ID | Name |
---|---|
T1027.001 | Binary Padding |
T1027.002 | Software Packing |
T1027.003 | Steganography |
T1027.004 | Compile After Delivery |
T1027.005 | Indicator Removal from Tools |
T1027.006 | HTML Smuggling |
Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may evade analysis and scrutiny from protections that target executables/binaries. These payloads must be compiled before execution, typically with native utilities such as csc.exe or GCC/MinGW.[1]
Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered via Phishing. Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (e.g., EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.[2]
ID | Name | Description |
---|---|---|
S0348 | Cardinal RAT | Cardinal RAT and its watchdog component are compiled and executed after being delivered to victims as embedded, uncompiled source code.[3] |
S0673 | DarkWatchman | DarkWatchman has used the |
S0661 | FoggyWeb | FoggyWeb can compile and execute source code sent to the compromised AD FS server via a specific HTTP POST.[5] |
G0047 | Gamaredon Group | Gamaredon Group has compiled the source code for a downloader directly on the infected system using the built-in |
G0069 | MuddyWater | MuddyWater has used the .NET csc.exe tool to compile executables from downloaded C# code.[1] |
S0385 | njRAT | njRAT has used AutoIt to compile the payload and main script into a single executable after delivery.[7] |
G0106 | Rocke | Rocke has compiled malware, delivered to victims as .c files, with the GNU Compiler Collection (GCC).[8] |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0022 | File | File Creation |
DS0022 | File | File Metadata |
DS0009 | Process | Process Creation |
Monitor the execution file paths and command-line arguments for common compilers, such as csc.exe and GCC/MinGW, and correlate them with other suspicious behavior to reduce false positives from normal user and administrator activity. The compilation of payloads may also generate file creation and/or file write events. Look for non-native binary formats and cross-platform compiler and execution frameworks like Mono and determine whether they have a legitimate purpose on the system.[2] Typically these should only be used in specific and limited cases, such as software development.
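The detection guidance above, as an added example that is not part of the ATT&CK page: it scores compiler launches (csc.exe, GCC/MinGW, Mono's mcs) found in process-creation telemetry by their parent process, by source/output paths in user staging directories, and by binaries the compiler process wrote shortly afterwards. The telemetry, the parent-process lists and the scoring weights are constructed assumptions, not an official rule.

```python
import os
from datetime import datetime, timedelta

# Constructed, Sysmon-style telemetry (eid 1 = process creation, eid 11 = file creation); not real logs.
EVENTS = [
    {"eid": 1, "ts": "2024-01-10T09:00:00", "pid": 4120, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"csc.exe /nologo /out:C:\Users\bob\AppData\Local\Temp\upd.exe C:\Users\bob\AppData\Local\Temp\upd.cs"},
    {"eid": 11, "ts": "2024-01-10T09:00:02", "pid": 4120, "path": r"C:\Users\bob\AppData\Local\Temp\upd.exe"},
    {"eid": 1, "ts": "2024-01-10T10:00:00", "pid": 5001, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "cmdline": r"csc.exe /out:C:\Users\dev\source\repos\App\bin\App.exe C:\Users\dev\source\repos\App\Program.cs"},
    {"eid": 11, "ts": "2024-01-10T10:00:03", "pid": 5001, "path": r"C:\Users\dev\source\repos\App\bin\App.exe"},
    {"eid": 1, "ts": "2024-01-10T11:00:00", "pid": 7710, "image": "/usr/bin/gcc", "parent": "/usr/bin/make",
     "cmdline": "gcc -O2 -c src/main.c -o build/main.o"},
]

# Compiler images named in the detection section (csc.exe, GCC/MinGW) plus Mono's C# compiler.
COMPILERS = {"csc.exe", "gcc", "gcc.exe", "x86_64-w64-mingw32-gcc.exe", "mcs"}
# Build tools that legitimately drive compilers: they lower the score but never suppress an alert outright.
BUILD_PARENTS = {"devenv.exe", "msbuild.exe", "vbcscompiler.exe", "make"}
# Office/mail/script hosts that should not be spawning a compiler (assumed list).
DELIVERY_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
STAGING_DIRS = ("\\temp\\", "\\appdata\\", "\\downloads\\", "/tmp/", "/dev/shm/")
WINDOW = timedelta(seconds=60)  # how long after launch a written binary is attributed to the compile

def _base(path):
    return os.path.basename(path.replace("\\", "/")).lower()

def detect(events):
    """Return scored alerts for compiler launches, highest score first."""
    procs = [e for e in events if e["eid"] == 1 and _base(e["image"]) in COMPILERS]
    files = [e for e in events if e["eid"] == 11]
    alerts = []
    for p in procs:
        t0, parent, reasons = datetime.fromisoformat(p["ts"]), _base(p["parent"]), []
        if parent in DELIVERY_PARENTS:
            reasons.append("parent is a delivery/script host: " + parent)
        if any(s in p["cmdline"].lower() for s in STAGING_DIRS):
            reasons.append("sources or output in a user staging directory")
        written = [f["path"] for f in files if f["pid"] == p["pid"] and f["path"].lower().endswith((".exe", ".dll"))
                   and t0 <= datetime.fromisoformat(f["ts"]) <= t0 + WINDOW]
        if written:
            reasons.append("wrote binary within %ds: %s" % (WINDOW.seconds, ", ".join(written)))
        score = len(reasons) - (1 if parent in BUILD_PARENTS else 0)
        if score > 0:
            alerts.append({"pid": p["pid"], "compiler": _base(p["image"]), "parent": parent,
                           "score": score, "reasons": reasons})
    return sorted(alerts, key=lambda a: -a["score"])
```

On the constructed events only the csc.exe launch under wscript.exe is reported; the IDE build and the make-driven gcc run score zero, which is the correlation step the text describes.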