MITRE Shield will be retired on October 18th in favor of MITRE Engage. To learn more, click here.
Mapping To Machete
Machete is a group that has been active since at least 2010, targeting high-profile government entities in Latin American countries.
Disclaimer: We present this mapping to stimulate thinking about active defense options to combat this adversary, not to present all possibilities. We invite you to use this as a guide and add your own use cases for applying Shield techniques to counter each adversary action.
Note: All ATT&CK Group sub-technique mappings have been remapped to their parent technique and were derived from Group Technique mappings in ATT&CK v8.
Details
ATT&CK ID:
G0095
Associated Groups:
Machete, El Machete
Note:
This page uses Adversary Group data from MITRE ATT&CK.
ATT&CK Technique |
Opportunity Space | AD Technique | Use Case |
|---|---|---|---|
| T1025 - Data from Removable Media | In an adversary engagement scenario, there is an opportunity to seed content to influence an adversary's behaviors, test their interest in specific topics, or add legitimacy to a system or environment. | DTE0030 - Pocket Litter | A defender can stage a variety of pocket litter files on an attached storage space. This data may include topics that align to a persona, topics an adversary is interested in, etc. |
| T1025 - Data from Removable Media | In an adversary engagement scenario, there is an opportunity provide content on a variety of topics to see what types of information seems to interest the adversary. | DTE0030 - Pocket Litter | A defender can stage a variety of pocket litter files in order to determine if an adversary is interested in specific file types, subjects, etc. |
| T1027 - Obfuscated Files or Information | In an adversary engagement scenario, there is an opportunity to introduce decoy systems that can influence an adversary's behavior or allow you to observe how they perform a specific task. | DTE0017 - Decoy System | A defender could implement a decoy system to study how and when an adversary obfuscate files and hides information. |
| T1053 - Scheduled Task/Job | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0001 - Admin Access | A defender can enable Admin Access on a system to see if the adversary utilizes that access to create scheduled tasks to launch their malware or tools. |
| T1053 - Scheduled Task/Job | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0017 - Decoy System | A defender can configure a decoy system with limited restrictions to see if the adversary creates or alters scheduled tasks to launch their malware. |
| T1053 - Scheduled Task/Job | There is an opportunity to create a detection with a moderately high probability of success. | DTE0034 - System Activity Monitoring | A defender can capture system activity logs and generate alerts if the adversary creates new scheduled tasks or alters existing tasks. |
| T1059 - Command and Scripting Interpreter | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender can manipulate the output of system commands issued to alter information the adversary might use during their activity. |
| T1059 - Command and Scripting Interpreter | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender can modify the functionality of commands used to delete files so that the files are copied to a safe location before they are deleted. |
| T1059 - Command and Scripting Interpreter | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0034 - System Activity Monitoring | A defender can detect the presence of an adversary by monitoring for processes that are created by commands and/or scripts they execute on a system. |
| T1071 - Application Layer Protocol | There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. | DTE0027 - Network Monitoring | The defender can implement network monitoring for and alert on anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary. |
| T1074 - Data Staged | In an adversary engagement scenario, there is an opportunity to seed content to influence an adversary's behaviors, test their interest in specific topics, or add legitimacy to a system or environment. | DTE0030 - Pocket Litter | A defender can stage a variety of pocket litter files with known hashes around a system. Detections can be put in place if these hashes are seen moving around a system or out of the network. |
| T1204 - User Execution | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0018 - Detonate Malware | A defender can execute adversary malware on a decoy system and examine its behaviors or potentially engage with the adversary to obtain further intelligence. |
| T1547 - Boot or Logon Autostart Execution | There is an opportunity to use tools and controls to stop an adversary's activity. | DTE0006 - Baseline | A defender can store good copies of registry startup keys and restore them on a frequent basis. This can prevent an adversary from using them to launch malware on system startup. |
| T1566 - Phishing | A phishing email can be detected and blocked from arriving at the intended recipient. | DTE0019 - Email Manipulation | A defender can intercept emails that are detected as suspicious or malicious by email detection tools and prevent deliver to the intended target. |
| T1566 - Phishing | A phishing email can be detected and moved from the intended recipient to a decoy account for reading and execution. | DTE0023 - Migrate Attack Vector | A defender can move suspicious emails to a decoy system prior to opening and examining the email. |
| T1566 - Phishing | Users trained and encouraged to report phishing can detect attacks that other defenses do not. | DTE0035 - User Training | A program to train and exercise the anti-phishing skills of users can create "Human Sensors" that help detect phishing attacks. |
| T1566 - Phishing | There is an opportunity to discover who or what is being targeting by an adversary. | DTE0015 - Decoy Persona | A defender can seed information about the decoy persona's personal accounts on systems to see if the adversary collects and uses that information in future activity. |
| T1568 - Dynamic Resolution | If you can determine how an adversary is dynamically resolving command and control (C2) addresses, there is an opportunity to use that information to identify additional adversary infrastructure or tools. | DTE0021 - Hunting | A defender can use information about how an identified dynamic resolution works to hunt for previously undetected adversary resolutions that work in the same manner. |
| T1568 - Dynamic Resolution | An adversary may attempt to dynamically determine the C2 address to communicate with. This gives a defender an opportunity to discover additional infrastructure. | DTE0026 - Network Manipulation | A defender can block primary C2 domains and IPs to determine if the malware or adversary has the ability to reach out to additional infrastructure. |