Hide Navigation Hide TOC

Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)

Confucius is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013. Security researchers have noted similarities between Confucius and Patchwork, particularly in their respective custom malware code and targets.(Citation: TrendMicro Confucius APT Feb 2018)(Citation: TrendMicro Confucius APT Aug 2021)(Citation: Uptycs Confucius APT Jan 2021)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	1
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	1
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	1
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	1
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	1
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	1
Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63)	Attack Pattern	Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	1
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	1
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	1
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7)	Attack Pattern	Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	1
Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade)	Attack Pattern	Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	1
Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619)	Attack Pattern	Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	1
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	1
Template Injection - T1221 (dc31fe1e-d722-49da-8f5f-92c7b5aff534)	Attack Pattern	Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	1
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	1
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	1
Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b)	Attack Pattern	Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	1
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	1
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	1
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	1
Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54)	Attack Pattern	Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	1
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	Confucius - G0142 (6eded342-33e5-4451-b6b2-e1c62863129f)	Intrusion Set	1
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b)	Attack Pattern	2
Component Object Model Hijacking - T1546.015 (bc0f5e80-91c0-4e04-9fbb-e4e332c85dae)	Attack Pattern	WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	2
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	2
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	2
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf)	Attack Pattern	WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	2
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	2
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	2
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Template Injection - T1221 (dc31fe1e-d722-49da-8f5f-92c7b5aff534)	Attack Pattern	2
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Video Capture - T1125 (6faf650d-bf31-4eb4-802d-1000cf38efaf)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0)	Attack Pattern	2
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	2
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	2
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	Stored Application Data - T1409 (702055ac-4e54-4ae9-9527-e23a38e0b160)	Attack Pattern	2
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	System Information Discovery - T1426 (e2ea7f6b-8d4f-49c3-819d-660530d12b77)	Attack Pattern	2
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	Software Discovery - T1418 (198ce408-1470-45ee-b47f-7056050d4fc2)	Attack Pattern	2
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	Archive Collected Data - T1532 (e3b936a4-6321-4172-9114-038a866362ec)	Attack Pattern	2
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	Device Administrator Permissions - T1626.001 (9c049d7b-c92a-4733-9381-27e2bd2ccadc)	Attack Pattern	2
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	Location Tracking - T1430 (99e6295e-741b-4857-b6e5-64989eb039b4)	Attack Pattern	2
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d)	Attack Pattern	2
Audio Capture - T1429 (6683aa0c-d98a-4f5b-ac57-ca7e9934a760)	Attack Pattern	Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	2
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	Ingress Tool Transfer - T1544 (2bb20118-e6c0-41dc-a07c-283ea4dd0fb8)	Attack Pattern	2
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	Unix Shell - T1623.001 (693cdbff-ea73-49c6-ac3f-91e7285c31d1)	Attack Pattern	2
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	Screen Capture - T1513 (73c26732-6422-4081-8b63-6d0ae93d449e)	Attack Pattern	2
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	Calendar Entries - T1636.001 (a9fa0d30-a8ff-45bf-922e-7720da0b7922)	Attack Pattern	2
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	Exfiltration Over C2 Channel - T1646 (32063d7f-0a39-440d-a4a3-2694488f96cc)	Attack Pattern	2
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86)	Attack Pattern	2
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	Video Capture - T1512 (d8940e76-f9c1-4912-bea6-e21c251370b6)	Attack Pattern	2
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	Data from Local System - T1533 (e1c912a9-e305-434b-9172-8a6ce3ec9c4a)	Attack Pattern	2
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)	Malware	System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd)	Attack Pattern	2
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9)	Attack Pattern	2
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7)	Attack Pattern	2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade)	Attack Pattern	2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	2
Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b)	Attack Pattern	Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807)	Attack Pattern	2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	2
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	2
Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54)	Attack Pattern	Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d)	Attack Pattern	2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	File Deletion - T1630.002 (ab7400b7-3476-4776-9545-ef3fa373de63)	Attack Pattern	2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b)	Attack Pattern	2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	System Information Discovery - T1426 (e2ea7f6b-8d4f-49c3-819d-660530d12b77)	Attack Pattern	2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	Software Discovery - T1418 (198ce408-1470-45ee-b47f-7056050d4fc2)	Attack Pattern	2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	File and Directory Discovery - T1420 (cf28ca46-1fd3-46b4-b1f6-ec0b72361848)	Attack Pattern	2
Access Notifications - T1517 (39dd7871-f59b-495f-a9a5-3cb8cc50c9b2)	Attack Pattern	Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add)	Attack Pattern	2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd)	Attack Pattern	2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	Stored Application Data - T1409 (702055ac-4e54-4ae9-9527-e23a38e0b160)	Attack Pattern	2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86)	Attack Pattern	2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	Exfiltration Over C2 Channel - T1646 (32063d7f-0a39-440d-a4a3-2694488f96cc)	Attack Pattern	2
Video Capture - T1512 (d8940e76-f9c1-4912-bea6-e21c251370b6)	Attack Pattern	Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	2
Internet Connection Discovery - T1422.001 (45a5fe76-eda3-4d40-8f22-c186efd6278d)	Attack Pattern	Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	2
Device Administrator Permissions - T1626.001 (9c049d7b-c92a-4733-9381-27e2bd2ccadc)	Attack Pattern	Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	2
Wi-Fi Discovery - T1422.002 (be63612f-a48f-44f2-a7a6-1763509fcf80)	Attack Pattern	Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	Location Tracking - T1430 (99e6295e-741b-4857-b6e5-64989eb039b4)	Attack Pattern	2
Audio Capture - T1429 (6683aa0c-d98a-4f5b-ac57-ca7e9934a760)	Attack Pattern	Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	User Evasion - T1628.002 (24a77e53-0751-46fc-b207-99378fb35c08)	Attack Pattern	2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	Screen Capture - T1513 (73c26732-6422-4081-8b63-6d0ae93d449e)	Attack Pattern	2
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	Data from Local System - T1533 (e1c912a9-e305-434b-9172-8a6ce3ec9c4a)	Attack Pattern	2
VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b)	Attack Pattern	Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	3
Component Object Model Hijacking - T1546.015 (bc0f5e80-91c0-4e04-9fbb-e4e332c85dae)	Attack Pattern	Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db)	Attack Pattern	3
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	3
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf)	Attack Pattern	Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	3
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	3
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	3
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b)	Attack Pattern	3
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0)	Attack Pattern	3
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	3
Device Administrator Permissions - T1626.001 (9c049d7b-c92a-4733-9381-27e2bd2ccadc)	Attack Pattern	Abuse Elevation Control Mechanism - T1626 (08ea902d-ecb5-47ed-a453-2798057bb2d3)	Attack Pattern	3
Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e)	Attack Pattern	Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d)	Attack Pattern	3
Command and Scripting Interpreter - T1623 (29f1f56c-7b7a-4c14-9e39-59577ea2743c)	Attack Pattern	Unix Shell - T1623.001 (693cdbff-ea73-49c6-ac3f-91e7285c31d1)	Attack Pattern	3
Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e)	Attack Pattern	Calendar Entries - T1636.001 (a9fa0d30-a8ff-45bf-922e-7720da0b7922)	Attack Pattern	3
Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e)	Attack Pattern	Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86)	Attack Pattern	3
Indicator Removal on Host - T1630 (0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d)	Attack Pattern	File Deletion - T1630.002 (ab7400b7-3476-4776-9545-ef3fa373de63)	Attack Pattern	3
Masquerading - T1655 (f856eaab-e84a-4265-a8a2-7bf37e5dc2fc)	Attack Pattern	Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b)	Attack Pattern	3
Application Layer Protocol - T1437 (6a3f6490-9c44-40de-b059-e5940f246673)	Attack Pattern	Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add)	Attack Pattern	3
Internet Connection Discovery - T1422.001 (45a5fe76-eda3-4d40-8f22-c186efd6278d)	Attack Pattern	System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd)	Attack Pattern	3
Wi-Fi Discovery - T1422.002 (be63612f-a48f-44f2-a7a6-1763509fcf80)	Attack Pattern	System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd)	Attack Pattern	3
User Evasion - T1628.002 (24a77e53-0751-46fc-b207-99378fb35c08)	Attack Pattern	Hide Artifacts - T1628 (fc53309d-ebd5-4573-9242-57024ebdad4f)	Attack Pattern	3