T1027.002 Microsoft Sentinel · KQL

Detect Software Packing in Microsoft Sentinel

Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. Common packers include UPX, MPRESS, Themida, VMProtect, and custom packers. APT41, APT39, Lazarus Group, Aoqin Dragon, and many commodity malware families including LockBit, QakBot, and Cobalt Strike use software packing.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1027 Obfuscated Files or Information
Sub-technique
T1027.002 Software Packing
Canonical reference
https://attack.mitre.org/techniques/T1027/002/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let PackerIndicators = dynamic([
  "UPX", "upx", "MPRESS", "Themida", "VMProtect", "Enigma", "Obsidium",
  "PEID", "ExeCryptor", "ASProtect", "PECompact", "WinRAR SFX", "7-Zip SFX"
]);
DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType == "FileCreated"
| where FileName endswith ".exe" or FileName endswith ".dll"
| where FolderPath has_any ("\\Temp\\", "\\Downloads\\", "\\AppData\\Roaming\\", "\\AppData\\Local\\Temp\\")
| join kind=leftouter (
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FileName in~ ("upx.exe", "themida.exe", "vmprotect.exe", "mpress.exe", "enigma.exe")
    | project DeviceName, PackerTool=FileName, PackerCmdLine=ProcessCommandLine, PackerTime=Timestamp
) on DeviceName
| project Timestamp, DeviceName, FolderPath, FileName, FileSize,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         PackerTool, PackerCmdLine, PackerTime
| sort by Timestamp desc
medium severity medium confidence

Detects potential software packing activity by monitoring PE file creation in user-writable directories combined with known packer tool execution. Also surfaces large executables written to staging directories. Software packing is difficult to detect definitively via telemetry alone since the packing happens offline; this query correlates file delivery with known packer tool names and suspicious drop locations.

Data Sources

File: File CreationProcess: Process CreationMicrosoft Defender for Endpoint

Required Tables

DeviceFileEventsDeviceProcessEvents

False Positives & Tuning

  • Legitimate UPX-packed open source tools (many Linux ports to Windows use UPX for size reduction)
  • Game distribution platforms (Steam, Epic) that use custom packers or SFX archives for game installers
  • Self-extracting archives used by IT teams for software deployment that use WinRAR or 7-Zip SFX format
  • Security research environments where packer tools are deliberately run for analysis purposes
Download portable Sigma rule (.yml)

Other platforms for T1027.002

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Pack an Executable with UPX

    Expected signal: Sysmon Event ID 1: upx.exe process creation with '--best' flag and output path. Sysmon Event ID 11: File Create for packed_target.exe in %TEMP%. The output file will have different SHA256 than the input, smaller file size, and UPX-specific section names (.UPX0, .UPX1).

  2. Test 2Identify Packed Binary with PE Entropy Check

    Expected signal: Sysmon Event ID 1: sigcheck.exe process creation with the target binary path. Output will show section entropy values. For a UPX-packed binary, sections will show entropy near 7.8-8.0.

  3. Test 3Simulate Packed Malware Self-Extraction Pattern

    Expected signal: Sysmon Event ID 1: powershell.exe with Assembly.Load command. Sysmon Event ID 11: Temp file creation followed by deletion. PowerShell ScriptBlock Log Event ID 4104 with the full script including Assembly.Load. This pattern (write to disk + load + delete) is characteristic of packed dropper behavior.

  4. Test 4Download and Execute UPX to Pack a Binary

    Expected signal: Sysmon Event ID 1: PowerShell with Invoke-WebRequest (download cradle). Sysmon Event ID 3: Network connection to github.com. Sysmon Event ID 11: upx.zip download, extraction. Sysmon Event ID 1: upx.exe execution on victim_payload.exe.

Last updated: 2026-04-13 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for T1027.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1027Obfuscated Files or Information

Related Sub-techniques

T1027.001Binary PaddingT1027.003SteganographyT1027.004Compile After DeliveryT1027.005Indicator Removal from ToolsT1027.006HTML SmugglingT1027.007Dynamic API ResolutionT1027.008Stripped PayloadsT1027.009Embedded PayloadsT1027.010Command ObfuscationT1027.011Fileless StorageT1027.012LNK Icon SmugglingT1027.013Encrypted/Encoded FileT1027.014Polymorphic CodeT1027.015CompressionT1027.016Junk Code InsertionT1027.017SVG Smuggling

Related Techniques

T1027Obfuscated Files or InformationT1027.001Binary PaddingT1027.007Dynamic API ResolutionT1140Deobfuscate/Decode Files or InformationT1055Process InjectionT1620Reflective Code LoadingT1566.001Spearphishing Attachment

Same Tactic: Defense Evasion

Popular Detections