Brute Ratel
Attributions are based on open-source threat reports. A family appearing here means at least one syscall record cites it; absence does not imply non-use.
7 syscalls cited
- NtProtectVirtualMemory
Changes the protection on a region of committed virtual memory in a target process.
- NtWriteVirtualMemory
Writes a buffer from the caller into the virtual address space of a target process.
- NtOpenProcess
Opens a handle to an existing process with a requested access mask.
- NtCreateThreadEx
Creates a new thread in a target process, optionally suspended, with rich attribute list support.
- NtGetNextProcess
Walks the kernel's process list and returns a handle to the next process after a given one.
- NtResumeThread
Decrements the suspend count of a thread, resuming execution when the count reaches zero.
- NtGetNextThread
Returns a handle to the next thread within a target process by walking the kernel thread list.