FIN7
Attributions are based on open-source threat reports. A family appearing here means at least one syscall record cites it; absence does not imply non-use.
4 syscalls cited
- NtOpenProcessToken
Opens the access token associated with a process and returns a handle to it.
- NtQueryInformationToken
Retrieves a specified class of information about an access token.
- NtImpersonateThread
Causes the server thread to impersonate the security context of the client thread.
- NtDuplicateObject
Duplicates a handle from a source process into a target process, optionally adjusting access or closing the source.