T1027.002 · Sub-technique · defense-evasion · agent-callable

T1027.002 Software Packing

Sub-technique of T1027

Platforms: macOS · Windows · Linux

ATT&CK version: 14.1

What it is

Adversaries may use software packing or virtual-machine software protection to conceal their code. Software packing compresses or encrypts an executable and prepends a stub that restores the original code when the file runs; most packers decompress into memory rather than back to disk. Because the bytes on disk are transformed, a file signature written against the original code no longer matches, which is the point of the technique. Virtual-machine software protection goes further: it translates the executable's original code into a bytecode format that only the protector's own virtual machine can interpret, and that virtual machine is then called to run the code, so the original native instructions are never restored in memory either [3]. Utilities that perform software packing are called packers; MPRESS and UPX are well-known examples, and a more comprehensive list of known packers is maintained in the Awesome Executable Packing repository [2]. Adversaries may also write their own packers precisely so that the result does not carry the artifacts (section names, stub code, entropy profile) that detections for well-known packers key on.
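The detection side of the paragraph above, as an added example that is not part of the ATT&CK entry or the SQUR page: a Python script that builds two constructed PE32 images in memory, one with the code in a plain .text section and the same code compressed into a UPX-style UPX0/UPX1 layout (zlib stands in for the packer's own compressor), and then applies the checks a triage script would run: section names left by known packers, per-section Shannon entropy, an empty section reserved as the in-memory unpack target, and writable-plus-executable section flags. It also shows that a byte signature found in the plain build is absent from the packed file and reappears only after the packed section is inflated, which is the signature-evasion point of the technique. The section-name list, the thresholds, the opcode alphabet and the sample layout are this example's assumptions, not data from the page.

```python
"""Packing indicators for PE files. Constructed example, not ATT&CK or SQUR code."""
import math
import random
import struct
import zlib
from collections import Counter

# Assumed list for this example: names left by UPX and MPRESS (both named on the page).
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".MPRESS1", b".MPRESS2"}
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
SECTION_HEADER = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for compressed or encrypted data, far lower for code."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(image: bytes) -> list:
    """Walk the section table of a PE image and return per-section metadata plus entropy."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]            # IMAGE_DOS_HEADER.e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", image, pe_off + 6)[0]  # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]     # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HEADER, image, table + 40 * i)
        raw = image[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name.rstrip(b"\0"), "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": raw_size, "characteristics": chars, "raw": raw,
                         "entropy": shannon_entropy(raw)})
    return sections


def assess_packing(image: bytes, entropy_threshold: float = 7.0) -> dict:
    """Collect packing indicators; a known packer name or two or more indicators means 'packed'."""
    indicators = []
    for s in parse_sections(image):
        name = s["name"].decode("ascii", "replace")
        if s["name"] in PACKER_SECTION_NAMES:
            indicators.append(f"{name}: section name used by a known packer")
        if s["raw_size"] >= 256 and s["entropy"] >= entropy_threshold:
            indicators.append(f"{name}: entropy {s['entropy']:.2f} bits/byte, compressed or encrypted")
        if s["raw_size"] == 0 and s["virtual_size"] >= 0x1000:
            indicators.append(f"{name}: no data on disk but {s['virtual_size']:#x} bytes in memory")
        if s["characteristics"] & IMAGE_SCN_MEM_WRITE and s["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
            indicators.append(f"{name}: writable and executable, decompression happens in memory")
    known = any("known packer" in i for i in indicators)
    return {"packed": known or len(indicators) >= 2, "indicators": indicators}


def build_pe(sections: list) -> bytes:
    """Build a minimal PE32 image (constructed for the demo, not loadable) from a list of
    (name, raw_data, virtual_size, characteristics) tuples."""
    pe_off, opt_size, align = 0x80, 224, 0x200
    raw_ptr = -(-(pe_off + 24 + opt_size + 40 * len(sections)) // align) * align
    dos = bytearray(pe_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    headers, raw, vaddr = b"", b"", 0x1000
    for name, data, vsize, chars in sections:
        headers += struct.pack(SECTION_HEADER, name.ljust(8, b"\0"), vsize, vaddr, len(data),
                               raw_ptr + len(raw) if data else 0, 0, 0, 0, 0, chars)
        raw += data.ljust(-(-len(data) // align) * align, b"\0")
        vaddr += -(-max(vsize, len(data)) // 0x1000) * 0x1000
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + headers
    return image.ljust(raw_ptr, b"\0") + raw


def unpack_in_memory(image: bytes) -> bytes:
    """What the packer's stub does at run time: inflate the packed section into the empty
    target. zlib stands in for the packer's own compressor (an assumption of this demo)."""
    packed = next(s for s in parse_sections(image) if s["name"] == b"UPX1")
    return zlib.decompress(packed["raw"])


# Constructed sample: "code" drawn from 16 opcode-like byte values (about 4 bits/byte of
# entropy) with a 16-byte pattern that a byte signature would match on.
SIGNATURE = bytes.fromhex("4883ec28e8000000004883c428c3cccc")
_rng = random.Random(1)
_OPCODES = [0x48, 0x8B, 0x89, 0xE8, 0x00, 0x01, 0x24, 0x45, 0x55, 0x5D, 0x0F, 0xFF, 0x74, 0x75, 0x83, 0xC3]
PLAIN_CODE = (bytes(_rng.choice(_OPCODES) for _ in range(4096)) + SIGNATURE
              + bytes(_rng.choice(_OPCODES) for _ in range(4096)))
RX = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE
RWX = RX | IMAGE_SCN_MEM_WRITE
UNPACKED_PE = build_pe([(b".text", PLAIN_CODE, len(PLAIN_CODE), RX)])
PACKED_PE = build_pe([(b"UPX0", b"", len(PLAIN_CODE), RWX),                   # empty unpack target
                      (b"UPX1", zlib.compress(PLAIN_CODE, 9), 0x2000, RWX)])  # stub + payload

if __name__ == "__main__":
    for label, image in (("unpacked", UNPACKED_PE), ("packed", PACKED_PE)):
        result = assess_packing(image)
        print(f"{label}: signature on disk={SIGNATURE in image}, packed={result['packed']}")
        for line in result["indicators"]:
            print("   ", line)
    print("signature after in-memory unpack:", SIGNATURE in unpack_in_memory(PACKED_PE))
```

Entropy alone is a weak signal (signed installers and resource-heavy binaries also carry high-entropy sections), which is why the verdict combines it with structural indicators; a custom packer that uses ordinary section names and unpacks into a freshly allocated region rather than an empty section will trip fewer of these checks, which is exactly the evasion the last sentence of the description refers to.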

ATT&CK tactics · 1

Defense Evasion

References

  1. https://attack.mitre.org/techniques/T1027/002
  2. https://github.com/dhondta/awesome-executable-packing
  3. https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf
Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.