TH16110

Detected presence of document file formats that embed an executable.

Priority   CI/CD status   Severity   Effort   RL level   RL assessment
-          pass           high       high     None       None

About the issue

Attackers commonly hide their malicious payloads in layers of packing and code obfuscation. Compression and encryption are common data transformation techniques used to hide the presence of Windows executables. Embedding Windows executables in product documentation is highly unusual, as this is an uncommon way to distribute software. While the presence of one or more executable files in a document does not necessarily imply malicious intent, every such use in a software package should be documented and approved. The presence of documents that embed executables may cause the entire software package to be flagged by security solutions.

How to resolve the issue

  • Investigate reported detections as indicators of software tampering.
  • Consult MITRE ATT&CK documentation: T1027 - Obfuscated Files or Information.
  • Consider an alternative delivery mechanism for software packages.
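The check described above can be reproduced locally when triaging a reported detection. The following Python script is an added example written for this page; it is not ReversingLabs code and does not reproduce the product's own detection logic. It looks for a Windows PE image inside a document by requiring the two markers that every PE file carries (the "MZ" DOS magic and the "PE\0\0" signature at the offset stored in e_lfanew) to agree, which keeps random "MZ" byte pairs from producing hits. Flat formats (PDF, legacy OLE2 .doc/.xls) are scanned directly; ZIP-based formats (OOXML .docx/.xlsx, ODF) are opened and each member is scanned, because the compressed stream hides the markers from a raw byte search. The sample documents and the stand-in PE header are constructed inline for the demonstration and are not real files.

```python
import io
import struct
import sys
import zipfile

MZ = b"MZ"
PE_SIG = b"PE\0\0"


def find_embedded_pe(data: bytes) -> list[int]:
    """Return offsets in data where a plausible PE image begins.

    A PE image starts with a DOS header whose 'MZ' magic is followed at
    offset 0x3C by e_lfanew, the offset of the 'PE\\0\\0' signature.
    Both markers must agree before an offset is reported.
    """
    hits = []
    pos = data.find(MZ)
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig_at = pos + e_lfanew
            # e_lfanew below 0x40 would overlap the DOS header; a huge
            # value is almost always a false positive on random bytes.
            if 0x40 <= e_lfanew < 0x1000 and data[sig_at:sig_at + 4] == PE_SIG:
                hits.append(pos)
        pos = data.find(MZ, pos + 1)
    return hits


def scan_document(data: bytes) -> dict[str, list[int]]:
    """Scan a document for embedded PE images.

    Returns {"<raw>": [offsets]} for hits in the flat byte stream and
    {member_name: [offsets]} for hits inside ZIP-based containers.
    """
    findings: dict[str, list[int]] = {}
    raw = find_embedded_pe(data)
    if raw:
        findings["<raw>"] = raw
    if data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for name in zf.namelist():
                    member_hits = find_embedded_pe(zf.read(name))
                    if member_hits:
                        findings[name] = member_hits
        except zipfile.BadZipFile:
            pass  # Not a ZIP container after all; the raw scan stands.
    return findings


def make_fake_pe() -> bytes:
    """Constructed, non-executable stand-in for a PE image: a 64-byte
    DOS header with e_lfanew = 0x40, then the PE signature and padding."""
    header = bytearray(0x40)
    header[:2] = MZ
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + PE_SIG + b"\0" * 20


def make_sample_flat_document(payload: bytes) -> bytes:
    """Constructed PDF-like flat document carrying the payload in a stream."""
    return b"%PDF-1.7\n" + b"stream\n" + payload + b"\nendstream\n"


def make_sample_docx(payload: bytes) -> bytes:
    """Constructed OOXML-like container storing the payload where Word
    keeps embedded OLE objects (word/embeddings/)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/embeddings/oleObject1.bin", payload)
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(scan_document(fh.read()))
    else:
        pe = make_fake_pe()
        print("flat:", scan_document(make_sample_flat_document(pe)))
        print("docx:", scan_document(make_sample_docx(pe)))
        print("clean docx:", scan_document(make_sample_docx(b"")))
```

Run it with a file path to scan a real document, or with no arguments to see the constructed samples: the flat document reports a raw hit, the .docx reports the hit only inside the embedded object member (the raw scan of the compressed container finds nothing), and the clean container reports nothing. This matches the page's point that compression hides the executable from naive searches; an encrypted or otherwise transformed payload would defeat this check as well, which is why a hit here is a starting point for investigation rather than a verdict.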