TH16108

Detected presence of files that embed a raw encrypted executable file.

Priority: (not shown)
CI/CD status: pass
Severity: high
Effort: high
RL level: None
RL assessment: None

About the issue

Attackers commonly hide their malicious payloads behind layers of packing and code obfuscation. Encryption is a common data transformation used to hide the presence of Windows executable files inside other files. The detected software behaviors indicate that the code has the ability to execute these executables once they are decrypted. While the presence of dynamic code execution does not by itself imply malicious intent, every use of it in a software package should be documented and approved. When a software package exhibits behavior traits similar to malicious software, it may be flagged by security solutions. One example of acceptable use for embedding raw encrypted Windows executables is the intent to install or deploy software components.
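The following is an added illustration of the kind of check that surfaces this issue, not the vendor's own detection logic. It assumes the simplest case, a PE image hidden under a single-byte XOR key, and relies on the fact that such a key preserves the MZ header and the e_lfanew pointer to the PE signature; the sample input is constructed.

```python
import struct
from collections import Counter
from math import log2


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed data sits near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * log2(c / n) for c in Counter(data).values())


def find_embedded_pe(blob: bytes, max_lfanew: int = 0x1000) -> list:
    """Return (offset, xor_key, entropy) for every PE image found in blob.

    A PE image starts with 'MZ' and the uint32 at +0x3C (e_lfanew) points at
    the 'PE\\0\\0' signature. A single-byte XOR key preserves that structure,
    so every key is tried (key 0 means the image is stored in plaintext).
    Entropy over the 4 KiB at the hit hints whether the body is obfuscated too.
    """
    hits = []
    for key in range(256):
        plain = blob.translate(bytes(v ^ key for v in range(256)))
        pos = plain.find(b"MZ")
        while pos != -1:
            if pos + 0x40 <= len(plain):
                e_lfanew = struct.unpack_from("<I", plain, pos + 0x3C)[0]
                sig = pos + e_lfanew
                if 0x40 <= e_lfanew < max_lfanew and plain[sig:sig + 4] == b"PE\0\0":
                    entropy = round(shannon_entropy(blob[pos:pos + 4096]), 2)
                    hits.append((pos, key, entropy))
            pos = plain.find(b"MZ", pos + 1)
    return hits


def embeds_encrypted_pe(blob: bytes) -> bool:
    """True when a PE image is present only under a non-zero XOR key."""
    return any(key != 0 for _, key, _ in find_embedded_pe(blob))


def build_sample() -> bytes:
    """Constructed input: a stub PE header XOR-encrypted with key 0x5A and
    wrapped in innocuous text, the way a dropper might carry its payload."""
    header = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
    header += bytes(range(64))
    encrypted = header.translate(bytes(v ^ 0x5A for v in range(256)))
    return b"-- config block --\n" + encrypted + b"\n-- end --\n"


if __name__ == "__main__":
    print(find_embedded_pe(build_sample()))  # one hit at offset 19, key 90
```

Real scanners also handle multi-byte keys, stream ciphers and compression, which this check does not; its value is showing why an embedded image is recoverable by structure rather than by signature alone.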

How to resolve the issue

  • Investigate reported detections as indicators of software tampering.
  • Consult the MITRE ATT&CK documentation: T1027 - Obfuscated Files or Information.
  • Consider an alternative delivery mechanism for software packages.