title: Compile After Delivery (T1027.004)
id: df00tech-t1027-004
status: experimental
description: "Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads must be compiled before execution, typically via native utilities such as csc.exe (C# compiler), ilasm.exe (.NET IL assembler), or GCC/MinGW. Source code payloads may also be encrypted or encoded. Threat actors such as MuddyWater, Gamaredon Group, and Rocke, and malware families such as Cardinal RAT and DarkWatchman, have used this technique to compile malware on victim systems with built-in compiler utilities."
references:
  - https://attack.mitre.org/techniques/T1027/004/
  - https://df00tech.com/detections/T1027.004
author: df00tech
date: 2026/04/13
tags:
  - attack.t1027.004
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # The original logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is a starting point built from the compilers named in the
  # description. A wildcard EventID selection would match every process-creation
  # event and must not ship.
  selection_compiler:
    Image|endswith:
      - '\csc.exe'
      - '\ilasm.exe'
      - '\gcc.exe'
      - '\g++.exe'
  # Build tooling that legitimately drives compilers (see falsepositives). Note that
  # MSBuild can itself be abused to run attacker-supplied code, so review this filter
  # against your environment before relying on it.
  filter_build_tooling:
    ParentImage|endswith:
      - '\MSBuild.exe'
      - '\devenv.exe'
  condition: selection_compiler and not filter_build_tooling
falsepositives:
  - Legitimate software development activity on developer workstations, where developers compile projects in their home directories
  - MSBuild invocations by Visual Studio or CI/CD build agents that legitimately compile in workspace directories
  - Package managers and build tools (NuGet, npm, Cargo) that invoke compilers as part of dependency compilation
  - System administration scripts that use csc.exe to compile small C# utilities for automation tasks
# Compiler execution alone is common on developer and build hosts (see falsepositives);
# escalate in the triage workflow when the source or output path is user-writable or
# the parent is a script host rather than build tooling.
level: medium
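The following is an added example, not part of the df00tech rule or of any Sigma tooling: the compiler-invocation logic from the description (csc.exe, ilasm.exe, GCC/MinGW), with the MSBuild/Visual Studio exclusion from the falsepositives list, applied in Python to a handful of constructed Sysmon Event ID 1 style process-creation events. The field names, the benign-parent allow-list and the user-writable-path escalation heuristic are assumptions chosen for illustration.

```python
"""Compile-after-delivery (T1027.004) detection logic applied to constructed
Sysmon Event ID 1 style process-creation events.

Added example: this is not the df00tech rule and not Sigma tooling. Field
names, the benign-parent allow-list and the user-writable-path heuristic are
assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Compilers named in the technique description: C# compiler, .NET IL assembler,
# GCC/MinGW. Matched on the lower-cased image basename.
COMPILER_IMAGES = frozenset({"csc.exe", "ilasm.exe", "gcc.exe", "g++.exe"})

# Parents that legitimately drive compilers (Visual Studio and MSBuild, per the
# falsepositives list). Assumed allow-list; tune per environment and remember
# that MSBuild itself can be abused to run attacker-supplied code.
BENIGN_PARENT_IMAGES = frozenset({"msbuild.exe", "devenv.exe"})

# Path fragments that mark user-writable locations where dropped source tends
# to land. Assumed heuristic, not part of the page.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\")


@dataclass(frozen=True)
class ProcessEvent:
    image: str
    command_line: str
    parent_image: str


def basename(path: str) -> str:
    """Lower-cased final path component, tolerating either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_compiler(event: ProcessEvent) -> bool:
    return basename(event.image) in COMPILER_IMAGES


def has_benign_parent(event: ProcessEvent) -> bool:
    return basename(event.parent_image) in BENIGN_PARENT_IMAGES


def touches_user_writable_path(event: ProcessEvent) -> bool:
    cl = event.command_line.lower()
    return any(marker in cl for marker in USER_WRITABLE_MARKERS)


def classify(event: ProcessEvent) -> Optional[str]:
    """Return a severity if the event matches the rule logic, else None.

    selection_compiler AND NOT filter_build_tooling; compiles that read or
    write under a user profile or temp directory are escalated to 'high'.
    """
    if not is_compiler(event) or has_benign_parent(event):
        return None
    return "high" if touches_user_writable_path(event) else "medium"


def evaluate(events):
    """Return (image basename, severity) pairs for matching events only."""
    hits = []
    for event in events:
        severity = classify(event)
        if severity:
            hits.append((basename(event.image), severity))
    return hits


# Constructed sample events (not captured telemetry).
SAMPLE_EVENTS = [
    # Script host compiling dropped C# from the user's temp directory.
    ProcessEvent(
        image=r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
        command_line=r"csc.exe /nologo /out:C:\Users\alice\AppData\Local\Temp\x.exe C:\Users\alice\AppData\Local\Temp\x.cs",
        parent_image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    ),
    # Same compiler driven by MSBuild: excluded by the build-tooling filter.
    ProcessEvent(
        image=r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
        command_line=r"csc.exe /noconfig @C:\src\app\obj\Debug\app.csproj.rsp",
        parent_image=r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
    ),
    # IL assembler launched from cmd.exe outside any user profile: still a match.
    ProcessEvent(
        image=r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe",
        command_line=r"ilasm.exe C:\build\stage.il /exe /output:C:\build\stage.exe",
        parent_image=r"C:\Windows\System32\cmd.exe",
    ),
    # Unrelated process creation: no match.
    ProcessEvent(
        image=r"C:\Windows\System32\notepad.exe",
        command_line="notepad.exe",
        parent_image=r"C:\Windows\explorer.exe",
    ),
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```

The parent-image filter suppresses the MSBuild-driven compile even though the same csc.exe binary runs; keep that trade-off in mind, since an adversary who launches MSBuild with a malicious project file would also pass it. Matching on the image basename rather than the full path is deliberate: compilers live under versioned framework directories and MinGW installs vary, so a full-path match would be brittle.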
