Pivot por familia de malware
Syscalls agrupados por las familias de malware y herramientas ofensivas que los usan públicamente. Las atribuciones provienen de informes abiertos — útil para hunting y redacción de informes.
443 familias referenciadas en el catálogo de syscalls
- Cobalt Strike42
- Sliver31
- Brute Ratel C422
- Qakbot19
- IcedID16
- Conti14
- Emotet13
- ESPecter13
- TrickBot13
- BumbleBee11
- CosmicStrand10
- FinFisher9
- GuLoader9
- Lazarus tooling9
- BlackCat / ALPHV8
- Havoc8
- LockBit8
- BlackLotus7
- Brute Ratel7
- Bumblebee7
- Legacy XP/2003-era user-mode rootkits (historical)7
- MoonBounce (APT41)7
- BruteRatel6
- Royal6
- ScareCrow6
- Academic VBS-enclave shellcode loader (Yuste / Soriano-Salvador, Recon 2023)5
- Cobalt Strike (Ekko sleep mask)5
- Cronos sleep mask5
- Foliage sleep mask5
- HermeticWiper5
- MosaicRegressor / LoJax (APT28)5
- Pre-ALPC IPC research / red-team educational tooling5
- Themida-packed loaders5
- TrickBoot5
- VMProtect-packed loaders5
- CaddyWiper4
- Donut loader4
- Dridex (2017 wave)4
- Ekko sleep mask4
- enSilo Atom Bombing PoC (Tal Liberman 2016)4
- FIN74
- Hancitor4
- Mimikatz4
- Mimikatz (tooling)4
- NanoDump4
- RedLine Stealer4
- SynAck ransomware4
- Themida packed loaders4
- VMProtect packed loaders4
- (no documented malware abuse)3
- (no widely reported family use)3
- AgentTesla3
- Akira3
- APT29 / Cozy Bear3
- BlackCat (ALPHV)3
- BlackSuit3
- Cobalt Strike (Sleep Mask Kit)3
- Cobalt Strike Sleep_Mask UDRL3
- Cronos sleep mask (Timer2 branch)3
- CVE-2018-8440 ALPC LPE PoC (SandboxEscaper)3
- Driver-assisted kernel R/W toolkits3
- Ekko (sleep-mask PoC)3
- enSilo Process Doppelgänging PoC3
- FIN7 Carbanak3
- Foliage / FOLIAGE-style sleep masks3
- Hidden Bee3
- Impacket secretsdump3
- JuicyPotato / RoguePotato (tooling)3
- LummaC23
- Osiris banker (Kronos variant)3
- PoolParty (SafeBreach Labs research family)3
- PoolParty (timer-queue variants)3
- PrintNightmare exploits (CVE-2021-1675 / 34527)3
- Royal ransomware3
- Royal Ransomware3
- ScareCrow loader3
- ThreatNeedle (Lazarus)3
- Turla3
- Vidar3
- Zilean sleep mask3
- APT29 (Cozy Bear)2
- BlackCat/ALPHV2
- BlackEnergy2
- Cobalt Strike (BOFs)2
- Cobalt Strike (RPC lateral movement)2
- Cobalt Strike (user-defined sleep mask)2
- ContainerEscaper2
- Cronos sleep obfuscator2
- Custom multi-stage TxF loaders2
- Custom sleep-obfuscation loaders using unnamed sync primitives2
- CVE-2018-8440 ALPC LPE PoC (SandboxEscaper, Task Scheduler)2
- CVE-2019-0808 PoCs (KillerBeez chain)2
- Donut-generated stagers2
- Dridex2
- Ekko sleep obfuscator2
- Enigma Protector samples2
- FIN7 (CARBANAK)2
- FIN7 (TxF-based loaders)2
- Foliage sleep obfuscator2
- FormBook2
- Forshaw symboliclink-testing-tools2
- Hancitor (transacted hollowing variants)2
- Hancitor / Chanitor2
- HandleKatz2
- Impacket secretsdump (offline-hive variants)2
- IsaacWiper2
- Lazarus2
- LoJax (Sednit / APT28)2
- Mimikatz (lsadump::sam)2
- Mimikatz (mimidrv)2
- Mimikatz lsadump::sam /system /sam2
- MosaicRegressor / LoJax2
- No widely documented commodity family abuses this syscall directly; research/PoC only.2
- Pafish (POC)2
- Petya / NotPetya2
- PikaBot2
- PoolParty PoC2
- PPLFault (research PoC)2
- PrintSpoofer (tooling)2
- Project Zero AppContainer Escape PoCs2
- QakBot2
- QuarksPwDump2
- Raccoon Stealer2
- RefleXXion2
- Scattered Spider POORTRY/STONESTOP2
- Sliver (newer scheduler backends)2
- Snake / Turla2
- Stuxnet (early variants)2
- Themida (self-debug anti-attach)2
- VMProtect (self-debug variants)2
- (academic) kernel-scheduler side-channel PoCs1
- (no documented commodity malware abuse)1
- (rare) timing-based anti-debugger PoCs1
- Agent Tesla1
- ALPC LPE PoCs (server-side primitive in exploit chains)1
- Amadey1
- Anti-analysis crypters (proof-of-concept stage)1
- Anti-forensics red-team loaders1
- AppContainer-aware staging loaders (private-hive config caches)1
- APT29 (Cozy Bear) — timestomping toolchain1
- Astaroth (ADS staging)1
- AsyncRAT1
- AsyncRAT droppers1
- Atomic Stealer (Win port)1
- Autoruns-like recon by FIN7 BIRDDOG1
- AvosLocker (anti-rootkit driver abuse)1
- AvosLocker (asWarPot.sys)1
- AvosLocker (gdrv BYOVD)1
- BabLock1
- Babuk (selected affiliates)1
- Bagle (16-bit DOS dropper variants, 2004, 32-bit XP only)1
- BazarLoader1
- Black Basta1
- Black Basta (worker-queue dedup)1
- BlackByte (BYOVD recon)1
- BlackByte (BYOVD via RTCore64.sys)1
- BlackByte (RTCore64 BYOVD)1
- BlackByte (RTCore64.sys)1
- BlackByte (RTCore64)1
- BlackCat / ALPHV — encryptor self-deletion1
- BlackCat/ALPHV (junction redirect)1
- BlackEnergy 2 (kernel-driver variant)1
- BlackLotus (CVE-2022-21894 Baton Drop)1
- BlackLotus (UEFI bootkit, CVE-2022-21894)1
- BlackMatter1
- BloodHound-style recon tooling (local variants)1
- Browser sandbox escapes (historical, various — Chromium / Edge research)1
- Browser sandbox-escape PoCs (Project Zero class)1
- Browser-resident loaders mimicking JIT call-target opt-in1
- Brute Ratel (manual map variants)1
- Brute Ratel (post-LSASS workflows)1
- Brute Ratel C4 (anecdotal — community-shared PoolParty modules)1
- BumbleBee (loader variants)1
- BumbleBee loader1
- Carbanak (service ACL weakening)1
- Carbanak / FIN7 (service ACL surveys)1
- Chromium sandbox abuse research (PoCs)1
- CIG-bypass research tooling1
- Cobalt Strike (4.7+ built-in mask)1
- Cobalt Strike (BOFs that pre-flight DACLs)1
- Cobalt Strike (Early Bird loader variants)1
- Cobalt Strike (Early Bird variants)1
- Cobalt Strike (Ekko / Foliage sleep masks)1
- Cobalt Strike (external-C2 bridge, server-side panel)1
- Cobalt Strike (historic mailslot SMB transport)1
- Cobalt Strike (lateral movement via RPC)1
- Cobalt Strike (lateral RPC tooling)1
- Cobalt Strike (make_token / steal_token modules)1
- Cobalt Strike (memory-only loader variants)1
- Cobalt Strike (Module Stomping / BoF loaders)1
- Cobalt Strike (named-mutex AV sweep)1
- Cobalt Strike (ntdll unhooking variants)1
- Cobalt Strike (per-session BNO rendezvous)1
- Cobalt Strike (persistence add-ons)1
- Cobalt Strike (post-LSASS workflows)1
- Cobalt Strike (rumored PoolParty BOFs in red-team kits)1
- Cobalt Strike (sandbox-escape modules)1
- Cobalt Strike (SMB beacon)1
- Cobalt Strike (spawnto / spoof-parent)1
- Cobalt Strike (third-party Atom Bomb module)1
- Cobalt Strike (timestomp command in Beacon)1
- Cobalt Strike (UDRLs with built-in unhook stage)1
- Cobalt Strike Artifact Kit unhook stubs1
- Cobalt Strike BOFs using direct syscalls1
- Cobalt Strike user-defined reflective loaders1
- Conti — log and dropper cleanup1
- Conti (encryptor self-protection)1
- Conti (post-encryption reboot variants)1
- Conti (raw NTFS shadow extraction)1
- Conti ransomware1
- ConVME PoC1
- CrackMapExec / NetExec (sam / lsa modules)1
- CrackMapExec / NetExec (sam command)1
- CrackMapExec / NetExec local-SAM1
- Crash-dump hijack research PoCs1
- Custom C2 transports piggybacking on overlapped I/O (broad category)1
- Custom Cobalt Strike sleep-mask variants1
- Custom EDR-hook-bypass tooling (race-cancel PoCs)1
- Custom EoP PoCs1
- Custom implant frameworks (graceful pipe teardown)1
- Custom in-place binary patchers1
- Custom NT-subsystem manual loaders1
- Custom red-team frameworks (rare)1
- Custom red-team injection cleanup tooling1
- Custom red-team loaders (anti-pagefile-forensics)1
- Custom red-team loaders (FreshyCalls/SysWhispers chains)1
- Custom red-team loaders (stealth ETW logging)1
- Custom staged shellcode loaders1
- CVE-2018-8440 ALPC LPE PoC (SandboxEscaper) — cleanup phase1
- CVE-2018-8440 ALPC Task Scheduler LPE PoC (SandboxEscaper)1
- CVE-2019-1130 UMPS impersonation LPE PoC1
- CVE-2019-1322 SVCMOVER PoC1
- CVE-2020-0668 Windows Service Tracing LPE PoC1
- CVE-2022-21882 PoCs1
- CVE-2022-21882 PoCs (win32k EA LPE family)1
- DarkSide (selected affiliates)1
- DCSync auxiliaries1
- Donut shellcode generator1
- Donut shellcode generator (loader stubs)1
- Donut shellcode generator (PIC stagers)1
- Dridex (watchdog module)1
- DSInternals (Get-ADDBAccount on dumped hives)1
- Dumpert1
- Edge/Chromium sandbox-escape PoCs (research)1
- EDR-allowlist-evasion red-team loaders1
- EDR-aware loaders1
- EDRKillShifter1
- EDRKillShifter (RansomHub affiliate tooling)1
- Education / red-team LPC research tooling1
- Ekko-style sleep obfuscation (uses completion ports defensively)1
- Ekko-style sleep-mask designs (and lookalikes)1
- Ekko-style sleep-mask designs (wake half of the pair)1
- Ekko-style sleep-mask variants1
- Emotet (early sandbox checks)1
- Emotet (persistence rotators)1
- Emotet (sandbox-evasion samples)1
- Empire Persistence enumeration1
- Equation GrayFish1
- Equation Group GrayFish1
- fgdump / PwDump1
- FIN7 (offline hive credential staging)1
- FIN7 (scheduled-task ACL tampering)1
- FIN7 BIRDDOG1
- FIN7 BOOSTWRITE1
- FIN7 Carbanak loader (dead-drop variants)1
- Finfisher1
- Forshaw sandbox-escape catalogue (Project Zero — multiple Spooler / Search Indexer LPEs)1
- Generic ADS-using droppers (e.g. legacy Zeus variants)1
- Generic ALPC fuzzers (RpcView / NtObjectManager / WinAFL-RPC) — connect/disconnect loops1
- Generic ALPC fuzzers (RpcView / NtObjectManager / WinAFL-RPC) — context lifetime probes1
- Generic ALPC fuzzers (RpcView / NtObjectManager / WinAFL-RPC) — lifetime checks1
- Generic capability-probing payloads1
- Generic clean-exit / sandbox-escape PoCs1
- Generic commodity loaders performing anti-analysis environmental keying1
- Generic indicator-removal modules in modern loaders1
- Generic Nt*-only filesystem stealer modules1
- Generic packers / loaders using burst-style worker wakeup1
- Generic persistence-installer droppers (write-then-flush pattern)1
- Generic post-ex reconnaissance scripts1
- Generic registry-watchdog implants1
- Generic sandbox-escape PoCs1
- Generic sandboxed-stager red-team tooling1
- Generic token-demotion red-team tooling1
- GhostPack SharpToken / Rubeus (post-exploitation)1
- GodPotato (tooling)1
- GootLoader1
- Hasherezade Transacted Hollowing PoC1
- Hell's Hall / Tartarus' Gate variants1
- Hell's Hall loaders1
- HermeticWiper (DEV-0586 / FoxBlade)1
- Hive1
- HotPotato (tooling)1
- IcedID loader1
- Impacket secretsdump.py (offline SAM mode)1
- Impacket secretsdump.py / reg.py save1
- KnownDlls hijack PoCs1
- Kovter (Run-key self-heal)1
- Kovter (selective Run-value cleanup pre-detonation)1
- Latrodectus1
- Lazarus (LSASS handle inspection)1
- Lazarus / Hidden Cobra — payload timestamp masking1
- Lazarus AppleJeus persistence enumerator1
- Lazarus FudModule (kernel-side equivalent)1
- Lazarus FudModule (rootkit loader)1
- LazyScripter / FIN7 (BYOVD chains)1
- Legacy BIOS-era implants (negligible modern offensive use)1
- Legacy BIOS-era utilities (negligible modern offensive use)1
- Legacy local-EoP toolkits (negligible modern offensive use)1
- Legacy process-hollowing loaders (pre-2010s)1
- loaders using self-lock anti-analysis (no widely-attributed family)1
- LockBit (3.0+) — self-wipe of stagers1
- LockBit (all generations)1
- LockBit (Backstab + procexp)1
- LockBit (Backstab/Spyboy)1
- LockBit (pairs with note locking)1
- LockBit (ransom-note DACL hardening)1
- LockBit (ransom-note locking)1
- LockBit 3.01
- LockBit 3.0 ('Black')1
- LPC research / red-team educational tooling1
- LSA Notification Package persistence implants1
- MDSec / TrustedSec enclave-loader PoCs (research)1
- MemoryModule1
- MemoryModule-based reflective PE loaders1
- Mimikatz (legacy variants)1
- Mimikatz (lsadump::sam offline mode)1
- Mimikatz (lsadump::sam, lsadump::secrets)1
- Mimikatz (token::create)1
- MiniDumpWriteDump credential-theft chains1
- Modern CFG/XFG-aware shellcode loaders1
- Modern infostealers (environment fingerprinting)1
- Modular implants using ALPC for intra-host IPC (generic)1
- MosaicRegressor1
- MosaicRegressor (APT41-adjacent)1
- Multi-threaded C2 implants (clean teardown)1
- Necurs1
- Nighthawk1
- No documented malware family abuses this syscall directly1
- NotPetya1
- Open-source PoolParty re-implementations 20241
- PassTheHash toolkit (legacy)1
- Perun's Fart (ntdll unhooker PoC)1
- Perun's Fart / FreshyCalls unhookers1
- Phantom DLL Hollowing PoC (Forrest Orr)1
- Phantom DLL Hollowing variants (Ex form for address-requirements)1
- Phantom DLL Hollowing variants (REG_APP_HIVE backing-file abuse)1
- PingPull1
- Play1
- PlugX1
- PoC EDR worker-thread unstickers1
- PoC EDR-hook bypasses (race-cancel)1
- PoC red-team frameworks (Outflank, etc., mailslot C2 demos)1
- PoolParty PoC — 'Start Routine Overwrite' variant1
- PoolParty PoC — 'Worker via Completion Port'1
- PoolParty PoC (cleanup phase)1
- PoolParty PoC (completion-port and start-routine variants)1
- PoolParty PoC (completion-port variant)1
- PoolParty PoC (handshake-emulating variants only)1
- PoolParty PoC (plumbing for all variants)1
- PoolParty PoC (recon + overwrite)1
- PoolParty PoC (SafeBreach / Alon Leviev)1
- PoolParty PoCs1
- PoshC2 (ADS payload hiding)1
- PoshC2 modules1
- PowerSploit Get-PassHashes1
- PowerSploit Persistence module1
- PowerSploit Persistence module (registry vectors)1
- Pre-attack UEFI reconnaissance (BlackLotus, MoonBounce, ESPecter)1
- PrintNightmare ALPC-adjacent exploit chains (CVE-2021-1675 / 34527)1
- PrintNightmare exploit chains (CVE-2021-1675 / 34527)1
- PrintSpoofer (SeImpersonatePrivilege → admin chain)1
- Process Hollowing PoCs (generic)1
- PsExec / Impacket psexec1
- Public CFG-bypass research (academic / red-team)1
- PwDump / fgdump1
- QakBot (Run-key persistence with watchers)1
- Ramnit1
- Ransomware persistence flush prior to host disruption1
- Ransomware service-DLL swap pre-reboot (observed in LockBit variants)1
- Ransomware variants forcing dirty-page writeback before reboot1
- Red-team ALPC recon tooling (SharpRPC, RPCView-derived utilities)1
- Red-team C2 frameworks adopting PoolParty Variant 61
- Red-team C2 frameworks adopting PoolParty Variant 71
- Red-team DoS / resource-exhaustion tooling1
- Red-team registry-tamper rollback frameworks1
- Red-team telemetry-isolation tooling (research)1
- Red-team timestomp scripts (PowerShell Set-MactimeFromRef)1
- RedLine Stealer (differential exfil)1
- RemcosRAT1
- RobbinHood1
- Rotten/Juicy Potato (token-abuse chain)1
- RottenPotato (tooling)1
- Royal ransomware (extended-info dedupe)1
- rpcview / alpc-fuzzing research tooling (Rouault, Forshaw)1
- Rustock (XP/Vista-era rootkit)1
- Ryuk / Conti1
- Sandbox-aware loaders (LRPC-endpoint fingerprinting)1
- Scattered Spider (BYOVD tooling)1
- ScyllaHide (defensive, but uses the same primitives)1
- Sednit (APT28) Zebrocy1
- Sleep-mask gadgets using threadpool idle tuning (rare, anecdotal)1
- Sliver (custom IOCP-based transports)1
- Sliver (named-pipe transport)1
- Sliver implants1
- Smoke Loader1
- SmokeLoader1
- Sober (16-bit DOS components, 2003-2005, 32-bit XP only)1
- Spyboy Terminator (Zemana zam64.sys abuse)1
- Stephen Fewer Reflective DLL Injection1
- Stuxnet1
- Stuxnet (junction abuse)1
- Stuxnet (named shared memory IPC)1
- SweetPotato (tooling)1
- Sysmon (legitimate user — same primitive)1
- SysWhispers-generated loaders (Nt* enumeration chains)1
- SysWhispers3 (+unhook)1
- Targeted AD enumeration utilities1
- Targeted APT loaders (persistence guards)1
- TDL4 / Alureon1
- Telemetry-decoy droppers1
- Themida (packed binaries)1
- Themida packer (anti-debug runtime)1
- Token Kidnapping PoCs (Cesar Cerrudo research, 2008)1
- TrickBoot (TrickBot module)1
- TrickBoot (TrickBot UEFI module)1
- TrickBoot (TrickBot UEFI reconnaissance module)1
- TrickBot (loader anti-analysis)1
- Turla Carbon1
- Various 2024 open-source PoolParty re-implementations1
- various commodity loaders with self-lock anti-analysis1
- Various crypters (Themida, VMProtect runtime checks)1
- various low-volume persistence rotators (no widely-attributed family)1
- Various PoSh credential-grabber scripts1
- Various red-team SAM/SYSTEM offline-parse tools1
- various registry-enumeration recon tools1
- Various sleep-mask gadgets (Ekko / foliage-derived)1
- VMProtect (packed binaries)1
- VMProtect packer (anti-debug runtime)1
- W^X aliasing PoCs1
- WhisperGate1
- WhisperGate (DEV-0586)1
- WinSCP/PuTTY session stealers (commodity infostealers)1
- ZeroAccess1