T1027.002 Software Packing

Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018)

Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.(Citation: Awesome Executable Packing)
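As an added example (not part of the ATT&CK text or the mappings on this page): a small Python checker for two defender-side heuristics that follow from the description above and from the PR.PS-05.01 note further down, namely high entropy of on-disk sections (code that stays compressed or encrypted until it is unpacked in memory) and section names left behind by well-known packers such as UPX and MPRESS. The minimal PE parser, the section-name list and the two sample images are constructed for this illustration and are assumptions, not data from the page.

```python
import math
import random
import struct
from collections import Counter
# Section names that well-known packers leave behind (illustrative list, an assumption).
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".MPRESS1", ".MPRESS2"}
ENTROPY_THRESHOLD = 7.0  # bits per byte; compressed or encrypted data approaches 8.0

def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_sections(image: bytes):
    """Yield (name, raw_bytes) per section; minimal PE header walk, no third-party parser."""
    pe = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[:2] != b"MZ" or image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect = struct.unpack_from("<H", image, pe + 6)[0]       # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]   # COFF SizeOfOptionalHeader
    off = pe + 24 + opt_size                                 # first IMAGE_SECTION_HEADER
    for _ in range(nsect):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, off)
        yield name.rstrip(b"\0").decode("ascii", "replace"), image[raw_ptr:raw_ptr + raw_size]
        off += 40

def packing_indicators(image: bytes) -> list:
    """Return findings; an empty list means neither heuristic fired (not proof of absence)."""
    findings = []
    for name, raw in pe_sections(image):
        if name in KNOWN_PACKER_SECTIONS:
            findings.append(f"known packer section name {name!r}")
        ent = shannon_entropy(raw)
        if raw and ent >= ENTROPY_THRESHOLD:
            findings.append(f"section {name!r} raw-data entropy {ent:.2f} >= {ENTROPY_THRESHOLD}")
    return findings

def build_sample_pe(sections) -> bytes:
    """Constructed minimal PE (DOS stub, signature, COFF header, empty optional header, sections)."""
    hdr_len = 0x40 + 4 + 20 + 40 * len(sections)
    table, blobs = b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), 0x1000, len(data), hdr_len + len(blobs), 0, 0, 0, 0, 0)
        blobs += data
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    return dos + b"PE\0\0" + coff + table + blobs

# Constructed samples: a "packed" image with UPX-style sections and a seeded pseudo-random payload, versus a plain image with low-entropy code and data.
rng = random.Random(1)
PACKED = build_sample_pe([(b"UPX0", b""), (b"UPX1", bytes(rng.randrange(256) for _ in range(4096)))])
PLAIN = build_sample_pe([(b".text", b"\x90" * 512 + b"\xc3"), (b".data", b"hello" * 40)])
```

A custom packer that avoids known section names still tends to trip the entropy check, which is why both heuristics are combined; run `packing_indicators()` over a real file's bytes to see which fire.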


CRI Profile Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1027.002 | Software Packing | This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS, providing protection against threats and exploitation attempts. |
| PR.IR-01.08 | End-user device access | Mitigates | T1027.002 | Software Packing | This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization's network and resources. |
| PR.PS-01.01 | Configuration baselines | Mitigates | T1027.002 | Software Packing | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
| PR.PS-01.08 | End-user device protection | Mitigates | T1027.002 | Software Packing | This diagnostic statement provides protections for endpoints against obfuscated files or information through configuration requirements, connection requirements, and other mechanisms that protect network, application, and data integrity. |
| PR.PS-05.01 | Malware prevention | Mitigates | T1027.002 | Software Packing | Heuristic-based malware detection and signatures for observed malware can be used to identify known software packers or artifacts of packing techniques that conceal malicious content. |
| PR.PS-01.08 | End-user device protection | Mitigates | T1027.002 | Software Packing | This diagnostic statement protects against Software Packing by limiting access to resources to authorized devices only, managing personal computing devices, using network intrusion prevention, and using antimalware. |

NIST 800-53 Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| SI-02 | Flaw Remediation | mitigates | T1027.002 | Software Packing | |
| SI-03 | Malicious Code Protection | mitigates | T1027.002 | Software Packing | |
| SI-07 | Software, Firmware, and Information Integrity | mitigates | T1027.002 | Software Packing | |
| SI-04 | System Monitoring | mitigates | T1027.002 | Software Packing | |

VERIS Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1027.002 | Software Packing | |

Azure Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| microsoft_antimalware_for_azure | Microsoft Antimalware for Azure | technique_scores | T1027.002 | Software Packing | This control may detect malware that has been packed by well-known software packing utilities. Signatures for these packing utilities apply to a variety of malware packed with them. |
| microsoft_antimalware_for_azure | Microsoft Antimalware for Azure | technique_scores | T1027.002 | Software Packing | This control may quarantine and/or delete malware that has been packed by well-known software packing utilities. Signatures for these packing utilities apply to a variety of malware packed with them. |