T1027.002
Obfuscated Files or Information: Software Packing
Description from ATT&CK
Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018)
Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.(Citation: Awesome Executable Packing)
Atomic Tests
Atomic Test #1 - Binary simply packed by UPX (linux)
Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX. No other protection/compression were applied.
Supported Platforms: linux
auto_generated_guid: 11c46cd8-e471-450e-acb8-52a1216ae6a4
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
bin_path | Packed binary | path | PathToAtomicsFolder/T1027.002/bin/linux/test_upx |
Attack Commands: Run with sh!
1
cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin
Cleanup Commands:
1
rm /tmp/packed_bin
Atomic Test #2 - Binary packed by UPX, with modified headers (linux)
Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX.
The UPX magic number (
, "1
0x55505821
") was changed to (1
UPX!
, "1
0x4c4f5452
"). This prevents the binary from being detected
by some methods, and especially UPX is not able to uncompress it any more.1
LOTR
Supported Platforms: linux
auto_generated_guid: f06197f8-ff46-48c2-a0c6-afc1b50665e1
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
bin_path | Packed binary | path | PathToAtomicsFolder/T1027.002/bin/linux/test_upx_header_changed |
Attack Commands: Run with sh!
1
cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin
Cleanup Commands:
1
rm /tmp/packed_bin
Atomic Test #3 - Binary simply packed by UPX
Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX. No other protection/compression were applied.
Supported Platforms: macos
auto_generated_guid: b16ef901-00bb-4dda-b4fc-a04db5067e20
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
bin_path | Packed binary | path | PathToAtomicsFolder/T1027.002/bin/darwin/test_upx |
Attack Commands: Run with sh!
1
cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin
Cleanup Commands:
1
rm /tmp/packed_bin
Atomic Test #4 - Binary packed by UPX, with modified headers
Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX.
The UPX magic number (
, "1
0x55505821
") was changed to (1
UPX!
, "1
0x4c4f5452
"). This prevents the binary from being detected
by some methods, and especially UPX is not able to uncompress it any more.1
LOTR
Supported Platforms: macos
auto_generated_guid: 4d46e16b-5765-4046-9f25-a600d3e65e4d
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
bin_path | Packed binary | path | PathToAtomicsFolder/T1027.002/bin/darwin/test_upx_header_changed |
Attack Commands: Run with sh!
1
cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin
Cleanup Commands:
1
rm /tmp/packed_bin