{
"description": "Enterprise techniques used by Machete, ATT&CK software S0409 (v2.1)",
"name": "Machete (S0409)",
"domain": "enterprise-attack",
"versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
"techniques": [
{"techniqueID": "T1071", "showSubtechniques": true},
{"techniqueID": "T1071.001", "comment": "[Machete](https://attack.mitre.org/software/S0409) uses HTTP for Command & Control.(Citation: ESET Machete July 2019)(Citation: Cylance Machete Mar 2017)(Citation: 360 Machete Sep 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1071.002", "comment": "[Machete](https://attack.mitre.org/software/S0409) uses FTP for Command & Control.(Citation: ESET Machete July 2019)(Citation: Cylance Machete Mar 2017)(Citation: 360 Machete Sep 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1010", "comment": "[Machete](https://attack.mitre.org/software/S0409) saves the window names.(Citation: ESET Machete July 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1560", "comment": "[Machete](https://attack.mitre.org/software/S0409) stores zipped files with profile data from installed web browsers.(Citation: ESET Machete July 2019)", "score": 1, "showSubtechniques": true},
{"techniqueID": "T1560.003", "comment": "[Machete](https://attack.mitre.org/software/S0409)'s collected data is encrypted with AES before exfiltration.(Citation: ESET Machete July 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1123", "comment": "[Machete](https://attack.mitre.org/software/S0409) captures audio from the computer\u2019s microphone.(Citation: Securelist Machete Aug 2014)(Citation: Cylance Machete Mar 2017)(Citation: 360 Machete Sep 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1020", "comment": "[Machete](https://attack.mitre.org/software/S0409)\u2019s collected files are exfiltrated automatically to remote servers.(Citation: ESET Machete July 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1547", "showSubtechniques": true},
{"techniqueID": "T1547.001", "comment": "[Machete](https://attack.mitre.org/software/S0409) used the startup folder for persistence.(Citation: Securelist Machete Aug 2014)(Citation: Cylance Machete Mar 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1217", "comment": "[Machete](https://attack.mitre.org/software/S0409) retrieves the user profile data (e.g., browsers) from Chrome and Firefox browsers.(Citation: ESET Machete July 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1115", "comment": "[Machete](https://attack.mitre.org/software/S0409) hijacks the clipboard data by creating an overlapped window that listens to keyboard events.(Citation: ESET Machete July 2019)(Citation: Securelist Machete Aug 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1059", "showSubtechniques": true},
{"techniqueID": "T1059.006", "comment": "[Machete](https://attack.mitre.org/software/S0409) is written in Python and is used in conjunction with additional Python scripts.(Citation: ESET Machete July 2019)(Citation: Securelist Machete Aug 2014)(Citation: 360 Machete Sep 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1555", "showSubtechniques": true},
{"techniqueID": "T1555.003", "comment": "[Machete](https://attack.mitre.org/software/S0409) collects stored credentials from several web browsers.(Citation: ESET Machete July 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1132", "showSubtechniques": true},
{"techniqueID": "T1132.001", "comment": "[Machete](https://attack.mitre.org/software/S0409) has used base64 encoding.(Citation: Securelist Machete Aug 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1005", "comment": "[Machete](https://attack.mitre.org/software/S0409) searches the file system for files of interest.(Citation: ESET Machete July 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1025", "comment": "[Machete](https://attack.mitre.org/software/S0409) can find, encrypt, and upload files from fixed and removable drives.(Citation: Cylance Machete Mar 2017)(Citation: ESET Machete July 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1074", "showSubtechniques": true},
{"techniqueID": "T1074.001", "comment": "[Machete](https://attack.mitre.org/software/S0409) stores files and logs in a folder on the local drive.(Citation: ESET Machete July 2019)(Citation: Cylance Machete Mar 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1140", "comment": "[Machete](https://attack.mitre.org/software/S0409)\u2019s downloaded data is decrypted using AES.(Citation: ESET Machete July 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1573", "showSubtechniques": true},
{"techniqueID": "T1573.001", "comment": "[Machete](https://attack.mitre.org/software/S0409) has used AES to exfiltrate documents.(Citation: ESET Machete July 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1573.002", "comment": "[Machete](https://attack.mitre.org/software/S0409) has used TLS-encrypted FTP to exfiltrate data.(Citation: Cylance Machete Mar 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1041", "comment": "[Machete](https://attack.mitre.org/software/S0409)'s collected data is exfiltrated over the same channel used for C2.(Citation: ESET Machete July 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1052", "showSubtechniques": true},
{"techniqueID": "T1052.001", "comment": "[Machete](https://attack.mitre.org/software/S0409) has a feature to copy files from every drive onto a removable drive in a hidden folder.(Citation: ESET Machete July 2019)(Citation: Securelist Machete Aug 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1008", "comment": "[Machete](https://attack.mitre.org/software/S0409) has sent data over HTTP if FTP failed, and has also used a fallback server.(Citation: ESET Machete July 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1083", "comment": "[Machete](https://attack.mitre.org/software/S0409) produces file listings in order to search for files to be exfiltrated.(Citation: ESET Machete July 2019)(Citation: Cylance Machete Mar 2017)(Citation: 360 Machete Sep 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1564", "showSubtechniques": true},
{"techniqueID": "T1564.001", "comment": "[Machete](https://attack.mitre.org/software/S0409) has the capability to exfiltrate stolen data to a hidden folder on a removable drive.(Citation: ESET Machete July 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1070", "showSubtechniques": true},
{"techniqueID": "T1070.004", "comment": "Once a file is uploaded, [Machete](https://attack.mitre.org/software/S0409) will delete it from the machine.(Citation: ESET Machete July 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1105", "comment": "[Machete](https://attack.mitre.org/software/S0409) can download additional files for execution on the victim\u2019s machine.(Citation: ESET Machete July 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1056", "showSubtechniques": true},
{"techniqueID": "T1056.001", "comment": "[Machete](https://attack.mitre.org/software/S0409) logs keystrokes from the victim\u2019s machine.(Citation: ESET Machete July 2019)(Citation: Securelist Machete Aug 2014)(Citation: Cylance Machete Mar 2017)(Citation: 360 Machete Sep 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1036", "showSubtechniques": true},
{"techniqueID": "T1036.004", "comment": "[Machete](https://attack.mitre.org/software/S0409) renamed task names to masquerade as legitimate Google Chrome, Java, Dropbox, Adobe Reader and Python tasks.(Citation: ESET Machete July 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1036.005", "comment": "[Machete](https://attack.mitre.org/software/S0409) renamed payloads to masquerade as legitimate Google Chrome, Java, Dropbox, Adobe Reader and Python executables.(Citation: ESET Machete July 2019)(Citation: Securelist Machete Aug 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1027", "showSubtechniques": true},
{"techniqueID": "T1027.002", "comment": "[Machete](https://attack.mitre.org/software/S0409) has been packed with NSIS.(Citation: ESET Machete July 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1027.010", "comment": "[Machete](https://attack.mitre.org/software/S0409) has used pyobfuscate, zlib compression, and base64 encoding for obfuscation. [Machete](https://attack.mitre.org/groups/G0095) has also used some visual obfuscation techniques by naming variables as combinations of letters to hinder analysis.(Citation: Cylance Machete Mar 2017)(Citation: ESET Machete July 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1120", "comment": "[Machete](https://attack.mitre.org/software/S0409) detects the insertion of new devices by listening for the WM_DEVICECHANGE window message.(Citation: ESET Machete July 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1057", "comment": "[Machete](https://attack.mitre.org/software/S0409) has a component to check for running processes to look for web browsers.(Citation: ESET Machete July 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1053", "showSubtechniques": true},
{"techniqueID": "T1053.005", "comment": "The different components of [Machete](https://attack.mitre.org/software/S0409) are executed by Windows Task Scheduler.(Citation: ESET Machete July 2019)(Citation: Securelist Machete Aug 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1029", "comment": "[Machete](https://attack.mitre.org/software/S0409) sends stolen data to the C2 server every 10 minutes.(Citation: ESET Machete July 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1113", "comment": "[Machete](https://attack.mitre.org/software/S0409) captures screenshots.(Citation: ESET Machete July 2019)(Citation: Securelist Machete Aug 2014)(Citation: Cylance Machete Mar 2017)(Citation: 360 Machete Sep 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1082", "comment": "[Machete](https://attack.mitre.org/software/S0409) collects the hostname of the target computer.(Citation: ESET Machete July 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1016", "comment": "[Machete](https://attack.mitre.org/software/S0409) collects the MAC address of the target computer and other network configuration information.(Citation: ESET Machete July 2019)(Citation: 360 Machete Sep 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1049", "comment": "[Machete](https://attack.mitre.org/software/S0409) uses the netsh wlan show networks mode=bssid and netsh wlan show interfaces commands to list all nearby WiFi networks and connected interfaces.(Citation: ESET Machete July 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1552", "showSubtechniques": true},
{"techniqueID": "T1552.004", "comment": "[Machete](https://attack.mitre.org/software/S0409) has scanned and looked for cryptographic keys and certificate file extensions.(Citation: ESET Machete July 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1125", "comment": "[Machete](https://attack.mitre.org/software/S0409) takes photos from the computer\u2019s web camera.(Citation: Securelist Machete Aug 2014)(Citation: Cylance Machete Mar 2017)(Citation: 360 Machete Sep 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
],
"gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
"legendItems": [{"label": "used by Machete", "color": "#66b1ff"}]
}