1. Home
  2. Detection Strategies
  3. Detection Strategy for Compile After Delivery - Source Code to Executable Transformation

Detection Strategy for Compile After Delivery - Source Code to Executable Transformation

Technique Detected:  Compile After Delivery | T1027.004

ID: DET0501
Domains: Enterprise
Analytics: AN1381, AN1382, AN1383
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025
Version Permalink

Analytics

AN1381

Detects compilation activity using csc.exe, ilasm.exe, or msbuild.exe initiated by user-space processes outside typical development environments, followed by execution or network activity from newly written binaries.

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
File Creation (DC0039) WinEventLog:Sysmon EventCode=11
Network Connection Creation (DC0082) WinEventLog:Sysmon EventCode=3
Mutable Elements
Field Description
ParentProcessName Filter for unexpected users (non-dev) launching compilers like csc.exe or msbuild.exe
OutputDirectoryPath Adjust paths for sensitive file write zones (e.g., `C:\Users\Public\`, `%TEMP%`, or Desktop)
TimeWindow Tune the correlation window between compilation and subsequent execution or C2

AN1382

Detects GCC or Clang invoked on suspicious file paths (e.g., /tmp/, ~/Downloads) with output to executable binaries, followed by execution or outbound traffic from these binaries.

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:SYSCALL execve
File Creation (DC0039) auditd:SYSCALL open,create
Network Connection Creation (DC0082) NSM:Flow conn.log
Mutable Elements
Field Description
CompilerBinaryPath Specify path and binaries for detection (e.g., `/usr/bin/gcc`, `/opt/mingw/bin/gcc`)
FilePermissionProfile Match uncommon chmod behavior post-compilation (e.g., +x in `/tmp` or home directories)

AN1383

Detects non-standard compilation activity via Xcode CLI tools or bundled GCC/MONO packages writing new executable files and executing them outside dev environments (e.g., user Downloads folder).

Log Sources
Data Component Name Channel
Process Creation (DC0032) macos:unifiedlog process activity, exec events
File Creation (DC0039) macos:osquery file_events
Network Connection Creation (DC0082) macos:unifiedlog networkd or socket
Mutable Elements
Field Description
CompilerInvocationPattern Detect calls to `xcodebuild`, `clang`, or `/Applications/Mono.app/...` from non-admin users
OutputBinaryPath Monitor for output files in user-writable paths (e.g., `~/Library/Caches`, `~/Downloads`)