T1027.008 Stripped Payloads Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("osascript", "osacompile")
    or FileName in~ ("osascript", "osacompile")
| where ProcessCommandLine has_any ("-x ", "-o ", "compile", ".scpt", ".scptd", "run-only")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
| union (
    DeviceFileEvents
    | where Timestamp > ago(24h)
    | where ActionType == "FileCreated"
    | where FileName endswith ".scpt" or FileName endswith ".scptd"
    | where FolderPath !has "/Library/Scripts/"
        and FolderPath !has "/System/Library/"
    | project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName,
             FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine
)

medium severity medium confidence

Data Sources

Process: Process Creation File: File Creation Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceFileEvents

False Positives

IT administrators deploying AppleScript automation tools that compile scripts for distribution
macOS application builds that compile AppleScript resources as part of their build process
Legitimate automation frameworks (Automator, Script Editor) that save compiled scripts in user directories
Go language toolchain installations that strip symbols as part of release builds

Splunk

spl

index=syslog OR index=osquery sourcetype=linux_secure OR sourcetype=osquery
| eval is_strip=if(match(cmdline, "strip\s+(--strip-all|-s)\s+"), 1, 0)
| eval is_stripped_exec=if(match(cmdline, "(go build.*-ldflags.*-s.*-w|gcc.*-s |g\+\+.*-s )"), 1, 0)
| eval is_osa=if(match(cmdline, "osacompile.*-x"), 1, 0)
| where is_strip=1 OR is_stripped_exec=1 OR is_osa=1
| table _time, host, user, cmdline, is_strip, is_stripped_exec, is_osa
| sort - _time
| append [
    search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
      (CommandLine="*strip*" OR CommandLine="*-ldflags*-s*-w*" OR CommandLine="*pdbremove*")
      NOT (Image="C:\\Windows\\*" OR Image="C:\\Program Files\\*")
    | table _time, host, User, Image, CommandLine
]

medium severity low confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational linux_secure

False Positives

Legitimate Go builds with -ldflags '-s -w' for production size optimization — this is standard practice in Go release builds
Linux kernel module builds and system software compilation with strip commands
Cross-compilation toolchains for embedded systems that strip debug info from binaries
CI/CD pipelines that strip symbols from production builds to reduce binary size

Elastic Security (EQL)

eql

process where event.type == "start" and (
  (process.name in~ ("osascript", "osacompile") and
   (process.command_line : "* -x *" or process.command_line : "*run-only*")) or
  (process.name == "strip" and
   (process.command_line : "*--strip-all*" or process.command_line : "* -s *")) or
  (process.name == "go" and process.args == "build" and
   process.command_line : "*-ldflags*" and
   (process.command_line : "* -s *" or process.command_line : "* -w *")) or
  (process.name in ("gcc", "g++", "cc") and process.command_line : "* -s ") or
  (process.name in~ ("pdbremove", "cv2pdb") and
   not process.executable : ("C:\\Windows\\*", "C:\\Program Files\\*", "/usr/bin/*"))
)

medium severity medium confidence

Data Sources

Elastic Endpoint Security Agent Auditbeat Winlogbeat with Sysmon

Required Tables

logs-endpoint.events.process-* logs-system.syslog-*

False Positives

Go release CI/CD builds commonly use -ldflags '-s -w' to minimize binary size in production artifacts and Docker images — expect high volume on build servers and engineering workstations
System administrators and Linux package maintainers invoking strip --strip-all on compiled binaries during build and deployment workflows (make install, dpkg-buildpackage, rpmbuild)
macOS developers using osacompile -x to create run-only AppleScript distributions for enterprise endpoint deployment via Jamf or other MDM solutions

IBM QRadar (AQL)

sql

SELECT DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS "Event Time",
  sourceip AS "Source IP",
  username AS "Username",
  "devicehostname" AS "Hostname",
  QIDNAME(qid) AS "Event Name",
  "Command" AS "Command Line",
  LOGSOURCETYPENAME(devicetype) AS "Log Source Type"
FROM events
WHERE (
  ("Command" ILIKE '%osacompile%' AND ("Command" ILIKE '% -x %' OR "Command" ILIKE '%run-only%'))
  OR ("Command" ILIKE '% strip %' AND ("Command" ILIKE '%--strip-all%' OR "Command" ILIKE '% -s %'))
  OR ("Command" ILIKE '%go build%' AND "Command" ILIKE '%-ldflags%'
      AND ("Command" ILIKE '% -s %' OR "Command" ILIKE '% -w %'))
  OR (("Command" ILIKE '%gcc %' OR "Command" ILIKE '%g++ %') AND "Command" ILIKE '% -s ')
  OR "Command" ILIKE '%pdbremove%'
  OR "Command" ILIKE '%cv2pdb%'
)
AND LOGSOURCETYPENAME(devicetype) NOT IN ('Custom Rule Engine', 'Flow Stitching Engine')
LAST 24 HOURS

medium severity medium confidence

Data Sources

IBM QRadar SIEM Linux OS DSM Microsoft Windows DSM Apple macOS DSM Sysmon DSM

Required Tables

events

False Positives

Go microservice release pipelines (Jenkins, GitLab CI, GitHub Actions runners) using -ldflags '-s -w' for binary size optimization in production build environments
Linux distribution package build systems (dpkg-buildpackage, rpmbuild, Buildroot, Yocto) invoking strip --strip-all as a standard post-compilation packaging step
macOS enterprise deployment workflows using osacompile -x to produce run-only AppleScript automation packages distributed via Jamf, Mosyle, or Kandji MDM

Sumo Logic CSE

sql

(_sourceCategory=*endpoint* OR _sourceCategory=*syslog* OR _sourceCategory=*osquery* OR _sourceCategory=*edr*)
| where commandLine matches "(?i)osacompile\s+-x"
   OR commandLine matches "(?i)osascript.*run-only"
   OR commandLine matches "(?i)\bstrip\b.*(--strip-all|\s-s\s)"
   OR commandLine matches "(?i)go\s+build.*-ldflags.*(-s|-w)"
   OR commandLine matches "(?i)(gcc|g\+\+)\s+.*\s-s(\s|$)"
   OR commandLine matches "(?i)pdbremove"
   OR commandLine matches "(?i)cv2pdb"
| fields _time, hostname, src_user, process_name, commandLine
| sort by _time desc

medium severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Enterprise Endpoint Security Telemetry Linux Syslog macOS Unified Log via osquery Sysmon for Windows

Required Tables

_sourceCategory=*endpoint* _sourceCategory=*syslog* _sourceCategory=*osquery*

False Positives

Developer workstations and CI systems running Go release builds with -ldflags '-s -w' to reduce binary size — extremely common in containerized application pipelines and Docker multistage builds
Build automation systems (Ansible playbooks, CMake install targets, Makefile post-install rules) invoking strip on compiled artifacts as a standard deployment step
Security researchers and red teamers on authorized assessments using osacompile -x or strip to prepare test payloads for approved engagements

Google Chronicle / SecOps

yaral

rule t1027_008_stripped_payloads {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1027.008 Stripped Payloads: osacompile run-only, ELF strip, Go -ldflags -s -w, GCC -s, PE symbol removal"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1027.008"
    severity = "MEDIUM"
    confidence = "MEDIUM"
    created = "2026-04-13"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.command_line, `(?i)(osacompile\s+-x|osascript.*run-only)`) or
      (
        re.regex($e.target.process.file.full_path, `(?i)[\\/]strip$`) and
        re.regex($e.target.process.command_line, `(?i)(--strip-all|\s-s\s)`)
      ) or
      (
        re.regex($e.target.process.command_line, `(?i)go\s+build`) and
        re.regex($e.target.process.command_line, `(?i)-ldflags`) and
        re.regex($e.target.process.command_line, `(?i)[\s]-[sw](\s|$)`)
      ) or
      re.regex($e.target.process.command_line, `(?i)(gcc|g\+\+).*\s-s(\s|$)`) or
      re.regex($e.target.process.file.full_path, `(?i)(pdbremove|cv2pdb)(\.exe)?$`)
    )

  condition:
    $e
}

medium severity medium confidence

Data Sources

Google Chronicle SIEM UDM Process Events CrowdStrike Falcon via Chronicle Carbon Black via Chronicle Microsoft Defender for Endpoint via Chronicle

Required Tables

UDM Events - PROCESS_LAUNCH

False Positives

Go application release builds in CI/CD pipelines commonly use -ldflags '-s -w' to produce smaller binaries — high expected volume in engineering environments containing build infrastructure
Linux distribution packaging workflows (Debian, RPM, Arch, Gentoo, NixOS) routinely strip compiled binaries post-build as a standard size reduction and distribution step
macOS enterprise software packaging using osacompile -x to distribute run-only AppleScript automation to managed fleets — normal activity in Jamf or Mosyle-managed enterprise environments

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| CommandLine = /(?i)(osacompile\s+-x|osascript.*run-only|\bstrip\b.*(--strip-all|\s-s\s)|go\s+build.*-ldflags.*(-s|-w)|(gcc|g\+\+).*\s-s(\s|$)|pdbremove|cv2pdb)/
| ImageFileName != /(?i)(\\Windows\\System32\\|\\Program Files\\|\\Program Files \(x86\)\\|\/usr\/bin\/strip$)/
| select([_time, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine])
| sort(field=_time, order=desc)

medium severity medium confidence

Data Sources

CrowdStrike Falcon Platform Falcon Insight XDR CrowdStrike LogScale SIEM

Required Tables

ProcessRollup2

False Positives

Go application CI/CD release builds using -ldflags '-s -w' generate very high volume in development and build environments — consider adding ComputerName or OU-based exclusions for known build infrastructure
Linux package build automation (make, cmake, meson, bitbake, Yocto) invoking strip as a post-build step is standard behavior on dedicated build servers and will produce sustained false positive volume
Red team and penetration testing tooling on authorized engagements compiling Go implants or stripping PE payloads — correlate with change management records and active engagement scope

Stripped Payloads

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections