Mapping To Machete

Machete is a group that has been active since at least 2010, targeting high-profile government entities in Latin American countries.


Disclaimer: We present this mapping to stimulate thinking about active defense options to combat this adversary, not to present all possibilities. We invite you to use this as a guide and add your own use cases for applying Shield techniques to counter each adversary action.

Note: All ATT&CK Group sub-technique mappings have been remapped to their parent technique and were derived from Group Technique mappings in ATT&CK v8.

Details
ATT&CK ID: G0095
Associated Groups:  Machete, El Machete
Note:  This page uses Adversary Group data from MITRE ATT&CK.
ATT&CK Technique Opportunity Space AD Technique Use Case
T1025 - Data from Removable Media In an adversary engagement scenario, there is an opportunity to seed content to influence an adversary's behaviors, test their interest in specific topics, or add legitimacy to a system or environment. DTE0030 - Pocket Litter A defender can stage a variety of pocket litter files on an attached storage space. This data may include topics that align to a persona, topics an adversary is interested in, etc.
T1025 - Data from Removable Media In an adversary engagement scenario, there is an opportunity provide content on a variety of topics to see what types of information seems to interest the adversary. DTE0030 - Pocket Litter A defender can stage a variety of pocket litter files in order to determine if an adversary is interested in specific file types, subjects, etc.
T1027 - Obfuscated Files or Information In an adversary engagement scenario, there is an opportunity to introduce decoy systems that can influence an adversary's behavior or allow you to observe how they perform a specific task. DTE0017 - Decoy System A defender could implement a decoy system to study how and when an adversary obfuscate files and hides information.
T1053 - Scheduled Task/Job There is an opportunity to study the adversary and collect first-hand observations about them and their tools. DTE0001 - Admin Access A defender can enable Admin Access on a system to see if the adversary utilizes that access to create scheduled tasks to launch their malware or tools.
T1053 - Scheduled Task/Job There is an opportunity to study the adversary and collect first-hand observations about them and their tools. DTE0017 - Decoy System A defender can configure a decoy system with limited restrictions to see if the adversary creates or alters scheduled tasks to launch their malware.
T1053 - Scheduled Task/Job There is an opportunity to create a detection with a moderately high probability of success. DTE0034 - System Activity Monitoring A defender can capture system activity logs and generate alerts if the adversary creates new scheduled tasks or alters existing tasks.
T1059 - Command and Scripting Interpreter There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0036 - Software Manipulation A defender can manipulate the output of system commands issued to alter information the adversary might use during their activity.
T1059 - Command and Scripting Interpreter There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0036 - Software Manipulation A defender can modify the functionality of commands used to delete files so that the files are copied to a safe location before they are deleted.
T1059 - Command and Scripting Interpreter There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0034 - System Activity Monitoring A defender can detect the presence of an adversary by monitoring for processes that are created by commands and/or scripts they execute on a system.
T1071 - Application Layer Protocol There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. DTE0027 - Network Monitoring The defender can implement network monitoring for and alert on anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary.
T1074 - Data Staged In an adversary engagement scenario, there is an opportunity to seed content to influence an adversary's behaviors, test their interest in specific topics, or add legitimacy to a system or environment. DTE0030 - Pocket Litter A defender can stage a variety of pocket litter files with known hashes around a system. Detections can be put in place if these hashes are seen moving around a system or out of the network.
T1204 - User Execution There is an opportunity to study the adversary and collect first-hand observations about them and their tools. DTE0018 - Detonate Malware A defender can execute adversary malware on a decoy system and examine its behaviors or potentially engage with the adversary to obtain further intelligence.
T1547 - Boot or Logon Autostart Execution There is an opportunity to use tools and controls to stop an adversary's activity. DTE0006 - Baseline A defender can store good copies of registry startup keys and restore them on a frequent basis. This can prevent an adversary from using them to launch malware on system startup.
T1566 - Phishing A phishing email can be detected and blocked from arriving at the intended recipient. DTE0019 - Email Manipulation A defender can intercept emails that are detected as suspicious or malicious by email detection tools and prevent deliver to the intended target.
T1566 - Phishing A phishing email can be detected and moved from the intended recipient to a decoy account for reading and execution. DTE0023 - Migrate Attack Vector A defender can move suspicious emails to a decoy system prior to opening and examining the email.
T1566 - Phishing Users trained and encouraged to report phishing can detect attacks that other defenses do not. DTE0035 - User Training A program to train and exercise the anti-phishing skills of users can create "Human Sensors" that help detect phishing attacks.
T1566 - Phishing There is an opportunity to discover who or what is being targeting by an adversary. DTE0015 - Decoy Persona A defender can seed information about the decoy persona's personal accounts on systems to see if the adversary collects and uses that information in future activity.
T1568 - Dynamic Resolution If you can determine how an adversary is dynamically resolving command and control (C2) addresses, there is an opportunity to use that information to identify additional adversary infrastructure or tools. DTE0021 - Hunting A defender can use information about how an identified dynamic resolution works to hunt for previously undetected adversary resolutions that work in the same manner.
T1568 - Dynamic Resolution An adversary may attempt to dynamically determine the C2 address to communicate with. This gives a defender an opportunity to discover additional infrastructure. DTE0026 - Network Manipulation A defender can block primary C2 domains and IPs to determine if the malware or adversary has the ability to reach out to additional infrastructure.