Description
Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads must be compiled before execution, typically with native utilities such as ilasm.exe (Citation: ATTACK IQ), csc.exe, or GCC/MinGW. (Citation: ClearSky MuddyWater Nov 2018)
Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered via Phishing. Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework. (Citation: TrendMicro WindowsAppMac)
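One way a defender can hunt for this technique in process-creation telemetry, written as an added example (not part of the ATT&CK page or any vendor's detection content): flag runs of the compilers named above when the parent process is a script host or Office application, or when the source file being compiled sits in a user-writable staging directory. The event layout, field names and the sample events are constructed for the example.

```python
import re

# Compilers the technique description names (csc.exe, ilasm.exe, GCC/MinGW).
COMPILERS = {"csc.exe", "ilasm.exe", "gcc", "g++", "cc", "x86_64-w64-mingw32-gcc"}
# Parents that rarely have a legitimate reason to spawn a compiler.
SUSPICIOUS_PARENTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                      "winword.exe", "excel.exe", "outlook.exe"}
# User-writable locations where delivered source tends to be staged.
STAGING_DIR = re.compile(
    r"(\\temp\\|\\appdata\\|\\downloads\\|\\users\\public\\|^/tmp/|^/var/tmp/|^/dev/shm/)",
    re.I)
SOURCE_EXT = re.compile(r"\.(cs|il|c|cpp|cc)$", re.I)


def basename(path: str) -> str:
    """Last path component, lower-cased, for either Windows or POSIX paths."""
    return re.split(r"[\\/]", path)[-1].lower()


def source_args(command_line: str) -> list[str]:
    """Command-line tokens that look like source files handed to the compiler."""
    return [t.strip('"') for t in command_line.split() if SOURCE_EXT.search(t.strip('"'))]


def classify(event: dict) -> list[str]:
    """Return the reasons an event is suspicious; an empty list means no finding."""
    if basename(event["image"]) not in COMPILERS:
        return []
    reasons = []
    parent = basename(event["parent_image"])
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"compiler spawned by {parent}")
    for src in source_args(event["command_line"]):
        if STAGING_DIR.search(src):
            reasons.append(f"compiling source from staging directory: {src}")
    return reasons


def hunt(events: list[dict]) -> list[tuple[int, list[str]]]:
    """(event id, reasons) for every event that produced at least one finding."""
    return [(e["id"], r) for e in events if (r := classify(e))]


SAMPLE_EVENTS = [  # constructed process-creation events, not real telemetry
    {"id": 1, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"csc.exe /nologo /out:C:\Users\a\AppData\Local\Temp\upd.exe C:\Users\a\AppData\Local\Temp\upd.cs"},
    {"id": 2, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent_image": r"C:\Program Files\dotnet\MSBuild.exe",
     "command_line": r"csc.exe /out:C:\src\app\bin\app.exe C:\src\app\Program.cs"},
    {"id": 3, "image": "/usr/bin/gcc", "parent_image": "/bin/bash",
     "command_line": "gcc -o /tmp/.x /tmp/.x.c"},
    {"id": 4, "image": "/usr/bin/gcc", "parent_image": "/usr/bin/make",
     "command_line": "gcc -c -o main.o /home/dev/proj/main.c"},
]
# Note: PowerShell's Add-Type also drives csc.exe over .cs files in %TEMP%, so
# event-1-style hits must be baselined against admin scripting before alerting.
```

Developer hosts running MSBuild or make (events 2 and 4) produce no finding, while the script-host parent and the temp-directory sources (events 1 and 3) do.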
Platforms
Threat Groups (4)
| ID | Group | Context |
|---|---|---|
| G0047 | Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has compiled the source code for a downloader directly on the infected system using the built... |
| G0106 | Rocke | [Rocke](https://attack.mitre.org/groups/G0106) has compiled malware, delivered to victims as .c files, with the GNU Compiler Collection (GCC).(Citatio... |
| G0069 | MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has used the .NET csc.exe tool to compile executables from downloaded C# code.(Citation: ClearSky ... |
| G1041 | Sea Turtle | [Sea Turtle](https://attack.mitre.org/groups/G1041) downloaded source code files from remote addresses then compiled them locally via GCC in victim en... |
Associated Software (6)
| ID | Name | Type | Context |
|---|---|---|---|
| S0633 | Sliver | Tool | [Sliver](https://attack.mitre.org/software/S0633) includes functionality to retrieve source code and compile locally prior to execution in victim envi... |
| S0661 | FoggyWeb | Malware | [FoggyWeb](https://attack.mitre.org/software/S0661) can compile and execute source code sent to the compromised AD FS server via a specific HTTP POST.... |
| S0385 | njRAT | Malware | [njRAT](https://attack.mitre.org/software/S0385) has used AutoIt to compile the payload and main script into a single executable after delivery.(Citat... |
| S0348 | Cardinal RAT | Malware | [Cardinal RAT](https://attack.mitre.org/software/S0348) and its watchdog component are compiled and executed after being delivered to victims as embed... |
| S1099 | Samurai | Malware | [Samurai](https://attack.mitre.org/software/S1099) can compile and execute downloaded modules at runtime.(Citation: Kaspersky ToddyCat June 2022) |
| S0673 | DarkWatchman | Malware | [DarkWatchman](https://attack.mitre.org/software/S0673) has used the <code>csc.exe</code> tool to compile a C# executable.(Citation: Prevailion DarkWa... |
References
- ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.
- Federico Quattrin, Nick Desler, Tin Tam, & Matthew Rutkoske. (2023, March 16). Hiding in Plain Sight: Monitoring and Testing for Living-Off-the-Land Binaries. Retrieved July 15, 2024.
- Trend Micro. (2019, February 11). Windows App Runs on Mac, Downloads Info Stealer and Adware. Retrieved April 25, 2019.
Frequently Asked Questions
What is T1027.004 (Compile After Delivery)?
T1027.004 is a MITRE ATT&CK technique named 'Compile After Delivery'. It belongs to the Stealth tactic(s). Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protec...
How can T1027.004 be detected?
Detection of T1027.004 (Compile After Delivery) typically involves monitoring process-creation telemetry for execution of the compilers named in the description (csc.exe, ilasm.exe, GCC/MinGW), particularly on systems that are not developer workstations, and correlating it with file and network telemetry showing source code files being downloaded, extracted, or delivered shortly before compilation. Use SIEM rules, EDR solutions, and behavioral analytics to combine these signals rather than alerting on compiler execution alone.
What mitigations exist for T1027.004?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1027.004?
Known threat groups using T1027.004 include: Gamaredon Group, Rocke, MuddyWater, Sea Turtle.