1. Home
  2. Detection Strategies
  3. Detection Strategy for Embedded Payloads

Detection Strategy for Embedded Payloads

Technique Detected:  Embedded Payloads | T1027.009

ID: DET0214
Domains: Enterprise
Analytics: AN0599, AN0600, AN0601
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025
Version Permalink

Analytics

AN0599

Detection of executables or scripts containing hidden embedded resources or secondary payloads, often with anomalies in file size vs. functionality or dropped child binaries.

Log Sources
Data Component Name Channel
File Creation (DC0039) WinEventLog:Sysmon EventCode=11
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
File Metadata (DC0059) EDR:file File Metadata Analysis (PE overlays, entropy)
Mutable Elements
Field Description
OverlaySizeThreshold Threshold in bytes where appended sections to binaries are considered suspicious
ProcessTreeDepth Controls how far child process lineage is analyzed for dropped embedded payloads
TimeWindow Defines correlation interval between file write and process execution

AN0600

Detection of shell scripts, ELF binaries, or archives containing embedded secondary payloads, self-extracting components, or unusual compression behavior during runtime.

Log Sources
Data Component Name Channel
File Modification (DC0061) auditd:SYSCALL open, write
File Metadata (DC0059) linux:osquery elf_info, hash, yara_matches
File Access (DC0055) ebpf:syscalls container_file_activity
Mutable Elements
Field Description
FileSectionCount Tuning value for ELF binaries with appended sections or resources
ScriptLength Threshold for long shell scripts with base64-encoded binary content
ExtractedFileCount Number of files written from a single script execution

AN0601

Detection of Mach-O binaries or AppleScripts that contain nested, encoded, or run-only embedded payloads dropped at runtime.

Log Sources
Data Component Name Channel
File Creation (DC0039) macos:unifiedlog logd:file write
Process Creation (DC0032) macos:endpointsecurity ES_EVENT_TYPE_NOTIFY_EXEC
File Metadata (DC0059) macos:osquery mach_o_info, file_metadata
Mutable Elements
Field Description
ScriptFormatType Run-only AppleScripts or signed scripting payloads may require scoped detection
DroppedBinaryCount Threshold on number of binaries created by the parent payload
ParentProcessName Allows focusing on suspicious interpreter or staging tools