T1027.002 Google Chronicle · YARA-L

Detect Software Packing in Google Chronicle

Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. Common packers include UPX, MPRESS, Themida, VMProtect, and custom packers. APT41, APT39, Lazarus Group, Aoqin Dragon, and many commodity malware families including LockBit, QakBot, and Cobalt Strike use software packing.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1027 Obfuscated Files or Information
Sub-technique
T1027.002 Software Packing
Canonical reference
https://attack.mitre.org/techniques/T1027/002/

YARA-L Detection Query

Google Chronicle (YARA-L)

```yaral
rule software_packing_t1027_002 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects known software packing tool execution and packed PE file creation — MITRE T1027.002 Defense Evasion"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1027.002"
    severity = "HIGH"
    confidence = "MEDIUM"
    version = "1.0"
    created = "2026-04-13"

  events:
    (
      /* Signal 1: Direct packer tool execution — mirrors KQL packer process join */
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      re.regex($e.target.process.file.full_path,
        `(?i)(upx|themida|vmprotect|mpress|enigma|obsidium|asprotect|pecompact)\.exe$`) and
      not re.regex($e.principal.process.file.full_path,
        `(?i)^[Cc]:\\(Windows|Program Files)`)
    ) or
    (
      /* Signal 2: PE written to temp/download path by packer process — mirrors KQL FileCreated join */
      $e.metadata.event_type = "FILE_CREATION" and
      re.regex($e.target.file.full_path,
        `(?i)\\(Temp|Downloads|AppData\\Roaming|AppData\\Local\\Temp)\\`) and
      re.regex($e.target.file.full_path, `(?i)\.(exe|dll)$`) and
      re.regex($e.principal.process.file.full_path,
        `(?i)(upx|themida|vmprotect|mpress|enigma)\.exe$`)
    ) or
    (
      /* Signal 3: Packer-named module loaded by non-system process — mirrors SPL EventCode=7 */
      $e.metadata.event_type = "PROCESS_MODULE_LOAD" and
      re.regex($e.target.file.full_path,
        `(?i)(upx|themida|vmprotect|mpress|enigma)`) and
      not re.regex($e.principal.process.file.full_path,
        `(?i)^[Cc]:\\(Windows|Program Files)`)
    )

  condition:
    $e
}
```

Chronicle YARA-L 2.0 rule detecting software packing (T1027.002) across three UDM event types. Signal 1 matches PROCESS_LAUNCH events where the target process filename matches known packer tools (UPX, Themida, VMProtect, MPRESS, Enigma, Obsidium, ASProtect, PECompact) outside trusted system directories — mirrors the KQL packer process join. Signal 2 matches FILE_CREATION events where a packer process writes a PE to a temp or download path — mirrors the KQL FileCreated correlation. Signal 3 matches PROCESS_MODULE_LOAD events for packer-named modules loaded by non-system processes — mirrors the SPL EventCode=7 image load filter. Each signal fires independently via the single $e condition.
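To check the regex and exclusion logic offline before deploying the rule, the following added Python example (not part of the page, not Chronicle code) re-implements the three signals and runs them over constructed UDM-shaped events; the `udm()` helper, the nested-dict field layout and all sample paths are assumptions, and the second event shows that the `not re.regex` exclusion is evaluated on the launching process path, so a packer started by a parent under C:\Windows is not reported by Signal 1.

```python
import re
# Regexes copied from the YARA-L rule; re.search mirrors YARA-L re.regex, which is a substring match.
PACKER_EXE = re.compile(r"(?i)(upx|themida|vmprotect|mpress|enigma|obsidium|asprotect|pecompact)\.exe$")
PACKER_EXE_SHORT = re.compile(r"(?i)(upx|themida|vmprotect|mpress|enigma)\.exe$")
PACKER_NAME = re.compile(r"(?i)(upx|themida|vmprotect|mpress|enigma)")
SYSTEM_DIR = re.compile(r"(?i)^[Cc]:\\(Windows|Program Files)")
STAGING_DIR = re.compile(r"(?i)\\(Temp|Downloads|AppData\\Roaming|AppData\\Local\\Temp)\\")
PE_EXT = re.compile(r"(?i)\.(exe|dll)$")

def field(event, path):
    """Resolve a dotted UDM field path on a nested dict; a missing field reads as '' (assumed layout)."""
    cur = event
    for key in path.split("."):
        cur = cur.get(key, "") if isinstance(cur, dict) else ""
    return cur if isinstance(cur, str) else ""

def match_signal(event):
    """Return 1, 2 or 3 for the rule signal that fires on this event, or None if the rule stays silent."""
    etype = field(event, "metadata.event_type")
    principal = field(event, "principal.process.file.full_path")  # launching / writing / loading process
    target_file = field(event, "target.file.full_path")
    if etype == "PROCESS_LAUNCH":
        if PACKER_EXE.search(field(event, "target.process.file.full_path")) and not SYSTEM_DIR.search(principal):
            return 1
    elif etype == "FILE_CREATION":
        if STAGING_DIR.search(target_file) and PE_EXT.search(target_file) and PACKER_EXE_SHORT.search(principal):
            return 2
    elif etype == "PROCESS_MODULE_LOAD":
        if PACKER_NAME.search(target_file) and not SYSTEM_DIR.search(principal):
            return 3
    return None

def udm(event_type, principal_path="", target_proc="", target_file=""):
    """Constructed minimal UDM event carrying only the fields the rule reads (assumed helper)."""
    return {"metadata": {"event_type": event_type},
            "principal": {"process": {"file": {"full_path": principal_path}}},
            "target": {"process": {"file": {"full_path": target_proc}}, "file": {"full_path": target_file}}}

# Constructed sample events; expected signals: [1, None, 2, 3, None].
SAMPLE_EVENTS = [
    udm("PROCESS_LAUNCH", r"C:\Users\alice\tools\build.exe", r"C:\Users\alice\tools\upx.exe"),
    udm("PROCESS_LAUNCH", r"C:\Windows\System32\cmd.exe", r"C:\Users\alice\tools\upx.exe"),  # parent excluded
    udm("FILE_CREATION", r"C:\Users\alice\tools\upx.exe", target_file=r"C:\Users\alice\AppData\Local\Temp\packed_target.exe"),
    udm("PROCESS_MODULE_LOAD", r"C:\Users\alice\app.exe", target_file=r"C:\Users\alice\themida_runtime.dll"),
    udm("PROCESS_MODULE_LOAD", r"C:\Windows\System32\svchost.exe", target_file=r"C:\Windows\System32\enigma.dll"),
]

def run_rule(events):
    return [match_signal(e) for e in events]  # index i holds the signal for events[i]
```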

Data Sources

  • Chronicle UDM via Google Security Operations ingestion
  • Sysmon events forwarded to Chronicle via Bindplane Agent or Chronicle Forwarder
  • Google Chronicle Endpoint Detection (GCTI)

Required Tables

UDM events: PROCESS_LAUNCH, FILE_CREATION, PROCESS_MODULE_LOAD

False Positives & Tuning

  • Security vendors that protect their agent DLLs with Themida or VMProtect for tamper resistance — endpoint agents from these vendors will trigger module load signals at startup on every managed host across the fleet.
  • Open-source software projects with automated UPX compression in their release CI pipeline — build artifacts written to temp directories before packaging will match the FILE_CREATION signal if the build agent runs on a managed endpoint.
  • Malware analysts running packer tools against samples in Chronicle-instrumented analysis VMs — workstations in dedicated sandbox OUs or network segments should be excluded from this rule scope.

Testing Methodology

Validate this detection against the 4 Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Pack an Executable with UPX

    Expected signal: Sysmon Event ID 1: upx.exe process creation with the '--best' flag and an output path. Sysmon Event ID 11: File Create for packed_target.exe in %TEMP%. The output file will have a different SHA256 from the input, a smaller file size, and UPX-specific section names (.UPX0, .UPX1).

  2. Test 2: Identify Packed Binary with PE Entropy Check

    Expected signal: Sysmon Event ID 1: sigcheck.exe process creation with the target binary path. Output will show section entropy values. For a UPX-packed binary, sections will show entropy near 7.8-8.0.

  3. Test 3: Simulate Packed Malware Self-Extraction Pattern

    Expected signal: Sysmon Event ID 1: powershell.exe with an Assembly.Load command. Sysmon Event ID 11: Temp file creation followed by deletion. PowerShell ScriptBlock Log Event ID 4104 with the full script including Assembly.Load. This pattern (write to disk + load + delete) is characteristic of packed dropper behavior.

  4. Test 4: Download and Execute UPX to Pack a Binary

    Expected signal: Sysmon Event ID 1: PowerShell with Invoke-WebRequest (download cradle). Sysmon Event ID 3: Network connection to github.com. Sysmon Event ID 11: upx.zip download and extraction. Sysmon Event ID 1: upx.exe execution on victim_payload.exe.
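Tests 1 and 2 rely on two file-level tells, UPX section names and section entropy near 8.0. The following added Python example (not from the page, not sigcheck or UPX) walks a PE section table and computes both; `build_fake_pe` constructs a synthetic, non-executable PE-shaped buffer as sample input, and the 7.0 threshold and the dotted/undotted UPX name handling are assumptions.

```python
import math
import random
import struct

def shannon_entropy(data):
    """Bits per byte, 0.0 (constant) to 8.0 (uniform); packed or encrypted sections sit near the top."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(pe):
    """Walk the PE section table without pefile; yield (name, raw section bytes)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size  # section headers follow the optional header, 40 bytes each
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        yield name.rstrip(b"\0").decode("ascii", "replace"), pe[raw_ptr:raw_ptr + raw_size]

def packing_indicators(pe, threshold=7.0):
    """Per-section entropy plus the two tells named in the test plan: UPX section names and high entropy."""
    sections = {name: round(shannon_entropy(data), 2) for name, data in pe_sections(pe)}
    upx_names = any(n.lstrip(".").upper().startswith("UPX") for n in sections)  # UPX0/.UPX0 spellings
    high = [n for n, e in sections.items() if e >= threshold]
    return {"sections": sections, "upx_names": upx_names, "high_entropy": high,
            "likely_packed": upx_names or bool(high)}

def build_fake_pe(sections):
    """Constructed test input: DOS header, PE signature, COFF header, no optional header. Not executable."""
    hdr_size = 0x40 + 4 + 20 + 40 * len(sections)
    table, body, ptr = b"", b"", hdr_size
    for name, data in sections:
        table += struct.pack("<8sIIII", name.encode().ljust(8, b"\0"), len(data), 0, len(data), ptr) + b"\0" * 16
        body += data
        ptr += len(data)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew at offset 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    return dos + b"PE\0\0" + coff + table + body

# Constructed sample: a low-entropy code section beside a UPX1 section filled with pseudo-random bytes.
SAMPLE_PE = build_fake_pe([(".text", b"\x90" * 2048 + b"\xc3" * 2048),
                           ("UPX1", random.Random(7).randbytes(8192))])
```

Point `packing_indicators` at `open(path, "rb").read()` for a real file; a Themida or VMProtect build will show the entropy tell without the UPX names, which is why the function reports both separately.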
