Exploitation for Privilege Escalation
View on attack.mitre.org
12 syscalls implement this technique.
- NtAllocateUserPhysicalPages
Allocates physical memory pages for use with Address Windowing Extensions (AWE).
- NtAdjustGroupsToken
Enables or disables groups (SIDs) in an access token, or resets group attributes to their default state.
- NtSetSystemInformation
Generic kernel setter selected by SYSTEM_INFORMATION_CLASS — gateway to SystemDebugControl, GDI driver loading and more.
- NtAlpcCreatePort
Creates a server-side ALPC connection port that clients can reach with NtAlpcConnectPort.
- NtAlpcConnectPort
Establishes a client ALPC connection to a named server port and exchanges an initial message.
- NtAlpcSendWaitReceivePort
Sends an ALPC message on a port and optionally waits for a reply or the next inbound message.
- NtAlpcImpersonateClientOfPort
ALPC server's primary impersonation primitive — assumes the security context of the client that sent a message.
- NtAlpcOpenSenderProcess
Server-side helper that opens a HANDLE to the process that sent a given ALPC message.
- NtAlpcOpenSenderThread
Server-side helper that opens a HANDLE to the thread that sent a given ALPC message.
- NtDeviceIoControlFile
Sends an IOCTL to a kernel driver — the user-mode entry point for every BYOVD primitive abuse.
- NtLoadDriver
Loads a kernel-mode driver from a registry-described service entry — the BYOVD entry point.
- NtUnloadDriver
Unloads a previously loaded kernel-mode driver — the BYOVD cleanup primitive.