[T1027.008] Obfuscated Files or Information: Stripped Payloads - Adversaries remove human-readable symbols and strings from binaries and scripts to hinder analysis and evade detection. Stripped payloads reduce useful metadata and make automated scanning and manual reverse engineering harder. #StrippedBinaries #DefenseEvasion
Keypoints
- Stripped payloads remove symbols and strings from executables to hide intent and functionality.
- Compilers and packers can produce stripped binaries or run-only scripts that lack readable metadata.
- Detection relies on file metadata, entropy, and structural anomalies rather than readable strings.
- Monitoring file creation events and transfer vectors helps spot suspicious stripped artifacts.
- False positives are common; combine static, dynamic, and behavioral analysis for accuracy.
Description:
- Like erasing the labels and notes from a blueprint so a builder can't tell what a machine does, stripped payloads hide the clues analysts use to understand code.
- Adversaries remove symbol tables, string tables, and other human-readable metadata from binaries, or compile scripts into run-only forms, to make reverse engineering and automated detection more difficult; this enables stealthier persistence, execution, and delivery of malicious functionality.
Detection:
- Use file metadata and hashes to detect unexpected executables or run-only script files; compare against known-good baselines and software inventories.
- Scan file sections and headers (ELF, PE, Mach-O) for missing symbol tables or abnormal section names using tools like readelf, objdump, pefile, and machotools.
- Measure string density and entropy; high entropy and few readable strings can indicate stripping or packing. Use binwalk, strings, and Viper for automated checks.
- Perform static anomaly detection: flag binaries with zero or minimal symbol/string tables or with compressed/packed sections for deeper analysis.
- Use dynamic execution and sandboxing to observe behavior when static artifacts are stripped; record network, process, and file activity with EDR/sandbox solutions to catch runtime indicators.
- Monitor file creation, execution, and transfer logs (Sysmon, auditd, macOS unified logs, network file transfer logs) for freshly introduced stripped binaries or run-only scripts from unexpected sources.
- Validate findings with layered analysis to reduce false positives: correlate file provenance, code signing, digital certificates, developer origin, and behavioral telemetry before triage.
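As an added illustration of the header and entropy checks above (example code written for this page, not from MITRE or any of the cited reports): a stdlib-only Python script that reads the ELF64 section header table to test for a .symtab section, computes Shannon entropy and printable-string density, and exercises both on two constructed, non-loadable ELF images. The 7.0-bit and 10-strings-per-KB cut-offs are assumptions for illustration, not published thresholds.

```python
import hashlib, math, re, struct

SH_FMT = "<IIQQQQIIQQ"  # ELF64 Shdr: name, type, flags, addr, offset, size, link, info, align, entsize

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    return -sum(c / len(data) * math.log2(c / len(data)) for c in map(data.count, set(data))) if data else 0.0

def printable_strings(data: bytes, min_len: int = 4) -> list:
    """What `strings` would print: runs of printable ASCII at least min_len bytes long."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def elf64_section_names(data: bytes) -> list:
    """Section names read from a little-endian ELF64 section header table ([] if none)."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        return []
    (e_shoff,) = struct.unpack_from("<Q", data, 0x28)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", data, 0x3A)
    hdrs = [struct.unpack_from(SH_FMT, data, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    strtab = hdrs[e_shstrndx][4] if hdrs else 0  # sh_offset of .shstrtab; sh_name indexes into it
    return [data[strtab + h[0]:data.index(b"\x00", strtab + h[0])].decode() for h in hdrs]

def assess(data: bytes) -> dict:
    """Static triage indicators; the 7.0-bit and 10-strings/KB cut-offs are illustrative assumptions."""
    names = elf64_section_names(data)
    ent = round(shannon_entropy(data), 2)
    spk = round(len(printable_strings(data)) * 1024 / max(len(data), 1), 1)
    flag = data[:4] == b"\x7fELF" and ".symtab" not in names and (ent > 7.0 or spk < 10)
    return {"has_symtab": ".symtab" in names, "entropy": ent, "strings_per_kb": spk, "flag": flag}

def build_elf64(section_names: list, body: bytes) -> bytes:
    """Constructed, non-loadable ELF64 test image: header, body, .shstrtab, section header table."""
    names = [".shstrtab"] + section_names
    shstr = b"\x00" + b"".join(n.encode() + b"\x00" for n in names)
    name_off = {n: shstr.index(b"\x00" + n.encode() + b"\x00") + 1 for n in names}
    shstr_off = 64 + len(body)
    shoff = shstr_off + len(shstr) + (-(shstr_off + len(shstr))) % 8  # 8-byte-align the table
    hdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELFCLASS64, little-endian, version 1
    hdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, len(names) + 1, 1)
    sh = struct.pack(SH_FMT, *([0] * 10))  # mandatory null section at index 0
    for n in names:
        off, size = (shstr_off, len(shstr)) if n == ".shstrtab" else (64, len(body))
        sh += struct.pack(SH_FMT, name_off[n], 1, 0, 0, off, size, 0, 0, 1, 0)
    return hdr + body + shstr + b"\x00" * (shoff - shstr_off - len(shstr)) + sh

# Constructed samples: a symbol-rich image, and a stripped one whose body is pseudo-random (packed-like).
TEXTY = b"main\x00printf\x00strcpy\x00config.ini\x00Usage: tool [options]\x00" * 40
NOISY = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
UNSTRIPPED = build_elf64([".text", ".symtab", ".strtab"], TEXTY)
STRIPPED = build_elf64([".text"], NOISY)
```

Call assess() on a file's bytes to get the indicators; a raised flag is a reason to pull the file into the provenance, signing and behavioral checks listed above, not a verdict on its own.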
Tactics:
Defense Evasion
Platforms:
Linux, Network Devices, Windows, macOS
Data Sources:
File: File Metadata
Relationship Citations:
(Citation: SentinelLabs reversing run-only applescripts 2021), (Citation: SentinelOne Cuckoo Stealer May 2024), (Citation: Kandji Cuckoo April 2024)