Skip to content

T1027.004 Compile After Delivery

Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.1

Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a Phishing. Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.2

Item Value
ID T1027.004
Sub-techniques T1027.001, T1027.002, T1027.003, T1027.004, T1027.005, T1027.006, T1027.007, T1027.008, T1027.009, T1027.010, T1027.011
Tactics TA0005
Platforms Linux, Windows, macOS
Permissions required User
Version 1.0
Created 16 March 2020
Last Modified 29 March 2020

Procedure Examples

ID Name Description
S0348 Cardinal RAT Cardinal RAT and its watchdog component are compiled and executed after being delivered to victims as embedded, uncompiled source code.6
S0673 DarkWatchman DarkWatchman has used the csc.exe tool to compile a C# executable.5
S0661 FoggyWeb FoggyWeb can compile and execute source code sent to the compromised AD FS server via a specific HTTP POST.3
G0047 Gamaredon Group Gamaredon Group has compiled the source code for a downloader directly on the infected system using the built-in Microsoft.CSharp.CSharpCodeProvider class.7
G0069 MuddyWater MuddyWater has used the .NET csc.exe tool to compile executables from downloaded C# code.1
S0385 njRAT njRAT has used AutoIt to compile the payload and main script into a single executable after delivery.4
G0106 Rocke Rocke has compiled malware, delivered to victims as .c files, with the GNU Compiler Collection (GCC).8


ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Creation
DS0009 Process Process Creation