Obfuscated Files or Information: Compile After Delivery

Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.[1]

Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered via Phishing. Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.[2]

ID: T1027.004
Sub-technique of: T1027
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
System Requirements: Compiler software (either native to the system or delivered by the adversary)
Permissions Required: User
Data Sources: Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Defense Bypassed: Anti-virus, Binary Analysis, Host intrusion prevention systems, Signature-based detection, Static File Analysis
Contributors: Praetorian; Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank
Version: 1.0
Created: 16 March 2020
Last Modified: 29 March 2020

Procedure Examples

ID Name Description
S0348 Cardinal RAT

Cardinal RAT and its watchdog component are compiled and executed after being delivered to victims as embedded, uncompiled source code.[3]

G0047 Gamaredon Group

Gamaredon Group has compiled the source code for a downloader directly on the infected system using the built-in Microsoft.CSharp.CSharpCodeProvider class.[4]

G0069 MuddyWater

MuddyWater has used the .NET csc.exe tool to compile executables from downloaded C# code.[1]

S0385 njRAT

njRAT has used AutoIt to compile the payload and main script into a single executable after delivery.[5]

G0106 Rocke

Rocke has compiled malware, delivered to victims as .c files, with the GNU Compiler Collection (GCC).[6]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Monitor the execution file paths and command-line arguments for common compilers, such as csc.exe and GCC/MinGW, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior. The compilation of payloads may also generate file creation and/or file write events. Look for non-native binary formats and cross-platform compiler and execution frameworks like Mono and determine if they have a legitimate purpose on the system.[2] Typically these should only be used in specific and limited cases, like for software development.
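The detection guidance above, worked through as an added example (not part of the ATT&CK page): compiler launches are correlated with their parent process and with file-creation events from the same process, so that csc.exe under a build tool is ignored while a compiler spawned from a shell or script host that reads and writes a temp directory is reported. The event records, field names and the build-tool allow-list are assumptions; adapt them to your EDR schema.

```python
"""Triage compiler launches for compile-after-delivery (T1027.004).
Added example with constructed, Sysmon-like events; field names are an assumption."""
import re
from collections import defaultdict

# Compilers/frameworks named in the detection guidance, plus Mono's C# compiler (mcs).
COMPILERS = {"csc.exe", "gcc", "g++", "mingw32-gcc", "x86_64-w64-mingw32-gcc", "mono", "mcs"}
# Parents from which compiler launches are expected on a developer host (assumed allow-list).
DEV_PARENTS = {"devenv.exe", "msbuild.exe", "make", "cmake", "ninja"}
# User-writable scratch locations where delivered source and its output typically land.
TEMP_RE = re.compile(r"\\temp\\|/tmp/|/dev/shm/", re.IGNORECASE)

def image_name(path):  # basename of a Windows or POSIX path, lower-cased
    return re.split(r"[\\/]", path)[-1].lower()

def compile_after_delivery_findings(events):
    """Return (pid, compiler, reasons) for compiler runs that show correlating signals."""
    writes = defaultdict(list)  # pid -> files created by that process
    for ev in events:
        if ev["type"] == "file":
            writes[ev["pid"]].append(ev["path"])
    findings = []
    for ev in events:
        if ev["type"] != "process" or image_name(ev["image"]) not in COMPILERS:
            continue
        reasons = []
        parent = image_name(ev.get("parent_image", ""))
        if parent not in DEV_PARENTS:
            reasons.append(f"parent {parent or 'unknown'} is not a build tool")
        if TEMP_RE.search(ev["cmdline"]):
            reasons.append("source/output path in a temp directory")
        temp_outputs = [p for p in writes[ev["pid"]] if TEMP_RE.search(p)]
        if temp_outputs:
            reasons.append("wrote " + ", ".join(temp_outputs))
        if reasons:  # plain compiler use inside a build tool is not reported
            findings.append((ev["pid"], image_name(ev["image"]), reasons))
    return findings

EVENTS = [  # constructed sample telemetry, not real logs
    {"type": "process", "pid": 4101, "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": r"csc.exe /nologo /out:C:\Users\bob\AppData\Local\Temp\upd.exe C:\Users\bob\AppData\Local\Temp\upd.cs"},
    {"type": "file", "pid": 4101, "path": r"C:\Users\bob\AppData\Local\Temp\upd.exe"},
    {"type": "process", "pid": 4122, "parent_image": r"C:\VS\Common7\IDE\devenv.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", "cmdline": r"csc.exe /noconfig @C:\src\app\obj\Debug\app.rsp"},
    {"type": "process", "pid": 7310, "parent_image": "/bin/sh", "image": "/usr/bin/gcc", "cmdline": "gcc -O2 -o /tmp/dl /tmp/dl.c"},
    {"type": "file", "pid": 7310, "path": "/tmp/dl"},
]

if __name__ == "__main__":
    for pid, compiler, reasons in compile_after_delivery_findings(EVENTS):
        print(pid, compiler, "; ".join(reasons))
```

Running it reports the PowerShell-spawned csc.exe and the shell-spawned gcc with three signals each, and stays silent on the devenv.exe build.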