The sub-techniques beta is now live! Read the release blog post for more info.

Compile After Delivery

Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Similar to Obfuscated Files or Information, text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.[1]

Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a Spearphishing Attachment. Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.[2]

ID: T1500
Tactic: Defense Evasion
Platform: Linux, macOS, Windows
System Requirements: Compiler software (either native to the system or delivered by the adversary)
Permissions Required: User
Data Sources: Process command-line parameters, Process monitoring, File monitoring
Defense Bypassed: Static File Analysis, Binary Analysis, Anti-virus, Host intrusion prevention systems, Signature-based detection
Contributors: Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank; Praetorian
Version: 1.0
Created: 25 April 2019
Last Modified: 29 April 2019

Procedure Examples

Name Description
Cardinal RAT

Cardinal RAT and its watchdog component are compiled and executed after being delivered to victims as embedded, uncompiled source code.[3]


MuddyWater has used the .NET csc.exe tool to compile executables from downloaded C# code.[1]


This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.


Monitor the execution file paths and command-line arguments for common compilers, such as csc.exe and GCC/MinGW, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior. The compilation of payloads may also generate file creation and/or file write events. Look for non-native binary formats and cross-platform compiler and execution frameworks like Mono and determine if they have a legitimate purpose on the system.[2] Typically these should only be used in specific and limited cases, like for software development.