传递后编译

攻击者可能试图通过将文件作为未编译的代码传递给受害者，从而使有效载荷难以发现和分析。与模糊文件或信息(T1027)相似，基于文本的源代码文件可能会破坏针对可执行文件/二进制文件的保护措施的分析和审查。这些有效负载将需要在执行之前进行编译；通常通过本机实用程序，例如csc.exe或GCC/MinGW。

源代码有效载荷也可以被加密，编码和/或嵌入在其他文件中，例如作为鱼叉式附件(T1193)交付的文件。有效载荷也可能以无法识别的格式传递给本机OS（例如，macOS/Linux上的EXE），本质上是良性的，然后再通过捆绑的编译器和执行框架（重新）编译为适当的可执行二进制文件。

Compile After Delivery

Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Similar to Obfuscated Files or Information(1027), text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.

Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a Spearphishing Attachment(T1193). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.

程序示例

名称	描述
Cardinal RAT(S0348)	Cardinal RAT(S0348) 及其看门狗组件作为嵌入式未编译的源代码交付给受害者后，便会进行编译和执行。
MuddyWater(G0069)	MuddyWater(G0069) 已使用.NET csc.exe工具从下载的C＃代码编译可执行文件。

Name	Description
Cardinal RAT(S0348)	Cardinal RAT(S0348) and its watchdog component are compiled and executed after being delivered to victims as embedded, uncompiled source code.
MuddyWater(G0069)	MuddyWater(G0069) has used the .NET csc.exe tool to compile executables from downloaded C# code.

缓解措施

这种攻击技术无法通过预防性控制轻松缓解，因为它基于滥用系统功能。

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

检测

检测常见编译器（例如csc.exe和GCC/MinGW）的执行文件路径和命令行参数，并与其他可疑行为相关联，以减少来自正常用户和管理员行为的误报。有效载荷的汇编还可生成文件创建和/或文件写入事件。寻找非本机二进制格式以及跨平台的编译器和执行框架（如Mono），并确定它们在系统上是否具有合法用途。通常，这些仅应在特定和有限的情况下使用，例如用于软件开发。

Monitor the execution file paths and command-line arguments for common compilers, such as csc.exe and GCC/MinGW, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior. The compilation of payloads may also generate file creation and/or file write events. Look for non-native binary formats and cross-platform compiler and execution frameworks like Mono and determine if they have a legitimate purpose on the system. Typically these should only be used in specific and limited cases, like for software development.

- 译者: 林妙倩、戴亦仑 . source:cve.scap.org.cn