Compile After Delivery

Information

• Name: Compile After Delivery

• ID: T1027.004

• Tactics:

• Technique:

Introduction

Compile After Delivery (T1027.004) is a sub-technique of the MITRE ATT&CK framework under the parent technique "Obfuscated Files or Information (T1027)." Attackers leverage this technique by delivering source code or scripts to victim systems, which are then compiled or interpreted locally after delivery. This method helps adversaries evade detection mechanisms that primarily focus on identifying pre-compiled malicious binaries or known signatures. By compiling payloads on the target system, attackers can bypass traditional static analysis and signature-based antivirus solutions.

Deep Dive Into Technique

Compile After Delivery involves attackers delivering payloads as source code or scripts, rather than pre-compiled binaries, and then using built-in or pre-installed compilers or interpreters on the victim system to produce executable binaries or execute malicious code directly. The steps involved typically include:

• Payload Delivery: Attackers deliver malicious code in source code formats such as C/C++, C#, Java, Python, PowerShell scripts, or other scripting languages. Delivery methods include:

  • Email phishing attachments containing source code files.

  • Malicious macros in documents that write scripts or source code to disk.

  • Downloads via compromised websites or command-and-control (C2) servers.

• Local Compilation or Interpretation: Attackers rely on system-installed compilers or interpreters, such as:

  • GCC or MSVC compilers for C/C++ code.

  • .NET Framework compilers (csc.exe) for C# code.

  • Python, PowerShell, Perl, or Ruby interpreters.

  • Java Development Kit (JDK) compilers (javac) for Java code.

• Execution of Compiled Payloads: After compilation, attackers execute the resulting binaries or scripts directly to achieve their malicious objectives, such as:

  • Establishing persistence on the compromised host.

  • Escalating privileges or lateral movement.

  • Data exfiltration or command-and-control communication.

• Evasion Advantages: Attackers benefit from:

  • Avoidance of static analysis detection, as source code may not match known malware signatures.

  • Lower suspicion from antivirus and endpoint detection and response (EDR) tools that typically monitor execution of pre-compiled binaries.

  • Increased flexibility in payload customization, allowing attackers to quickly adapt or modify code to evade detection.

When this Technique is Usually Used

This sub-technique is commonly employed across different attack scenarios and stages, including:

• Initial Access and Delivery Stage:

  • Attackers may deliver source code or scripts through phishing emails, malicious document attachments, or web downloads.

• Defense Evasion Stage:

  • Used to bypass static antivirus signatures, file hash-based detection mechanisms, and sandbox analysis tools.

• Persistence and Privilege Escalation Stages:

  • Attackers compile code locally to create persistent backdoors or escalate privileges by leveraging local compilers and interpreters.

• Lateral Movement and Execution Stages:

  • Malicious scripts or code snippets delivered to compromised hosts within a target environment are compiled locally to facilitate movement across systems or networks.

How this Technique is Usually Detected

Detection of Compile After Delivery techniques typically involves multiple monitoring and analysis approaches, including:

• Process Monitoring and Behavioral Analysis:

  • Monitor for unusual or unexpected compiler processes (e.g., gcc.exe, csc.exe, javac.exe) or scripting interpreters (e.g., python.exe, powershell.exe) running on endpoints.

  • Detect anomalous compilation events, especially initiated by user accounts or processes that do not typically perform compilation tasks.

• File System and Artifact Monitoring:

  • Identify suspicious files or scripts written to disk, particularly in temporary directories or unusual locations.

  • Monitor for creation and execution of newly compiled binaries immediately after a compilation event.

• Endpoint Detection and Response (EDR) Tools:

  • Utilize EDR solutions to monitor and alert on suspicious execution chains, including compiler processes spawning unusual child processes.

  • Detect unauthorized or suspicious use of scripting interpreters or compilers by analyzing command-line arguments and execution context.

• Network Monitoring and Logging:

  • Analyze network logs for unusual downloads or transfers of source code files or scripts.

  • Detect command-and-control (C2) traffic patterns after execution of compiled payloads.

• Indicators of Compromise (IoCs):

  • Presence of unexpected compiler or interpreter binaries running on compromised endpoints.

  • Unusual or suspicious source code files (.c, .cpp, .cs, .java, .py, .ps1) found in temporary or hidden directories.

  • Newly created executable files (.exe, .dll, .jar files) appearing shortly after source code or script files appear on disk.

  • Suspicious execution patterns involving compiler processes or interpreters initiated from uncommon locations or user contexts.

Why it is Important to Detect This Technique

Early detection of Compile After Delivery techniques is crucial due to their significant potential impacts, including:

• Evasion of Traditional Security Controls:

  • Attackers bypass static antivirus detection and signature-based security tools, significantly increasing the risk of undetected intrusion.

• Persistence and Privilege Escalation:

  • Malicious binaries or scripts compiled locally can establish persistent footholds, escalating attacker privileges and enabling further compromise.

• Stealthy Lateral Movement:

  • Attackers may leverage locally compiled tools or scripts to move laterally within networks undetected, increasing the scope of compromise and damage.

• Data Exfiltration and System Damage:

  • Compiled payloads can facilitate data theft, ransomware deployment, or destructive actions within compromised environments.

• Complexity of Incident Response:

  • Delayed detection significantly complicates incident response and remediation efforts, increasing resource expenditure and potential downtime.

Examples

Real-world examples and attack scenarios utilizing the Compile After Delivery sub-technique include:

• APT32 (OceanLotus) Operation:

  • Delivered malicious C# source code to victim systems, compiling the payload locally using the legitimate .NET compiler (csc.exe).

  • Achieved successful evasion of antivirus detection and established persistent access, enabling espionage activities.

• PowerShell Empire Framework:

  • Attackers frequently deliver PowerShell scripts to compromised hosts, executing them directly via PowerShell interpreter without prior compilation.

  • Successfully used in penetration testing and real-world attacks to evade detection and maintain stealthy persistence.

• FIN7 Group:

  • Delivered malicious JavaScript or PowerShell scripts embedded within phishing documents.

  • Scripts were executed or compiled locally to download and execute additional payloads, enabling data exfiltration and financial fraud.

• Operation Sharpshooter (Lazarus Group):

  • Delivered malicious source code written in C/C++ to victim systems via spear-phishing emails.

  • Compiled payloads locally using system-installed compilers, effectively bypassing static antivirus detection and enabling espionage operations.

• Meterpreter and Metasploit Framework:

  • Attackers deliver Meterpreter payloads as source code or scripts, compiling or interpreting them locally to evade traditional detection mechanisms.

  • Widely utilized in penetration testing and real-world cyber-attacks to establish persistent backdoors, lateral movement, and data exfiltration.