T1027.004: Compile After Delivery

Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.

Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a Phishing. Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_defense_evasion: PT-CR-942: Subrule_CSC_Start_And_File_Create: Starting a csc.exe process with a parent powershell.exe process and creating a library by a process is detected mitre_attck_defense_evasion: PT-CR-930: AMSI_Bypass_Via_Powershell: AMSI bypass method use is detected mitre_attck_defense_evasion: PT-CR-194: Csc_AWL_Bypass: An attempt to bypass application-start restrictions by using csc.exe (a built-in Microsoft Windows utility used by .NET to compile C# code)

Detection

IDDS0017Data source and componentCommand: Command ExecutionDescription

Monitor executed commands and arguments for actions that could be taken to gather common compilers, such as csc.exe and GCC/MinGW, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior.

IDDS0022Data source and componentFile: File CreationDescription

Monitor for newly constructed files for payloads

IDDS0009Data source and componentProcess: Process CreationDescription

Monitor for newly constructed processes and/or command-lines that look for non-native binary formats and cross-platform compiler and execution frameworks like Mono and determine if they have a legitimate purpose on the system. Typically these should only be used in specific and limited cases, like for software development.

IDDS0022Data source and componentFile: File MetadataDescription

Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.