title: Stripped Payloads (T1027.008)
id: df00tech-t1027-008
status: experimental
description: "Adversaries may attempt to make a payload difficult to analyze by removing symbols, strings, and other human readable information. Scripts and executables may contain variable names and other strings that help developers document code functionality. Symbols are often created by an operating system's linker when executable payloads are compiled. Adversaries use stripped payloads to make malware analysis more difficult. Stripped payload formats include run-only AppleScripts (compiled and stripped AppleScript), stripped ELF binaries on Linux, and stripped PE files on Windows. Cuckoo Stealer and macOS.OSAMiner are notable examples using stripped formats. Golang malware is frequently stripped to remove symbol tables."
references:
  - https://attack.mitre.org/techniques/T1027/008/
  - https://df00tech.com/detections/T1027.008
author: df00tech
date: 2026/04/13
tags:
  - attack.t1027.008
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - IT administrators deploying AppleScript automation tools that compile scripts for distribution
  - macOS application builds that compile AppleScript resources as part of their build process
  - "Legitimate automation frameworks (Automator, Script Editor) that save compiled scripts in user directories"
  - Go language toolchain installations that strip symbols as part of release builds
level: medium