{
  "description": "Enterprise techniques used by Small Sieve, ATT&CK software S1035 (v1.0)",
  "name": "Small Sieve (S1035)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"},
  "techniques": [
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[Small Sieve](https://attack.mitre.org/software/S1035) can contact actor-controlled C2 servers by using the Telegram API over HTTPS.(Citation: DHS CISA AA22-055A MuddyWater February 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1547", "showSubtechniques": true},
    {"techniqueID": "T1547.001", "comment": "[Small Sieve](https://attack.mitre.org/software/S1035) has the ability to add itself to `HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OutlookMicrosift` for persistence.(Citation: NCSC GCHQ Small Sieve Jan 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "[Small Sieve](https://attack.mitre.org/software/S1035) can use `cmd.exe` to execute commands on a victim's system.(Citation: NCSC GCHQ Small Sieve Jan 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.006", "comment": "[Small Sieve](https://attack.mitre.org/software/S1035) can use Python scripts to execute commands.(Citation: NCSC GCHQ Small Sieve Jan 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1132", "showSubtechniques": true},
    {"techniqueID": "T1132.002", "comment": "[Small Sieve](https://attack.mitre.org/software/S1035) can use a custom hex byte swapping encoding scheme to obfuscate tasking traffic.(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: NCSC GCHQ Small Sieve Jan 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1573", "showSubtechniques": true},
    {"techniqueID": "T1573.002", "comment": "[Small Sieve](https://attack.mitre.org/software/S1035) can use SSL/TLS for its HTTPS Telegram Bot API-based C2 channel.(Citation: DHS CISA AA22-055A MuddyWater February 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1480", "comment": "[Small Sieve](https://attack.mitre.org/software/S1035) can only execute correctly if the word `Platypus` is passed to it on the command line.(Citation: NCSC GCHQ Small Sieve Jan 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1105", "comment": "[Small Sieve](https://attack.mitre.org/software/S1035) has the ability to download files.(Citation: NCSC GCHQ Small Sieve Jan 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1036", "showSubtechniques": true},
    {"techniqueID": "T1036.005", "comment": "[Small Sieve](https://attack.mitre.org/software/S1035) can use variations of Microsoft and Outlook spellings, such as \"Microsift\", in its file names to avoid detection.(Citation: NCSC GCHQ Small Sieve Jan 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027", "comment": "[Small Sieve](https://attack.mitre.org/software/S1035) has the ability to use a custom hex byte swapping encoding scheme combined with an obfuscated Base64 function to protect program strings and Telegram credentials.(Citation: NCSC GCHQ Small Sieve Jan 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1016", "comment": "[Small Sieve](https://attack.mitre.org/software/S1035) can obtain the IP address of a victim host.(Citation: NCSC GCHQ Small Sieve Jan 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1033", "comment": "[Small Sieve](https://attack.mitre.org/software/S1035) can obtain the id of a logged-in user.(Citation: NCSC GCHQ Small Sieve Jan 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1102", "showSubtechniques": true},
    {"techniqueID": "T1102.002", "comment": "[Small Sieve](https://attack.mitre.org/software/S1035) has the ability to use the Telegram Bot API from Telegram Messenger to send and receive messages.(Citation: NCSC GCHQ Small Sieve Jan 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by Small Sieve", "color": "#66b1ff"}]
}