Obfuscated Files or Information: Software Packing (T1027.002)

Tactic: Stealth · Platforms: Linux, macOS, Windows

The interactive view maps 1 detection strategy, 1 mitigation, 23 threat groups, 73 software entries, 7 campaigns to this technique, alongside D3FEND countermeasures and data-component coverage.

Sub-technique of Obfuscated Files or Information (T1027).

Overview

Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.

Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.

Explore