Description
Adversaries may attempt to make a payload difficult to analyze by removing symbols, strings, and other human-readable information. Scripts and executables may contain variable names and other strings that help developers document code functionality. Symbols are often created by an operating system's linker when executable payloads are compiled. Reverse engineers use these symbols and strings to analyze code and to identify functionality in payloads.(Citation: Mandiant golang stripped binaries explanation)(Citation: intezer stripped binaries elf files 2018)
Adversaries may use stripped payloads in order to make malware analysis more difficult. For example, compilers and other tools may provide features to remove or obfuscate strings and symbols. Adversaries have also used stripped payload formats, such as run-only AppleScripts, a compiled and stripped version of AppleScript, to evade detection and analysis. The lack of human-readable information may directly hinder detection and analysis of payloads.(Citation: SentinelLabs reversing run-only applescripts 2021)
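As an added triage example (not code from the ATT&CK page or any cited work), the following walks an ELF section header table and flags a sample whose static symbol table, the `.symtab` section that a linker's strip step removes, is absent. The header layouts and section types follow the ELF specification; `build_elf64` only constructs minimal test images so the check runs offline.

```python
import struct

SHT_PROGBITS, SHT_SYMTAB, SHT_STRTAB = 1, 2, 3  # section types (ELF spec)

# Per EI_CLASS: (ELF header struct, section header struct); same field order, different widths.
_LAYOUT = {
    1: ("<16sHHIIIIIHHHHHH", "<IIIIIIIIII"),  # ELFCLASS32
    2: ("<16sHHIQQQIHHHHHH", "<IIQQQQIIQQ"),  # ELFCLASS64
}

def section_names(elf: bytes) -> list[str]:
    """Walk the section header table of a little-endian ELF image and return
    all section names (index 0 is the mandatory empty SHN_UNDEF entry)."""
    if elf[:4] != b"\x7fELF" or elf[5] != 1 or elf[4] not in _LAYOUT:
        raise ValueError("not a little-endian ELF32/ELF64 image")
    ehdr_fmt, shdr_fmt = _LAYOUT[elf[4]]
    ehdr = struct.unpack_from(ehdr_fmt, elf, 0)
    shoff, shentsize, shnum, shstrndx = ehdr[6], ehdr[11], ehdr[12], ehdr[13]
    shdrs = [struct.unpack_from(shdr_fmt, elf, shoff + i * shentsize)
             for i in range(shnum)]
    # .shstrtab (sh_offset = field 4, sh_size = field 5) holds the NUL-terminated names
    off, size = shdrs[shstrndx][4], shdrs[shstrndx][5]
    strs = elf[off:off + size]
    return [strs[h[0]:strs.index(b"\0", h[0])].decode() for h in shdrs]

def is_stripped(elf: bytes) -> bool:
    """No .symtab means the static symbol table was stripped. Other metadata
    (e.g. Go's runtime tables) may still allow partial symbol recovery."""
    return ".symtab" not in section_names(elf)

def build_elf64(names: list[str]) -> bytes:
    """Constructed test data: a minimal ELF64 image holding only the named
    (empty) sections plus their .shstrtab; not a real compiled binary."""
    shstrtab, name_off = bytearray(b"\0"), {}
    for n in names:
        name_off[n] = len(shstrtab)
        shstrtab += n.encode() + b"\0"
    shoff = 64 + len(shstrtab)
    shoff += -shoff % 8  # 8-byte align the section header table
    types = {".symtab": SHT_SYMTAB, ".strtab": SHT_STRTAB, ".shstrtab": SHT_STRTAB}
    shdrs = bytearray(struct.pack("<IIQQQQIIQQ", *([0] * 10)))  # SHN_UNDEF entry
    for n in names:
        off, size = (64, len(shstrtab)) if n == ".shstrtab" else (0, 0)
        shdrs += struct.pack("<IIQQQQIIQQ", name_off[n], types.get(n, SHT_PROGBITS),
                             0, 0, off, size, 0, 0, 1, 0)
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01" + b"\0" * 9,
                       2, 0x3E, 1, 0, 0, shoff, 0, 64, 56, 0, 64,
                       len(names) + 1, names.index(".shstrtab") + 1)
    return ehdr + shstrtab + b"\0" * (shoff - 64 - len(shstrtab)) + bytes(shdrs)
```

Against a real sample, `is_stripped(open(path, "rb").read())` gives a triage signal only: as the cited Go symbol-recovery article shows, a missing `.symtab` does not mean no function names can be recovered from other metadata.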
Associated Software (2)
| ID | Name | Type | Context |
|---|---|---|---|
| S1048 | macOS.OSAMiner | Malware | [macOS.OSAMiner](https://attack.mitre.org/software/S1048) has used run-only AppleScripts, a compiled and stripped version of [AppleScript](https://att... |
| S1153 | Cuckoo Stealer | Malware | [Cuckoo Stealer](https://attack.mitre.org/software/S1153) is a stripped binary payload.(Citation: Kandji Cuckoo April 2024) (Citation: SentinelOne Cuc... |
References
- Ignacio Sanmillan. (2018, February 7). Executable and Linkable Format 101. Part 2: Symbols. Retrieved September 29, 2022.
- Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 29, 2022.
- Stephen Eckels. (2022, February 28). Ready, Set, Go — Golang Internals and Symbol Recovery. Retrieved September 29, 2022.
Frequently Asked Questions
What is T1027.008 (Stripped Payloads)?
T1027.008 is a MITRE ATT&CK technique named 'Stripped Payloads'. It belongs to the Stealth tactic(s). Adversaries may attempt to make a payload difficult to analyze by removing symbols, strings, and other human-readable information. Scripts and executables may contain variable names and other strings...
How can T1027.008 be detected?
Detection of T1027.008 (Stripped Payloads) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1027.008?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1027.008?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.