ID | Name |
---|---|
T1406.001 | Steganography |
T1406.002 | Software Packing |
Adversaries may perform software packing to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. The packed file typically carries a small stub that decompresses or decrypts the original executable code in memory at run time, so the original code never appears on disk in its unpacked form.
Utilities used to perform software packing are called packers. An example packer is FTT. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.
ID | Name | Description |
---|---|---|
S1094 | BRATA | |
S0432 | Bread | Bread payloads have used several commercially available packers.[2] |
S0406 | Gustuff | Gustuff code is both obfuscated and packed with an FTT packer.[3] |
S1062 | S.O.V.A. | S.O.V.A. has been distributed in obfuscated and packed form.[4] |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0041 | Application Vetting | API Calls | Application vetting services could look for known software packers or artifacts of packing techniques. Packing is not a definitive indicator of malicious activity, because legitimate software may use packing techniques to reduce binary size or to protect proprietary code. |
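As an added illustration of the packing artifacts a vetting pipeline might look for (this is example code written for this page, not ATT&CK's, Google's, or any vendor's vetting logic), the script below inspects an Android APK for the pattern a generic Android packer leaves behind: a `classes.dex` that defines only a handful of classes (the loader stub) next to a large, high-entropy blob under `assets/` or `lib/` (the encrypted real payload). The thresholds (`MIN_CLASS_DEFS`, `ENTROPY_THRESHOLD`, `MIN_BLOB_SIZE`) and the stub-plus-blob heuristic are assumptions to be tuned against a corpus of known-good apps, and both sample APKs are constructed in memory. As the text notes, a hit is a reason to review, not a verdict: legitimate apps ship encrypted assets, and a custom packer that stores its payload differently will not trip this check.

```python
import io
import math
import os
import struct
import zipfile

# DEX header layout (dex file format): 8-byte magic at offset 0,
# class_defs_size as a little-endian uint32 at offset 96 of the 0x70-byte header.
DEX_MAGIC = b"dex\n035\0"
DEX_HEADER_LEN = 0x70
CLASS_DEFS_SIZE_OFF = 96

# Heuristic thresholds (assumptions; tune against known-good apps before relying on them).
MIN_CLASS_DEFS = 20          # a loader stub DEX usually defines only a few classes
ENTROPY_THRESHOLD = 7.5      # bits/byte; encrypted or compressed data approaches 8.0
MIN_BLOB_SIZE = 4096         # entropy estimates on tiny files are noisy, skip them
MEDIA_SUFFIXES = (".png", ".jpg", ".jpeg", ".webp", ".ogg", ".mp3", ".mp4")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def dex_class_def_count(dex: bytes):
    """Return class_defs_size from a DEX header, or None if the blob is not a DEX."""
    if len(dex) < DEX_HEADER_LEN or dex[:8] != DEX_MAGIC:
        return None
    return struct.unpack_from("<I", dex, CLASS_DEFS_SIZE_OFF)[0]


def scan_apk(apk_bytes: bytes) -> dict:
    """Flag the stub-DEX-plus-opaque-payload pattern common to generic Android packers."""
    stub_dex, opaque_blobs = [], []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            name = info.filename
            data = apk.read(info)   # decompressed content, so entropy reflects the payload itself
            if name.startswith("classes") and name.endswith(".dex"):
                n = dex_class_def_count(data)
                if n is None or n < MIN_CLASS_DEFS:
                    stub_dex.append(name)
            elif name.startswith(("assets/", "lib/")) and not name.lower().endswith(MEDIA_SUFFIXES):
                # Compressed media is naturally near 8 bits/byte; skipping it limits false positives.
                if len(data) >= MIN_BLOB_SIZE and shannon_entropy(data) > ENTROPY_THRESHOLD:
                    opaque_blobs.append(name)
    if stub_dex and opaque_blobs:
        verdict = "likely packed: stub DEX plus opaque payload"
    elif stub_dex or opaque_blobs:
        verdict = "review: single packing indicator"
    else:
        verdict = "no packing indicators"
    return {"stub_dex": stub_dex, "opaque_blobs": opaque_blobs, "verdict": verdict}


def make_dex_header(class_defs: int) -> bytes:
    """Constructed minimal DEX header (no code sections) carrying the given class_defs_size."""
    hdr = bytearray(DEX_HEADER_LEN)
    hdr[0:8] = DEX_MAGIC
    struct.pack_into("<I", hdr, 32, DEX_HEADER_LEN)   # file_size
    struct.pack_into("<I", hdr, 36, DEX_HEADER_LEN)   # header_size
    struct.pack_into("<I", hdr, 40, 0x12345678)       # endian_tag (little-endian constant)
    struct.pack_into("<I", hdr, CLASS_DEFS_SIZE_OFF, class_defs)
    return bytes(hdr)


def build_sample_apk(packed: bool) -> bytes:
    """Constructed in-memory APK: either packed-looking or plain (sample data, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        apk.writestr("AndroidManifest.xml", b"<manifest/>")   # placeholder, not real binary XML
        if packed:
            apk.writestr("classes.dex", make_dex_header(class_defs=3))      # tiny loader stub
            apk.writestr("assets/payload.bin", os.urandom(64 * 1024))      # stands in for an encrypted DEX
        else:
            apk.writestr("classes.dex", make_dex_header(class_defs=450))
            apk.writestr("assets/licenses.txt", b"Lorem ipsum dolor sit amet, consectetur. " * 300)
    return buf.getvalue()


if __name__ == "__main__":
    for label, packed in (("packed", True), ("plain", False)):
        print(label, scan_apk(build_sample_apk(packed)))
```

Run it as-is to see the two constructed samples scored; to point it at real APKs, pass the file bytes to `scan_apk`. Treat "review" hits as a queue for manual analysis (for example, dynamic unpacking to dump the decrypted DEX from memory) rather than as a block decision.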