
DET0019 Detection Strategy for Stripped Payloads Across Platforms

Item | Value
ID | DET0019
Version | 1.0
Created | 21 October 2025
Last Modified | 21 October 2025

Technique Detected: T1027.008 (Stripped Payloads)

Analytics

Windows

AN0055

Executable or script payloads lacking symbol information and readable strings that are created or dropped by unusual or short-lived processes.

Log Sources
Data Component | Name | Channel
Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1
File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11
File Metadata (DC0059) | EDR:file | File Metadata Inspection (Low String Entropy, Missing PDB)
Mutable Elements
Field | Description
EntropyThreshold | Payloads with extremely low string entropy may indicate stripped or obfuscated binaries
ParentProcessName | Used to scope or whitelist common system builders, compilers, or admin tools
TimeWindow | Correlates file creation and process spawning within a short timeframe
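
The Windows analytic above combines three signals: a file-metadata check (no PDB reference, few readable strings), a parent-process allowlist, and a time window between the Sysmon EventCode 11 write and the EventCode 1 execution of the same path. The following Python is an added illustration of that correlation and is not part of the DET0019 page or any MITRE tooling. The events, file bytes, allowlist entries, 120-second window and the strings-per-KiB threshold (used here in place of the page's EntropyThreshold) are all constructed assumptions.

```python
from datetime import datetime, timedelta
import re

# Tunables corresponding to the analytic's mutable elements; the values are assumptions.
TIME_WINDOW = timedelta(seconds=120)                                     # TimeWindow
PARENT_ALLOWLIST = {"msbuild.exe", "cl.exe", "link.exe", "devenv.exe"}  # ParentProcessName
MIN_STRINGS_PER_KB = 2.0                                                 # stands in for EntropyThreshold

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")

def strings_per_kb(data: bytes) -> float:
    """Readable-string density: number of printable-ASCII runs (>= 4 bytes) per KiB of file."""
    if not data:
        return 0.0
    return len(PRINTABLE_RUN.findall(data)) / (len(data) / 1024)

def _ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S")

def correlate(events, file_metadata):
    """Flag files that (a) lack a PDB reference and readable strings, (b) were written by a
    non-allowlisted process, and (c) were executed within TIME_WINDOW of being created.
    events: Sysmon-style dicts with EventCode 11 (FileCreate) and 1 (ProcessCreate).
    file_metadata: TargetFilename -> {"pdb_present": bool, "bytes": bytes} from EDR inspection."""
    creates = [e for e in events if e["EventCode"] == 11]
    execs = [e for e in events if e["EventCode"] == 1]
    alerts = []
    for c in creates:
        writer = c["Image"].rsplit("\\", 1)[-1].lower()
        if writer in PARENT_ALLOWLIST:
            continue
        meta = file_metadata.get(c["TargetFilename"])
        if meta is None:
            continue
        density = strings_per_kb(meta["bytes"])
        if meta["pdb_present"] or density >= MIN_STRINGS_PER_KB:
            continue                         # metadata looks like a normal build artefact
        for x in execs:
            if x["Image"].lower() != c["TargetFilename"].lower():
                continue
            delta = _ts(x) - _ts(c)
            if timedelta(0) <= delta <= TIME_WINDOW:
                alerts.append({
                    "file": c["TargetFilename"],
                    "written_by": c["Image"],
                    "executed_after_s": int(delta.total_seconds()),
                    "strings_per_kb": round(density, 2),
                })
    return alerts

# Constructed sample telemetry (not real logs).
EVENTS = [
    {"EventCode": 11, "UtcTime": "2025-10-21 10:00:00",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\Public\svc.exe"},
    {"EventCode": 1, "UtcTime": "2025-10-21 10:00:15", "Image": r"C:\Users\Public\svc.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventCode": 11, "UtcTime": "2025-10-21 10:05:00", "Image": r"C:\BuildTools\link.exe",
     "TargetFilename": r"C:\dev\app\bin\app.exe"},
    {"EventCode": 1, "UtcTime": "2025-10-21 10:05:30", "Image": r"C:\dev\app\bin\app.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventCode": 11, "UtcTime": "2025-10-21 10:10:00", "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Program Files\Vendor\tool.exe"},
    {"EventCode": 1, "UtcTime": "2025-10-21 10:10:05", "Image": r"C:\Program Files\Vendor\tool.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
]
FILE_METADATA = {
    r"C:\Users\Public\svc.exe": {"pdb_present": False, "bytes": b"\x00" * 4096},       # stripped-looking
    r"C:\dev\app\bin\app.exe": {"pdb_present": False, "bytes": b"\x00" * 4096},        # allowlisted builder
    r"C:\Program Files\Vendor\tool.exe": {"pdb_present": True,                          # strings + PDB
        "bytes": b"\x00".join(b"GetProcAddress%d" % i for i in range(200))},
}

if __name__ == "__main__":
    for alert in correlate(EVENTS, FILE_METADATA):
        print(alert)
```

Only the PowerShell-dropped file is reported: the build-tool output is removed by the allowlist, and the installer-dropped file carries a PDB reference and readable strings. In production the metadata dictionary would come from the EDR file-inspection channel rather than from raw bytes.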

Linux

AN0056

Executable or binary files created without symbol tables or with stripped sections, especially by non-user shell processes or compilers invoked outside standard dev paths.

Log Sources
Data Component | Name | Channel
Process Creation (DC0032) | auditd:EXECVE | EXECVE
File Modification (DC0061) | auditd:SYSCALL | open, write
File Metadata (DC0059) | linux:osquery | hash, elf_info, file_metadata
Mutable Elements
Field | Description
StripFlags | Flag combinations in compiled binaries indicating symbol table removal
DirectoryScope | Whitelist compiler output directories to reduce false positives
FileSizeRange | Heuristic boundaries for abnormally small or overly large stripped binaries

macOS

AN0057

Creation of run-only AppleScripts or Mach-O binaries lacking a symbol table and string references, especially when dropped by user-space scripting engines or staging apps.

Log Sources
Data Component | Name | Channel
File Creation (DC0039) | macos:unifiedlog | file write
Process Creation (DC0032) | macos:endpointsecurity | ES_EVENT_TYPE_NOTIFY_EXEC
File Metadata (DC0059) | macos:osquery | code_signing, file_metadata
Mutable Elements
Field | Description
RunOnlyFlag | The run-only compile option, which omits the script source to hinder reverse engineering (run-only compiled scripts)
ParentProcess | Filter to isolate staging or suspicious scripting engines
SignedStatus | Tuning based on unsigned vs. developer-signed payloads
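
Both the Linux (AN0056) and macOS (AN0057) analytics hinge on one file-metadata question: does the binary still carry a symbol table? The Python below is an added example, not code from the DET0019 page or from osquery, showing the check at the format level: for ELF64 it walks the section headers and reports stripped when no SHT_SYMTAB section exists, and for 64-bit Mach-O it reads nsyms from LC_SYMTAB. The fixtures are constructed header-only images, not real binaries. Two assumptions to note: the parser handles little-endian, thin (non-universal) files only, and the Mach-O rule "nsyms <= max_symbols" is a heuristic because stripped macOS executables normally keep some symbols for dynamic linking, so max_symbols should be tuned against known-good binaries.

```python
import struct

ELF_MAGIC = b"\x7fELF"
SHT_PROGBITS, SHT_SYMTAB, SHT_STRTAB = 1, 2, 3
MH_MAGIC_64 = 0xFEEDFACF          # 64-bit Mach-O, little-endian
LC_SYMTAB = 0x2

def elf_section_types(data: bytes) -> dict:
    """Map section name -> sh_type for a little-endian ELF64 image (section headers only)."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_shoff,) = struct.unpack_from("<Q", data, 0x28)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", data, 0x3A)
    hdrs = [struct.unpack_from("<IIQQQQIIQQ", data, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    str_off, str_size = hdrs[e_shstrndx][4], hdrs[e_shstrndx][5]
    shstrtab = data[str_off:str_off + str_size]
    types = {}
    for sh_name, sh_type, *_ in hdrs[1:]:          # index 0 is the mandatory null section
        name = shstrtab[sh_name:].split(b"\x00", 1)[0].decode()
        types[name] = sh_type
    return types

def elf_is_stripped(data: bytes) -> bool:
    """An ELF with no SHT_SYMTAB section has had its static symbol table removed (what strip does)."""
    return SHT_SYMTAB not in elf_section_types(data).values()

def macho_symbol_count(data: bytes) -> int:
    """nsyms from LC_SYMTAB of a little-endian 64-bit Mach-O (thin binaries only); 0 if absent."""
    magic, _cpu, _sub, _ftype, ncmds, _size, _flags, _res = struct.unpack_from("<IiiIIIII", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O image")
    off = 32                                        # load commands follow the 32-byte header
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd == LC_SYMTAB:
            _, _, _symoff, nsyms, _stroff, _strsize = struct.unpack_from("<IIIIII", data, off)
            return nsyms
        off += cmdsize
    return 0

def macho_is_stripped(data: bytes, max_symbols: int = 0) -> bool:
    """Heuristic (assumed threshold): no LC_SYMTAB, or at most max_symbols entries."""
    return macho_symbol_count(data) <= max_symbols

def classify(data: bytes):
    """(format, stripped) for ELF64 / Mach-O 64 input; None for anything else (e.g. PE)."""
    if data[:4] == ELF_MAGIC:
        return ("elf64", elf_is_stripped(data))
    if len(data) >= 4 and struct.unpack_from("<I", data)[0] == MH_MAGIC_64:
        return ("macho64", macho_is_stripped(data))
    return None

# --- constructed fixtures (not real binaries): header-only images sufficient for the checks above ---
def build_elf64(section_names):
    names = [b".shstrtab"] + [n.encode() for n in section_names]
    shstrtab = b"\x00" + b"".join(n + b"\x00" for n in names)
    e_shoff = 64 + len(shstrtab)
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8          # ELFCLASS64, little-endian, v1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 0, e_shoff, 0, 64, 0, 0, 64, len(names) + 1, 1)
    kinds = {b".shstrtab": SHT_STRTAB, b".symtab": SHT_SYMTAB, b".strtab": SHT_STRTAB}
    shdrs, name_off = [bytes(64)], 1
    for n in names:
        off, size = (64, len(shstrtab)) if n == b".shstrtab" else (0, 0)
        shdrs.append(struct.pack("<IIQQQQIIQQ", name_off, kinds.get(n, SHT_PROGBITS), 0, 0, off, size, 0, 0, 1, 0))
        name_off += len(n) + 1
    return ehdr + shstrtab + b"".join(shdrs)

def build_macho64(nsyms: int):
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, 2, 1, 24, 0, 0)   # x86_64, MH_EXECUTE, 1 cmd
    return header + struct.pack("<IIIIII", LC_SYMTAB, 24, 0, nsyms, 0, 0)

if __name__ == "__main__":
    print(classify(build_elf64([".text"])))                       # ('elf64', True)
    print(classify(build_elf64([".text", ".symtab", ".strtab"])))  # ('elf64', False)
    print(classify(build_macho64(0)), classify(build_macho64(1500)))
```

The same result is what osquery's elf_info / file_metadata columns summarise; doing it by hand shows which bytes the verdict rests on, and that the StripFlags and FileSizeRange tunables from the table are applied on top of this binary answer.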

Network Devices

AN0058

Inbound binary payloads transferred over HTTP/S with compressed or encoded headers, lacking signature markers or metadata indicative of compiler/toolchain.

Log Sources
Data Component | Name | Channel
Network Traffic Content (DC0085) | NSM:Flow | http.log, files.log
Mutable Elements
Field | Description
MIMEType | Tune for octet-stream or mismatched Content-Type headers
PayloadSize | Payload threshold for executable-sized artifacts
TransferEncoding | Suspicious base64 or chunked encoding not matching normal app behavior
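
At the network layer the analytic relies on files.log rather than on the binary itself, so the usable signals are the sniffed MIME type, the declared filename and the transfer size. The Python below is an added example (not part of the DET0019 page or of Zeek) that applies the MIMEType and PayloadSize tunables to a constructed files.log excerpt: a generic application/octet-stream body of executable size is flagged, as is a sniffed executable delivered under an image filename. The column subset, the 16 KiB threshold, the extension list and the MIME names (the libmagic labels Zeek commonly emits; confirm against your sensor) are assumptions, and TransferEncoding is left to http.log, which this snippet does not parse.

```python
EXEC_MIME = {"application/x-dosexec", "application/x-executable", "application/x-mach-binary"}
GENERIC_MIME = {"application/octet-stream"}
PAYLOAD_MIN_BYTES = 16 * 1024                       # PayloadSize (assumed threshold)
NON_EXEC_EXT = {"png", "jpg", "gif", "pdf", "txt", "html", "css", "js", "json", "xml"}

def parse_zeek_tsv(text: str):
    """Yield one dict per record from a Zeek-style TSV log, using its #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            yield dict(zip(fields, line.split("\t")))

def flag_file_record(rec: dict) -> list:
    """Return the reasons a files.log record looks like an unlabeled binary payload (empty if none)."""
    reasons = []
    if rec.get("source") != "HTTP":                 # analytic scope is HTTP/S transfers
        return reasons
    size_field = rec.get("total_bytes", "-")
    size = int(size_field if size_field != "-" else rec.get("seen_bytes", "0"))
    if size < PAYLOAD_MIN_BYTES:
        return reasons
    mime = rec.get("mime_type", "-")
    name = rec.get("filename", "-")
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if mime in GENERIC_MIME:
        reasons.append(f"generic {mime} body of executable size ({size} bytes)")
    if mime in EXEC_MIME and ext in NON_EXEC_EXT:   # sniffed type disagrees with the declared name
        reasons.append(f"sniffed executable ({mime}) delivered as {name}")
    return reasons

def triage(files_log: str) -> dict:
    """fuid -> reasons for every flagged record in a files.log text."""
    hits = {}
    for rec in parse_zeek_tsv(files_log):
        reasons = flag_file_record(rec)
        if reasons:
            hits[rec["fuid"]] = reasons
    return hits

# Constructed sample (subset of Zeek files.log columns; hosts are documentation addresses).
_FIELDS = ["ts", "fuid", "tx_hosts", "rx_hosts", "source", "mime_type", "filename", "seen_bytes", "total_bytes"]
_ROWS = [
    ["1761040800.1", "Fa1", "203.0.113.10", "10.0.0.5", "HTTP", "application/octet-stream", "-", "245760", "245760"],
    ["1761040801.2", "Fb2", "203.0.113.11", "10.0.0.6", "HTTP", "application/x-dosexec", "logo.png", "98304", "98304"],
    ["1761040802.3", "Fc3", "198.51.100.2", "10.0.0.7", "HTTP", "text/html", "index.html", "2048", "2048"],
    ["1761040803.4", "Fd4", "198.51.100.3", "10.0.0.8", "HTTP", "application/x-dosexec", "setup.exe", "5242880", "-"],
    ["1761040804.5", "Fe5", "203.0.113.12", "10.0.0.9", "SMB", "application/octet-stream", "-", "1048576", "1048576"],
]
SAMPLE_FILES_LOG = "\n".join(["#separator \\x09", "#fields\t" + "\t".join(_FIELDS)] + ["\t".join(r) for r in _ROWS])

if __name__ == "__main__":
    for fuid, why in triage(SAMPLE_FILES_LOG).items():
        print(fuid, "->", "; ".join(why))
```

Record Fd4 (an executable named as one) is deliberately not flagged here: whether that payload is stripped is answered by the host analytics above once the file lands, not by flow metadata.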