Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018)
Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available (Citation: Wikipedia Exe Compression), but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers, in order to evade defenses.
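The description above names the artifacts a defender can look for: a packed executable carries compressed or encrypted code that is only unpacked in memory, so on disk its code sections show near-random byte distributions, and well-known packers such as UPX and MPRESS write recognisable section names. The following is an added example, not code from MITRE ATT&CK or from any mapped control: a minimal PE section-table parser plus a Shannon-entropy and section-name heuristic for triaging possibly packed files. The sample images it analyses are constructed inline with `struct` (they are not real binaries), the entropy threshold of 7.0 bits/byte and the section-name list are assumptions chosen for the example, and a hit from the heuristic is a triage signal rather than proof of packing.

```python
import hashlib
import math
import struct
from collections import Counter

# Default section names written by UPX and MPRESS (assumption: a heuristic
# list for this example; custom packers may use any name at all).
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".MPRESS1", ".MPRESS2"}
HIGH_ENTROPY = 7.0  # bits/byte; compressed or encrypted data sits close to 8.0

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty or constant input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Walk the PE section table and return (name, raw_ptr, raw_size, characteristics)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # COFF file header
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size                          # section table start
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                              # 40-byte IMAGE_SECTION_HEADER
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append((name, raw_ptr, raw_size, chars))
    return sections


def assess_packing(pe: bytes) -> dict:
    """Collect packing indicators: packer section names, high entropy, RWX sections."""
    findings = []
    for name, ptr, size, chars in parse_sections(pe):
        data = pe[ptr:ptr + size]
        ent = shannon_entropy(data)
        if name in KNOWN_PACKER_SECTIONS:
            findings.append(f"known packer section name: {name}")
        if size and ent >= HIGH_ENTROPY:
            findings.append(f"high-entropy section {name}: {ent:.2f} bits/byte")
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            findings.append(f"writable and executable section: {name}")
    return {"likely_packed": bool(findings), "findings": findings}


def build_pe(sections) -> bytes:
    """Construct a minimal PE image (headers plus raw section data) for testing.
    sections: list of (name, data, characteristics). Constructed sample, not a real binary."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    hdr_end = e_lfanew + 4 + 20 + 40 * len(sections)
    raw_ptr = (hdr_end + 0x1FF) & ~0x1FF                  # 0x200 file alignment
    table, body = b"", b""
    for name, data, chars in sections:
        table += name.encode().ljust(8, b"\0")
        table += struct.pack("<IIII", len(data), 0x1000, len(data), raw_ptr + len(body))
        table += struct.pack("<IIHHI", 0, 0, 0, 0, chars)
        body += data
    image = dos + b"PE\0\0" + coff + table
    return image + b"\0" * (raw_ptr - len(image)) + body


# Deterministic pseudo-random bytes stand in for a compressed code section.
_RANDOMISH = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
_PLAIN_CODE = b"\x55\x8b\xec\x83\xec\x10" * 512          # repetitive, low entropy

CLEAN_SAMPLE = build_pe([(".text", _PLAIN_CODE, 0x60000020), (".data", b"cfg\0" * 64, 0xC0000040)])
PACKED_SAMPLE = build_pe([("UPX0", b"", 0xE0000080), ("UPX1", _RANDOMISH, 0xE0000040)])

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(label, assess_packing(sample))
```

Run as a script it prints no findings for the clean image and three for the packed one (packer section names, the RWX `UPX0` section and the high-entropy `UPX1` section). Because the heuristic keys on defaults that a custom packer need not reproduce, the entropy and RWX checks are the ones that survive a renamed section, and none of them replaces in-memory inspection of what the unpacking stub eventually runs.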
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
SI-2 | Flaw Remediation | Protects | T1027.002 | Software Packing | |
SI-3 | Malicious Code Protection | Protects | T1027.002 | Software Packing | |
SI-4 | System Monitoring | Protects | T1027.002 | Software Packing | |
SI-7 | Software, Firmware, and Information Integrity | Protects | T1027.002 | Software Packing | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
microsoft_antimalware_for_azure | Microsoft Antimalware for Azure | technique_scores | T1027.002 | Software Packing | Comments: This control may quarantine and/or delete malware that has been packed by well-known software packing utilities. These utilities can provide signatures that apply to a variety of malware. References: (none listed) |
microsoft_antimalware_for_azure | Microsoft Antimalware for Azure | technique_scores | T1027.002 | Software Packing | Comments: This control may detect malware that has been packed by well-known software packing utilities. These utilities can provide signatures that apply to a variety of malware. References: (none listed) |