T1027.004

Compile After Delivery

Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution, typically via native utilities such as ilasm.exe (Citation: ATTACK IQ), csc.exe, or GCC/MinGW. (Citation: ClearSky MuddyWater Nov 2018) Source code payloads may also be encrypted, encoded, and/or embedded ...

Platforms: Linux, macOS, Windows

- 9 Detections
- 3 Sources
- 4 Threat Actors

BY SOURCE

- 5 sigma
- 3 elastic
- 1 splunk_escu

PROCEDURES (6)

- Process Creation Monitoring: 4 detections (auto-extracted)
- Network Connection Monitoring: 1 detection (auto-extracted)
- Suspicious: 1 detection (auto-extracted)
- Command Line Monitoring: 1 detection (auto-extracted)
- Bypass: 1 detection (auto-extracted)
- Suspicious: 1 detection (auto-extracted)

DETECTIONS (9)