Skip to content

Hide Navigation Hide TOC

Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)

Confucius is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013. Security researchers have noted similarities between Confucius and Patchwork, particularly in their respective custom malware code and targets.(Citation: TrendMicro Confucius APT Feb 2018)(Citation: TrendMicro Confucius APT Aug 2021)(Citation: Uptycs Confucius APT Jan 2021)

Cluster A Galaxy A Cluster B Galaxy B Level
Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f) Intrusion Set System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 1
Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f) Intrusion Set Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern 1
Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f) Intrusion Set Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54) Attack Pattern 1
Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f) Intrusion Set Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware 1
Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f) Intrusion Set File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 1
Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f) Intrusion Set 1
Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f) Intrusion Set Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 1
Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f) Intrusion Set PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 1
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f) Intrusion Set 1
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f) Intrusion Set 1
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f) Intrusion Set 1
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f) Intrusion Set 1
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f) Intrusion Set 1
Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f) Intrusion Set Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern 1
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) Malware Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f) Intrusion Set 1
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f) Intrusion Set 1
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f) Intrusion Set 1
Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63) Attack Pattern Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f) Intrusion Set 1
Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f) Intrusion Set Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619) Attack Pattern 1
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f) Intrusion Set 1
Template Injection - T1221 (dc31fe1e-d722-49da-8f5f-92c7b5aff534) Attack Pattern Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f) Intrusion Set 1
Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f) Intrusion Set Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 1
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern 2
Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54) Attack Pattern Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern 2
Ingress Tool Transfer - T1544 (2bb20118-e6c0-41dc-a07c-283ea4dd0fb8) Attack Pattern Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware 2
Screen Capture - T1513 (73c26732-6422-4081-8b63-6d0ae93d449e) Attack Pattern Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware 2
Calendar Entries - T1636.001 (a9fa0d30-a8ff-45bf-922e-7720da0b7922) Attack Pattern Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware 2
Exfiltration Over C2 Channel - T1646 (32063d7f-0a39-440d-a4a3-2694488f96cc) Attack Pattern Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware 2
Stored Application Data - T1409 (702055ac-4e54-4ae9-9527-e23a38e0b160) Attack Pattern Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware 2
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware Device Administrator Permissions - T1626.001 (9c049d7b-c92a-4733-9381-27e2bd2ccadc) Attack Pattern 2
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware Video Capture - T1512 (d8940e76-f9c1-4912-bea6-e21c251370b6) Attack Pattern 2
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) Attack Pattern 2
Data from Local System - T1533 (e1c912a9-e305-434b-9172-8a6ce3ec9c4a) Attack Pattern Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware 2
Archive Collected Data - T1532 (e3b936a4-6321-4172-9114-038a866362ec) Attack Pattern Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware 2
System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd) Attack Pattern Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware 2
System Information Discovery - T1426 (e2ea7f6b-8d4f-49c3-819d-660530d12b77) Attack Pattern Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware 2
Software Discovery - T1418 (198ce408-1470-45ee-b47f-7056050d4fc2) Attack Pattern Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware 2
Unix Shell - T1623.001 (693cdbff-ea73-49c6-ac3f-91e7285c31d1) Attack Pattern Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware 2
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware Location Tracking - T1430 (99e6295e-741b-4857-b6e5-64989eb039b4) Attack Pattern 2
Audio Capture - T1429 (6683aa0c-d98a-4f5b-ac57-ca7e9934a760) Attack Pattern Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware 2
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d) Attack Pattern 2
Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern 2
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 2
Video Capture - T1125 (6faf650d-bf31-4eb4-802d-1000cf38efaf) Attack Pattern WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware 2
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware 2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b) Attack Pattern 2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern 2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern 2
VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b) Attack Pattern WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware 2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware 2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern 2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware 2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware Component Object Model Hijacking - T1546.015 (bc0f5e80-91c0-4e04-9fbb-e4e332c85dae) Attack Pattern 2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware 2
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware 2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware 2
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware 2
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware 2
Template Injection - T1221 (dc31fe1e-d722-49da-8f5f-92c7b5aff534) Attack Pattern WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware 2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 2
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 2
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern 2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) Malware User Evasion - T1628.002 (24a77e53-0751-46fc-b207-99378fb35c08) Attack Pattern 2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) Malware Video Capture - T1512 (d8940e76-f9c1-4912-bea6-e21c251370b6) Attack Pattern 2
File Deletion - T1630.002 (ab7400b7-3476-4776-9545-ef3fa373de63) Attack Pattern Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) Malware 2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) Malware System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd) Attack Pattern 2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) Malware System Information Discovery - T1426 (e2ea7f6b-8d4f-49c3-819d-660530d12b77) Attack Pattern 2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) Malware Location Tracking - T1430 (99e6295e-741b-4857-b6e5-64989eb039b4) Attack Pattern 2
Audio Capture - T1429 (6683aa0c-d98a-4f5b-ac57-ca7e9934a760) Attack Pattern Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) Malware 2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) Malware Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d) Attack Pattern 2
Screen Capture - T1513 (73c26732-6422-4081-8b63-6d0ae93d449e) Attack Pattern Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) Malware 2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) Malware Exfiltration Over C2 Channel - T1646 (32063d7f-0a39-440d-a4a3-2694488f96cc) Attack Pattern 2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) Malware Stored Application Data - T1409 (702055ac-4e54-4ae9-9527-e23a38e0b160) Attack Pattern 2
Internet Connection Discovery - T1422.001 (45a5fe76-eda3-4d40-8f22-c186efd6278d) Attack Pattern Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) Malware 2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) Malware Device Administrator Permissions - T1626.001 (9c049d7b-c92a-4733-9381-27e2bd2ccadc) Attack Pattern 2
Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add) Attack Pattern Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) Malware 2
Data from Local System - T1533 (e1c912a9-e305-434b-9172-8a6ce3ec9c4a) Attack Pattern Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) Malware 2
Software Discovery - T1418 (198ce408-1470-45ee-b47f-7056050d4fc2) Attack Pattern Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) Malware 2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) Malware Wi-Fi Discovery - T1422.002 (be63612f-a48f-44f2-a7a6-1763509fcf80) Attack Pattern 2
Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b) Attack Pattern Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) Malware 2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) Malware Access Notifications - T1517 (39dd7871-f59b-495f-a9a5-3cb8cc50c9b2) Attack Pattern 2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) Malware Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) Attack Pattern 2
File and Directory Discovery - T1420 (cf28ca46-1fd3-46b4-b1f6-ec0b72361848) Attack Pattern Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) Malware 2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 2
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 2
Calendar Entries - T1636.001 (a9fa0d30-a8ff-45bf-922e-7720da0b7922) Attack Pattern Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) Attack Pattern 3
Abuse Elevation Control Mechanism - T1626 (08ea902d-ecb5-47ed-a453-2798057bb2d3) Attack Pattern Device Administrator Permissions - T1626.001 (9c049d7b-c92a-4733-9381-27e2bd2ccadc) Attack Pattern 3
Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) Attack Pattern Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) Attack Pattern 3
Command and Scripting Interpreter - T1623 (29f1f56c-7b7a-4c14-9e39-59577ea2743c) Attack Pattern Unix Shell - T1623.001 (693cdbff-ea73-49c6-ac3f-91e7285c31d1) Attack Pattern 3
Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) Attack Pattern Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d) Attack Pattern 3
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern 3
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern 3
VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 3
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern 3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 3
Component Object Model Hijacking - T1546.015 (bc0f5e80-91c0-4e04-9fbb-e4e332c85dae) Attack Pattern Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern 3
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 3
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern 3
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 3
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 3
Hide Artifacts - T1628 (fc53309d-ebd5-4573-9242-57024ebdad4f) Attack Pattern User Evasion - T1628.002 (24a77e53-0751-46fc-b207-99378fb35c08) Attack Pattern 3
Indicator Removal on Host - T1630 (0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d) Attack Pattern File Deletion - T1630.002 (ab7400b7-3476-4776-9545-ef3fa373de63) Attack Pattern 3
Internet Connection Discovery - T1422.001 (45a5fe76-eda3-4d40-8f22-c186efd6278d) Attack Pattern System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd) Attack Pattern 3
Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add) Attack Pattern Application Layer Protocol - T1437 (6a3f6490-9c44-40de-b059-e5940f246673) Attack Pattern 3
Wi-Fi Discovery - T1422.002 (be63612f-a48f-44f2-a7a6-1763509fcf80) Attack Pattern System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd) Attack Pattern 3
Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b) Attack Pattern Masquerading - T1655 (f856eaab-e84a-4265-a8a2-7bf37e5dc2fc) Attack Pattern 3