Mimikatz
Attributions are based on open-source threat reports. A family appearing here means at least one syscall record cites it; absence does not imply non-use.
4 syscalls cited
- NtReadVirtualMemory
Reads bytes from the virtual address space of a target process into a caller-supplied buffer.
- NtOpenProcess
Opens a handle to an existing process with a requested access mask.
- NtSetInformationToken
Writes a property on an access token — integrity level, session id, owner, default DACL, audit policy, linked token.
- NtReadFile
Reads bytes from a file, device, named pipe or mapped section into a user buffer — the kernel primitive behind ReadFile.