Obfuscated Files or Information:  Compile After Delivery

Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads need to be compiled before execution, typically via native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018) Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered via Phishing. Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)

ID: T1027.004
Sub-technique of:  T1027
Tactic(s): Defense Evasion
Platforms: Linux, macOS, Windows
Permissions Required: User
Data Sources: Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Version: 1.0
Created: 16 Mar 2020
Last Modified: 29 Mar 2020

Procedure Examples

Name
Description

Gamaredon Group
Gamaredon Group has compiled the source code for a downloader directly on the infected system using the built-in Microsoft.CSharp.CSharpCodeProvider class.(Citation: ESET Gamaredon June 2020)

FoggyWeb
FoggyWeb can compile and execute source code sent to the compromised AD FS server via a specific HTTP POST.(Citation: MSTIC FoggyWeb September 2021)

Rocke
Rocke has compiled malware, delivered to victims as .c files, with the GNU Compiler Collection (GCC).(Citation: Anomali Rocke March 2019)

MuddyWater
MuddyWater has used the .NET csc.exe tool to compile executables from downloaded C# code.(Citation: ClearSky MuddyWater Nov 2018)

njRAT
njRAT has used AutoIt to compile the payload and main script into a single executable after delivery.(Citation: Trend Micro njRAT 2018)

Cardinal RAT
Cardinal RAT and its watchdog component are compiled and executed after being delivered to victims as embedded, uncompiled source code.(Citation: PaloAlto CardinalRat Apr 2017)

DarkWatchman
DarkWatchman has used the csc.exe tool to compile a C# executable.(Citation: Prevailion DarkWatchman 2021)


Detection

Monitor the execution file paths and command-line arguments for common compilers, such as csc.exe and GCC/MinGW, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior. The compilation of payloads may also generate file creation and/or file write events. Look for non-native binary formats and cross-platform compiler and execution frameworks like Mono and determine if they have a legitimate purpose on the system.(Citation: TrendMicro WindowsAppMac) Typically these should only be used in specific and limited cases, like for software development.
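One way to act on that guidance, as an added example that is not part of the ATT&CK page: a Python scorer over constructed process-creation and file-creation events that flags compiler runs spawned by script hosts or Office applications, with source or output in user-writable paths, and correlates them with a new executable written by the same process shortly after launch. The event field names, the compiler and parent-process lists, and the score weights are assumptions; a lone developer build scores below the threshold.

```python
"""Score compiler executions for compile-after-delivery (T1027.004) behaviour.
Added example: event dicts are constructed telemetry; field names are assumptions."""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
# Compilers named on the page (csc.exe, GCC/MinGW, Mono); extend for your estate.
COMPILERS = {"csc.exe", "gcc.exe", "x86_64-w64-mingw32-gcc.exe", "mcs.exe", "mono.exe"}
# Parents developers rarely compile from, but phishing payloads often do.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powershell.exe", "wscript.exe", "mshta.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def score_compile(proc: dict, file_events: list, window=timedelta(minutes=2)):
    """Return (score, reasons) for one process-creation event; 0 = not a compiler."""
    if basename(proc["image"]) not in COMPILERS:
        return 0, []
    score, reasons = 1, ["compiler executed"]
    parent = basename(proc["parent"])
    if parent in SUSPICIOUS_PARENTS:
        score, reasons = score + 2, reasons + [f"spawned by {parent}"]
    if any(p in proc["cmdline"].lower() for p in USER_WRITABLE):
        score, reasons = score + 1, reasons + ["source/output in user-writable path"]
    # Correlate with file creation: a PE written by the same pid shortly after launch.
    for f in file_events:
        path = f["path"].lower()
        if (f["pid"] == proc["pid"] and proc["ts"] <= f["ts"] <= proc["ts"] + window
                and path.endswith((".exe", ".dll")) and any(p in path for p in USER_WRITABLE)):
            score, reasons = score + 2, reasons + [f"wrote {basename(path)}"]
    return score, reasons

def detect(proc_events: list, file_events: list, threshold: int = 3) -> list:
    # A lone compile is developer noise; only correlated, scored-up events surface.
    scored = ((p["pid"],) + score_compile(p, file_events) for p in proc_events)
    return [{"pid": pid, "score": s, "reasons": r} for pid, s, r in scored if s >= threshold]

T = datetime(2020, 3, 16, 9, 0)
CSC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
PROC_EVENTS = [  # constructed: one developer build, one payload compiled from PowerShell
    {"ts": T, "pid": 1001, "image": CSC, "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"csc.exe /out:C:\src\app\bin\app.exe C:\src\app\Program.cs"},
    {"ts": T + timedelta(hours=1), "pid": 4242, "image": CSC,
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"csc.exe /out:C:\Users\alice\AppData\Local\Temp\qwe.exe C:\Users\alice\AppData\Local\Temp\qwe.cs"},
]
FILE_EVENTS = [  # constructed file-creation telemetry
    {"ts": T + timedelta(seconds=3), "pid": 1001, "path": r"C:\src\app\bin\app.exe"},
    {"ts": T + timedelta(hours=1, seconds=4), "pid": 4242,
     "path": r"C:\Users\alice\AppData\Local\Temp\qwe.exe"},
]
```

Calling `detect(PROC_EVENTS, FILE_EVENTS)` returns only the PowerShell-spawned compile, with the reasons list explaining each point of the score so an analyst can triage it.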

