Esc
Compile After Delivery - T1027.004
(ATT&CK® Technique)
Definition
Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR; T1027004["Compile After Delivery"] --> |creates| ExecutableFile["Executable File"]; class T1027004 OffensiveTechniqueNode; class ExecutableFile ArtifactNode; click ExecutableFile href "/dao/artifact/d3f:ExecutableFile"; click T1027004 href "/offensive-technique/attack/T1027.004/"; click ExecutableFile href "/dao/artifact/d3f:ExecutableFile"; DecoyFile["Decoy File"] --> | spoofs | ExecutableFile["Executable File"]; DecoyFile["Decoy File"] -.-> | may-deceive | T1027004["Compile After Delivery"] ; class DecoyFile DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click DecoyFile href "/technique/d3f:DecoyFile"; DynamicAnalysis["Dynamic Analysis"] --> | analyzes | ExecutableFile["Executable File"]; DynamicAnalysis["Dynamic Analysis"] -.-> | may-detect | T1027004["Compile After Delivery"] ; class DynamicAnalysis DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; EmulatedFileAnalysis["Emulated File Analysis"] --> | analyzes | ExecutableFile["Executable File"]; EmulatedFileAnalysis["Emulated File Analysis"] -.-> | may-detect | T1027004["Compile After Delivery"] ; class EmulatedFileAnalysis DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | ExecutableFile["Executable File"]; FileIntegrityMonitoring["File Integrity Monitoring"] -.-> | may-detect | T1027004["Compile After Delivery"] ; class FileIntegrityMonitoring DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; LocalFilePermissions["Local File Permissions"] --> | restricts | ExecutableFile["Executable File"]; LocalFilePermissions["Local File Permissions"] -.-> | may-isolate | T1027004["Compile After Delivery"] ; class LocalFilePermissions DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; FileEviction["File Eviction"] --> | deletes | ExecutableFile["Executable File"]; FileEviction["File Eviction"] -.-> | may-evict | T1027004["Compile After Delivery"] ; class FileEviction DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click FileEviction href "/technique/d3f:FileEviction"; ExecutableAllowlisting["Executable Allowlisting"] --> | blocks | ExecutableFile["Executable File"]; ExecutableAllowlisting["Executable Allowlisting"] -.-> | may-isolate | T1027004["Compile After Delivery"] ; class ExecutableAllowlisting DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; ExecutableDenylisting["Executable Denylisting"] --> | blocks | ExecutableFile["Executable File"]; ExecutableDenylisting["Executable Denylisting"] -.-> | may-isolate | T1027004["Compile After Delivery"] ; class ExecutableDenylisting DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; RestoreFile["Restore File"] --> | restores | ExecutableFile["Executable File"]; RestoreFile["Restore File"] -.-> | may-restore | T1027004["Compile After Delivery"] ; class RestoreFile DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click RestoreFile href "/technique/d3f:RestoreFile"; FileAnalysis["File Analysis"] --> | analyzes | ExecutableFile["Executable File"]; FileAnalysis["File Analysis"] -.-> | may-detect | T1027004["Compile After Delivery"] ; class FileAnalysis DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click FileAnalysis href "/technique/d3f:FileAnalysis"; RemoteFileAccessMediation["Remote File Access Mediation"] --> | isolates | ExecutableFile["Executable File"]; RemoteFileAccessMediation["Remote File Access Mediation"] -.-> | may-isolate | T1027004["Compile After Delivery"] ; class RemoteFileAccessMediation DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation"; FileEncryption["File Encryption"] --> | encrypts | ExecutableFile["Executable File"]; FileEncryption["File Encryption"] -.-> | may-harden | T1027004["Compile After Delivery"] ; class FileEncryption DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click FileEncryption href "/technique/d3f:FileEncryption";