Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)

Confucius is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013. Security researchers have noted similarities between Confucius and Patchwork, particularly in their respective custom malware code and targets.(Citation: TrendMicro Confucius APT Feb 2018)(Citation: TrendMicro Confucius APT Aug 2021)(Citation: Uptycs Confucius APT Jan 2021)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	1
Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	1
Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	1
Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	1
Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	1
Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	1
Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	1
Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54)	Attack Pattern	1
Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63)	Attack Pattern	1
Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	1
Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	Local Storage Discovery - T1680 (f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3)	Attack Pattern	1
Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	1
Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619)	Attack Pattern	1
Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	Template Injection - T1221 (dc31fe1e-d722-49da-8f5f-92c7b5aff534)	Attack Pattern	1
Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	1
Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	1
Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	1
Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	1
Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b)	Attack Pattern	1
Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	1
Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade)	Attack Pattern	1
Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7)	Attack Pattern	1
Screen Capture - T1513 (73c26732-6422-4081-8b63-6d0ae93d449e)	Attack Pattern	Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	2
Calendar Entries - T1636.001 (a9fa0d30-a8ff-45bf-922e-7720da0b7922)	Attack Pattern	Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	2
Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d)	Attack Pattern	Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	2
Video Capture - T1512 (d8940e76-f9c1-4912-bea6-e21c251370b6)	Attack Pattern	Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	2
Ingress Tool Transfer - T1544 (2bb20118-e6c0-41dc-a07c-283ea4dd0fb8)	Attack Pattern	Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	2
Stored Application Data - T1409 (702055ac-4e54-4ae9-9527-e23a38e0b160)	Attack Pattern	Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	2
Exfiltration Over C2 Channel - T1646 (32063d7f-0a39-440d-a4a3-2694488f96cc)	Attack Pattern	Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	2
Software Discovery - T1418 (198ce408-1470-45ee-b47f-7056050d4fc2)	Attack Pattern	Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	2
Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86)	Attack Pattern	Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	2
Unix Shell - T1623.001 (693cdbff-ea73-49c6-ac3f-91e7285c31d1)	Attack Pattern	Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	2
Archive Collected Data - T1532 (e3b936a4-6321-4172-9114-038a866362ec)	Attack Pattern	Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	2
Location Tracking - T1430 (99e6295e-741b-4857-b6e5-64989eb039b4)	Attack Pattern	Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	2
System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd)	Attack Pattern	Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	2
System Information Discovery - T1426 (e2ea7f6b-8d4f-49c3-819d-660530d12b77)	Attack Pattern	Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	2
Data from Local System - T1533 (e1c912a9-e305-434b-9172-8a6ce3ec9c4a)	Attack Pattern	Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	2
Audio Capture - T1429 (6683aa0c-d98a-4f5b-ac57-ca7e9934a760)	Attack Pattern	Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	2
Device Administrator Permissions - T1626.001 (9c049d7b-c92a-4733-9381-27e2bd2ccadc)	Attack Pattern	Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	2
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	2
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	2
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	2
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0)	Attack Pattern	WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	2
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Component Object Model Hijacking - T1546.015 (bc0f5e80-91c0-4e04-9fbb-e4e332c85dae)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	2
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	2
VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b)	Attack Pattern	WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b)	Attack Pattern	2
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	2
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	2
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf)	Attack Pattern	WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	2
Template Injection - T1221 (dc31fe1e-d722-49da-8f5f-92c7b5aff534)	Attack Pattern	WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	2
Video Capture - T1125 (6faf650d-bf31-4eb4-802d-1000cf38efaf)	Attack Pattern	WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	2
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	2
Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872)	Attack Pattern	WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	2
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54)	Attack Pattern	2
Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9)	Attack Pattern	Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
Screen Capture - T1513 (73c26732-6422-4081-8b63-6d0ae93d449e)	Attack Pattern	Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	Internet Connection Discovery - T1422.001 (45a5fe76-eda3-4d40-8f22-c186efd6278d)	Attack Pattern	2
Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86)	Attack Pattern	Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	System Information Discovery - T1426 (e2ea7f6b-8d4f-49c3-819d-660530d12b77)	Attack Pattern	2
Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b)	Attack Pattern	Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	2
Data from Local System - T1533 (e1c912a9-e305-434b-9172-8a6ce3ec9c4a)	Attack Pattern	Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	File Deletion - T1630.002 (ab7400b7-3476-4776-9545-ef3fa373de63)	Attack Pattern	2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	Device Administrator Permissions - T1626.001 (9c049d7b-c92a-4733-9381-27e2bd2ccadc)	Attack Pattern	2
Stored Application Data - T1409 (702055ac-4e54-4ae9-9527-e23a38e0b160)	Attack Pattern	Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	2
User Evasion - T1628.002 (24a77e53-0751-46fc-b207-99378fb35c08)	Attack Pattern	Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	2
Software Discovery - T1418 (198ce408-1470-45ee-b47f-7056050d4fc2)	Attack Pattern	Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	File and Directory Discovery - T1420 (cf28ca46-1fd3-46b4-b1f6-ec0b72361848)	Attack Pattern	2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d)	Attack Pattern	2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	Access Notifications - T1517 (39dd7871-f59b-495f-a9a5-3cb8cc50c9b2)	Attack Pattern	2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd)	Attack Pattern	2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	Video Capture - T1512 (d8940e76-f9c1-4912-bea6-e21c251370b6)	Attack Pattern	2
Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add)	Attack Pattern	Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	Wi-Fi Discovery - T1422.002 (be63612f-a48f-44f2-a7a6-1763509fcf80)	Attack Pattern	2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	Exfiltration Over C2 Channel - T1646 (32063d7f-0a39-440d-a4a3-2694488f96cc)	Attack Pattern	2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	Location Tracking - T1430 (99e6295e-741b-4857-b6e5-64989eb039b4)	Attack Pattern	2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	Audio Capture - T1429 (6683aa0c-d98a-4f5b-ac57-ca7e9934a760)	Attack Pattern	2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	2
Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b)	Attack Pattern	Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807)	Attack Pattern	2
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade)	Attack Pattern	2
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7)	Attack Pattern	2
Calendar Entries - T1636.001 (a9fa0d30-a8ff-45bf-922e-7720da0b7922)	Attack Pattern	Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e)	Attack Pattern	3
Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e)	Attack Pattern	Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d)	Attack Pattern	3
Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86)	Attack Pattern	Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e)	Attack Pattern	3
Command and Scripting Interpreter - T1623 (29f1f56c-7b7a-4c14-9e39-59577ea2743c)	Attack Pattern	Unix Shell - T1623.001 (693cdbff-ea73-49c6-ac3f-91e7285c31d1)	Attack Pattern	3
Abuse Elevation Control Mechanism - T1626 (08ea902d-ecb5-47ed-a453-2798057bb2d3)	Attack Pattern	Device Administrator Permissions - T1626.001 (9c049d7b-c92a-4733-9381-27e2bd2ccadc)	Attack Pattern	3
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0)	Attack Pattern	Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	3
Component Object Model Hijacking - T1546.015 (bc0f5e80-91c0-4e04-9fbb-e4e332c85dae)	Attack Pattern	Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db)	Attack Pattern	3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	3
VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b)	Attack Pattern	Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	3
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	3
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf)	Attack Pattern	Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	3
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b)	Attack Pattern	3
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	3
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	3
System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd)	Attack Pattern	Internet Connection Discovery - T1422.001 (45a5fe76-eda3-4d40-8f22-c186efd6278d)	Attack Pattern	3
Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b)	Attack Pattern	Masquerading - T1655 (f856eaab-e84a-4265-a8a2-7bf37e5dc2fc)	Attack Pattern	3
Indicator Removal on Host - T1630 (0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d)	Attack Pattern	File Deletion - T1630.002 (ab7400b7-3476-4776-9545-ef3fa373de63)	Attack Pattern	3
User Evasion - T1628.002 (24a77e53-0751-46fc-b207-99378fb35c08)	Attack Pattern	Hide Artifacts - T1628 (fc53309d-ebd5-4573-9242-57024ebdad4f)	Attack Pattern	3
Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add)	Attack Pattern	Application Layer Protocol - T1437 (6a3f6490-9c44-40de-b059-e5940f246673)	Attack Pattern	3
Wi-Fi Discovery - T1422.002 (be63612f-a48f-44f2-a7a6-1763509fcf80)	Attack Pattern	System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd)	Attack Pattern	3