Find sigma rule
Attack: Obfuscated Files or Information: Software Packing
Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable’s original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018)
Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.(Citation: Awesome Executable Packing)
MITRE
Tactic
- defense-evasion
technique
- T1027.002
Test : Binary packed by UPX, with modified headers
OS
- macos
Description:
Copies and then runs a simple binary (just outputting “the cake is a lie”), that was packed by UPX.
The UPX magic number (0x55505821
, “UPX!
”) was changed to (0x4c4f5452
, “LOTR
”). This prevents the binary from being detected
by some methods, and especially UPX is not able to uncompress it any more.
Executor
sh