Obfuscated Files or Information: Compile After Delivery

Other sub-techniques of Obfuscated Files or Information (17)

ID	Name
ATAGS-T1104.001	Binary Padding
ATAGS-T1104.002	Command Obfuscation
ATAGS-T1104.003	Compile After Delivery
ATAGS-T1104.004	Compression
ATAGS-T1104.005	Dynamic API Resolution
ATAGS-T1104.006	Embedded Payloads
ATAGS-T1104.007	Encrypted/Encoded File
ATAGS-T1104.008	Fileless Storage
ATAGS-T1104.009	HTML Smuggling
ATAGS-T1104.010	Indicator Removal from Tools
ATAGS-T1104.011	Junk Code Insertion
ATAGS-T1104.012	LNK Icon Smuggling
ATAGS-T1104.013	Polymorphic Code
ATAGS-T1104.014	Software Packing
ATAGS-T1104.015	Steganography
ATAGS-T1104.016	Stripped Payloads
ATAGS-T1104.017	SVG Smuggling

Threat Actors may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as ilasm.exe, csc.exe, or GCC/MinGW.

ID: ATAGS-T1104.003

Sub-technique of: ATAGS-T1104

ⓘ

Tactic: Defense Evasion

ⓘ

Targeted Components: Software

ⓘ

Responsibility: Provider

Created: 18 April 2026

Last Modified: 18 April 2026

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.