Detect Software Packing in IBM QRadar
Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing compresses or encrypts an executable, which changes the file's hash and byte patterns so that signatures written for the original no longer match; the packed file carries a small stub that decompresses or decrypts the original code in memory at run time. Virtual machine software protection goes further and translates the original code into a bespoke bytecode that only an embedded interpreter can run. Common packers include UPX, MPRESS, Themida, VMProtect and custom packers. APT41, APT39, Lazarus Group and Aoqin Dragon use software packing, as do many commodity malware families such as LockBit and QakBot, and tooling such as Cobalt Strike payloads. Because the unpacking stub has to run before the real code, a packed file still leaves static artifacts (packer-specific section names, high-entropy sections, a sparse import table), and the act of packing leaves process and file telemetry on the host where it happens; the query on this page keys on that telemetry.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1027 Obfuscated Files or Information
- Sub-technique: T1027.002 Software Packing
- Canonical reference: https://attack.mitre.org/techniques/T1027/002/
QRadar Detection Query
SELECT
    DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    LOGSOURCENAME(deviceid) AS LogSource,
    sourceip AS HostIP,
    username AS User,
    QIDNAME(qid) AS EventName,
    "EventID" AS SysmonEventID,
    "Image" AS ProcessImage,
    "CommandLine" AS CommandLine,
    "ImageLoaded" AS ModuleLoaded,
    "TargetFilename" AS TargetFile,
    "Description" AS FileDescription
FROM events
WHERE
    /* Sysmon log source type: 343 is a placeholder, confirm the ID under
       Admin > Log Source Types for your instance */
    LOGSOURCETYPEID IN (343)
    AND (
        /* Sysmon Event ID 1: known packer tool process creation.
           The leading backslash stops '%upx.exe' from matching setupx.exe and similar. */
        ("EventID" = '1' AND (
            "Image" ILIKE '%\upx.exe'
            OR "Image" ILIKE '%\themida.exe'
            OR "Image" ILIKE '%\vmprotect.exe'
            OR "Image" ILIKE '%\vmprotect_con.exe'
            OR "Image" ILIKE '%\mpress.exe'
            OR "Image" ILIKE '%\enigma.exe'
            OR "Image" ILIKE '%\obsidium.exe'
            OR "Image" ILIKE '%\asprotect.exe'
            /* match upx only as a whole token: a bare '%upx%' also matches setupx64.exe */
            OR "CommandLine" ILIKE 'upx %'
            OR "CommandLine" ILIKE 'upx.exe %'
            OR "CommandLine" ILIKE '%\upx %'
            OR "CommandLine" ILIKE '%\upx.exe%'
            OR "CommandLine" ILIKE '%vmprotect%'
        ))
        OR
        /* Sysmon Event ID 7: packer-branded module load by a process outside system paths */
        ("EventID" = '7' AND (
            "ImageLoaded" ILIKE '%\upx%'
            OR "ImageLoaded" ILIKE '%themida%'
            OR "ImageLoaded" ILIKE '%vmprotect%'
            OR "Description" ILIKE '%upx%'
            OR "Description" ILIKE '%packed%'
            OR "Description" ILIKE '%themida%'
            OR "Description" ILIKE '%vmprotect%'
        )
        AND NOT ("Image" ILIKE 'c:\windows\%')
        AND NOT ("Image" ILIKE 'c:\program files\%')
        AND NOT ("Image" ILIKE 'c:\program files (x86)\%'))
        OR
        /* Sysmon Event ID 11: PE written to a staging path by a packer process
           ('%\temp\%' already covers \appdata\local\temp\) */
        ("EventID" = '11' AND (
            "TargetFilename" ILIKE '%.exe'
            OR "TargetFilename" ILIKE '%.dll'
        ) AND (
            "TargetFilename" ILIKE '%\temp\%'
            OR "TargetFilename" ILIKE '%\downloads\%'
            OR "TargetFilename" ILIKE '%\appdata\roaming\%'
        ) AND (
            "Image" ILIKE '%\upx.exe'
            OR "Image" ILIKE '%\themida.exe'
            OR "Image" ILIKE '%\vmprotect.exe'
            OR "Image" ILIKE '%\vmprotect_con.exe'
            OR "Image" ILIKE '%\mpress.exe'
        ))
    )
ORDER BY starttime DESC
LIMIT 500
LAST 24 HOURS

QRadar AQL detection for software packing (T1027.002) over Sysmon events. It fires on three signals: Event ID 1 for execution of known packer tools (UPX, Themida, VMProtect, MPRESS, Enigma, Obsidium, ASProtect), Event ID 7 for packer-branded module loads by processes outside C:\Windows and Program Files, and Event ID 11 for PE files written to temp, download or roaming paths by a packer executable. ILIKE is AQL's case-insensitive LIKE and replaces the LOWER() wrapping; the time window is expressed with the trailing LAST 24 HOURS clause, which is the idiomatic AQL form. Two things to verify before deploying: the log source type ID (343 is a placeholder; Sysmon is often ingested under the Microsoft Windows Security Event Log DSM, so check Admin > Log Source Types), and the double-quoted field names ("EventID", "Image", "CommandLine", "ImageLoaded", "TargetFilename", "Description"), which are custom event properties whose exact names depend on your DSM extension or Sysmon content extension. If your QRadar version treats the backslash as an escape character in string literals, double the backslashes in the path patterns; test each pattern against a known Sysmon event before trusting a zero-result run.
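To check the branch logic without a QRadar instance, the following added example (not code from the original page or from IBM) re-implements the three branches of the query in Python and runs them over constructed Sysmon events. The event dicts, file paths and the setupx64.exe case are constructed for the example. Substring matching such as '%upx%' on the command line also matches setupx64.exe and backupxml.exe; the example uses a whole-token match so that case is shown not firing, which is the behaviour the command-line patterns in the query need to approximate.

```python
"""Replay of the page's T1027.002 AQL predicate over constructed Sysmon events.

Added example, not code from the original page or from IBM: the three
branches of the QRadar query are re-implemented in Python so the matching
logic can be exercised offline. The event dicts are constructed samples,
not real telemetry; the keys mirror the Sysmon custom event properties the
query relies on (EventID, Image, CommandLine, ImageLoaded, TargetFilename,
Description).
"""
import re

PACKER_IMAGES = ("\\upx.exe", "\\themida.exe", "\\vmprotect.exe", "\\vmprotect_con.exe",
                 "\\mpress.exe", "\\enigma.exe", "\\obsidium.exe", "\\asprotect.exe")
PACKER_MARKERS = ("upx", "themida", "vmprotect")
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
STAGING_DIRS = ("\\temp\\", "\\downloads\\", "\\appdata\\roaming\\")

# 'upx' or 'vmprotect' only as a whole path component or argument, so that
# 'setupx64.exe /silent' does not fire the way a bare '%upx%' LIKE would.
PACKER_TOKEN = re.compile(r'(?:^|[\\/\s"])(upx|vmprotect)(?:\.exe)?(?=[\s"]|$)',
                          re.IGNORECASE)


def eid1_packer_process(ev):
    """Event ID 1: image is a known packer, or the command line invokes one."""
    image = ev.get("Image", "").lower()
    return image.endswith(PACKER_IMAGES) or bool(PACKER_TOKEN.search(ev.get("CommandLine", "")))


def eid7_packer_module(ev):
    """Event ID 7: packer-branded module loaded by a process outside system paths."""
    image = ev.get("Image", "").lower()
    if image.startswith(TRUSTED_PREFIXES):
        return False
    loaded = ev.get("ImageLoaded", "").lower()
    desc = ev.get("Description", "").lower()
    return (any(m in loaded for m in PACKER_MARKERS)
            or any(m in desc for m in PACKER_MARKERS + ("packed",)))


def eid11_packer_output(ev):
    """Event ID 11: a packer process writes a PE into a temp/download/roaming path."""
    target = ev.get("TargetFilename", "").lower()
    image = ev.get("Image", "").lower()
    return (target.endswith((".exe", ".dll"))
            and any(d in target for d in STAGING_DIRS)
            and image.endswith(PACKER_IMAGES))


BRANCHES = {
    "1": ("packer_process", eid1_packer_process),
    "7": ("packer_module_load", eid7_packer_module),
    "11": ("packer_output_file", eid11_packer_output),
}


def classify(ev):
    """Return the label of the branch that fires for one event, or None."""
    entry = BRANCHES.get(str(ev.get("EventID", "")))
    return entry[0] if entry and entry[1](ev) else None


def run_detection(events):
    """Return [(index, branch)] for every event the predicate matches."""
    hits = []
    for i, ev in enumerate(events):
        branch = classify(ev)
        if branch:
            hits.append((i, branch))
    return hits


SAMPLE_EVENTS = [  # constructed fixtures, not captured telemetry
    {"EventID": "1", "Image": "C:\\Tools\\upx\\upx.exe",
     "CommandLine": "upx.exe --best C:\\Users\\dev\\AppData\\Local\\Temp\\payload.exe"},
    {"EventID": "1", "Image": "C:\\Users\\dev\\Downloads\\setupx64.exe",
     "CommandLine": "\"C:\\Users\\dev\\Downloads\\setupx64.exe\" /silent"},
    {"EventID": "7", "Image": "C:\\Users\\dev\\AppData\\Roaming\\svc.exe",
     "ImageLoaded": "C:\\Users\\dev\\AppData\\Roaming\\core.dll",
     "Description": "VMProtect protected module"},
    {"EventID": "7", "Image": "C:\\Program Files\\Game\\game.exe",
     "ImageLoaded": "C:\\Program Files\\Game\\engine.dll",
     "Description": "Themida"},
    {"EventID": "11", "Image": "C:\\Tools\\upx\\upx.exe",
     "TargetFilename": "C:\\Users\\dev\\AppData\\Local\\Temp\\payload.exe"},
    {"EventID": "11", "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetFilename": "C:\\Users\\dev\\AppData\\Local\\Temp\\msi1234.dll"},
]

if __name__ == "__main__":
    for idx, branch in run_detection(SAMPLE_EVENTS):
        print(f"event {idx}: {branch}")
```

Events 0, 2 and 4 fire (one per branch); the setupx64.exe launch, the Themida module loaded from Program Files and the msiexec.exe temp write stay silent, which is the behaviour to confirm in QRadar once the AQL patterns are mapped to your custom event properties.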
Data Sources
- Sysmon Event ID 1 (ProcessCreate), Event ID 7 (ImageLoaded) and Event ID 11 (FileCreate) from Windows endpoints, forwarded to QRadar (typically through WinCollect) and parsed into the custom event properties the query references: EventID, Image, CommandLine, ImageLoaded, TargetFilename and Description.
Required Tables
- events (the query reads the Ariel events table only; no flows, reference sets or lookups are required).
False Positives & Tuning
- Automated build pipelines that run UPX as a post-compilation compression step: CI/CD agents and developer workstations will raise an Event ID 1 hit on every build. Exclude known build agents by host, or keep them in a reference set tested with REFERENCESETCONTAINS in the WHERE clause, rather than dropping the UPX pattern.
- Endpoint management tools (SCCM, Tanium, PDQ Deploy) stage installers in AppData or Temp before deployment. As written, the Event ID 11 branch only fires when the writing process is itself a packer executable, so a hit from msiexec.exe or a management agent points at a field-mapping problem, not at the tool. Staged installers that are protected with Themida or VMProtect can still match the Event ID 7 branch when they load from a user-profile path.
- Commercial software protected with Themida or VMProtect (common in games and in licensing or DRM components) ships DLLs whose version-info description or path names the protector. Running or installing it from a user-profile path matches the Event ID 7 branch; the same software under C:\Program Files is already excluded. Whitelist by product rather than by protector name.
- The Description '%packed%' term in the Event ID 7 branch is the broadest match in the query. Review its hits separately before widening or removing it.
Testing Methodology
Validate this detection with the four test cases below, modelled on the Atomic Red Team tests for T1027.002. Each lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Pack an Executable with UPX
Expected signal: Sysmon Event ID 1: upx.exe process creation with the '--best' flag and an output path. Sysmon Event ID 11: FileCreate for packed_target.exe in %TEMP%. The output file has a different SHA256 from the input, a smaller size, and UPX-specific section names (UPX0, UPX1, and usually UPX2 or .rsrc).
- Test 2: Identify Packed Binary with PE Entropy Check
Expected signal: Sysmon Event ID 1: sigcheck.exe process creation with the target binary path. With -a, sigcheck reports the file's entropy in bits per byte; a UPX-packed binary typically scores near 7.8-8.0, while unpacked native code usually sits well below 7. This test produces telemetry for the triage step rather than for the detection itself, since sigcheck.exe is not in the packer list.
- Test 3: Simulate Packed Malware Self-Extraction Pattern
Expected signal: Sysmon Event ID 1: powershell.exe with an Assembly.Load command line. Sysmon Event ID 11: temp file creation followed by deletion (Sysmon Event ID 23 or 26 if file-delete logging is enabled). PowerShell ScriptBlock Logging Event ID 4104 with the full script including Assembly.Load. The write-load-delete sequence is characteristic of a packed dropper. The query on this page does not match this pattern, because powershell.exe is neither a listed packer nor a packer-branded module; it is a coverage check for your PowerShell detections.
- Test 4: Download and Execute UPX to Pack a Binary
Expected signal: Sysmon Event ID 1: powershell.exe with Invoke-WebRequest (download cradle). Sysmon Event ID 3: network connection to github.com. Sysmon Event ID 11: upx.zip written to disk and extracted. Sysmon Event ID 1: upx.exe executed against victim_payload.exe, which is the event the query's first branch matches.
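As an added example (not code from the page, and not from UPX or Sysinternals), the following Python walks a PE's section table with the standard library only and reports the two static indicators Tests 1 and 2 describe: UPX section names and per-section Shannon entropy. build_sample_pe() constructs minimal, non-executable PE fixtures inline so the script runs offline; the 7.2 bits-per-byte threshold is an assumed triage cut-off, not a value from the page. The renamed-sections fixture shows why the entropy check matters: a packer run with modified headers defeats the name check but not the entropy check.

```python
"""Static triage for packing indicators in a PE file, standard library only.

Added example, not code from the original page: it parses the PE section
table with struct, reports UPX section names and per-section Shannon
entropy, and applies the same bits-per-byte intuition as the sigcheck check
in Test 2. build_sample_pe() is a constructed fixture that produces a
structurally valid but non-executable image; ENTROPY_THRESHOLD is an
assumption to tune per environment.
"""
import math
import struct

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
ENTROPY_THRESHOLD = 7.2  # assumed triage cut-off; compressed or encrypted data sits near 8.0


def shannon_entropy(data):
    """Bits of information per byte, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(blob):
    """Yield (name, raw_bytes) for each section header in a PE image."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]
    table = coff + 20 + opt_size                         # first IMAGE_SECTION_HEADER
    for i in range(num_sections):
        off = table + i * 40
        name = blob[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", blob, off + 16)
        yield name, blob[raw_ptr:raw_ptr + raw_size]


def packing_indicators(blob):
    """Collect the signals Tests 1 and 2 describe: UPX names and high-entropy sections."""
    sections = list(pe_sections(blob))
    high = []
    for name, data in sections:
        h = shannon_entropy(data)
        if data and h > ENTROPY_THRESHOLD:
            high.append((name, round(h, 2)))
    return {
        "upx_sections": [n for n, _ in sections if n in UPX_SECTION_NAMES],
        "high_entropy_sections": high,
        "file_entropy": round(shannon_entropy(blob), 2),
    }


def looks_packed(blob):
    """True when either indicator fires; renamed sections still trip the entropy check."""
    ind = packing_indicators(blob)
    return bool(ind["upx_sections"] or ind["high_entropy_sections"])


def build_sample_pe(section_specs):
    """Constructed fixture: minimal PE32 container holding the given (name, bytes) sections."""
    opt_size = 0xE0                                      # PE32 optional header size
    pe_off = 0x40
    data_off = pe_off + 4 + 20 + opt_size + 40 * len(section_specs)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe_off)   # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, opt_size, 0x102)
    headers, payload = b"", b""
    for name, data in section_specs:
        headers += name.encode().ljust(8, b"\0")
        headers += struct.pack("<IIIIIIHHI", len(data), 0x1000, len(data),
                               data_off + len(payload), 0, 0, 0, 0, 0x60000020)
        payload += data
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + headers + payload


# Constructed inputs: uniform bytes stand in for compressed code (entropy exactly 8.0).
COMPRESSED = bytes(range(256)) * 8
PLAIN_CODE = b"\x55\x8b\xec\x83\xec\x10" * 200           # repetitive prologue-like bytes

UPX_LIKE_PE = build_sample_pe([("UPX0", b""), ("UPX1", COMPRESSED), (".rsrc", b"\0" * 512)])
RENAMED_PE = build_sample_pe([(".text", COMPRESSED), (".data", b"\0" * 512)])
CLEAN_PE = build_sample_pe([(".text", PLAIN_CODE), (".data", b"A" * 256 + b"B" * 256)])

if __name__ == "__main__":
    for label, pe in (("upx-like", UPX_LIKE_PE), ("renamed", RENAMED_PE), ("clean", CLEAN_PE)):
        print(label, looks_packed(pe), packing_indicators(pe))
```

On a real sample, call packing_indicators(open(path, "rb").read()); a UPX0 section with SizeOfRawData 0 next to a UPX1 section near 8.0 bits per byte is the textbook layout Test 1 produces, and the empty section is skipped rather than reported as entropy 0.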