Execute Operator's "Is my host protected against Cuba ransomware?" chain on each host in your environment to test if you are vulnerable.
This chain focuses on Cuba ransomware's recent post-exploitation activity: it first dumps user credentials with Mimikatz, then attempts to initiate a Remote Desktop Protocol (RDP) connection, then attempts to exploit the ZeroLogon vulnerability to gain Domain Administrator privileges, and ends by capturing and staging a series of screenshots prior to exfiltration.
To protect yourself from Cuba ransomware, review CISA's mitigation recommendations for Cuba ransomware and take appropriate measures to reduce the risk of compromise.
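The chain above gives a defender four distinct telemetry points to watch for: a process opening lsass.exe with a dump-capable access mask (Sysmon event 10), an RDP session (Security event 4624, logon type 10), a domain controller machine-account password reset attributed to ANONYMOUS LOGON (Security event 4742, the footprint ZeroLogon leaves), and bulk creation of image files in one location. The following detector, an added example rather than Prelude Operator code or anything from the CISA advisory, classifies simplified Windows Security/Sysmon records into those stages and correlates them across hosts within a time window, since the chain naturally spans a workstation, a server reached over RDP and the DC. Field names follow the Windows/Sysmon event schema; the `SAMPLE_EVENTS`, host names and file paths are constructed for the example.

```python
"""Stage-correlation detector for a credential dump -> RDP -> ZeroLogon ->
screenshot-staging chain. Added example, not Prelude Operator code.
Events are simplified Windows Security / Sysmon records modelled as dicts;
SAMPLE_EVENTS is constructed test data, not real telemetry."""
from datetime import datetime, timedelta

# Access masks commonly requested on lsass.exe by credential dumpers (Sysmon EID 10).
LSASS_SUSPICIOUS_ACCESS = {"0x1010", "0x1410", "0x1438", "0x143a", "0x1fffff"}
SCREENSHOT_EXT = (".png", ".jpg", ".jpeg", ".bmp")


def classify(event):
    """Return the chain stage this single event indicates, or None."""
    src, eid = event["source"], event["event_id"]
    if src == "sysmon" and eid == 10:
        # ProcessAccess: something opened lsass.exe with a dump-capable mask.
        if (event.get("TargetImage", "").lower().endswith("\\lsass.exe")
                and event.get("GrantedAccess", "").lower() in LSASS_SUSPICIOUS_ACCESS):
            return "credential_dump"
    elif src == "security" and eid == 4624 and event.get("LogonType") == 10:
        # LogonType 10 = RemoteInteractive, i.e. an RDP session.
        return "rdp_logon"
    elif src == "security" and eid == 4742:
        # ZeroLogon resets the DC's own machine-account password over an
        # unauthenticated Netlogon channel, so the 4742 subject is ANONYMOUS LOGON.
        if (event.get("SubjectUserName", "").upper() == "ANONYMOUS LOGON"
                and event.get("TargetUserName", "").endswith("$")):
            return "zerologon_reset"
    elif src == "sysmon" and eid == 11:
        # FileCreate of image files: candidate screenshot staging.
        if event.get("TargetFilename", "").lower().endswith(SCREENSHOT_EXT):
            return "screenshot_file"
    return None


def _summarise(segment, min_screenshots):
    """Turn one time-window of stage hits into a finding, or [] if too weak."""
    if not segment:
        return []
    stages = {s for _, s, _ in segment}
    # One image file is normal; only bulk creation counts as staging.
    if sum(1 for _, s, _ in segment if s == "screenshot_file") < min_screenshots:
        stages.discard("screenshot_file")
    if len(stages) < 2:
        return []
    return [{"start": segment[0][0].isoformat(), "end": segment[-1][0].isoformat(),
             "stages": sorted(stages), "hosts": sorted({h for _, _, h in segment})}]


def correlate(events, window=timedelta(hours=2), min_screenshots=3):
    """Correlate stage hits environment-wide: the chain crosses hosts (dump on a
    workstation, RDP to a server, ZeroLogon against the DC), so hits are grouped
    by time window rather than per host. Returns findings with >= 2 stages."""
    hits = []
    for ev in events:
        stage = classify(ev)
        if stage:
            hits.append((datetime.fromisoformat(ev["time"]), stage, ev["host"]))
    hits.sort()
    findings, segment = [], []
    for hit in hits:
        if segment and hit[0] - segment[0][0] > window:
            findings.extend(_summarise(segment, min_screenshots))
            segment = []
        segment.append(hit)
    findings.extend(_summarise(segment, min_screenshots))
    return findings


# Constructed sample telemetry (hosts, users, paths and times are invented).
SAMPLE_EVENTS = [
    {"time": "2022-10-04T09:00:00", "host": "WS01", "source": "sysmon", "event_id": 10,
     "SourceImage": "C:\\Users\\j.doe\\AppData\\Local\\Temp\\x.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"},
    {"time": "2022-10-04T09:06:00", "host": "SRV02", "source": "security", "event_id": 4624,
     "LogonType": 10, "TargetUserName": "j.doe", "IpAddress": "10.0.0.21"},
    {"time": "2022-10-04T09:20:00", "host": "DC01", "source": "security", "event_id": 4742,
     "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$"},
    {"time": "2022-10-04T09:31:00", "host": "SRV02", "source": "sysmon", "event_id": 11,
     "TargetFilename": "C:\\ProgramData\\stage\\shot1.png"},
    {"time": "2022-10-04T09:31:30", "host": "SRV02", "source": "sysmon", "event_id": 11,
     "TargetFilename": "C:\\ProgramData\\stage\\shot2.png"},
    {"time": "2022-10-04T09:32:00", "host": "SRV02", "source": "sysmon", "event_id": 11,
     "TargetFilename": "C:\\ProgramData\\stage\\shot3.png"},
    # Benign noise that must not trip the detector: a console logon and the
    # normal machine-account password rotation performed by the DC itself.
    {"time": "2022-10-04T13:00:00", "host": "WS07", "source": "security", "event_id": 4624,
     "LogonType": 2, "TargetUserName": "a.smith"},
    {"time": "2022-10-04T13:30:00", "host": "DC01", "source": "security", "event_id": 4742,
     "SubjectUserName": "DC01$", "TargetUserName": "SRV02$"},
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

Two design choices matter in practice. The 4742 rule keys on the subject being ANONYMOUS LOGON rather than on any machine-account change, because DCs legitimately rotate computer-account passwords on a schedule; and screenshot staging only counts once several image files appear in one window, because a single `.png` creation is everyday activity. Feed real exports through `classify` first and tune `LSASS_SUSPICIOUS_ACCESS` and `min_screenshots` against your own baseline before relying on `correlate`.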
Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:
Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org
See our open-source repositories: https://github.com/preludeorg
Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg
Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg
David: https://twitter.com/privateducky
Alex: https://twitter.com/khyberspache
Octavia: https://twitter.com/VVX7
Waseem: https://twitter.com/gerbsec