cti/enterprise-attack/attack-pattern/attack-pattern--6ff403bc-93e3-48be-8687-e102fdba8c88.json

{
    "type": "bundle",
    "id": "bundle--93d8ff11-119e-4eed-bd81-daca1068e3bf",
    "spec_version": "2.0",
    "objects": [
        {
            "type": "attack-pattern",
            "id": "attack-pattern--6ff403bc-93e3-48be-8687-e102fdba8c88",
            "created": "2017-05-31T21:30:43.472Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "revoked": true,
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/techniques/T1045",
                    "external_id": "T1045"
                },
                {
                    "source_name": "capec",
                    "url": "https://capec.mitre.org/data/definitions/570.html",
                    "external_id": "CAPEC-570"
                },
                {
                    "source_name": "Wikipedia Exe Compression",
                    "description": "Executable compression. (n.d.). Retrieved December 4, 2014.",
                    "url": "http://en.wikipedia.org/wiki/Executable_compression"
                },
                {
                    "source_name": "ESET FinFisher Jan 2018",
                    "description": "Kafka, F. (2018, January). ESET's Guide to Deobfuscating and Devirtualizing FinFisher. Retrieved August 12, 2019.",
                    "url": "https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf"
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "modified": "2026-04-14T22:53:14.880Z",
            "name": "Software Packing",
            "description": "Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory.\n\nUtilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, (Citation: Wikipedia Exe Compression) but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.\n\nAdversaries may use virtual machine software protection as a form of software packing to protect their code. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018)",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "mitre-attack",
                    "phase_name": "stealth"
                }
            ],
            "x_mitre_attack_spec_version": "3.2.0",
            "x_mitre_contributors": [
                "Filip Kafka, ESET"
            ],
            "x_mitre_deprecated": false,
            "x_mitre_domains": [
                "enterprise-attack"
            ],
            "x_mitre_is_subtechnique": false,
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "x_mitre_platforms": [
                "Windows",
                "macOS"
            ],
            "x_mitre_version": "1.2"
        }
    ]
}