Cobalt Strike (Sleep Mask Kit)

Attributions are based on open-source threat reports. A family appearing here means at least one syscall record cites it; absence does not imply non-use.

3 syscalls cited

NtGetWriteWatch
Retrieves the set of pages written to within a MEM_WRITE_WATCH region since the last reset.
NtContinue
Restores a CPU CONTEXT into the current thread and resumes execution at CONTEXT.Rip.
NtDelayExecution
Suspends the calling thread for a specified interval, optionally in an alertable state.