TH16109

Detected presence of files that embed a raw compressed executable file.

priority    CI/CD status    severity    effort    RL level    RL assessment
            pass            high        high      None        None

About the issue

Attackers commonly hide malicious payloads behind layers of packing and code obfuscation. Compression is a common data transformation used to reduce the file size of Windows executables. The detected software behaviors indicate that the code is able to execute decompressed executables. Although dynamic code execution does not by itself imply malicious intent, every use of it in a software package should be documented and approved, because a package whose behavior traits resemble those of malicious software may be flagged by security solutions. One acceptable use for embedding raw compressed Windows executables is the intent to install or deploy software components.
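When triaging this detection, a practitioner usually wants to confirm where the compressed image sits inside the file and what it inflates to before deciding whether the use is documented and approved. The following script is an added example written for this page; it is not part of the page or of any ReversingLabs tool. It scans a file for zlib-framed streams that inflate to something shaped like a PE image (MZ header, e_lfanew, "PE\0\0" signature), records offset, inflated size and SHA-256 for each hit, and caps the inflated size so a decompression bomb cannot exhaust memory. It assumes zlib framing only; raw deflate, LZMA or custom packer formats would need additional probes. The carrier file and the PE-shaped blob are constructed inline and contain no real code.

```python
"""Locate zlib-compressed PE images embedded in an arbitrary file (added example, constructed input)."""
import hashlib
import struct
import zlib

# Two-byte zlib headers for the usual compression levels (CMF=0x78, FLG varies).
ZLIB_MAGICS = (b"\x78\x01", b"\x78\x5e", b"\x78\x9c", b"\x78\xda")
PE_SIGNATURE = b"PE\x00\x00"


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with a DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def find_embedded_compressed_executables(blob: bytes, max_out: int = 4 * 1024 * 1024):
    """Scan blob for zlib streams that inflate to a PE image.

    Returns a list of (offset, inflated_size, sha256_hex) sorted by offset.
    max_out bounds the inflated size so a decompression bomb cannot exhaust memory;
    a truncated stream still yields partial output, which is enough to check the headers.
    """
    hits = []
    for magic in ZLIB_MAGICS:
        pos = blob.find(magic)
        while pos >= 0:
            inflater = zlib.decompressobj()
            try:
                out = inflater.decompress(blob[pos:], max_out)
            except zlib.error:
                out = b""            # not a real zlib stream at this offset
            if looks_like_pe(out):
                hits.append((pos, len(out), hashlib.sha256(out).hexdigest()))
            pos = blob.find(magic, pos + 1)
    return sorted(hits)


def build_fake_pe(size: int = 0x200) -> bytes:
    """Constructed stand-in for a PE image: valid MZ/PE signatures, no real code."""
    img = bytearray(size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)      # e_lfanew -> PE signature at 0x80
    img[0x80:0x84] = PE_SIGNATURE
    return bytes(img)


def build_sample_container() -> bytes:
    """Constructed carrier file: filler, then the zlib-compressed fake PE at offset 64, then more filler."""
    return b"A" * 64 + zlib.compress(build_fake_pe(), 9) + b"B" * 64


if __name__ == "__main__":
    for offset, size, digest in find_embedded_compressed_executables(build_sample_container()):
        print(f"compressed PE at offset {offset}: inflates to {size} bytes, sha256 {digest}")
```

Run it against a real package by replacing `build_sample_container()` with the file's bytes; each hit gives you the offset to document and a hash to compare against the components the package is expected to deploy.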

How to resolve the issue

  • Investigate reported detections as indicators of software tampering.
  • Consult MITRE ATT&CK documentation: T1027 - Obfuscated Files or Information.
  • Consider an alternative delivery mechanism for software packages.