
TH16104

Detected presence of files that dynamically execute compressed data.

priority | CI/CD status | severity | effort | RL level | RL assessment
         | pass         | medium   | high   | None     | None

About the issue

Attackers commonly hide their malicious payloads in layers of packing and code obfuscation. Compression is a common data transformation technique used to reduce binary data size. The detected software behaviors indicate that the code has the ability to execute data immediately after decompressing it. While the presence of dynamic code execution does not by itself imply malicious intent, every use of it in a software package should be documented and approved. When a software package has behavior traits similar to malicious software, it may be flagged by security solutions. One example of acceptable use for dynamic compressed data execution is the transfer of software components over the network.

How to resolve the issue

  • Investigate reported detections as indicators of software tampering.
  • Consult the MITRE ATT&CK documentation: T1027 - Obfuscated Files or Information.
  • Consider rewriting the flagged code without using the marked behaviors.
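When investigating a detection of this kind in source form, the question is whether decompressed bytes flow straight into an interpreter, or are merely unpacked and written to disk (the acceptable network-transfer case above). The checker below is an added example, not ReversingLabs' detection logic or code from this page: a small Python AST scan that flags exec, eval or compile calls fed by a zlib, gzip, bz2 or lzma decompression call, or by a variable assigned from one, and leaves a decompress-then-write-to-disk pattern alone. The sink and source names, the constructed sample sources, and the assignment-tracking approach are all assumptions for illustration.

```python
"""Flag Python source where decompressed data flows into exec/eval/compile (added example)."""
import ast
from dataclasses import dataclass
from typing import Optional

# Assumed sinks and sources; the policy page names no specific APIs.
EXEC_SINKS = {"exec", "eval", "compile"}
DECOMPRESS_FUNCS = {"zlib.decompress", "gzip.decompress", "bz2.decompress",
                    "lzma.decompress", "zlib.decompressobj"}


@dataclass(frozen=True)
class Finding:
    lineno: int
    sink: str     # the executing call, e.g. "exec"
    source: str   # the decompression call feeding it, e.g. "zlib.decompress"


def _import_aliases(tree: ast.AST) -> dict[str, str]:
    """Map local names to the module-qualified names they were imported as."""
    aliases: dict[str, str] = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                aliases[a.asname or a.name] = a.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    return aliases


def _qualified(node: ast.AST, aliases: dict[str, str]) -> Optional[str]:
    """Dotted name of a call target with import aliases resolved, or None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    parts.append(aliases.get(node.id, node.id))
    return ".".join(reversed(parts))


def _decompress_in(expr: ast.AST, aliases: dict[str, str],
                   tainted: dict[str, str]) -> Optional[str]:
    """First decompression call, or variable holding one, found inside an expression."""
    for sub in ast.walk(expr):
        if isinstance(sub, ast.Call):
            name = _qualified(sub.func, aliases)
            if name in DECOMPRESS_FUNCS:
                return name
        elif isinstance(sub, ast.Name) and sub.id in tainted:
            return tainted[sub.id]
    return None


def find_exec_of_decompressed(source: str) -> list[Finding]:
    tree = ast.parse(source)
    aliases = _import_aliases(tree)
    # Pass 1: variables assigned from a decompression call, followed through
    # simple name-to-name assignments until no new variable is added.
    tainted: dict[str, str] = {}
    while True:
        before = len(tainted)
        for node in ast.walk(tree):
            if (isinstance(node, ast.Assign) and len(node.targets) == 1
                    and isinstance(node.targets[0], ast.Name)):
                src = _decompress_in(node.value, aliases, tainted)
                if src and node.targets[0].id not in tainted:
                    tainted[node.targets[0].id] = src
        if len(tainted) == before:
            break
    # Pass 2: execution sinks whose arguments reach decompressed data.
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            sink = _qualified(node.func, aliases)
            if sink in EXEC_SINKS:
                for arg in node.args:
                    src = _decompress_in(arg, aliases, tainted)
                    if src:
                        findings.append(Finding(node.lineno, sink, src))
                        break
    return sorted(findings, key=lambda f: f.lineno)


# Constructed samples (not real code from any package); the payload string is a placeholder.
SAMPLE_DIRECT = """\
import base64, zlib
exec(zlib.decompress(base64.b64decode("<constructed placeholder, not real data>")))
"""

SAMPLE_INDIRECT = """\
from zlib import decompress as unpack
raw = open("component.bin", "rb").read()
blob = unpack(raw)
code = blob
exec(code)
"""

SAMPLE_BENIGN = """\
import gzip, pathlib
data = gzip.decompress(pathlib.Path("component.tar.gz").read_bytes())
pathlib.Path("component.tar").write_bytes(data)
"""

if __name__ == "__main__":
    for label, sample in [("direct", SAMPLE_DIRECT), ("indirect", SAMPLE_INDIRECT),
                          ("benign", SAMPLE_BENIGN)]:
        print(label, find_exec_of_decompressed(sample))
```

The scan is deliberately conservative in scope: it resolves import aliases and follows plain assignments within one module, so the two flagged samples are reported while the benign unpack-and-write sample yields nothing. It is a triage aid for the "investigate reported detections" step, not a replacement for reviewing the flagged code and documenting any approved use.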