T1027.008 Google Chronicle · YARA-L

Detect Stripped Payloads in Google Chronicle

Adversaries may attempt to make a payload difficult to analyze by removing symbols, strings, and other human readable information. Scripts and executables may contain variable names and other strings that help developers document code functionality. Symbols are often created by an operating system's linker when executable payloads are compiled. Adversaries use stripped payloads to make malware analysis more difficult. Stripped payload formats include run-only AppleScripts (compiled and stripped AppleScript), stripped ELF binaries on Linux, and stripped PE files on Windows. Cuckoo Stealer and macOS.OSAMiner are notable examples using stripped formats. Golang malware is frequently stripped to remove symbol tables.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1027 Obfuscated Files or Information
Sub-technique
T1027.008 Stripped Payloads
Canonical reference
https://attack.mitre.org/techniques/T1027/008/

YARA-L Detection Query

Google Chronicle (YARA-L)

```yaral
rule t1027_008_stripped_payloads {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1027.008 Stripped Payloads: osacompile run-only, ELF strip, Go -ldflags -s -w, GCC -s, PE symbol removal"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1027.008"
    severity = "MEDIUM"
    confidence = "MEDIUM"
    created = "2026-04-13"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      // macOS: run-only (stripped) AppleScript compilation
      re.regex($e.target.process.command_line, `(?i)(osacompile\s+-x|osascript.*run-only)`) or
      // Linux: binutils strip with an explicit full symbol-removal flag (trailing -s included)
      (
        re.regex($e.target.process.file.full_path, `(?i)[\\/]strip$`) and
        re.regex($e.target.process.command_line, `(?i)(--strip-all|\s-s(\s|$))`)
      ) or
      // Go: build with symbol/DWARF-stripping linker flags; tolerates a quoted '-s -w' argument
      (
        re.regex($e.target.process.command_line, `(?i)go\s+build`) and
        re.regex($e.target.process.command_line, `(?i)-ldflags`) and
        re.regex($e.target.process.command_line, `(?i)(\s|["'])-[sw](\s|["']|$)`)
      ) or
      // GCC/G++: -s strips the output at link time
      re.regex($e.target.process.command_line, `(?i)(gcc|g\+\+).*\s-s(\s|$)`) or
      // Windows: PE debug-symbol removal utilities
      re.regex($e.target.process.file.full_path, `(?i)(pdbremove|cv2pdb)(\.exe)?$`)
    )

  condition:
    $e
}
```

Chronicle YARA-L 2.0 rule detecting T1027.008 stripped payload creation via UDM PROCESS_LAUNCH events. Uses re.regex() with backtick raw strings for flexible matching against process command lines and image paths. Covers osacompile run-only AppleScript compilation, strip tool with full symbol-removal flags on ELF binaries, Go build with symbol-stripping ldflags, GCC/G++ -s compiler flag, and Windows PE symbol removal utilities.
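To see what the rule fires on before deploying it, here is an added Python re-implementation of its events block (example code written for this page, not Chronicle's rule engine and not part of the original rule package) run over constructed, flattened UDM events. The Go and strip flag matchers are written to also accept a shell-quoted `-ldflags '-s -w'` argument and a trailing `-s`, an assumption about how EDR sources render argv rather than something every rule version guarantees. The last three events are deliberate non-matches; the bare `strip <file>` case shows a coverage gap worth knowing about, since strip removes all symbols by default and so emits no flag for the rule to match.

```python
import re

# One compiled pattern per clause of the YARA-L rule. RE2 (Chronicle) and Python's re agree
# on everything used here: (?i), \s, alternation, character classes and anchors.
OSACOMPILE_RUN_ONLY = re.compile(r"(?i)(osacompile\s+-x|osascript.*run-only)")
STRIP_IMAGE = re.compile(r"(?i)[\\/]strip$")
STRIP_FLAGS = re.compile(r"(?i)(--strip-all|\s-s(\s|$))")
GO_BUILD = re.compile(r"(?i)go\s+build")
GO_LDFLAGS = re.compile(r"(?i)-ldflags")
GO_STRIP_FLAG = re.compile(r"""(?i)(\s|['"])-[sw](\s|['"]|$)""")  # assumption: also accept '-s -w' quoted
GCC_STRIP = re.compile(r"(?i)(gcc|g\+\+).*\s-s(\s|$)")
PE_SYMBOL_TOOLS = re.compile(r"(?i)(pdbremove|cv2pdb)(\.exe)?$")


def matches_rule(event):
    """Evaluate the rule's events block over one flattened UDM event.

    Returns the name of the first clause that matches, or None when the event
    would not produce a detection.
    """
    if event.get("metadata.event_type") != "PROCESS_LAUNCH":
        return None
    cmd = event.get("target.process.command_line", "")
    path = event.get("target.process.file.full_path", "")
    if OSACOMPILE_RUN_ONLY.search(cmd):
        return "osacompile_run_only"
    if STRIP_IMAGE.search(path) and STRIP_FLAGS.search(cmd):
        return "strip_symbols"
    if GO_BUILD.search(cmd) and GO_LDFLAGS.search(cmd) and GO_STRIP_FLAG.search(cmd):
        return "go_ldflags_sw"
    if GCC_STRIP.search(cmd):
        return "gcc_s"
    if PE_SYMBOL_TOOLS.search(path):
        return "pe_symbol_removal"
    return None


def udm(path, cmd, event_type="PROCESS_LAUNCH"):
    """Build a flattened UDM-style event dict (helper for the constructed samples below)."""
    return {
        "metadata.event_type": event_type,
        "target.process.file.full_path": path,
        "target.process.command_line": cmd,
    }


# Constructed sample telemetry, not captured from any real system.
# The first five mirror the page's test cases; the last three are expected misses.
SAMPLE_EVENTS = [
    udm("/usr/bin/osacompile", "osacompile -x -o /tmp/runonly.scpt /tmp/hello.applescript"),
    udm("/usr/bin/strip", "strip --strip-all /tmp/stripped_ls"),
    udm("/usr/local/go/bin/go", "go build -ldflags '-s -w' -o /tmp/stripped_go main.go"),
    udm("/usr/bin/gcc", "gcc -O2 -s -o /tmp/app main.c"),
    udm(r"C:\Tools\pdbremove.exe", "pdbremove.exe app.exe"),
    udm("/usr/bin/strip", "strip /tmp/stripped_ls"),  # default strip == --strip-all, but no flag to match
    udm("/usr/bin/ls", "ls -s /tmp"),                  # -s on an unrelated tool
    udm("/usr/bin/strip", "strip --strip-all x", event_type="FILE_CREATION"),  # wrong event type
]


def evaluate(events):
    """Return the clause hit (or None) for each event, in input order."""
    return [matches_rule(e) for e in events]


if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print(f"{verdict or '-':22} {event['target.process.command_line']}")
```

Running the block prints one line per sample with the clause that fired. Swapping the constructed events for rows exported from Chronicle lets you size the expected volume from the CI/CD and packaging sources listed under False Positives before the rule goes live.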

Data Sources

  • Google Chronicle SIEM
  • UDM Process Events
  • CrowdStrike Falcon via Chronicle
  • Carbon Black via Chronicle
  • Microsoft Defender for Endpoint via Chronicle

Required Tables

UDM Events - PROCESS_LAUNCH

False Positives & Tuning

  • Go application release builds in CI/CD pipelines commonly use -ldflags '-s -w' to produce smaller binaries — high expected volume in engineering environments containing build infrastructure
  • Linux distribution packaging workflows (Debian, RPM, Arch, Gentoo, NixOS) routinely strip compiled binaries post-build as a standard size reduction and distribution step
  • macOS enterprise software packaging using osacompile -x to distribute run-only AppleScript automation to managed fleets — normal activity in Jamf or Mosyle-managed enterprise environments
Testing Methodology

Validate this detection against 4 Atomic Red Team tests for this sub-technique. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Create Run-Only AppleScript (macOS Stripped Payload)

    Expected signal: Process creation events for osacompile (twice) and osascript. File creation events for compiled.scpt and runonly.scpt. The runonly.scpt will fail osadecompile, confirming stripped (run-only) status.

  2. Test 2: Strip Symbols from Linux Binary with strip Command

    Expected signal: Process creation for cp, strip, file, and nm commands. File creation and modification events for /tmp/stripped_ls. The 'file' output will show 'stripped', and nm will return 'no symbols'.

  3. Test 3: Compile Go Binary with Symbol Stripping Flags

    Expected signal: Process creation for go build with -ldflags '-s -w' arguments. File creation of stripped_go in /tmp. Execution of stripped_go from /tmp. The 'file' command shows stripped ELF.

  4. Test 4: Verify Stripped Binary Cannot Be Analyzed with Standard Tools

    Expected signal: Process creation events for cp (twice), strip, and nm (twice). This test demonstrates the before/after comparison an analyst would perform to confirm stripping.
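Tests 2 and 4 confirm stripping with `file` and `nm`. The following added Python example (written for this page; not part of the page, of Atomic Red Team, or of the `file`/`nm` tools) shows the structural check behind those verdicts: it parses the ELF64 section header table and reports whether a SHT_SYMTAB section is present, which is what makes `file` print "stripped" and `nm` print "no symbols". The image it inspects is a constructed, minimal ELF64 header plus section table with no code, built by `build_elf()` (an assumption-free sample, not a real binary); pass the bytes of a real file to `is_stripped()` to run the same before/after comparison as Test 4.

```python
import struct

# ELF constants (ELF64 specification)
ELF_MAGIC = b"\x7fELF"
SHT_PROGBITS, SHT_SYMTAB, SHT_STRTAB = 1, 2, 3
EHDR_FMT = "<16sHHIQQQIHHHHHH"  # ELF64 little-endian file header, 64 bytes
SHDR_FMT = "<IIQQQQIIQQ"        # ELF64 section header, 64 bytes


def parse_sections(data):
    """Return (name, sh_type) for every section header of an ELF64 little-endian image."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("not an ELF64 little-endian image")
    hdr = struct.unpack_from(EHDR_FMT, data, 0)
    shoff, shentsize, shnum, shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    if shnum == 0:
        return []  # no section header table at all, so no symbol table either
    shdrs = [struct.unpack_from(SHDR_FMT, data, shoff + i * shentsize) for i in range(shnum)]
    # sh_offset and sh_size of the section-name string table
    str_off, str_size = shdrs[shstrndx][4], shdrs[shstrndx][5]
    strtab = data[str_off:str_off + str_size]
    sections = []
    for shdr in shdrs:
        name_off, sh_type = shdr[0], shdr[1]
        end = strtab.index(b"\x00", name_off)  # names are NUL-terminated
        sections.append((strtab[name_off:end].decode("ascii"), sh_type))
    return sections


def is_stripped(data):
    """True when the image carries no SHT_SYMTAB section: the condition behind
    `file` reporting 'stripped' and `nm` reporting 'no symbols'."""
    return not any(sh_type == SHT_SYMTAB for _, sh_type in parse_sections(data))


def build_elf(with_symtab):
    """Construct a minimal ELF64 image (constructed sample input, not a runnable program):
    file header, section-name string table, then the section header table."""
    names = [".shstrtab", ".text"] + ([".symtab", ".strtab"] if with_symtab else [])
    types = {".shstrtab": SHT_STRTAB, ".text": SHT_PROGBITS,
             ".symtab": SHT_SYMTAB, ".strtab": SHT_STRTAB}
    shstrtab, name_off = b"\x00", {}
    for name in names:
        name_off[name] = len(shstrtab)
        shstrtab += name.encode("ascii") + b"\x00"
    shoff = 64 + len(shstrtab)          # section headers follow the string table
    shdrs = [bytes(64)]                 # index 0 is the mandatory null section header
    for name in names:
        off, size = (64, len(shstrtab)) if name == ".shstrtab" else (0, 0)
        shdrs.append(struct.pack(SHDR_FMT, name_off[name], types[name], 0, 0, off, size, 0, 0, 1, 0))
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, ELFDATA2LSB, EV_CURRENT, SYSV ABI
    ehdr = struct.pack(EHDR_FMT, ident, 2, 0x3E, 1, 0, 0, shoff, 0, 64, 56, 0, 64, len(shdrs), 1)
    return ehdr + shstrtab + b"".join(shdrs)


if __name__ == "__main__":
    for label, img in (("before strip", build_elf(True)), ("after strip", build_elf(False))):
        names = [n for n, _ in parse_sections(img)]
        print(f"{label}: sections={names} -> {'stripped' if is_stripped(img) else 'not stripped'}")
```

The two constructed images differ only in the presence of `.symtab` and its `.strtab`, which is exactly what `strip` removes from `/tmp/stripped_ls` in Test 2. Note that `strip` leaves dynamic symbols (`.dynsym`) in place, so a stripped dynamically linked binary still resolves imports; `is_stripped()` deliberately keys on SHT_SYMTAB only.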
