Conti
Attributions are based on open-source threat reports. A family appearing here means at least one syscall record cites it; absence does not imply non-use.
14 syscalls cited
- NtTestAlert
Tests whether the calling thread has a pending alert and, if so, delivers any queued user-mode APCs.
- NtTerminateProcess
Terminates a target process and all of its threads with a given exit status.
- NtOpenProcessToken
Opens the access token associated with a process and returns a handle to it.
- NtOpenProcessTokenEx
Opens the access token of a process and lets the caller specify handle attributes such as OBJ_INHERIT.
- NtAdjustPrivilegesToken
Enables or disables privileges in a specified access token.
- NtDuplicateToken
Creates a new access token that duplicates an existing token, optionally changing its type and impersonation level.
- NtCreateNamedPipeFile
Creates the server end of a named pipe in the \Device\NamedPipe device namespace.
- NtWriteFile
Writes data to an open file, pipe, or device; as the kernel-level counterpart of NtCreateFile, it is the call used to write a dropped payload to disk.
- NtSetInformationFile
Sets file metadata selected by a FILE_INFORMATION_CLASS value, such as rename, disposition (delete), allocation size, and end-of-file.
- NtLockFile
Acquires a byte-range lock on an open file, optionally exclusive and optionally asynchronous.
- NtQueryVolumeInformationFile
Retrieves filesystem and volume properties (label, size, device type, attributes) for the volume backing a file handle.
- NtOpenDirectoryObject
Opens an existing directory object in the Windows object manager namespace.
- NtQueryDirectoryObject
Enumerates the entries (name + type) inside an object-manager directory.
- NtInitiatePowerAction
Requests the power manager to perform a system-wide power action (sleep, hibernate, shutdown, reboot).