
Detect Compile After Delivery in IBM QRadar

Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution, typically via native utilities such as csc.exe (C# compiler), ilasm.exe (.NET assembler), or GCC/MinGW. Source code payloads may also be encrypted or encoded. Threat actors including MuddyWater, Gamaredon Group, and Rocke, and malware families such as Cardinal RAT and DarkWatchman, have used this technique to compile malware on victim systems with built-in compiler utilities.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1027 Obfuscated Files or Information
Sub-technique
T1027.004 Compile After Delivery
Canonical reference
https://attack.mitre.org/techniques/T1027/004/

QRadar Detection Query

IBM QRadar (QRadar), AQL
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  sourceip,
  username,
  "processname" AS process_name,
  "commandline" AS command_line,
  "parentprocessname" AS parent_process,
  CASE
    WHEN LOWER("commandline") LIKE '%\temp\%' OR LOWER("commandline") LIKE '%\appdata\%' OR LOWER("commandline") LIKE '%\downloads\%' THEN 1
    ELSE 0
  END AS source_from_temp,
  CASE
    WHEN LOWER("parentprocessname") LIKE '%powershell%' OR LOWER("parentprocessname") LIKE '%wscript%'
      OR LOWER("parentprocessname") LIKE '%cscript%' OR LOWER("parentprocessname") LIKE '%mshta%'
      OR LOWER("parentprocessname") LIKE '%cmd%' THEN 1
    ELSE 0
  END AS parent_suspicious,
  CASE
    WHEN LOWER("commandline") NOT LIKE '%visual studio%' AND LOWER("commandline") NOT LIKE '%devenv%' THEN 1
    ELSE 0
  END AS no_visual_studio
FROM events
WHERE devicetime > NOW() - 86400000
  AND LOGSOURCETYPEID IN (12, 13, 352)
  AND eventid = 1
  AND (
    LOWER("processname") = 'csc.exe'
    OR LOWER("processname") = 'vbc.exe'
    OR LOWER("processname") = 'ilasm.exe'
    OR LOWER("processname") = 'msbuild.exe'
    OR LOWER("processname") = 'jsc.exe'
    OR LOWER("processname") = 'cl.exe'
    OR LOWER("processname") = 'gcc'
    OR LOWER("processname") = 'g++'
  )
  AND NOT LOWER("commandline") LIKE '%winsxs%'
HAVING (source_from_temp + parent_suspicious + no_visual_studio) >= 2
ORDER BY event_time DESC
Severity: high · Confidence: medium

AQL rule targeting Sysmon Event ID 1 (Process Create) for known compiler binaries (csc, vbc, ilasm, msbuild, jsc, cl, gcc, g++). Each matching event is scored on three indicators: the command line references a user-writable path (Temp, AppData, Downloads), the parent is a script host or shell (powershell, wscript, cscript, mshta, cmd), and the command line does not reference Visual Studio or devenv. Events scoring 2 or more are surfaced, mirroring the Splunk (SPL) reference query for this technique. Note that the third indicator is true for almost every command line, so in practice one positive from either of the first two is enough to alert; treat the score as a triage aid rather than as two independent corroborating signals. Three things to verify before deploying: the log source type IDs (12, 13, 352) are deployment-specific and must be checked against your own log sources; "processname" is compared by equality, so if that property carries the full image path (as Sysmon's Image field does) the comparisons must become suffix matches such as LIKE '%\csc.exe'; and Windows Security Event Log process-creation events (4688) do not carry Sysmon's event ID 1, so the eventid test must be extended if Sysmon is not deployed. Maps to T1027.004.
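The WHERE filter and the three-indicator score from the AQL above, re-implemented in Python as an added example (not part of this page and not IBM's code) so the scoring can be checked against sample events before the rule goes live. The events are constructed test data modelled on the Atomic tests and tuning notes on this page, not real telemetry; the log source type ID 11 given to the Linux event is a placeholder for "not a Windows log source", and the field names are assumptions standing in for QRadar's custom properties.

```python
"""Added example: the AQL rule's WHERE filter and indicator score in Python.
Sample events are constructed, not real telemetry; log source type 11 for the
Linux event is a placeholder, not a known QRadar ID."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

COMPILERS = {"csc.exe", "vbc.exe", "ilasm.exe", "msbuild.exe",
             "jsc.exe", "cl.exe", "gcc", "g++"}
SCRIPT_HOSTS = ("powershell", "wscript", "cscript", "mshta", "cmd")
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\downloads\\")
WINDOWS_LOG_SOURCE_TYPES = {12, 13, 352}   # as hard-coded in the AQL


@dataclass
class ProcessEvent:
    log_source_type_id: int
    event_id: int
    process_name: str      # Sysmon Image (full path)
    command_line: str
    parent_process: str    # Sysmon ParentImage (full path)


def basename(path: str) -> str:
    """The AQL compares "processname" with '=' and so assumes it holds the
    bare file name; normalise full Sysmon Image paths the same way."""
    return re.split(r"[\\/]", path)[-1].lower()


def score(ev: ProcessEvent) -> Optional[Dict[str, int]]:
    """Indicator flags and total for one event, or None when the event
    would not pass the AQL WHERE clause at all."""
    if ev.log_source_type_id not in WINDOWS_LOG_SOURCE_TYPES or ev.event_id != 1:
        return None
    if basename(ev.process_name) not in COMPILERS:
        return None
    cl = ev.command_line.lower()
    if "winsxs" in cl:                     # NOT LIKE '%winsxs%'
        return None
    parent = ev.parent_process.lower()     # LIKE '%powershell%' etc. on the full value
    flags = {
        "source_from_temp": int(any(p in cl for p in USER_WRITABLE)),
        "parent_suspicious": int(any(h in parent for h in SCRIPT_HOSTS)),
        "no_visual_studio": int("visual studio" not in cl and "devenv" not in cl),
    }
    flags["total"] = sum(flags.values())
    return flags


def alert_labels(events: Dict[str, ProcessEvent]) -> List[str]:
    """Labels of the events the HAVING clause (score >= 2) would surface."""
    return [label for label, ev in events.items()
            if (s := score(ev)) is not None and s["total"] >= 2]


# Constructed events modelled on the Atomic tests and the tuning notes.
SAMPLE_EVENTS = {
    # Test 1 / Test 4: compiler run from %TEMP% by a shell or script host
    "test1_csc_from_cmd": ProcessEvent(
        12, 1,
        r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
        r"csc.exe /out:C:\Users\alice\AppData\Local\Temp\compiled_payload.exe "
        r"C:\Users\alice\AppData\Local\Temp\payload.cs",
        r"C:\Windows\System32\cmd.exe"),
    # Test 2: MSBuild inline task launched from Explorer (no script host parent)
    "test2_msbuild_inline_task": ProcessEvent(
        12, 1,
        r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
        r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\evil.proj",
        r"C:\Windows\explorer.exe"),
    # Test 3: gcc on Linux; type 11 is a placeholder, not a Windows log source
    "test3_gcc_linux": ProcessEvent(
        11, 1, "/usr/bin/gcc",
        "gcc -o /tmp/compiled_payload /tmp/payload.c", "/bin/bash"),
    # Legitimate Visual Studio build: nothing in temp, parent is MSBuild
    "visual_studio_build": ProcessEvent(
        12, 1,
        r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\Roslyn\csc.exe",
        r'"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\Roslyn\csc.exe" '
        r"/noconfig @C:\Users\bob\source\repos\App\obj\Debug\App.rsp",
        r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe"),
    # Build-server false positive from the tuning notes: response file in %TEMP%
    "build_server_nuget": ProcessEvent(
        12, 1,
        r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
        r"csc.exe /noconfig @C:\Users\svc_build\AppData\Local\Temp\tmp8F3A.tmp",
        r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"),
}

if __name__ == "__main__":
    for label, ev in SAMPLE_EVENTS.items():
        print(f"{label:28s} {score(ev)}")
    print("alerts:", alert_labels(SAMPLE_EVENTS))
```

Running it shows the shape of the rule: the csc-from-cmd event scores 3, the MSBuild and build-server events both score 2 on nothing more than a Temp path plus the always-true no_visual_studio flag, the Linux gcc event is dropped by the log source filter before it is ever scored, and the Visual Studio build scores 0 only because its command line happens to contain "Visual Studio".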

Data Sources

  • Sysmon via WinCollect/DSM
  • Windows Security Event Log DSM (Microsoft Windows Security Event Log)

Required Tables

events

False Positives & Tuning

  • Build servers or developer VMs ingested into QRadar where msbuild/csc regularly run from AppData paths during NuGet restore and build operations
  • PowerShell-based deployment scripts that invoke csc.exe to compile helper utilities as part of a legitimate bootstrapping workflow
  • Security testing labs and red-team infrastructure where compilers are routinely executed by cmd.exe or PowerShell during tool preparation
Testing Methodology

Validate this detection against the 4 Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Compile and Execute C# Payload via csc.exe

    Expected signal: Sysmon Event ID 11: payload.cs created in %TEMP%. Sysmon Event ID 1: csc.exe with /out: argument pointing to %TEMP%. Sysmon Event ID 11: compiled_payload.exe created. Sysmon Event ID 1: compiled_payload.exe execution.

  2. Test 2: MSBuild Execution of Inline C# Task (LOLBin Abuse)

    Expected signal: Sysmon Event ID 11: evil.proj created in %TEMP%. Sysmon Event ID 1: MSBuild.exe process creation with %TEMP%\evil.proj argument. The code executes within the MSBuild process itself — no separate child process for the C# code.

  3. Test 3: Compile C Source Code with GCC (Linux/macOS)

    Expected signal: Process creation events: gcc with /tmp/payload.c argument, then compiled_payload execution. Syslog/auditd: execve syscalls for gcc and the compiled binary. File creation events for /tmp/payload.c and /tmp/compiled_payload. Note that the AQL above filters on Windows log source types and Sysmon Event ID 1, so this test exercises the technique but will not fire the query as written; it needs a Linux process-creation source (for example auditd execve records) and an adapted log source and event ID filter.

  4. Test 4: PowerShell Spawning csc.exe to Compile Downloaded Source

    Expected signal: Sysmon Event ID 1: powershell.exe with Set-Content and Start-Process commands. Sysmon Event ID 11: downloaded.cs and output.exe created in %TEMP%. Sysmon Event ID 1: csc.exe with parent PowerShell. Sysmon Event ID 1: output.exe executed.
