Skip to content

DET0023 Obfuscated Binary Unpacking Detection via Behavioral Patterns

Item Value
ID DET0023
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1027.002 (Software Packing)

Analytics

Windows

AN0066

Detection of unpacking behavior through abnormal memory allocation, followed by executable code injection and execution from non-image sections.

Log Sources
Data Component Name Channel
Process Access (DC0035) WinEventLog:Sysmon EventCode=10
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Mutable Elements
Field Description
ParentProcessName To scope detections to suspicious parent-child process relationships typical of loaders or droppers.
AllocationSizeThreshold To tune for unusually large virtual memory allocations that might indicate unpacked payloads.

Linux

AN0067

Correlates ELF file execution with high-entropy writable memory segments and self-modifying code patterns.

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:SYSCALL execve
Process Modification (DC0020) auditd:SYSCALL mprotect
Mutable Elements
Field Description
EntropyThreshold Useful for tuning unpacked sections containing high entropy indicative of compression or encryption.
TimeWindow Can be tuned to correlate file writes to execution within a set timeframe.

macOS

AN0068

Detection of packed Mach-O binaries unpacking into memory and transferring control to dynamically modified code segments.

Log Sources
Data Component Name Channel
Process Creation (DC0032) macos:unifiedlog process::exec
Process Modification (DC0020) macos:endpointsecurity ES_EVENT_MMAP
Mutable Elements
Field Description
SignedBinaryContext Helps to distinguish between signed/unsigned packed binaries (common in legitimate vs. malicious cases).
UserContext Can be used to scope to specific users or service accounts targeted in attacks.