T1486
Data Encrypted for Impact
7 syscalls implement this technique
- NtWriteFile
Writes data to an open file, pipe, or device — the kernel companion to NtCreateFile for dropping payloads.
- NtSetInformationFile
Sets file metadata via FILE_INFORMATION_CLASS — rename, dispose (delete), allocate, end-of-file, etc.
- NtLockFile
Acquires a byte-range lock on an open file, optionally exclusive and optionally asynchronous.
- NtUnlockFile
Releases a previously-acquired byte-range lock on an open file.
- NtNotifyChangeDirectoryFileEx
Extended directory-change notification that lets the caller pick the FILE_NOTIFY_INFORMATION class returned in the buffer.
- NtQueryVolumeInformationFile
Retrieves filesystem and volume properties (label, size, device type, attributes) for the volume backing a file handle.
- NtSetVolumeInformationFile
Modifies writable volume properties — primarily the volume label — for the volume backing a file handle.