T1027.002

Software Packing

Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. Common packers include UPX, MPRESS, Themida, VMProtect, and custom packers. APT41, APT39, Lazarus Group, Aoqin Dragon, and many commodity malware families including LockBit, QakBot, and Cobalt Strike use software packing.

Microsoft Sentinel / Defender

kusto

let PackerIndicators = dynamic([
  "UPX", "upx", "MPRESS", "Themida", "VMProtect", "Enigma", "Obsidium",
  "PEID", "ExeCryptor", "ASProtect", "PECompact", "WinRAR SFX", "7-Zip SFX"
]);
DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType == "FileCreated"
| where FileName endswith ".exe" or FileName endswith ".dll"
| where FolderPath has_any ("\\Temp\\", "\\Downloads\\", "\\AppData\\Roaming\\", "\\AppData\\Local\\Temp\\")
| join kind=leftouter (
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FileName in~ ("upx.exe", "themida.exe", "vmprotect.exe", "mpress.exe", "enigma.exe")
    | project DeviceName, PackerTool=FileName, PackerCmdLine=ProcessCommandLine, PackerTime=Timestamp
) on DeviceName
| project Timestamp, DeviceName, FolderPath, FileName, FileSize,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         PackerTool, PackerCmdLine, PackerTime
| sort by Timestamp desc

medium severity medium confidence

Data Sources

File: File Creation Process: Process Creation Microsoft Defender for Endpoint

Required Tables

DeviceFileEvents DeviceProcessEvents

False Positives

Legitimate UPX-packed open source tools (many Linux ports to Windows use UPX for size reduction)
Game distribution platforms (Steam, Epic) that use custom packers or SFX archives for game installers
Self-extracting archives used by IT teams for software deployment that use WinRAR or 7-Zip SFX format
Security research environments where packer tools are deliberately run for analysis purposes

Elastic Security (EQL)

eql

any where
  /* Signal 1: Known packer tool executed outside trusted system paths (mirrors KQL packer process join) */
  (event.category == "process" and event.type == "start" and
   process.name in~ ("upx.exe", "themida.exe", "vmprotect.exe", "mpress.exe",
                     "enigma.exe", "obsidium.exe", "asprotect.exe", "pecompact.exe") and
   not process.executable : ("C:\\Windows\\*", "C:\\Program Files\\*",
                              "C:\\Program Files (x86)\\*"))
  or
  /* Signal 2: Packer-associated DLL/module loaded by a non-system process (mirrors SPL EventCode=7) */
  (event.category == "library" and
   (file.name : ("*upx*", "*themida*", "*vmprotect*", "*mpress*") or
    dll.description : ("*UPX*", "*Themida*", "*VMProtect*", "*packed*")) and
   not process.executable : ("C:\\Windows\\*", "C:\\Program Files\\*",
                              "C:\\Program Files (x86)\\*"))
  or
  /* Signal 3: PE binary dropped into temp/download path by a known packer process (mirrors KQL FileCreated join) */
  (event.category == "file" and event.action == "creation" and
   file.extension in ("exe", "dll") and
   file.path : ("*\\Temp\\*", "*\\Downloads\\*",
                "*\\AppData\\Roaming\\*", "*\\AppData\\Local\\Temp\\*") and
   process.name in~ ("upx.exe", "themida.exe", "vmprotect.exe",
                     "mpress.exe", "enigma.exe"))

high severity high confidence

Data Sources

Elastic Endpoint Security via Elastic Agent Windows Sysmon via Elastic Agent or Beats Elastic Security Integration (endpoint.events.process, endpoint.events.file, endpoint.events.library)

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-* logs-endpoint.events.library-* logs-sysmon.operational-*

False Positives

Legitimate software developers using UPX or MPRESS to compress release binaries — common in open-source projects and indie game development, especially when build scripts write output to a Temp or Downloads directory.
Security researchers and malware analysts running packer tools against samples in dedicated analysis workstations — endpoint telemetry from sandbox or forensics machines will match all three signals.
Commercial software with built-in code protection (anti-cheat, DRM) that bundles VMProtect or Themida — endpoint agents on gaming workstations trigger the module load signal on every game client startup.

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  logsourcename(deviceid) AS LogSource,
  sourceip AS HostIP,
  username AS User,
  QIDNAME(qid) AS EventName,
  "EventID" AS SysmonEventID,
  "Image" AS ProcessImage,
  "CommandLine" AS CommandLine,
  "ImageLoaded" AS ModuleLoaded,
  "TargetFilename" AS TargetFile,
  "Description" AS FileDescription
FROM events
WHERE
  LOGSOURCETYPEID IN (343)  -- Microsoft Windows Sysmon DSM; confirm ID in Admin > Log Source Types for your instance
  AND (
    /* Sysmon Event ID 1: Known packer tool process creation */
    ("EventID" = '1' AND (
      LOWER("Image") LIKE '%upx.exe'
      OR LOWER("Image") LIKE '%themida.exe'
      OR LOWER("Image") LIKE '%vmprotect.exe'
      OR LOWER("Image") LIKE '%mpress.exe'
      OR LOWER("Image") LIKE '%enigma.exe'
      OR LOWER("Image") LIKE '%obsidium.exe'
      OR LOWER("Image") LIKE '%asprotect.exe'
      OR LOWER("CommandLine") LIKE '%upx%'
      OR LOWER("CommandLine") LIKE '%vmprotect%'
    ))
    OR
    /* Sysmon Event ID 7: Packer-related DLL image load from non-system process */
    ("EventID" = '7' AND (
      LOWER("ImageLoaded") LIKE '%upx%'
      OR LOWER("ImageLoaded") LIKE '%themida%'
      OR LOWER("ImageLoaded") LIKE '%vmprotect%'
      OR LOWER("Description") LIKE '%upx%'
      OR LOWER("Description") LIKE '%packed%'
      OR LOWER("Description") LIKE '%themida%'
      OR LOWER("Description") LIKE '%vmprotect%'
    ) AND LOWER("Image") NOT LIKE 'c:\windows\%'
      AND LOWER("Image") NOT LIKE 'c:\program files\%'
      AND LOWER("Image") NOT LIKE 'c:\program files (x86)\%')
    OR
    /* Sysmon Event ID 11: PE file created in suspicious temp or download path by packer process */
    ("EventID" = '11' AND (
      LOWER("TargetFilename") LIKE '%.exe'
      OR LOWER("TargetFilename") LIKE '%.dll'
    ) AND (
      LOWER("TargetFilename") LIKE '%\temp\%'
      OR LOWER("TargetFilename") LIKE '%\downloads\%'
      OR LOWER("TargetFilename") LIKE '%\appdata\roaming\%'
      OR LOWER("TargetFilename") LIKE '%\appdata\local\temp\%'
    ) AND (
      LOWER("Image") LIKE '%upx.exe'
      OR LOWER("Image") LIKE '%themida.exe'
      OR LOWER("Image") LIKE '%vmprotect.exe'
      OR LOWER("Image") LIKE '%mpress.exe'
    ))
  )
  AND starttime > (NOW() - 86400000)
ORDER BY starttime DESC
LIMIT 500

high severity medium confidence

Data Sources

Microsoft Windows Sysmon via QRadar Windows Security DSM QRadar Custom Event Properties for Sysmon parsed fields

Required Tables

events

False Positives

Automated software build pipelines using UPX as a post-compilation compression step — CI/CD agents on Windows developer endpoints will produce Event ID 1 hits for every build run invoking UPX.
Endpoint management tools (SCCM, Tanium, PDQ Deploy) that stage packed installers in AppData or Temp directories before deployment trigger the Event ID 11 temp path pattern on managed hosts.
DRM-protected commercial software that invokes Themida or VMProtect during installation writes protected executables to staging paths — common in gaming and enterprise licensing software.

Sumo Logic CSE

sql

(_sourceCategory="windows/sysmon" OR _sourceCategory="os/windows/sysmon" OR _sourceCategory="*Sysmon*")
| parse regex "<EventID>(?<event_id>\d+)</EventID>" nodrop
| parse regex "<Image>(?<image>[^<]+)</Image>" nodrop
| parse regex "<CommandLine>(?<command_line>[^<]+)</CommandLine>" nodrop
| parse regex "<ImageLoaded>(?<image_loaded>[^<]+)</ImageLoaded>" nodrop
| parse regex "<Description>(?<description>[^<]+)</Description>" nodrop
| parse regex "<TargetFilename>(?<target_filename>[^<]+)</TargetFilename>" nodrop
| parse regex "<Computer>(?<computer>[^<]+)</Computer>" nodrop
| parse regex "<User>(?<user>[^<]+)</User>" nodrop
| where event_id in ("1", "7", "11")
| where
  /* Event ID 1: Known packer tool execution */
  (event_id == "1" and (
    matches(image, "*upx.exe") or
    matches(image, "*themida.exe") or
    matches(image, "*vmprotect.exe") or
    matches(image, "*mpress.exe") or
    matches(image, "*enigma.exe") or
    matches(image, "*obsidium.exe") or
    matches(command_line, "*upx*") or
    matches(command_line, "*vmprotect*")
  )) or
  /* Event ID 7: Packer-related DLL image load from non-system process */
  (event_id == "7" and (
    matches(image_loaded, "*upx*") or
    matches(image_loaded, "*themida*") or
    matches(image_loaded, "*vmprotect*") or
    matches(description, "*UPX*") or
    matches(description, "*packed*") or
    matches(description, "*Themida*") or
    matches(description, "*VMProtect*")
  ) and
  !matches(image, "C:\\Windows\\*") and
  !matches(image, "C:\\Program Files\\*")) or
  /* Event ID 11: PE file created in temp or download directory */
  (event_id == "11" and (
    matches(target_filename, "*.exe") or matches(target_filename, "*.dll")
  ) and (
    matches(target_filename, "*\\Temp\\*") or
    matches(target_filename, "*\\Downloads\\*") or
    matches(target_filename, "*\\AppData\\Roaming\\*") or
    matches(target_filename, "*\\AppData\\Local\\Temp\\*")
  ))
| eval detection_type = if(event_id == "1", "Packer Tool Execution",
    if(event_id == "7", "Packer Module Load",
    if(event_id == "11", "PE Created in Temp Path", "Unknown")))
| count as EventCount by computer, user, event_id, detection_type, image, command_line, image_loaded, target_filename
| sort by EventCount desc

high severity medium confidence

Data Sources

Sumo Logic Installed Collector with Windows Event Log source (Microsoft-Windows-Sysmon/Operational channel) Sumo Logic Windows Agent with Sysmon XML collection

Required Tables

windows/sysmon os/windows

False Positives

Authorized penetration testing engagements where red team operators pack payloads on scoped endpoints — suppress during exercise windows using a scheduled suppression for the hostname or user account.
Anti-cheat game clients (Easy Anti-Cheat, BattlEye) that ship VMProtect or Themida-protected DLLs load these modules at game startup — Event ID 7 will fire on every gaming workstation with popular multiplayer titles.
Software publishing workflows where developers run UPX against build artifacts in a scratch directory mapped to AppData or Downloads — common in game modding and open-source cross-platform tool development.

Google Chronicle / SecOps

yaral

rule software_packing_t1027_002 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects known software packing tool execution and packed PE file creation — MITRE T1027.002 Defense Evasion"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1027.002"
    severity = "HIGH"
    confidence = "MEDIUM"
    version = "1.0"
    created = "2026-04-13"

  events:
    (
      /* Signal 1: Direct packer tool execution — mirrors KQL packer process join */
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      re.regex($e.target.process.file.full_path,
        `(?i)(upx|themida|vmprotect|mpress|enigma|obsidium|asprotect|pecompact)\.exe$`) and
      not re.regex($e.principal.process.file.full_path,
        `(?i)^[Cc]:\\(Windows|Program Files)`)
    ) or
    (
      /* Signal 2: PE written to temp/download path by packer process — mirrors KQL FileCreated join */
      $e.metadata.event_type = "FILE_CREATION" and
      re.regex($e.target.file.full_path,
        `(?i)\\(Temp|Downloads|AppData\\Roaming|AppData\\Local\\Temp)\\`) and
      re.regex($e.target.file.full_path, `(?i)\.(exe|dll)$`) and
      re.regex($e.principal.process.file.full_path,
        `(?i)(upx|themida|vmprotect|mpress|enigma)\.exe$`)
    ) or
    (
      /* Signal 3: Packer-named module loaded by non-system process — mirrors SPL EventCode=7 */
      $e.metadata.event_type = "PROCESS_MODULE_LOAD" and
      re.regex($e.target.file.full_path,
        `(?i)(upx|themida|vmprotect|mpress|enigma)`) and
      not re.regex($e.principal.process.file.full_path,
        `(?i)^[Cc]:\\(Windows|Program Files)`)
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

Chronicle UDM via Google Security Operations ingestion Sysmon events forwarded to Chronicle via Bindplane Agent or Chronicle Forwarder Google Chronicle Endpoint Detection (GCTI)

Required Tables

UDM events: PROCESS_LAUNCH, FILE_CREATION, PROCESS_MODULE_LOAD

False Positives

Security vendors that protect their agent DLLs with Themida or VMProtect for tamper resistance — endpoint agents from these vendors will trigger module load signals at startup on every managed host across the fleet.
Open-source software projects with automated UPX compression in their release CI pipeline — build artifacts written to temp directories before packaging will match the FILE_CREATION signal if the build agent runs on a managed endpoint.
Malware analysts running packer tools against samples in Chronicle-instrumented analysis VMs — workstations in dedicated sandbox OUs or network segments should be excluded from this rule scope.

CrowdStrike LogScale (CQL)

cql

// T1027.002 Software Packing — CrowdStrike Falcon LogScale (CQL)
// Signal 1: Direct packer tool execution via ProcessRollup2

#event_simpleName = /^(ProcessRollup2|SyntheticProcessRollup2)$/
| ImageFileName = /(?i)(\\|\/)(upx|themida|vmprotect|mpress|enigma|obsidium|asprotect|pecompact)\.exe$/
| groupBy(
    [ComputerName, UserName, ImageFileName, ParentImageFileName],
    function=[
      count(as=ExecutionCount),
      collect(CommandLine, limit=10, as=ObservedCommandLines),
      min(timestamp, as=FirstSeen),
      max(timestamp, as=LastSeen)
    ]
  )
| sort(ExecutionCount, order=desc)

// ---
// Signal 2 (run as separate saved query):
// PE binary written to temp/download path by a known packer process
// Uncomment to activate
// ---
// #event_simpleName = NewExecutableWritten
// | TargetFileName = /(?i)\\(Temp|Downloads|AppData\\Roaming|AppData\\Local\\Temp)\\/
// | ImageFileName = /(?i)(upx|themida|vmprotect|mpress|enigma)\.exe$/
// | groupBy(
//     [ComputerName, UserName, ImageFileName, TargetFileName],
//     function=[
//       count(as=FileWriteCount),
//       min(timestamp, as=FirstSeen),
//       max(timestamp, as=LastSeen)
//     ]
//   )
// | sort(FileWriteCount, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon EDR via Falcon Data Replicator (FDR) or Humio LogScale SIEM connector Falcon Real-Time Response telemetry stream

Required Tables

ProcessRollup2 SyntheticProcessRollup2 NewExecutableWritten

False Positives

Red team operators during authorized adversary simulation exercises using packer tools to evade endpoint controls — apply CrowdStrike detection exclusion policies scoped to specific sensor groups or hostnames for the duration of the engagement window.
Software development teams with CI/CD pipelines on managed Windows endpoints that invoke UPX as a build step — false positive rate is high in developer-dense environments and requires hostname or process tree exclusions.
Game anti-cheat client installers (Easy Anti-Cheat, BattlEye) that ship protected executables — Falcon telemetry on endpoints with popular multiplayer games will generate ProcessRollup2 hits for packer-protected anti-cheat binaries at launch.

Last updated: 2026-04-13 Research depth: deep

References (5)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1027.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Software Packing

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections