Find sigma rule

Attack: Obfuscated Files or Information: Compile After Delivery

Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)

Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a Phishing. Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)

MITRE

Tactic

defense-evasion

technique

T1027.004

Test : Go compile

OS

linux
macos

Description:

Compile a go file with golang on FreeBSD, Linux or Macos.

Executor

Sigma Rule

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test