Executable or script payloads that lack symbol information and readable strings and that are created or dropped by unusual or short-lived processes.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| File Metadata (DC0059) | EDR:file | File Metadata Inspection (Low String Entropy, Missing PDB) |

| Field | Description |
|---|---|
| EntropyThreshold | Payloads with extremely low string entropy may indicate stripped or obfuscated binaries |
| ParentProcessName | Used to scope or allowlist common system builders, compilers, or admin tools |
| TimeWindow | Correlates file creation and process spawning within a short timeframe |
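
As an added illustration (not part of the ATT&CK page or any vendor's detection content), the Windows analytic above rendered as a small correlation routine: a Sysmon EventCode=11 file creation followed within TimeWindow by an EventCode=1 execution of the same path, scoped by a ParentProcessName allowlist and gated on a File Metadata check for a missing PDB record and low string entropy. The allowlist members, the threshold value, the sample events and the file contents are all constructed assumptions.

```python
import math
import re
from collections import Counter
from datetime import datetime, timedelta

# Tuning knobs from the table above; the concrete values are assumptions for this example
ALLOWLISTED_PARENTS = {"msbuild.exe", "link.exe", "devenv.exe"}   # ParentProcessName
TIME_WINDOW = timedelta(seconds=120)                               # TimeWindow
ENTROPY_THRESHOLD = 3.0                                            # EntropyThreshold
# Constructed file contents: a "stripped" blob (no PDB record, one repetitive string) and a normal one
STRIPPED_BLOB = b"\x00\x8f\x41\x17" * 256 + b"AAAAAAAA"
NORMAL_BLOB = b"MZ\x90\x00RSDS" + b"\x00" * 16 + b"C:\\build\\tool.pdb\x00" + b"Kernel32.dll\x00GetProcAddress\x00" * 20

def string_entropy(data, min_len=4):
    # Shannon entropy (bits/char) over printable-ASCII runs, i.e. what `strings` prints; 0.0 if none
    text = b"".join(re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)).decode()
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def has_pdb_path(data):
    # A CodeView "RSDS" debug entry normally carries the .pdb path; stripped builds lack it
    return b"RSDS" in data and b".pdb" in data.lower()

def detect(events, file_contents):
    # Correlate Sysmon EventCode=11 (file create) with EventCode=1 (execute) of the same path
    created, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        ts = datetime.fromisoformat(ev["UtcTime"])
        if ev["EventCode"] == 11:
            created[ev["TargetFilename"].lower()] = ts
            continue
        path = ev["Image"].lower()
        parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
        if path not in created or parent in ALLOWLISTED_PARENTS or ts - created[path] > TIME_WINDOW:
            continue
        data = file_contents.get(path, b"")
        if not has_pdb_path(data) and string_entropy(data) < ENTROPY_THRESHOLD:
            alerts.append(path)
    return alerts

SAMPLE_EVENTS = [  # constructed Sysmon-style records, not real telemetry
    {"EventCode": 11, "UtcTime": "2024-05-01T10:00:00", "TargetFilename": "C:\\Users\\Public\\upd.exe"},
    {"EventCode": 1, "UtcTime": "2024-05-01T10:00:20", "Image": "C:\\Users\\Public\\upd.exe",
     "ParentImage": "C:\\Windows\\Temp\\stage.exe"},
    {"EventCode": 11, "UtcTime": "2024-05-01T11:00:00", "TargetFilename": "C:\\build\\tool.exe"},
    {"EventCode": 1, "UtcTime": "2024-05-01T11:00:05", "Image": "C:\\build\\tool.exe",
     "ParentImage": "C:\\tools\\link.exe"},
]
SAMPLE_FILES = {"c:\\users\\public\\upd.exe": STRIPPED_BLOB, "c:\\build\\tool.exe": NORMAL_BLOB}
```

Only the first pair fires: the second execution is skipped by the allowlisted parent (and would also be cleared by its PDB record), which is exactly the tuning the ParentProcessName field describes.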
Executable or binary files created without symbol tables or with stripped sections, especially by non-user shell processes or by compilers invoked outside standard development paths.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:EXECVE | EXECVE |
| File Modification (DC0061) | auditd:SYSCALL | open, write |
| File Metadata (DC0059) | linux:osquery | hash, elf_info, file_metadata |

| Field | Description |
|---|---|
| StripFlags | Flag combinations in compiled binaries indicating symbol table removal |
| DirectoryScope | Allowlist compiler output directories to reduce false positives |
| FileSizeRange | Heuristic boundaries for abnormally small or overly large stripped binaries |
Creation of run-only AppleScripts or Mach-O binaries lacking a symbol table and string references, especially when dropped by user-space scripting engines or staging apps.

| Data Component | Name | Channel |
|---|---|---|
| File Creation (DC0039) | macos:unifiedlog | file write |
| Process Creation (DC0032) | macos:endpointsecurity | ES_EVENT_TYPE_NOTIFY_EXEC |
| File Metadata (DC0059) | macos:osquery | code_signing, file_metadata |

| Field | Description |
|---|---|
| RunOnlyFlag | AppleScript flag that disables reverse engineering (run-only compiled scripts) |
| ParentProcess | Filter to isolate staging or suspicious scripting engines |
| SignedStatus | Tuning based on unsigned vs. developer-signed payloads |
Inbound binary payloads transferred over HTTP/S with compressed or encoded headers, lacking signature markers or metadata indicative of a compiler or toolchain.

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | NSM:Flow | http.log, files.log |

| Field | Description |
|---|---|
| MIMEType | Tune for octet-stream or mismatched Content-Type headers |
| PayloadSize | Payload size threshold for executable-sized artifacts |
| TransferEncoding | Suspicious base64 or chunked encoding not matching normal application behavior |