From 68e93b08ebdeab7ab20ac26695ad190be526dd74 Mon Sep 17 00:00:00 2001 From: "@" <@> Date: Thu, 17 Sep 2020 21:01:31 -0500 Subject: [PATCH] added desc to T1027.004 --- DefenseEvasion.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/DefenseEvasion.md b/DefenseEvasion.md index 4400dc5..47993e4 100644 --- a/DefenseEvasion.md +++ b/DefenseEvasion.md @@ -34,6 +34,8 @@ Atomics: [T1070.001](https://github.com/redcanaryco/atomic-red-team/blob/master/ ### T1027.004 Compile After Delivery Atomics: [T1027.004](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md) +Both Atomic tests for this technique leverage csc.exe for compilation of code. The below will detect specific compilation of executables as well as dynamic compilation through detection of csc.exe creating executable files (both dll and exe). + ``` (TgtProcName = "csc.exe" AND SrcProcCmdLine Contains "/target:exe") OR (SrcProcName = "csc.exe" AND TgtFileIsExecutable = "true" AND SrcProcParentName Not In ("svchost.exe","AbtSvcHost_.exe")) ```
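Review bot: The added description in the T1027.004 hunk does not mention the parent-process exclusion that the query beneath it applies, so a reader will not know that csc.exe file creation under `svchost.exe` or `AbtSvcHost_.exe` is deliberately ignored. Please add a sentence stating that these two parents are excluded and why (presumably noise reduction), since this is a blind spot anyone deploying the query should be aware of. The phrase "both dll and exe" also deserves a qualifier: only the second clause (`TgtFileIsExecutable = "true"`) covers DLL output, while the first clause matches `/target:exe` alone. Finally, the first clause filters on `TgtProcName = "csc.exe"` but matches the string in `SrcProcCmdLine`; the description should say which process's command line is expected to carry `/target:exe`, because as written it reads as the launching process's command line rather than that of csc.exe itself.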