Software Packing - T1027.002
(ATT&CK® Technique)
Definition
Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
D3FEND Inferred Relationships
graph LR;
T1027002["Software Packing"] -->|obfuscates| ExecutableFile["Executable File"];
class T1027002 OffensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click T1027002 href "../../../offensive-technique/attack/T1027.002/";
click ExecutableFile href "../../../dao/artifact/d3f:ExecutableFile";

FileIntegrityMonitoring["File Integrity Monitoring"] -->|analyzes| ExecutableFile["Executable File"];
FileIntegrityMonitoring["File Integrity Monitoring"] -.->|may-detect| T1027002["Software Packing"];
class FileIntegrityMonitoring DefensiveTechniqueNode;
click FileIntegrityMonitoring href "../../../technique/d3f:FileIntegrityMonitoring";

FileEviction["File Eviction"] -->|deletes| ExecutableFile["Executable File"];
FileEviction["File Eviction"] -.->|may-evict| T1027002["Software Packing"];
class FileEviction DefensiveTechniqueNode;
click FileEviction href "../../../technique/d3f:FileEviction";

FileEncryption["File Encryption"] -->|encrypts| ExecutableFile["Executable File"];
FileEncryption["File Encryption"] -.->|may-harden| T1027002["Software Packing"];
class FileEncryption DefensiveTechniqueNode;
click FileEncryption href "../../../technique/d3f:FileEncryption";

DynamicAnalysis["Dynamic Analysis"] -->|analyzes| ExecutableFile["Executable File"];
DynamicAnalysis["Dynamic Analysis"] -.->|may-detect| T1027002["Software Packing"];
class DynamicAnalysis DefensiveTechniqueNode;
click DynamicAnalysis href "../../../technique/d3f:DynamicAnalysis";

EmulatedFileAnalysis["Emulated File Analysis"] -->|analyzes| ExecutableFile["Executable File"];
EmulatedFileAnalysis["Emulated File Analysis"] -.->|may-detect| T1027002["Software Packing"];
class EmulatedFileAnalysis DefensiveTechniqueNode;
click EmulatedFileAnalysis href "../../../technique/d3f:EmulatedFileAnalysis";

ContentModification["Content Modification"] -->|modifies| ExecutableFile["Executable File"];
ContentModification["Content Modification"] -.->|may-isolate| T1027002["Software Packing"];
class ContentModification DefensiveTechniqueNode;
click ContentModification href "../../../technique/d3f:ContentModification";

ContentQuarantine["Content Quarantine"] -->|quarantines| ExecutableFile["Executable File"];
ContentQuarantine["Content Quarantine"] -.->|may-isolate| T1027002["Software Packing"];
class ContentQuarantine DefensiveTechniqueNode;
click ContentQuarantine href "../../../technique/d3f:ContentQuarantine";

DecoyFile["Decoy File"] -->|spoofs| ExecutableFile["Executable File"];
DecoyFile["Decoy File"] -.->|may-deceive| T1027002["Software Packing"];
class DecoyFile DefensiveTechniqueNode;
click DecoyFile href "../../../technique/d3f:DecoyFile";

ExecutableDenylisting["Executable Denylisting"] -->|blocks| ExecutableFile["Executable File"];
ExecutableDenylisting["Executable Denylisting"] -.->|may-isolate| T1027002["Software Packing"];
class ExecutableDenylisting DefensiveTechniqueNode;
click ExecutableDenylisting href "../../../technique/d3f:ExecutableDenylisting";

LocalFilePermissions["Local File Permissions"] -->|restricts| ExecutableFile["Executable File"];
LocalFilePermissions["Local File Permissions"] -.->|may-isolate| T1027002["Software Packing"];
class LocalFilePermissions DefensiveTechniqueNode;
click LocalFilePermissions href "../../../technique/d3f:LocalFilePermissions";

ExecutableAllowlisting["Executable Allowlisting"] -->|blocks| ExecutableFile["Executable File"];
ExecutableAllowlisting["Executable Allowlisting"] -.->|may-isolate| T1027002["Software Packing"];
class ExecutableAllowlisting DefensiveTechniqueNode;
click ExecutableAllowlisting href "../../../technique/d3f:ExecutableAllowlisting";

ContentFiltering["Content Filtering"] -->|filters| ExecutableFile["Executable File"];
ContentFiltering["Content Filtering"] -.->|may-isolate| T1027002["Software Packing"];
class ContentFiltering DefensiveTechniqueNode;
click ContentFiltering href "../../../technique/d3f:ContentFiltering";

FileAnalysis["File Analysis"] -->|analyzes| ExecutableFile["Executable File"];
FileAnalysis["File Analysis"] -.->|may-detect| T1027002["Software Packing"];
class FileAnalysis DefensiveTechniqueNode;
click FileAnalysis href "../../../technique/d3f:FileAnalysis";

RestoreFile["Restore File"] -->|restores| ExecutableFile["Executable File"];
RestoreFile["Restore File"] -.->|may-restore| T1027002["Software Packing"];
class RestoreFile DefensiveTechniqueNode;
click RestoreFile href "../../../technique/d3f:RestoreFile";

RemoteFileAccessMediation["Remote File Access Mediation"] -->|isolates| ExecutableFile["Executable File"];
RemoteFileAccessMediation["Remote File Access Mediation"] -.->|may-isolate| T1027002["Software Packing"];
class RemoteFileAccessMediation DefensiveTechniqueNode;
click RemoteFileAccessMediation href "../../../technique/d3f:RemoteFileAccessMediation";