{
  "description": "Enterprise techniques used by Cuba, ATT&CK software S0625 (v1.0)",
  "name": "Cuba (S0625)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1134", "comment": "[Cuba](https://attack.mitre.org/software/S0625) has enabled SeDebugPrivilege via AdjustTokenPrivileges to elevate its privileges.(Citation: McAfee Cuba April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.001", "comment": "[Cuba](https://attack.mitre.org/software/S0625) has been dropped onto systems, and moved laterally, via obfuscated PowerShell scripts.(Citation: McAfee Cuba April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "[Cuba](https://attack.mitre.org/software/S0625) has used cmd.exe /c and batch files for execution.(Citation: McAfee Cuba April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1543", "showSubtechniques": true},
    {"techniqueID": "T1543.003", "comment": "[Cuba](https://attack.mitre.org/software/S0625) can modify services by using the OpenService and ChangeServiceConfig functions.(Citation: McAfee Cuba April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1486", "comment": "[Cuba](https://attack.mitre.org/software/S0625) has the ability to encrypt system data and add the \".cuba\" extension to encrypted files.(Citation: McAfee Cuba April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1083", "comment": "[Cuba](https://attack.mitre.org/software/S0625) can enumerate files by using a variety of functions.(Citation: McAfee Cuba April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1564", "showSubtechniques": true},
    {"techniqueID": "T1564.003", "comment": "[Cuba](https://attack.mitre.org/software/S0625) has executed PowerShell in hidden windows.(Citation: McAfee Cuba April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1070", "showSubtechniques": true},
    {"techniqueID": "T1070.004", "comment": "[Cuba](https://attack.mitre.org/software/S0625) can use the command cmd.exe /c del to delete its artifacts from the system.(Citation: McAfee Cuba April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1105", "comment": "[Cuba](https://attack.mitre.org/software/S0625) can download files from its C2 server.(Citation: McAfee Cuba April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1056", "showSubtechniques": true},
    {"techniqueID": "T1056.001", "comment": "[Cuba](https://attack.mitre.org/software/S0625) logs keystrokes by polling the GetKeyState and VkKeyScan functions.(Citation: McAfee Cuba April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1036", "showSubtechniques": true},
    {"techniqueID": "T1036.005", "comment": "[Cuba](https://attack.mitre.org/software/S0625) has been disguised as the legitimate 360 Total Security Antivirus and OpenVPN programs.(Citation: McAfee Cuba April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1106", "comment": "[Cuba](https://attack.mitre.org/software/S0625) has used several built-in API functions for discovery, such as GetIpNetTable and NetShareEnum.(Citation: McAfee Cuba April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1135", "comment": "[Cuba](https://attack.mitre.org/software/S0625) can discover shared resources using the NetShareEnum API call.(Citation: McAfee Cuba April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "comment": "[Cuba](https://attack.mitre.org/software/S0625) has used multiple layers of obfuscation to avoid analysis, including a Base64-encoded payload.(Citation: McAfee Cuba April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.002", "comment": "[Cuba](https://attack.mitre.org/software/S0625) has a packed payload when delivered.(Citation: McAfee Cuba April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1057", "comment": "[Cuba](https://attack.mitre.org/software/S0625) can enumerate processes running on a victim's machine.(Citation: McAfee Cuba April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1620", "comment": "[Cuba](https://attack.mitre.org/software/S0625) has loaded its payload into memory using PowerShell.(Citation: McAfee Cuba April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1489", "comment": "[Cuba](https://attack.mitre.org/software/S0625) has a hardcoded list of services and processes to terminate.(Citation: McAfee Cuba April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1082", "comment": "[Cuba](https://attack.mitre.org/software/S0625) can enumerate local drives, disk type, and disk free space.(Citation: McAfee Cuba April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1614", "showSubtechniques": true},
    {"techniqueID": "T1614.001", "comment": "[Cuba](https://attack.mitre.org/software/S0625) can check whether a Russian keyboard layout is installed on the infected machine by calling GetKeyboardLayoutList.(Citation: McAfee Cuba April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1016", "comment": "[Cuba](https://attack.mitre.org/software/S0625) can retrieve the ARP cache from the local system by using GetIpNetTable.(Citation: McAfee Cuba April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1049", "comment": "[Cuba](https://attack.mitre.org/software/S0625) can use the function GetIpNetTable to read the ARP cache and so identify hosts the victim's machine has recently communicated with on the local network.(Citation: McAfee Cuba April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1007", "comment": "[Cuba](https://attack.mitre.org/software/S0625) can query service status using the QueryServiceStatusEx function.(Citation: McAfee Cuba April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by Cuba", "color": "#66b1ff"}]
}
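The layer above records what Cuba does (hidden and Base64-encoded PowerShell, cmd.exe /c del cleanup, binaries named after 360 Total Security and OpenVPN) but not how to look for it. The script below is an added example, not part of the layer or of MITRE's tooling: it reads an abbreviated copy of the layer's JSON, runs a few process-creation detection rules over constructed Sysmon-style events, tags each hit with the matching technique ID, and refuses to emit an ID the layer does not carry. The rules, the regexes, the field names (Image, CommandLine, OriginalFileName) and the sample events are all assumptions made for the example; the encoded command decodes to a harmless constructed fragment.

```python
"""Map constructed process-creation events onto the Cuba Navigator layer.

Added example: the detection rules, the abbreviated layer copy and the sample
events are constructed here; none of it is the page's or MITRE's code.
"""
import base64
import json
import re

# Abbreviated copy of the layer's shape (constructed; the full layer carries
# more techniques). Only techniqueID, comment and score are consulted.
LAYER_JSON = r'''{
 "name": "Cuba (S0625)", "domain": "enterprise-attack",
 "techniques": [
  {"techniqueID": "T1059", "showSubtechniques": true},
  {"techniqueID": "T1059.001", "comment": "obfuscated PowerShell scripts", "score": 1},
  {"techniqueID": "T1059.003", "comment": "cmd.exe /c and batch files", "score": 1},
  {"techniqueID": "T1564.003", "comment": "hidden PowerShell windows", "score": 1},
  {"techniqueID": "T1070.004", "comment": "cmd.exe /c del to delete artifacts", "score": 1},
  {"techniqueID": "T1036.005", "comment": "disguised as 360 Total Security and OpenVPN", "score": 1},
  {"techniqueID": "T1027", "comment": "Base64 encoded payload", "score": 1}
 ]}'''

# Constructed Sysmon-style (Event ID 1) process-creation records, not real telemetry.
# The -Enc blob is UTF-16LE Base64 of the harmless text "IEX (New-Object".
EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c del C:\Users\Public\stage.bat"},
    {"Image": r"C:\ProgramData\OpenVPN\openvpn.exe", "OriginalFileName": "",
     "CommandLine": "openvpn.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe report.txt"},
]

# Product names the layer says Cuba borrowed; a binary carrying one of these
# names whose PE OriginalFileName disagrees with it is suspect (assumed heuristic).
IMPERSONATED = ("openvpn", "360")

HIDDEN_RE = re.compile(r"-w(?:in(?:dowstyle)?)?\s+hidden", re.I)
ENC_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)
DEL_RE = re.compile(r"/c\s+.*\b(?:del|erase)\b", re.I)


def load_scored_techniques(layer_json):
    """Return {techniqueID: comment} for every scored entry of a Navigator layer."""
    layer = json.loads(layer_json)
    return {t["techniqueID"]: t.get("comment", "")
            for t in layer["techniques"] if t.get("score")}


def decode_encoded_command(b64):
    """PowerShell -EncodedCommand carries UTF-16LE text; return it, or None if malformed."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event):
    """Yield (techniqueID, reason) pairs for one process-creation event."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    cmd = event["CommandLine"]
    if image == "powershell.exe":
        if HIDDEN_RE.search(cmd):
            yield "T1564.003", "PowerShell launched with a hidden window"
        m = ENC_RE.search(cmd)
        if m:
            decoded = decode_encoded_command(m.group(1))
            yield "T1027", f"Base64 -EncodedCommand decodes to {decoded!r}"
            yield "T1059.001", "encoded PowerShell command"
    elif image == "cmd.exe" and DEL_RE.search(cmd):
        yield "T1070.004", "cmd.exe /c del removes a file"
    if any(image.startswith(p) for p in IMPERSONATED):
        original = event.get("OriginalFileName", "").lower()
        if image != original:
            yield "T1036.005", f"{image} does not match PE OriginalFileName {original!r}"


def run(events=EVENTS, layer_json=LAYER_JSON):
    """Return ([(event_index, techniqueID, reason)], sorted covered technique IDs).

    Every emitted ID must exist in the layer, so a rule tagged with a typo or a
    technique the layer never claims fails loudly instead of polluting reports.
    """
    techniques = load_scored_techniques(layer_json)
    hits = [(i, tid, why) for i, ev in enumerate(events) for tid, why in classify(ev)]
    unknown = {tid for _, tid, _ in hits} - set(techniques)
    if unknown:
        raise ValueError(f"rules reference IDs absent from the layer: {sorted(unknown)}")
    covered = sorted({tid for _, tid, _ in hits})
    return hits, covered


if __name__ == "__main__":
    hits, covered = run()
    for i, tid, why in hits:
        print(f"event {i}: {tid} - {why}")
    print("layer techniques covered:", covered)
```

Pointing `run()` at real Sysmon Event ID 1 exports and the full layer JSON shows which of the layer's techniques your telemetry can actually see; the layer's discovery entries (GetIpNetTable, NetShareEnum, QueryServiceStatusEx) are API calls with no process-creation footprint and need ETW or EDR API telemetry instead.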