T1027.002 Software Packing Mappings

Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018)

Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.(Citation: Awesome Executable Packing)
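As an added example (not part of the ATT&CK entry or of the mappings below), a small Python triage script that looks for the on-disk artifacts the description implies: section names left behind by UPX and MPRESS, sections whose bytes have the high entropy of compressed or encrypted code, and sections that hold nothing on disk but reserve space in memory for the code that is decompressed at run time. The sample PE images are constructed inline; PACKER_SECTION_NAMES and the 7.0 entropy threshold are assumptions, not values from the page.

```python
import math
import struct
from collections import Counter

# Section names left by UPX/MPRESS (the packers named in the text); a custom
# packer can use any name, so treat this as one signal among several (assumed list).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".MPRESS1", ".MPRESS2"}

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, from 0.0 (constant) to 8.0 (uniform)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_sections(pe: bytes):
    """Yield (name, virtual_size, raw_size, raw_bytes) per IMAGE_SECTION_HEADER."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    off = e_lfanew + 24 + opt_hdr_size  # section table follows the optional header
    for _ in range(num_sections):
        name, vsize, _va, rsize, rptr = struct.unpack_from("<8sIIII", pe, off)
        yield name.rstrip(b"\0").decode("ascii", "replace"), vsize, rsize, pe[rptr:rptr + rsize]
        off += 40

def packing_indicators(pe: bytes) -> list:
    """Return the on-disk signs of packing found in the image (empty if none)."""
    findings = []
    for name, vsize, rsize, raw in parse_sections(pe):
        if name in PACKER_SECTION_NAMES:
            findings.append(f"{name}: known packer section name")
        if rsize == 0 and vsize > 0:
            # Empty on disk but sized in memory: where the stub unpacks the real code.
            findings.append(f"{name}: no raw data, {vsize} bytes reserved in memory")
        elif (ent := shannon_entropy(raw)) > 7.0:  # compressed/encrypted data nears 8.0
            findings.append(f"{name}: high entropy {ent:.2f} bits/byte")
    return findings

def build_sample_pe(sections) -> bytes:
    """Constructed test input: minimal PE (no optional header) from (name, vsize, raw)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0)
    table, body, rptr = b"", b"", 64 + 24 + 40 * len(sections)
    for name, vsize, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, 0x1000, len(raw), rptr, 0, 0, 0, 0, 0)
        body, rptr = body + raw, rptr + len(raw)
    return dos + coff + table + body
```

Entropy and section-name checks only catch packers that leave such artifacts; the in-memory scanning described in the mappings below is what covers a packer that uses ordinary names and unpacks before execution.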


Mappings

Mapping 1
Capability ID: intel-tdt
Capability Description: Intel Threat Detection Technology
Mapping Type: Microsoft Defender
ATT&CK ID: T1027.002
ATT&CK Name: Software Packing
Comments: Intel Threat Detection Technology's (Intel TDT) Accelerated Memory Scanning (AMS) enables efficient memory scanning by offloading these operations to the integrated Graphics Processor Unit (integrated GPU) on Intel client SoCs. Microsoft Defender Antivirus leverages AMS to optimize the detection of polymorphic and fileless attacks, improving resource efficiency and reducing the performance impact on the Central Processing Unit (CPU).
References:

Mapping 2
Capability ID: intel-tdt
Capability Description: Intel Threat Detection Technology
Mapping Type: CrowdStrike AMS
ATT&CK ID: T1027.002
ATT&CK Name: Software Packing
Comments: Intel Threat Detection Technology's (Intel TDT) Accelerated Memory Scanning (AMS) enables efficient memory scanning by offloading these operations to the integrated Graphics Processor Unit (integrated GPU) on Intel client SoCs. Microsoft Defender Antivirus leverages AMS to optimize the detection of polymorphic and fileless attacks, improving resource efficiency and reducing the performance impact on the Central Processing Unit (CPU). Intel TDT, combined with CrowdStrike's Accelerated Memory Scanning (CAMS), enhances cybersecurity defenses by enabling faster, real-time detection of Software Packing exploits. This integrated solution strengthens CrowdStrike Falcon, improving its ability to detect and mitigate cyber threats earlier in the kill chain, all while minimizing system performance impact. Software Packing attacks involve adversaries using packing tools to compress or encrypt executable files to evade detection by traditional security tools. These techniques are designed to obscure the true nature of malicious files, making it harder for signature-based detection systems to identify threats. Once unpacked, the malicious payload can execute, often bypassing conventional defenses. Intel TDT plays a crucial role in identifying these threats by providing real-time telemetry on program execution, memory access, and control flow, allowing security teams to detect abnormal behaviors, such as suspicious unpacking processes or code injection attempts that could indicate software packing or other evasion tactics. Additionally, CAMS offloads the memory scanning workload from the CPU to the Intel integrated GPU, enabling faster, more efficient detection of malicious activity without degrading system performance. CAMS helps identify suspicious behaviors, such as attempts to unpack or manipulate files, providing proactive defense against evasive software packing techniques.
References: