T1027.008 Stripped Payloads
Adversaries may attempt to make a payload difficult to analyze by removing symbols, strings, and other human readable information. Scripts and executables may contain variables names and other strings that help developers document code functionality. Symbols are often created by an operating system’s linker when executable payloads are compiled. Reverse engineers use these symbols and strings to analyze code and to identify functionality in payloads.31
Adversaries may use stripped payloads in order to make malware analysis more difficult. For example, compilers and other tools may provide features to remove or obfuscate strings and symbols. Adversaries have also used stripped payload formats, such as run-only AppleScripts, a compiled and stripped version of AppleScript, to evade detection and analysis. The lack of human-readable information may directly hinder detection and analysis of payloads.2
| Item | Value |
|---|---|
| ID | T1027.008 |
| Sub-techniques | T1027.001, T1027.002, T1027.003, T1027.004, T1027.005, T1027.006, T1027.007, T1027.008, T1027.009, T1027.010, T1027.011 |
| Tactics | TA0005 |
| Platforms | Linux, Windows, macOS |
| Version | 1.0 |
| Created | 29 September 2022 |
| Last Modified | 20 October 2022 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S1048 | macOS.OSAMiner | macOS.OSAMiner has used run-only Applescripts, a compiled and stripped version of AppleScript, to remove human readable indicators to evade detection.2 |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0022 | File | File Metadata |
References
-
Ignacio Sanmillan. (2018, February 7). Executable and Linkable Format 101. Part 2: Symbols. Retrieved September 29, 2022. ↩
-
Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 29, 2022. ↩↩
-
STEPHEN ECKELS. (2022, February 28). Ready, Set, Go — Golang Internals and Symbol Recovery. Retrieved September 29, 2022. ↩