MITRE ATT&CK Technique
Description
Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, (Citation: Wikipedia Exe Compression) but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses. Adversaries may use virtual machine software protection as a form of software packing to protect their code. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2017-05-31T21:30:43.472Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Software packing is a method of compressing or encrypting an '
'executable. Packing an executable changes the file signature '
'in an attempt to avoid signature-based detection. Most '
'decompression techniques decompress the executable code in '
'memory.\n'
'\n'
'Utilities used to perform software packing are called '
'packers. Example packers are MPRESS and UPX. A more '
'comprehensive list of known packers is available, (Citation: '
'Wikipedia Exe Compression) but adversaries may create their '
'own packing techniques that do not leave the same artifacts '
'as well-known packers to evade defenses.\n'
'\n'
'Adversaries may use virtual machine software protection as a '
'form of software packing to protect their code. Virtual '
"machine software protection translates an executable's "
'original code into a special format that only a special '
'virtual machine can run. A virtual machine is then called to '
'run this code.(Citation: ESET FinFisher Jan 2018)',
'external_references': [{'external_id': 'T1045',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1045'},
{'external_id': 'CAPEC-570',
'source_name': 'capec',
'url': 'https://capec.mitre.org/data/definitions/570.html'},
{'description': 'Executable compression. (n.d.). '
'Retrieved December 4, 2014.',
'source_name': 'Wikipedia Exe Compression',
'url': 'http://en.wikipedia.org/wiki/Executable_compression'},
{'description': "Kafka, F. (2018, January). ESET's "
'Guide to Deobfuscating and '
'Devirtualizing FinFisher. Retrieved '
'August 12, 2019.',
'source_name': 'ESET FinFisher Jan 2018',
'url': 'https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf'}],
'id': 'attack-pattern--6ff403bc-93e3-48be-8687-e102fdba8c88',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'defense-evasion'}],
'modified': '2025-10-24T17:48:56.248Z',
'name': 'Software Packing',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': True,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Filip Kafka, ESET'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows', 'macOS'],
'x_mitre_version': '1.2'}