T1027.004 Compile After Delivery Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let CompilerPaths = dynamic([
  "csc.exe", "vbc.exe", "jsc.exe", "ilasm.exe", "msbuild.exe",
  "gcc", "g++", "cl.exe", "rc.exe", "mc.exe"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (CompilerPaths)
| where FolderPath has_any (
    "\\Windows\\Microsoft.NET\\",
    "\\Microsoft Visual Studio\\",
    "\\MinGW\\",
    "\\Temp\\",
    "\\AppData\\"
)
| where ProcessCommandLine !contains "\\Windows\\WinSxS\\"
    and ProcessCommandLine !contains "Visual Studio"
    and ProcessCommandLine !contains "msbuild /t:Build"
| extend IsCSC = FileName =~ "csc.exe"
| extend IsMSBuild = FileName =~ "msbuild.exe"
| extend SourceFromTemp = ProcessCommandLine has_any ("\\Temp\\", "\\AppData\\", "\\Users\\", "\\Downloads\\")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         IsCSC, IsMSBuild, SourceFromTemp
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate software development activity on developer workstations where devs compile projects in user home directories
MSBuild invocations by Visual Studio or CI/CD build agents that legitimately compile in workspace directories
Package managers and build tools (NuGet, npm, Cargo) that invoke compilers as part of dependency compilation
System administration scripts that use csc.exe to compile small C# utilities for automation tasks

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (Image="*\\csc.exe" OR Image="*\\vbc.exe" OR Image="*\\ilasm.exe" OR Image="*\\msbuild.exe"
   OR Image="*\\jsc.exe" OR Image="*\\cl.exe")
| eval cmdline=lower(CommandLine)
| eval SourceFromTemp=if(match(cmdline, "(\\\\temp\\\\|\\\\appdata\\\\|\\\\downloads\\\\|\\\\users\\\\[^\\\\]+\\\\desktop)"), 1, 0)
| eval ParentSuspicious=if(match(lower(ParentImage), "(powershell|wscript|cscript|mshta|cmd)"), 1, 0)
| eval NoVisualStudio=if(NOT match(cmdline, "(visual studio|devenv|vstudio)"), 1, 0)
| eval SuspicionScore=SourceFromTemp + ParentSuspicious + NoVisualStudio
| where SuspicionScore >= 2
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, SuspicionScore
| sort - _time

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Developers who use PowerShell scripts to drive compilation workflows will trigger the ParentSuspicious flag
Automated testing pipelines that run compilers from scripting contexts as part of CI build processes
MSBuild project files that reference source in non-standard locations for modular build systems
Software deployment scripts that compile helper utilities on first run in temp directories

Elastic Security (EQL)

eql

sequence by host.id with maxspan=5m
  [process where event.type == "start"
    and process.name in~ ("csc.exe", "vbc.exe", "jsc.exe", "ilasm.exe", "msbuild.exe", "gcc", "g++", "cl.exe", "rc.exe", "mc.exe")
    and (
      process.executable : ("*\\Windows\\Microsoft.NET\\*", "*\\Microsoft Visual Studio\\*", "*\\MinGW\\*", "*\\Temp\\*", "*\\AppData\\*")
      or process.args : ("*\\Temp\\*", "*\\AppData\\*", "*\\Downloads\\*", "*\\Users\\*")
    )
    and not process.args : ("*\\Windows\\WinSxS\\*", "*Visual Studio*", "*devenv*")
    and process.parent.name in~ ("powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe", "python.exe", "wmic.exe")
  ]
  [file where event.type in ("creation", "change")
    and file.extension in ("exe", "dll", "bin")
    and file.path : ("*\\Temp\\*", "*\\AppData\\*", "*\\Downloads\\*", "*\\Users\\*")
  ]

high severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Elastic Agent (endpoint)

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-* logs-windows.sysmon_operational-*

False Positives

Legitimate developer workstations running .NET or C++ build pipelines where build output lands in user temp directories during CI/CD agent execution
IT automation tooling (e.g. SCCM, Ansible) that compiles scripts on-the-fly during software deployment to standard user paths
Security software and EDR agents that use embedded compilers for JIT compilation or instrumentation, spawned from service processes

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  sourceip,
  username,
  "processname" AS process_name,
  "commandline" AS command_line,
  "parentprocessname" AS parent_process,
  CASE
    WHEN LOWER("commandline") LIKE '%\temp\%' OR LOWER("commandline") LIKE '%\appdata\%' OR LOWER("commandline") LIKE '%\downloads\%' THEN 1
    ELSE 0
  END AS source_from_temp,
  CASE
    WHEN LOWER("parentprocessname") LIKE '%powershell%' OR LOWER("parentprocessname") LIKE '%wscript%'
      OR LOWER("parentprocessname") LIKE '%cscript%' OR LOWER("parentprocessname") LIKE '%mshta%'
      OR LOWER("parentprocessname") LIKE '%cmd%' THEN 1
    ELSE 0
  END AS parent_suspicious,
  CASE
    WHEN LOWER("commandline") NOT LIKE '%visual studio%' AND LOWER("commandline") NOT LIKE '%devenv%' THEN 1
    ELSE 0
  END AS no_visual_studio
FROM events
WHERE devicetime > NOW() - 86400000
  AND LOGSOURCETYPEID IN (12, 13, 352)
  AND eventid = 1
  AND (
    LOWER("processname") = 'csc.exe'
    OR LOWER("processname") = 'vbc.exe'
    OR LOWER("processname") = 'ilasm.exe'
    OR LOWER("processname") = 'msbuild.exe'
    OR LOWER("processname") = 'jsc.exe'
    OR LOWER("processname") = 'cl.exe'
    OR LOWER("processname") = 'gcc'
    OR LOWER("processname") = 'g++'
  )
  AND NOT LOWER("commandline") LIKE '%winsx%'
HAVING (source_from_temp + parent_suspicious + no_visual_studio) >= 2
ORDER BY event_time DESC

high severity medium confidence

Data Sources

Sysmon via WinCollect/DSM Windows Security Event Log DSM Microsoft Windows Security Event Log

Required Tables

events

False Positives

Build servers or developer VMs ingested into QRadar where msbuild/csc regularly run from AppData paths during NuGet restore and build operations
PowerShell-based deployment scripts that invoke csc.exe to compile helper utilities as part of a legitimate bootstrapping workflow
Security testing labs and red-team infrastructure where compilers are routinely executed by cmd.exe or PowerShell during tool preparation

Sumo Logic CSE

sql

_sourceCategory=*windows*sysmon* OR _sourceCategory=*endpoint*
| where EventID = "1"
| parse field=Image "*\\*" as image_dir, image_file nodrop
| where image_file in ("csc.exe", "vbc.exe", "ilasm.exe", "msbuild.exe", "jsc.exe", "cl.exe", "gcc", "g++", "rc.exe", "mc.exe")
| eval cmdline_lower = toLowerCase(CommandLine)
| eval source_from_temp = if(cmdline_lower matches ".*\\\\(temp|appdata|downloads|desktop)\\\\.*", 1, 0)
| eval parent_suspicious = if(toLowerCase(ParentImage) matches ".*(powershell|wscript|cscript|mshta|cmd\.exe|python).*", 1, 0)
| eval no_dev_env = if(!(cmdline_lower matches ".*(visual studio|devenv|vstudio|winsxs).*"), 1, 0)
| eval suspicion_score = source_from_temp + parent_suspicious + no_dev_env
| where suspicion_score >= 2
| eval compiler_type = if(image_file = "msbuild.exe", "MSBuild",
    if(image_file in ("csc.exe", "vbc.exe", "jsc.exe", "ilasm.exe"), "DotNet",
    if(image_file in ("gcc", "g++", "cl.exe"), "NativeCompiler", "Other")))
| fields _messageTime, Computer, User, image_file, CommandLine, ParentImage, ParentCommandLine, suspicion_score, compiler_type
| sort - _messageTime

high severity high confidence

Data Sources

Sysmon (Windows) Sumo Logic Installed Collector with Windows Event Log Source Sumo Logic Cloud-to-Cloud (Microsoft 365 Defender)

Required Tables

_sourceCategory=*windows*sysmon*

False Positives

Automated software packaging pipelines where csc.exe or msbuild.exe are invoked by cmd.exe from AppData local paths during per-user MSI installations
Chocolatey, WinGet, or Scoop package managers that compile source packages during installation, often spawned from PowerShell under user AppData
Game modding tools or creative software that bundle lightweight .NET compilers and invoke csc.exe from user home directories as part of scripting workflows

Google Chronicle / SecOps

yaral

rule t1027_004_compile_after_delivery {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1027.004 Compile After Delivery - compiler binaries executing with source from user-writable paths, spawned by script interpreters"
    mitre_attack_technique = "T1027.004"
    mitre_attack_tactic = "Defense Evasion"
    severity = "HIGH"
    confidence = "HIGH"
    created = "2026-04-13"
    reference = "https://attack.mitre.org/techniques/T1027/004/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.process.file.full_path = /(?i)(csc\.exe|vbc\.exe|ilasm\.exe|msbuild\.exe|jsc\.exe|cl\.exe|rc\.exe|mc\.exe|\bgcc\b|\bg\+\+\b)/
    (
      $e.target.process.command_line = /(?i)(\\temp\\|\\appdata\\|\\downloads\\|\\users\\[^\\]+\\desktop)/
      or $e.target.process.file.full_path = /(?i)(\\temp\\|\\appdata\\|\\downloads\\)/
    )
    not $e.target.process.command_line = /(?i)(\\windows\\winsxs\\|visual studio|devenv|vstudio)/
    $e.principal.process.file.full_path = /(?i)(powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|cmd\.exe|wmic\.exe|python\.exe)/
    $hostname = $e.principal.hostname
    $user = $e.principal.user.userid

  match:
    $hostname, $user over 10m

  condition:
    #e >= 1
}

high severity high confidence

Data Sources

Google Chronicle UDM (Windows Endpoint) Sysmon forwarded via Chronicle Forwarder Microsoft Defender for Endpoint via Chronicle integration

Required Tables

UDM events (PROCESS_LAUNCH)

False Positives

Developer workstations with Visual Studio Code remote extensions that invoke csc.exe via integrated terminal (PowerShell parent) with workspace files under user AppData
Managed enterprise build agents (Azure Pipelines, Jenkins) running on developer hardware where msbuild is invoked by PowerShell bootstrap scripts
Security tooling such as BloodHound, Covenant, or Cobalt Strike simulators used in authorized red team exercises that compile payloads on endpoint

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(\\csc\.exe|\\vbc\.exe|\\ilasm\.exe|\\msbuild\.exe|\\jsc\.exe|\\cl\.exe|\\rc\.exe|\\mc\.exe|\bgcc$|\bg\+\+$)/
| CommandLine = /(?i)(\\temp\\|\\appdata\\|\\downloads\\|\\users\\[^\\]+\\)/
| not CommandLine = /(?i)(\\windows\\winsxs\\|visual studio|devenv|vstudio)/
| ParentBaseFileName = /(?i)^(powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|cmd\.exe|wmic\.exe|python\.exe|pythonw\.exe)$/
| eval source_from_temp = if(CommandLine = /(?i)(\\temp\\|\\appdata\\|\\downloads\\)/, 1, 0)
| eval parent_suspicious = if(ParentBaseFileName = /(?i)(powershell|wscript|cscript|mshta|cmd|wmic|python)/, 1, 0)
| eval no_dev_tooling = if(CommandLine != /(?i)(visual studio|devenv|vstudio|winsxs)/, 1, 0)
| eval suspicion_score = source_from_temp + parent_suspicious + no_dev_tooling
| where suspicion_score >= 2
| eval compiler_category = case(
    ImageFileName = /(?i)msbuild\.exe/, "MSBuild",
    ImageFileName = /(?i)(csc|vbc|ilasm|jsc)\.exe/, "DotNet",
    ImageFileName = /(?i)(cl|rc|mc)\.exe/, "MSVC",
    ImageFileName = /(?i)(gcc|g\+\+)/, "GCC",
    true(), "Unknown"
  )
| groupBy([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, compiler_category, suspicion_score], function=count(as=event_count))
| sort(field=event_count, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint (ProcessRollup2) CrowdStrike Falcon Data Replicator (FDR) Humio/LogScale Falcon SIEM Connector

Required Tables

ProcessRollup2

False Positives

CrowdStrike-protected developer endpoints where csc.exe or msbuild.exe is routinely invoked by PowerShell tasks during .NET SDK tooling operations (dotnet CLI wraps msbuild)
Endpoint agents for RMM platforms (ConnectWise, Kaseya) that deploy software by invoking compilers through cmd.exe batch scripts in ProgramData or AppData paths
Automated test frameworks (NUnit, xUnit runners) that compile test fixtures at runtime using Roslyn/csc.exe from a PowerShell test orchestration script

Compile After Delivery

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections