T1027.002 Software Packing Mappings

Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018)

Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.(Citation: Awesome Executable Packing)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
SI-2 Flaw Remediation Protects T1027.002 Software Packing
SI-3 Malicious Code Protection Protects T1027.002 Software Packing
SI-4 System Monitoring Protects T1027.002 Software Packing
SI-7 Software, Firmware, and Information Integrity Protects T1027.002 Software Packing
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1027.002 Obfuscated Files or Information: Software Packaging