[T1027.004] Obfuscated Files or Information: Compile After Delivery - Adversaries deliver source code or non-native binaries that must be compiled or assembled on the victim to evade detection and analysis. Watch for unexpected compiler use, cross-platform toolchains, and file creation patterns that indicate in-place compilation. #ObfuscatedFiles #CompileAfterDelivery
Keypoints:
- Attackers deliver readable source code or non-native binaries to avoid AV signatures and static analysis.
- Native compilers like csc.exe, ilasm.exe, GCC/MinGW or Mono are used to build payloads on the host.
- Compilation events often produce process creation, command-line activity, and file creation/log writes to detect.
- Non-native or cross-platform binaries on incompatible OSes are strong indicators of malicious intent.
- Correlate compiler execution with network, process, and file events to reduce false positives.
Description:
- Like a paper blueprint smuggled into a building that's later turned into a weapon in a hidden workshop, source code or benign-looking files are delivered and then compiled on-site to create a harmful executable.
- Adversaries deliver uncompiled code, encoded source, or non-native binaries that are later assembled or compiled using native toolchains on the victim. Because no finished executable crosses the perimeter at delivery time, defenders can miss the payload entirely, and protections focused on executables are bypassed, making post-delivery compilation a stealthy defense-evasion method.
Detection:
- Monitor command-line activity for compiler names and flags (csc.exe, ilasm.exe, gcc, mingw, mono) and alert on unusual invocation contexts.
- Log and inspect process creation events for parent-child chains showing script interpreters or email clients spawning compilers. Use EDR to capture lineage.
- Watch file creation and write events for new binaries, intermediate object files, or build artifacts in user-writable folders and temporary directories.
- Collect file metadata to identify non-native formats on the OS (e.g., .exe on macOS/Linux) and flag cross-platform toolchains installed where not expected.
- Correlate compiler execution with suspicious behaviors (network connections to C2, privilege escalation attempts, persistence changes) to reduce false positives.
- Use YARA or content inspection to scan for embedded/encoded source or build scripts inside documents and archives delivered by phishing.
- Establish baselines for legitimate developer tool usage and restrict or justify compiler/runtime installations via allowlists, application control, and host-based policies.
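The detection bullets above describe a correlation: a compiler process, its parent, the paths on its command line, the binaries it writes shortly afterwards, and whether those binaries are native to the host. The following Python is an added example (not part of the original page or of any vendor product) that applies that logic to EDR-style process and file events. The compiler, script-interpreter and build-tool name sets and the user-writable path patterns are assumptions chosen for illustration, and the event records are constructed.

```python
"""Compile-after-delivery detection over EDR-style events (added example).

Name sets and path patterns are assumptions, not an authoritative list; the
event records at the bottom are constructed for demonstration.
"""
import os
import re
from datetime import datetime, timedelta

# Compilers named on the page plus common aliases (assumed set).
COMPILERS = {"csc.exe", "ilasm.exe", "gcc", "g++", "cc", "mono", "mcs",
             "x86_64-w64-mingw32-gcc", "i686-w64-mingw32-gcc", "mingw32-gcc"}
# Script interpreters and mail/office clients that rarely launch compilers (assumed set).
SCRIPT_OR_MAIL_PARENTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                          "outlook.exe", "winword.exe", "excel.exe", "bash", "sh", "python3"}
# Parents that commonly drive legitimate builds; used to suppress developer noise (assumed set).
BUILD_TOOL_PARENTS = {"msbuild.exe", "devenv.exe", "make", "cmake", "ninja", "dotnet.exe"}
# User-writable / temporary locations where build artifacts are unusual (assumed patterns).
USER_WRITABLE = re.compile(r"(\\Temp\\|\\AppData\\|\\Downloads\\|/tmp/|/var/tmp/)", re.I)
# Artifact extensions that are non-native on a given host OS.
NON_NATIVE_ON = {"windows": set(), "linux": {".exe", ".dll"}, "macos": {".exe", ".dll"}}


def image_name(path):
    """Last path component, lower-cased, for either Windows or POSIX paths."""
    return re.split(r"[\\/]", path)[-1].lower()


def analyze(events, host_os="windows", window=timedelta(minutes=5)):
    """Return one finding per suspicious compiler execution.

    events: dicts with keys ts (ISO 8601), type ('process' | 'file'), pid, and
    for process events image, cmdline, parent; for file events path.
    """
    findings = []
    file_events = [e for e in events if e["type"] == "file"]
    for e in events:
        if e["type"] != "process" or image_name(e["image"]) not in COMPILERS:
            continue
        parent = image_name(e["parent"])
        reasons = []
        if parent in SCRIPT_OR_MAIL_PARENTS:
            reasons.append(f"parent {parent} is a script interpreter or mail/office client")
        if USER_WRITABLE.search(e["cmdline"]):
            reasons.append("source or output path in user-writable/temp directory")
        # Correlate with files the same process wrote inside the time window.
        t0 = datetime.fromisoformat(e["ts"])
        for f in file_events:
            tf = datetime.fromisoformat(f["ts"])
            if f.get("pid") != e.get("pid") or not (t0 <= tf <= t0 + window):
                continue
            ext = os.path.splitext(f["path"])[1].lower()
            if ext in {".exe", ".dll"} and USER_WRITABLE.search(f["path"]):
                reasons.append(f"wrote binary {f['path']} within {window}")
            if ext in NON_NATIVE_ON.get(host_os, set()):
                reasons.append(f"{ext} artifact is non-native on {host_os}")
        # Baseline: a known build tool with at most one weak signal is normal developer activity.
        if parent in BUILD_TOOL_PARENTS and len(reasons) <= 1:
            continue
        if reasons:
            findings.append({"ts": e["ts"], "image": image_name(e["image"]), "parent": parent,
                             "reasons": reasons,
                             "severity": "high" if len(reasons) >= 2 else "medium"})
    return findings


# Constructed sample events: one PowerShell-driven csc.exe build into %TEMP%,
# one ordinary MSBuild-driven build in a project directory.
WINDOWS_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "type": "process", "pid": 412,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": r"csc.exe /target:exe /out:C:\Users\alice\AppData\Local\Temp\upd.exe "
                r"C:\Users\alice\AppData\Local\Temp\src.cs",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ts": "2024-05-01T10:00:02", "type": "file", "pid": 412,
     "path": r"C:\Users\alice\AppData\Local\Temp\upd.exe"},
    {"ts": "2024-05-01T11:30:00", "type": "process", "pid": 905,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": r"csc.exe /noconfig @C:\dev\proj\obj\Release\csc.rsp",
     "parent": r"C:\Program Files\Microsoft Visual Studio\MSBuild\Current\Bin\MSBuild.exe"},
    {"ts": "2024-05-01T11:30:03", "type": "file", "pid": 905, "path": r"C:\dev\proj\bin\Release\app.exe"},
]

# Constructed Linux sample: a MinGW cross-compiler launched from bash writes a PE file under /tmp.
LINUX_EVENTS = [
    {"ts": "2024-05-02T09:00:00", "type": "process", "pid": 2210,
     "image": "/usr/bin/x86_64-w64-mingw32-gcc",
     "cmdline": "x86_64-w64-mingw32-gcc -o /tmp/.cache/svc.exe /tmp/.cache/svc.c",
     "parent": "/bin/bash"},
    {"ts": "2024-05-02T09:00:01", "type": "file", "pid": 2210, "path": "/tmp/.cache/svc.exe"},
]

if __name__ == "__main__":
    for finding in analyze(WINDOWS_EVENTS) + analyze(LINUX_EVENTS, host_os="linux"):
        print(finding["severity"], finding["image"], "<-", finding["parent"], finding["reasons"])
```

Running the block reports the PowerShell-spawned csc.exe build (three reasons: parent, temp path, binary written to %TEMP%) and the Linux cross-compile (which additionally trips the non-native artifact check), while the MSBuild-driven build produces no finding because none of the weak signals fire and its parent is in the build-tool baseline. In a real pipeline the name sets and path patterns would come from your own environment baseline rather than the assumed values here.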
Tactics:
Defense Evasion
Platforms:
Linux, Windows, macOS
Data Sources:
Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Relationship Citations:
(Citation: Cybereason Sliver Undated), (Citation: Trend Micro njRAT 2018), (Citation: Prevailion DarkWatchman 2021), (Citation: Hunt Sea Turtle 2024), (Citation: Kaspersky ToddyCat June 2022), (Citation: ESET Gamaredon June 2020), (Citation: ClearSky MuddyWater Nov 2018), (Citation: Anomali Rocke March 2019), (Citation: MSTIC FoggyWeb September 2021), (Citation: PaloAlto CardinalRat Apr 2017)