Detect Compile After Delivery in CrowdStrike LogScale
Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe (C# compiler), ilasm.exe (.NET assembler), or GCC/MinGW. Source code payloads may also be encrypted or encoded. Threat actors including MuddyWater, Gamaredon Group, Rocke, Cardinal RAT, and DarkWatchman have used this technique to compile malware on victim systems using built-in compiler utilities.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1027 Obfuscated Files or Information
- Sub-technique
- T1027.004 Compile After Delivery
- Canonical reference
- https://attack.mitre.org/techniques/T1027/004/
LogScale Detection Query
#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(\\csc\.exe|\\vbc\.exe|\\ilasm\.exe|\\msbuild\.exe|\\jsc\.exe|\\cl\.exe|\\rc\.exe|\\mc\.exe|\bgcc$|\bg\+\+$)/
| CommandLine = /(?i)(\\temp\\|\\appdata\\|\\downloads\\|\\users\\[^\\]+\\)/
| not CommandLine = /(?i)(\\windows\\winsxs\\|visual studio|devenv|vstudio)/
| ParentBaseFileName = /(?i)^(powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|cmd\.exe|wmic\.exe|python\.exe|pythonw\.exe)$/
| eval source_from_temp = if(CommandLine = /(?i)(\\temp\\|\\appdata\\|\\downloads\\)/, 1, 0)
| eval parent_suspicious = if(ParentBaseFileName = /(?i)(powershell|wscript|cscript|mshta|cmd|wmic|python)/, 1, 0)
| eval no_dev_tooling = if(CommandLine != /(?i)(visual studio|devenv|vstudio|winsxs)/, 1, 0)
| eval suspicion_score = source_from_temp + parent_suspicious + no_dev_tooling
| where suspicion_score >= 2
| eval compiler_category = case(
ImageFileName = /(?i)msbuild\.exe/, "MSBuild",
ImageFileName = /(?i)(csc|vbc|ilasm|jsc)\.exe/, "DotNet",
ImageFileName = /(?i)(cl|rc|mc)\.exe/, "MSVC",
ImageFileName = /(?i)(gcc|g\+\+)/, "GCC",
true(), "Unknown"
)
| groupBy([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, compiler_category, suspicion_score], function=count(as=event_count))
| sort(field=event_count, order=desc)CrowdStrike LogScale (Falcon) query using ProcessRollup2 events to detect compiler binaries invoked by script interpreters with source files from user-writable paths. Suspicion scoring aggregated by host and user to surface repeated compilation attempts. Maps to T1027.004.
Data Sources
Required Tables
False Positives & Tuning
- CrowdStrike-protected developer endpoints where csc.exe or msbuild.exe is routinely invoked by PowerShell tasks during .NET SDK tooling operations (dotnet CLI wraps msbuild)
- Endpoint agents for RMM platforms (ConnectWise, Kaseya) that deploy software by invoking compilers through cmd.exe batch scripts in ProgramData or AppData paths
- Automated test frameworks (NUnit, xUnit runners) that compile test fixtures at runtime using Roslyn/csc.exe from a PowerShell test orchestration script
Other platforms for T1027.004
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Compile and Execute C# Payload via csc.exe
Expected signal: Sysmon Event ID 11: payload.cs created in %TEMP%. Sysmon Event ID 1: csc.exe with /out: argument pointing to %TEMP%. Sysmon Event ID 11: compiled_payload.exe created. Sysmon Event ID 1: compiled_payload.exe execution.
- Test 2MSBuild Execution of Inline C# Task (LOLBin Abuse)
Expected signal: Sysmon Event ID 11: evil.proj created in %TEMP%. Sysmon Event ID 1: MSBuild.exe process creation with %TEMP%\evil.proj argument. The code executes within the MSBuild process itself — no separate child process for the C# code.
- Test 3Compile C Source Code with GCC (Linux/macOS)
Expected signal: Process creation events: gcc with /tmp/payload.c argument, then compiled_payload execution. Syslog/auditd: execve syscalls for gcc and the compiled binary. File creation events for /tmp/payload.c and /tmp/compiled_payload.
- Test 4PowerShell Spawning csc.exe to Compile Downloaded Source
Expected signal: Sysmon Event ID 1: powershell.exe with Set-Content and Start-Process commands. Sysmon Event ID 11: downloaded.cs and output.exe created in %TEMP%. Sysmon Event ID 1: csc.exe with parent PowerShell. Sysmon Event ID 1: output.exe executed.
References (5)
- https://attack.mitre.org/techniques/T1027/004/
- https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
- https://www.attackiq.com/2023/03/16/hiding-in-plain-sight/
- https://blog.trendmicro.com/trendlabs-security-intelligence/windows-app-runs-on-mac-downloads-info-stealer-and-adware/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md
Unlock Pro Content
Get the full detection package for T1027.004 including response playbook, investigation guide, and atomic red team tests.