1. Home
  2. ATT&CK Techniques
  3. T1027.008 Stripped Payloads

T1027.008 Stripped Payloads Mappings

Adversaries may attempt to make a payload difficult to analyze by removing symbols, strings, and other human readable information. Scripts and executables may contain variables names and other strings that help developers document code functionality. Symbols are often created by an operating system’s linker when executable payloads are compiled. Reverse engineers use these symbols and strings to analyze code and to identify functionality in payloads.(Citation: Mandiant golang stripped binaries explanation)(Citation: intezer stripped binaries elf files 2018)

Adversaries may use stripped payloads in order to make malware analysis more difficult. For example, compilers and other tools may provide features to remove or obfuscate strings and symbols. Adversaries have also used stripped payload formats, such as run-only AppleScripts, a compiled and stripped version of AppleScript, to evade detection and analysis. The lack of human-readable information may directly hinder detection and analysis of payloads.(Citation: SentinelLabs reversing run-only applescripts 2021)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
intel-tdt Intel Threat Detection Technology Microsoft Defender T1027.008 Stripped Payloads
Comments
Intel Threat Detection Technology's (Intel TDT) Accelerated Memory Scanning (AMS) enables efficient memory scanning by offloading these operations to the integrated Graphics Processor Unit (integrated GPU) on Intel client SoCs. Microsoft Defender Antivirus leverages AMS to optimize the detection of polymorphic and fileless attacks, improving resource efficiency and reducing the performance impact on the Central Processing Unit (CPU).
References
  1. https://www.intel.com/content/www/us/en/architecture-and-technology/vpro/hardware-shield/threat-detection-technology.html
  2. https://learn.microsoft.com/en-us/defender-endpoint/hardware-acceleration-and-mdav
intel-tdt Intel Threat Detection Technology Microsoft Defender T1027.008 Stripped Payloads
Comments
Intel Threat Detection Technology's (Intel TDT) Accelerated Memory Scanning (AMS) enables efficient memory scanning by offloading these operations to the integrated Graphics Processor Unit (integrated GPU) on Intel client SoCs. Microsoft Defender Antivirus leverages AMS to optimize the detection of polymorphic and fileless attacks, improving resource efficiency and reducing the performance impact on the Central Processing Unit (CPU).
References
  1. https://www.intel.com/content/www/us/en/architecture-and-technology/vpro/hardware-shield/threat-detection-technology.html
  2. https://learn.microsoft.com/en-us/defender-endpoint/hardware-acceleration-and-mdav