T1105 | Ingress Tool Transfer | Cuba can download files from its C2 server. |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | Cuba logs keystrokes via polling by using the GetKeyState and VkKeyScan functions. |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Name or Location | Cuba has been disguised as legitimate 360 Total Security Antivirus and OpenVPN programs. |
| enterprise | T1106 | Native API | Cuba has used several built-in API functions for discovery, such as GetIpNetTable and NetShareEnum. |
| enterprise | T1135 | Network Share Discovery | Cuba can discover shared resources using the NetShareEnum API call. |
| enterprise | T1027 | Obfuscated Files or Information | Cuba has used multiple layers of obfuscation to avoid analysis, including its Base64-encoded payload. |
| enterprise | T1027.002 | Software Packing | Cuba has a packed payload when delivered. |
| enterprise | T1057 | Process Discovery | Cuba can enumerate processes running on a victim's machine. |
| enterprise | T1620 | Reflective Code Loading | Cuba loaded the payload into memory using PowerShell. |
| enterprise | T1489 | Service Stop | Cuba has a hardcoded list of services and processes to terminate. |
| enterprise | T1082 | System Information Discovery | Cuba can enumerate local drives, disk type, and disk free space. |
| enterprise | T1614 | System Location Discovery | - |
| enterprise | T1614.001 | System Language Discovery | Cuba can check whether the Russian language is installed on the infected machine by using the GetKeyboardLayoutList function. |
| enterprise | T1016 | System Network Configuration Discovery | Cuba can retrieve the ARP cache from the local system by using GetIpNetTable. |
| enterprise | T1049 | System Network Connections Discovery | Cuba can use the GetIpNetTable function to recover the last connections to the victim's machine. |
| enterprise | T1007 | System Service Discovery | Cuba can query service status using the QueryServiceStatusEx function. |