title: Software Packing (T1027.002)
id: df00tech-t1027-002
status: experimental
description: "Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. Common packers include UPX, MPRESS, Themida, VMProtect, and custom packers. APT41, APT39, Lazarus Group, Aoqin Dragon, and many commodity malware families including LockBit, QakBot, and Cobalt Strike use software packing."
references:
  - https://attack.mitre.org/techniques/T1027/002/
  - https://df00tech.com/detections/T1027.002
author: df00tech
date: 2026/04/13
tags:
  - attack.t1027.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate UPX-packed open source tools (many Linux ports to Windows use UPX for size reduction)
  - "Game distribution platforms (Steam, Epic) that use custom packers or SFX archives for game installers"
  - Self-extracting archives used by IT teams for software deployment that use WinRAR or 7-Zip SFX format
  - Security research environments where packer tools are deliberately run for analysis purposes
level: medium