← Back to ATT&CK index
T1564
Hide Artifacts
View on attack.mitre.org →5 syscalls implement this technique
- NtCreateJobObject
Creates a job object — the kernel container used to apply limits, accounting and termination policy to a set of processes.
- NtAssignProcessToJobObject
Attaches a process to a job object so that the job's limits, accounting and termination policy apply to it.
- NtSetInformationJobObject
Sets a policy or limit on a job object via one of the JOBOBJECTINFOCLASS information classes.
- NtSetEaFile
Writes NTFS extended attributes (EAs) attached to a file handle.
- NtQueryEaFile
Reads NTFS extended attributes (EAs) from a file handle, optionally filtered or paged.