GET /api/techniques/388/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 388,
    "key": "kernel-flag-inspection-via-sysctl",
    "unprotect_id": "U0135",
    "name": "kernel flag inspection via sysctl",
    "description": "The `sysctl` anti-debugging technique can be abused by malware to detect and evade debugging tools on macOS or BSD-like systems. By querying the kernel for process information, malware checks flags (e.g., `0x800`) to see if a debugger is attached. If one is detected, the malware can terminate, alter its behavior, or enter a dormant state to avoid analysis. \r\n\r\nBecause this technique blends in with legitimate system calls, it makes detection harder and can be used to bypass sandbox analysis. BANSHEE Stealer (`11aa6eeca2547fcf807129787bec0d576de1a29b56945c5a8fb16ed8bf68f782`) uses this method to evade reverse-engineering and maintain stealth.",
    "windows": "",
    "linux": "",
    "macos": "",
    "resources": "https://www.elastic.co/security-labs/beyond-the-wail",
    "creation_date": "2025-01-11T03:00:07.056523Z",
    "tags": "",
    "modification_date": "2025-01-11T03:40:25.992268Z",
    "category": [
        3
    ],
    "rules": [],
    "attachments": [],
    "featured_api": [],
    "contributors": []
}