T1055.003 (sub-technique)
Thread Execution Hijacking
6 syscalls implement this technique
- NtOpenThread
Opens a handle to an existing thread identified by CLIENT_ID with requested access rights.
- NtSuspendThread
Increments the suspend count of a target thread, halting its execution.
- NtTerminateThread
Terminates the specified thread with the supplied exit status. A NULL handle terminates the current thread.
- NtGetContextThread
Retrieves the CPU register context (CONTEXT structure) of a suspended thread.
- NtSetContextThread
Sets the CPU register context of a thread — the kernel primitive behind thread hijacking and shellcode redirection.
- NtGetNextThread
Returns a handle to the next thread within a target process by walking the kernel thread list.