Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)

Confucius is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013. Security researchers have noted similarities between Confucius and Patchwork, particularly in their respective custom malware code and targets.(Citation: TrendMicro Confucius APT Feb 2018)(Citation: TrendMicro Confucius APT Aug 2021)(Citation: Uptycs Confucius APT Jan 2021)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54)	Attack Pattern	Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	1
Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	1
Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619)	Attack Pattern	1
Template Injection - T1221 (dc31fe1e-d722-49da-8f5f-92c7b5aff534)	Attack Pattern	Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	1
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	1
Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	1
Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63)	Attack Pattern	1
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	1
Local Storage Discovery - T1680 (f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3)	Attack Pattern	Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	1
Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	1
Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade)	Attack Pattern	Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	1
Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	1
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	1
Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7)	Attack Pattern	1
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	1
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	1
Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	1
Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b)	Attack Pattern	1
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	1
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	1
Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	1
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	1
Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54)	Attack Pattern	Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	2
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	2
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Component Object Model Hijacking - T1546.015 (bc0f5e80-91c0-4e04-9fbb-e4e332c85dae)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Template Injection - T1221 (dc31fe1e-d722-49da-8f5f-92c7b5aff534)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Video Capture - T1125 (6faf650d-bf31-4eb4-802d-1000cf38efaf)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	2
Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade)	Attack Pattern	System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	2
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7)	Attack Pattern	2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	Device Administrator Permissions - T1626.001 (9c049d7b-c92a-4733-9381-27e2bd2ccadc)	Attack Pattern	2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	Data from Local System - T1533 (e1c912a9-e305-434b-9172-8a6ce3ec9c4a)	Attack Pattern	2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	Stored Application Data - T1409 (702055ac-4e54-4ae9-9527-e23a38e0b160)	Attack Pattern	2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	Access Notifications - T1517 (39dd7871-f59b-495f-a9a5-3cb8cc50c9b2)	Attack Pattern	2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d)	Attack Pattern	2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b)	Attack Pattern	2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	Video Capture - T1512 (d8940e76-f9c1-4912-bea6-e21c251370b6)	Attack Pattern	2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	File and Directory Discovery - T1420 (cf28ca46-1fd3-46b4-b1f6-ec0b72361848)	Attack Pattern	2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add)	Attack Pattern	2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	Location Tracking - T1430 (99e6295e-741b-4857-b6e5-64989eb039b4)	Attack Pattern	2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	Audio Capture - T1429 (6683aa0c-d98a-4f5b-ac57-ca7e9934a760)	Attack Pattern	2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	Wi-Fi Discovery - T1422.002 (be63612f-a48f-44f2-a7a6-1763509fcf80)	Attack Pattern	2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	Screen Capture - T1513 (73c26732-6422-4081-8b63-6d0ae93d449e)	Attack Pattern	2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd)	Attack Pattern	2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86)	Attack Pattern	2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	Exfiltration Over C2 Channel - T1646 (32063d7f-0a39-440d-a4a3-2694488f96cc)	Attack Pattern	2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	Internet Connection Discovery - T1422.001 (45a5fe76-eda3-4d40-8f22-c186efd6278d)	Attack Pattern	2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	System Information Discovery - T1426 (e2ea7f6b-8d4f-49c3-819d-660530d12b77)	Attack Pattern	2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	User Evasion - T1628.002 (24a77e53-0751-46fc-b207-99378fb35c08)	Attack Pattern	2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	File Deletion - T1630.002 (ab7400b7-3476-4776-9545-ef3fa373de63)	Attack Pattern	2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	Software Discovery - T1418 (198ce408-1470-45ee-b47f-7056050d4fc2)	Attack Pattern	2
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807)	Attack Pattern	Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b)	Attack Pattern	2
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	2
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Exfiltration Over C2 Channel - T1646 (32063d7f-0a39-440d-a4a3-2694488f96cc)	Attack Pattern	Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	2
Audio Capture - T1429 (6683aa0c-d98a-4f5b-ac57-ca7e9934a760)	Attack Pattern	Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	2
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	Ingress Tool Transfer - T1544 (2bb20118-e6c0-41dc-a07c-283ea4dd0fb8)	Attack Pattern	2
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	Unix Shell - T1623.001 (693cdbff-ea73-49c6-ac3f-91e7285c31d1)	Attack Pattern	2
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	Device Administrator Permissions - T1626.001 (9c049d7b-c92a-4733-9381-27e2bd2ccadc)	Attack Pattern	2
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	Screen Capture - T1513 (73c26732-6422-4081-8b63-6d0ae93d449e)	Attack Pattern	2
System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd)	Attack Pattern	Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	2
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	Data from Local System - T1533 (e1c912a9-e305-434b-9172-8a6ce3ec9c4a)	Attack Pattern	2
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	Stored Application Data - T1409 (702055ac-4e54-4ae9-9527-e23a38e0b160)	Attack Pattern	2
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	Video Capture - T1512 (d8940e76-f9c1-4912-bea6-e21c251370b6)	Attack Pattern	2
Calendar Entries - T1636.001 (a9fa0d30-a8ff-45bf-922e-7720da0b7922)	Attack Pattern	Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	2
Archive Collected Data - T1532 (e3b936a4-6321-4172-9114-038a866362ec)	Attack Pattern	Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	2
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	System Information Discovery - T1426 (e2ea7f6b-8d4f-49c3-819d-660530d12b77)	Attack Pattern	2
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d)	Attack Pattern	2
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	Software Discovery - T1418 (198ce408-1470-45ee-b47f-7056050d4fc2)	Attack Pattern	2
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86)	Attack Pattern	2
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	Location Tracking - T1430 (99e6295e-741b-4857-b6e5-64989eb039b4)	Attack Pattern	2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	3
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db)	Attack Pattern	Component Object Model Hijacking - T1546.015 (bc0f5e80-91c0-4e04-9fbb-e4e332c85dae)	Attack Pattern	3
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf)	Attack Pattern	Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	3
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	3
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	3
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b)	Attack Pattern	3
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0)	Attack Pattern	Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	3
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b)	Attack Pattern	3
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	3
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	3
Device Administrator Permissions - T1626.001 (9c049d7b-c92a-4733-9381-27e2bd2ccadc)	Attack Pattern	Abuse Elevation Control Mechanism - T1626 (08ea902d-ecb5-47ed-a453-2798057bb2d3)	Attack Pattern	3
Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e)	Attack Pattern	Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d)	Attack Pattern	3
Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b)	Attack Pattern	Masquerading - T1655 (f856eaab-e84a-4265-a8a2-7bf37e5dc2fc)	Attack Pattern	3
Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add)	Attack Pattern	Application Layer Protocol - T1437 (6a3f6490-9c44-40de-b059-e5940f246673)	Attack Pattern	3
System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd)	Attack Pattern	Wi-Fi Discovery - T1422.002 (be63612f-a48f-44f2-a7a6-1763509fcf80)	Attack Pattern	3
Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e)	Attack Pattern	Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86)	Attack Pattern	3
System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd)	Attack Pattern	Internet Connection Discovery - T1422.001 (45a5fe76-eda3-4d40-8f22-c186efd6278d)	Attack Pattern	3
Hide Artifacts - T1628 (fc53309d-ebd5-4573-9242-57024ebdad4f)	Attack Pattern	User Evasion - T1628.002 (24a77e53-0751-46fc-b207-99378fb35c08)	Attack Pattern	3
Indicator Removal on Host - T1630 (0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d)	Attack Pattern	File Deletion - T1630.002 (ab7400b7-3476-4776-9545-ef3fa373de63)	Attack Pattern	3
Command and Scripting Interpreter - T1623 (29f1f56c-7b7a-4c14-9e39-59577ea2743c)	Attack Pattern	Unix Shell - T1623.001 (693cdbff-ea73-49c6-ac3f-91e7285c31d1)	Attack Pattern	3
Calendar Entries - T1636.001 (a9fa0d30-a8ff-45bf-922e-7720da0b7922)	Attack Pattern	Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e)	Attack Pattern	3