Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018)
Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.(Citation: Awesome Executable Packing)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1027.002 | Software Packing |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
References
|
| PR.IR-01.08 | End-user device access | Mitigates | T1027.002 | Software Packing |
Comments
This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization’s network and resources.
References
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1027.002 | Software Packing |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
References
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1027.002 | Software Packing |
Comments
This diagnostic statement provides protections for endpoints from obfuscated files or information through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
References
|
| PR.PS-05.01 | Malware prevention | Mitigates | T1027.002 | Software Packing |
Comments
Heuristic-based malware detection and signatures for observed malware can be used to identify known software packers or artifacts of packing techniques that conceal malicious content.
References
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1027.002 | Software Packing |
Comments
This diagnostic statement protects against Software Packing through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| SI-02 | Flaw Remediation | mitigates | T1027.002 | Software Packing | |
| SI-03 | Malicious Code Protection | mitigates | T1027.002 | Software Packing | |
| SI-07 | Software, Firmware, and Information Integrity | mitigates | T1027.002 | Software Packing | |
| SI-04 | System Monitoring | mitigates | T1027.002 | Software Packing |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1027.002 | Software Packing |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| microsoft_antimalware_for_azure | Microsoft Antimalware for Azure | technique_scores | T1027.002 | Software Packing |
Comments
This control may detect malware that has been packed by well known software packing utilities. These utilities can provide signatures that apply to a variety of malware.
References
|
| microsoft_antimalware_for_azure | Microsoft Antimalware for Azure | technique_scores | T1027.002 | Software Packing |
Comments
This control may quarantine and/or delete malware that has been packed by well known software packing utilities. These utilities can provide signatures that apply to a variety of malware.
References
|