← Back to ATT&CK index
T1055.013sub-technique
Process Doppelgänging
View on attack.mitre.org →6 syscalls implement this technique
- NtCreateSection
Creates a section object backed by a file or the system pagefile for shared memory mapping.
- NtMapViewOfSection
Maps a view of a section object into the virtual address space of a target process.
- NtCreateTransaction
Creates a new KTM (Kernel Transaction Manager) transaction object used to wrap NTFS operations atomically.
- NtOpenTransaction
Opens an existing KTM transaction object by name or unit-of-work GUID.
- NtCommitTransaction
Commits a KTM transaction, atomically persisting every change made under it to disk.
- NtRollbackTransaction
Rolls back a KTM transaction, discarding every change made under it.