Time
8 hours 28 minutes
Difficulty
Beginner
CEU/CPE
10

Video Transcription

00:00
Hello and welcome to another Application of the MITRE ATT&CK Framework discussion.
00:06
Today we're going to briefly look at Compile After Delivery within the Defense Evasion phase of the framework.
00:14
So with that, let's go ahead and jump right into our objectives. So the objectives of today's discussion are as follows.
00:21
We're going to describe what compile after delivery means, we're going to look at some mitigation techniques, and we're going to look at some detection techniques. So with that, let's go ahead and jump right in.
00:35
Compile after delivery is essentially when the threat actor delivers code to the victim's system in an uncompiled manner. So typically,
00:45
when we're using means to catch known variants of code, or of a payload or whatever it is that the threat actor is using, it's generally in a compiled manner.
00:59
Now, delivering the code in an uncompiled manner is done in an attempt to subvert technical controls by compiling the payload before execution. And so the hope here
01:11
is that instead of sending the code in a compiled manner, ready to go, it will put itself together, build itself up, and essentially do that right before it goes to execute, and the hope here again is that it will subvert
01:26
controls or systems and provide a means for the threat actor to get the payload to run.
01:32
So what are some things that we should look for in these cases?
01:36
Well, payloads may be encrypted, so there are some systems that may be able to pick up encrypted payloads or may be able to,
01:46
you know, seek those out and give you feedback on them before they become a new issue.
01:51
They may be encoded within other files, and some of us have seen where we take, like, an executable that's from a known source, and we try to put the payload within that known source and kind of trick the system into believing that it's something it's not.
02:06
Delivery can be done via phishing attachments and things of that nature. So if you've got end users that
02:12
aren't well trained, or if you've got end users that are historically good at opening these types of things, then
02:20
that's one way that these could be delivered. Payloads could be in a format that is not native to the operating system that's in use, so you may have a Windows system that's got some Linux-looking files on it. And in those cases, the systems may not always pick those up because they're not native to the operating system,
02:39
so that may be one confusing for users, and it may also be an attempt to trick defenses and things of that nature into not functioning properly.
02:50
So mitigation techniques with respect to this, as listed, are somewhat limited because of the complexity and the way in which these attacks happen. But we can always say that end user awareness training is a great mitigation technique here, because at the end of the day end users are typically the ones who are interacting with the payloads
03:09
or who are going out to different sites may be too *** in things that they think are legitimate.
03:15
Whatever the case may be,
03:16
building awareness, where the control set to actually outright stop these types of attacks is limited,
03:23
is always a good step in the right direction, because again, end users are likely going to be the ones that interact with this content. No disrespect to my end users out there. We love you. You help us to keep doing what we love doing. But if we help to educate end users in this case,
03:39
it could greatly limit the potential for one of these types of attacks to be successful or these types of defense evasion techniques to be successful.
03:49
So detection techniques. We do have a few extras here that could be of benefit.
03:54
So, monitoring systems for abnormal activities, like command line arguments for compilers like CSC and GCC. You know, things that are going to take C code and put it into an executable, machine-readable format. Definitely want to look for those. If there are any other compilers out there that may be pertinent to
04:12
your environment, your systems, it would be good to have
04:15
techniques in place to monitor for these types of things and their execution, especially if you're a manufacturer who doesn't do any type of programming. If no one in your environment should be compiling code or doing things of that nature,
04:30
then these things here should definitely be taken into account and monitored, and blocked even, if you can. Look for non-native binary formats and cross-platform compilers. Again, if the threat actor is using a nonstandard payload or nonstandard
04:48
format that your system wouldn't understand right out of the gate, it doesn't mean that it's benign. It could be done for a purpose or a reason.
04:56
So monitoring for those things could also be beneficial for the organization as well.
05:01
So let's go ahead and do a quick check on learning. True or false: the methods used for compile after delivery are easy to detect and prevent.
05:14
All right, well, if you need some additional time, please pause the video. So in the
05:23
This is not easy to detect and prevent. When we got to the mitigation components, we said, really, that end user awareness training is kind of the only mitigation technique that was described by MITRE; MITRE really used some language that was
05:39
not in favor of mitigation very heavily. But there are other controls we could implement in tandem with some of the other phases and vectors that will help to reduce the risk of compile after delivery being easily executed by a threat actor. So
05:55
this is not easy to detect and prevent, so this is a false statement. So let's go ahead and jump into our summary, so a very short summary. Today we described what compile after delivery is. Essentially, this is
06:09
the payload gets to us in a manner that is not readable and not executable. It is compiled using
06:15
some components that the threat actor would have in their overall package for this payload, and then it would be compiled before execution. We described the mitigation techniques, primarily being end user awareness training.
06:28
And then we described some detection techniques, like looking for compilers that are being run through the command line in environments, especially where coding or programming is not the standard day-to-day operation. And we also looked at
06:45
any binaries that would not be native to the system being a potential red flag as well.
06:51
So with that in mind, I want to thank you for your time today, and I look forward to seeing you again soon.

Application of the MITRE ATT&CK Framework

This MITRE ATT&CK training is designed to teach students how to apply the matrix to help mitigate current threats. Students will move through the 12 core areas of the framework to develop a thorough understanding of various access ATT&CK vectors.

Instructed By

Robert Smith
Director of Security Services at Corsica
Instructor