Esc
Compile After Delivery - T1027.004
(ATT&CK® Technique)
Definition
Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
T1027004["Compile After Delivery"] --> |creates| ExecutableFile["Executable File"]; class T1027004 OffensiveTechniqueNode;
class ExecutableFile ArtifactNode; click ExecutableFile href "../../../dao/artifact/d3f:ExecutableFile";
click T1027004 href "../../../offensive-technique/attack/T1027.004/"; click ExecutableFile href "../../../dao/artifact/d3f:ExecutableFile"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | ExecutableFile["Executable File"];
FileIntegrityMonitoring["File Integrity Monitoring"] -.->
| may-detect | T1027004["Compile After Delivery"] ;
class FileIntegrityMonitoring DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click FileIntegrityMonitoring href "../../../technique/d3f:FileIntegrityMonitoring"; FileEviction["File Eviction"] -->
| deletes | ExecutableFile["Executable File"];
FileEviction["File Eviction"] -.->
| may-evict | T1027004["Compile After Delivery"] ;
class FileEviction DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click FileEviction href "../../../technique/d3f:FileEviction"; FileEncryption["File Encryption"] -->
| encrypts | ExecutableFile["Executable File"];
FileEncryption["File Encryption"] -.->
| may-harden | T1027004["Compile After Delivery"] ;
class FileEncryption DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click FileEncryption href "../../../technique/d3f:FileEncryption"; DecoyFile["Decoy File"] -->
| spoofs | ExecutableFile["Executable File"];
DecoyFile["Decoy File"] -.->
| may-deceive | T1027004["Compile After Delivery"] ;
class DecoyFile DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click DecoyFile href "../../../technique/d3f:DecoyFile"; EmulatedFileAnalysis["Emulated File Analysis"] -->
| analyzes | ExecutableFile["Executable File"];
EmulatedFileAnalysis["Emulated File Analysis"] -.->
| may-detect | T1027004["Compile After Delivery"] ;
class EmulatedFileAnalysis DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click EmulatedFileAnalysis href "../../../technique/d3f:EmulatedFileAnalysis"; DynamicAnalysis["Dynamic Analysis"] -->
| analyzes | ExecutableFile["Executable File"];
DynamicAnalysis["Dynamic Analysis"] -.->
| may-detect | T1027004["Compile After Delivery"] ;
class DynamicAnalysis DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click DynamicAnalysis href "../../../technique/d3f:DynamicAnalysis"; ContentModification["Content Modification"] -->
| modifies | ExecutableFile["Executable File"];
ContentModification["Content Modification"] -.->
| may-isolate | T1027004["Compile After Delivery"] ;
class ContentModification DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click ContentModification href "../../../technique/d3f:ContentModification"; ContentQuarantine["Content Quarantine"] -->
| quarantines | ExecutableFile["Executable File"];
ContentQuarantine["Content Quarantine"] -.->
| may-isolate | T1027004["Compile After Delivery"] ;
class ContentQuarantine DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click ContentQuarantine href "../../../technique/d3f:ContentQuarantine"; LocalFilePermissions["Local File Permissions"] -->
| restricts | ExecutableFile["Executable File"];
LocalFilePermissions["Local File Permissions"] -.->
| may-isolate | T1027004["Compile After Delivery"] ;
class LocalFilePermissions DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click LocalFilePermissions href "../../../technique/d3f:LocalFilePermissions"; ExecutableDenylisting["Executable Denylisting"] -->
| blocks | ExecutableFile["Executable File"];
ExecutableDenylisting["Executable Denylisting"] -.->
| may-isolate | T1027004["Compile After Delivery"] ;
class ExecutableDenylisting DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click ExecutableDenylisting href "../../../technique/d3f:ExecutableDenylisting"; RestoreFile["Restore File"] -->
| restores | ExecutableFile["Executable File"];
RestoreFile["Restore File"] -.->
| may-restore | T1027004["Compile After Delivery"] ;
class RestoreFile DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click RestoreFile href "../../../technique/d3f:RestoreFile"; ExecutableAllowlisting["Executable Allowlisting"] -->
| blocks | ExecutableFile["Executable File"];
ExecutableAllowlisting["Executable Allowlisting"] -.->
| may-isolate | T1027004["Compile After Delivery"] ;
class ExecutableAllowlisting DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click ExecutableAllowlisting href "../../../technique/d3f:ExecutableAllowlisting"; ContentFiltering["Content Filtering"] -->
| filters | ExecutableFile["Executable File"];
ContentFiltering["Content Filtering"] -.->
| may-isolate | T1027004["Compile After Delivery"] ;
class ContentFiltering DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click ContentFiltering href "../../../technique/d3f:ContentFiltering"; FileAnalysis["File Analysis"] -->
| analyzes | ExecutableFile["Executable File"];
FileAnalysis["File Analysis"] -.->
| may-detect | T1027004["Compile After Delivery"] ;
class FileAnalysis DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click FileAnalysis href "../../../technique/d3f:FileAnalysis"; RemoteFileAccessMediation["Remote File Access Mediation"] -->
| isolates | ExecutableFile["Executable File"];
RemoteFileAccessMediation["Remote File Access Mediation"] -.->
| may-isolate | T1027004["Compile After Delivery"] ;
class RemoteFileAccessMediation DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click RemoteFileAccessMediation href "../../../technique/d3f:RemoteFileAccessMediation";