T1027.014 Polymorphic Code Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// T1027.014 - Polymorphic Code
// Detection focuses on behavioral indicators of mutation engines and self-modifying code
// since static signatures are ineffective by design against polymorphic malware
let SelfModifyingBehavior = DeviceFileEvents
| where ActionType in ("FileCreated", "FileModified")
| where FileName endswith ".exe" or FileName endswith ".dll" or FileName endswith ".scr" or FileName endswith ".bin"
// Self-modification: executable writes a new version of itself or a sibling binary
| where InitiatingProcessFolderPath == FolderPath
| where InitiatingProcessFileName != "setup.exe" and InitiatingProcessFileName != "installer.exe" and InitiatingProcessFileName != "update.exe"
| where FolderPath has_any ("\\Temp\\", "\\AppData\\", "\\ProgramData\\", "\\Users\\Public\\")
| extend DetectionType = "self_modifying_binary_drop";
let MutationEngineTTPs = DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where (
    // PowerShell or cmd rewriting an executable (common in script-based polymorphic loaders)
    (FileName in~ ("powershell.exe", "cmd.exe") and ProcessCommandLine has_any ("[IO.File]::WriteAllBytes", "WriteAllBytes", "-enc", "Set-Content") and ProcessCommandLine has_any (".exe", ".dll", ".scr"))
    // Process spawning an executable with identical filename but different hash (detected via rapid create+execute)
    or (FileName =~ "cmd.exe" and ProcessCommandLine matches regex @"copy.*\.exe.*&&.*start" )
    // VirtualAlloc + WriteProcessMemory API chains (shellcode mutation in memory)
    or (FileName in~ ("powershell.exe", "wscript.exe", "cscript.exe") and ProcessCommandLine has_any ("VirtualAlloc", "VirtualProtect", "WriteProcessMemory", "NtWriteVirtualMemory"))
)
| extend DetectionType = "mutation_engine_behavior";
let HighEntropyExecutableDrops = DeviceFileEvents
| where ActionType == "FileCreated"
| where FileName endswith ".exe" or FileName endswith ".dll"
| where FolderPath has_any ("\\Temp\\", "\\AppData\\Local\\Temp\\", "\\Users\\Public\\")
| where InitiatingProcessFileName in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| extend DetectionType = "high_entropy_executable_staged";
SelfModifyingBehavior
| union MutationEngineTTPs
| union HighEntropyExecutableDrops
| project-reorder Timestamp, DeviceName, DetectionType, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine

severity confidence

Splunk

spl

index=windows (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational")
| eval EventCode=coalesce(EventCode, event_id)
| search EventCode IN (1, 7, 11)
| eval detection_type=case(
    EventCode=11 AND match(lower(TargetFilename), "\.(exe|dll|scr)$") AND match(lower(TargetFilename), "\\(temp|appdata|programdata|public)\\") AND match(lower(Image), "(powershell|cmd|wscript|cscript|mshta)\.exe"), "pe_staged_by_interpreter",
    EventCode=1 AND match(lower(Image), "powershell\.exe") AND match(CommandLine, "(?i)(WriteAllBytes|Set-Content.*\.exe|VirtualAlloc|VirtualProtect|WriteProcessMemory)"), "memory_manipulation_api",
    EventCode=1 AND match(lower(Image), "cmd\.exe") AND match(CommandLine, "(?i)copy.*\.exe.*&&.*start"), "binary_copy_execute",
    EventCode=7 AND NOT match(lower(ImageLoaded), "(windows|program files|system32|syswow64)") AND match(lower(ImageLoaded), "\\(temp|appdata|programdata|public)\\"), "unsigned_dll_load_from_staging",
    true(), null()
)
| search detection_type=*
| eval risk_score=case(
    detection_type="memory_manipulation_api", 85,
    detection_type="binary_copy_execute", 70,
    detection_type="pe_staged_by_interpreter", 65,
    detection_type="unsigned_dll_load_from_staging", 75,
    true(), 50
)
| table _time, Computer, detection_type, risk_score, Image, CommandLine, TargetFilename, ImageLoaded, ParentImage
| sort -risk_score

severity confidence

Elastic Security (EQL)

eql

sequence by host.id with maxspan=5m
  [file where event.action in ("creation", "overwrite") and
   file.extension in ("exe", "dll", "scr", "bin") and
   file.path : ("*\\Temp\\*", "*\\AppData\\*", "*\\ProgramData\\*", "*\\Users\\Public\\*") and
   process.name : ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")] as event0
  [process where event.action == "start" and
   process.executable : ("*\\Temp\\*", "*\\AppData\\*", "*\\ProgramData\\*", "*\\Users\\Public\\*") and
   process.executable == event0.file.path]

OR

process where event.action == "start" and
  process.name : ("powershell.exe", "cmd.exe") and
  process.args : ("*WriteAllBytes*", "*WriteProcessMemory*", "*VirtualAlloc*", "*VirtualProtect*", "*NtWriteVirtualMemory*", "*Set-Content*") and
  process.args : ("*.exe*", "*.dll*", "*.scr*")

OR

sequence by host.id, process.parent.entity_id with maxspan=2m
  [file where event.action in ("creation", "overwrite") and
   file.extension in ("exe", "dll") and
   file.directory == process.working_directory]
  [process where event.action == "start" and
   process.parent.name == process.name]

high severity medium confidence

Data Sources

Elastic Endpoint Winlogbeat with Sysmon Elastic Agent

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-* winlogbeat-*

False Positives

Software updaters and patch managers (e.g., Chrome, Firefox auto-update) that download and replace their own binaries in AppData
Development tools like npm, pip, or cargo that compile and stage executables in temp directories during legitimate builds
Enterprise software deployment tools (SCCM, Chocolatey, Ninite) that use PowerShell to stage and execute installers

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "sourceip",
  "username",
  QIDNAME(qid) AS event_name,
  "URL" AS command_line,
  "filename" AS target_file,
  CATEGORYNAME(category) AS category_name,
  CASE
    WHEN "URL" ILIKE '%WriteAllBytes%' OR "URL" ILIKE '%WriteProcessMemory%' OR "URL" ILIKE '%VirtualAlloc%' THEN 'memory_manipulation_api'
    WHEN "URL" ILIKE '%copy%.exe%&&%start%' THEN 'binary_copy_execute'
    WHEN "filename" ILIKE '%.exe' AND ("filename" ILIKE '%\temp\%' OR "filename" ILIKE '%\appdata\%' OR "filename" ILIKE '%\programdata\%') THEN 'pe_staged_by_interpreter'
    ELSE 'unknown'
  END AS detection_type,
  CASE
    WHEN "URL" ILIKE '%WriteAllBytes%' OR "URL" ILIKE '%WriteProcessMemory%' OR "URL" ILIKE '%VirtualAlloc%' THEN 85
    WHEN "URL" ILIKE '%copy%.exe%&&%start%' THEN 70
    WHEN "filename" ILIKE '%.exe' AND ("filename" ILIKE '%\temp\%' OR "filename" ILIKE '%\appdata\%') THEN 65
    ELSE 50
  END AS risk_score
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13, 14, 15) -- Windows Security, Sysmon
  AND devicetime > NOW() - 1 HOURS
  AND (
    (QIDNAME(qid) ILIKE '%Process Create%' AND (
      ("URL" ILIKE '%powershell%' AND ("URL" ILIKE '%WriteAllBytes%' OR "URL" ILIKE '%VirtualAlloc%' OR "URL" ILIKE '%WriteProcessMemory%'))
      OR ("URL" ILIKE '%cmd.exe%' AND "URL" ILIKE '%copy%.exe%' AND "URL" ILIKE '%start%')
    ))
    OR (QIDNAME(qid) ILIKE '%File Create%' AND
      ("filename" ILIKE '%.exe' OR "filename" ILIKE '%.dll') AND
      ("filename" ILIKE '%\temp\%' OR "filename" ILIKE '%\appdata\%' OR "filename" ILIKE '%\programdata\%') AND
      ("URL" ILIKE '%powershell%' OR "URL" ILIKE '%wscript%' OR "URL" ILIKE '%cscript%' OR "URL" ILIKE '%mshta%')
    )
    OR (QIDNAME(qid) ILIKE '%Image Load%' AND
      NOT ("filename" ILIKE '%\windows\%' OR "filename" ILIKE '%\program files%' OR "filename" ILIKE '%system32%') AND
      ("filename" ILIKE '%\temp\%' OR "filename" ILIKE '%\appdata\%' OR "filename" ILIKE '%\programdata\%')
    )
  )
ORDER BY risk_score DESC, devicetime DESC

high severity medium confidence

Data Sources

Windows Security Event Log Sysmon via Windows Event Log Microsoft Sysmon DSM

Required Tables

events

False Positives

Legitimate software installers that extract and execute components from %TEMP% during installation workflows
PowerShell DSC (Desired State Configuration) or WMF update mechanisms that write and execute modules from AppData
Security software (AV, EDR) that uses memory API calls during scanning or injection for legitimate hooking

Sumo Logic CSE

sql

// T1027.014 - Polymorphic Code Detection
// Partition 1: PE files staged by interpreter processes
(_sourceCategory=*windows* OR _sourceCategory=*sysmon*)
| where EventCode = 11 OR EventCode = "11"
| parse field=TargetFilename "*" as target_file
| where target_file matches /(?i)\.(exe|dll|scr)$/
| where target_file matches /(?i)\\(temp|appdata|programdata|public)\\/
| parse field=Image "*" as initiating_image
| where initiating_image matches /(?i)(powershell|cmd|wscript|cscript|mshta)\.exe$/
| "pe_staged_by_interpreter" as detection_type
| 65 as risk_score

// Partition 2: Memory manipulation APIs in script hosts
| union [
  (_sourceCategory=*windows* OR _sourceCategory=*sysmon*)
  | where EventCode = 1 OR EventCode = "1"
  | parse field=Image "*" as proc_image
  | where proc_image matches /(?i)powershell\.exe$/
  | where CommandLine matches /(?i)(WriteAllBytes|WriteProcessMemory|VirtualAlloc|VirtualProtect|NtWriteVirtualMemory)/
  | "memory_manipulation_api" as detection_type
  | 85 as risk_score
]

// Partition 3: Binary copy-and-execute chains
| union [
  (_sourceCategory=*windows* OR _sourceCategory=*sysmon*)
  | where EventCode = 1 OR EventCode = "1"
  | parse field=Image "*" as proc_image
  | where proc_image matches /(?i)cmd\.exe$/
  | where CommandLine matches /(?i)copy.*\.exe.*&&.*start/
  | "binary_copy_execute" as detection_type
  | 70 as risk_score
]

// Partition 4: DLL loads from staging paths
| union [
  (_sourceCategory=*windows* OR _sourceCategory=*sysmon*)
  | where EventCode = 7 OR EventCode = "7"
  | where !(ImageLoaded matches /(?i)(windows|program files|system32|syswow64)/)
  | where ImageLoaded matches /(?i)\\(temp|appdata|programdata|public)\\/
  | "unsigned_dll_load_staging" as detection_type
  | 75 as risk_score
]

| table _time, Computer, detection_type, risk_score, Image, CommandLine, TargetFilename, ImageLoaded
| sort by risk_score desc

high severity medium confidence

Data Sources

Sysmon via Windows Event Log collector Sumo Logic Windows Event Log source

Required Tables

_sourceCategory=*windows* _sourceCategory=*sysmon*

False Positives

Game launchers (Steam, Epic Games) that self-update by writing new executables to AppData and executing them
Python/Node.js build tools that compile native extensions to temp directories during package installation
Enterprise backup agents that use PowerShell cmdlets including Set-Content to stage recovery executables

Google Chronicle / SecOps

yaral

rule t1027_014_polymorphic_code_behavioral {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects behavioral indicators of polymorphic/metamorphic code: self-modifying binaries, mutation engine TTPs, and high-entropy executable staging"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1027.014"
    severity = "HIGH"
    priority = "HIGH"

  events:
    // Pattern 1: Script interpreter staging a PE in a user-writable directory
    (
      $e1.metadata.event_type = "FILE_CREATION"
      $e1.principal.process.file.full_path = /(?i)(powershell|cmd|wscript|cscript|mshta)\.exe$/
      $e1.target.file.full_path = /(?i)\.(exe|dll|scr)$/
      $e1.target.file.full_path = /(?i)\\(temp|appdata|programdata|public)\\/
      $e1.principal.hostname = $hostname
    )
    OR
    // Pattern 2: Memory manipulation APIs in PowerShell command line
    (
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      $e1.principal.process.file.full_path = /(?i)powershell\.exe$/
      $e1.target.process.command_line = /(?i)(WriteAllBytes|WriteProcessMemory|VirtualAlloc|VirtualProtect|NtWriteVirtualMemory)/
      $e1.principal.hostname = $hostname
    )
    OR
    // Pattern 3: cmd.exe binary copy-and-execute chain
    (
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      $e1.principal.process.file.full_path = /(?i)cmd\.exe$/
      $e1.target.process.command_line = /(?i)copy.*\.exe.*&&.*start/
      $e1.principal.hostname = $hostname
    )
    OR
    // Pattern 4: Self-modifying binary (executable writes sibling PE to same directory)
    (
      $e1.metadata.event_type = "FILE_MODIFICATION"
      $e1.target.file.full_path = /(?i)\.(exe|dll|scr|bin)$/
      $e1.target.file.full_path = /(?i)\\(temp|appdata|programdata|public)\\/
      $e1.principal.process.file.full_path != /(?i)(setup|installer|update)\.exe$/
      $e1.principal.hostname = $hostname
    )

  condition:
    $e1

high severity medium confidence

Data Sources

Chronicle UDM Windows Sysmon via Chronicle forwarder Microsoft Defender for Endpoint via Chronicle

Required Tables

UDM Events - FILE_CREATION UDM Events - FILE_MODIFICATION UDM Events - PROCESS_LAUNCH

False Positives

Electron application auto-updaters (VS Code, Slack, Teams) that write new app.exe to AppData and relaunch
Antivirus or EDR products that use VirtualAlloc/VirtualProtect internally for legitimate memory scanning hooks
CI/CD agents (GitHub Actions runner, GitLab runner) on Windows build nodes that compile and stage executables in temp paths

CrowdStrike LogScale (CQL)

cql

// T1027.014 - Polymorphic Code: CrowdStrike LogScale (Falcon) Detection

// Branch 1: PE files written to staging directories by script interpreters
#event_simpleName=WriteFile
| FileName = /(?i)\.(exe|dll|scr|bin)$/
| FilePath = /(?i)\\(Temp|AppData|ProgramData|Public)\\/
| ImageFileName = /(?i)(powershell|cmd|wscript|cscript|mshta)\.exe$/
| "pe_staged_by_interpreter" as DetectionType
| 65 as RiskScore

// Branch 2: PowerShell using memory manipulation APIs
| union [
  #event_simpleName=ProcessRollup2
  | ImageFileName = /(?i)powershell\.exe$/
  | CommandLine = /(?i)(WriteAllBytes|WriteProcessMemory|VirtualAlloc|VirtualProtect|NtWriteVirtualMemory)/
  | "memory_manipulation_api" as DetectionType
  | 85 as RiskScore
]

// Branch 3: cmd.exe copy-and-execute binary chain
| union [
  #event_simpleName=ProcessRollup2
  | ImageFileName = /(?i)cmd\.exe$/
  | CommandLine = /(?i)copy.*\.exe.*&&.*start/
  | "binary_copy_execute" as DetectionType
  | 70 as RiskScore
]

// Branch 4: Module loads from staging directories (non-system path DLL loads)
| union [
  #event_simpleName=ClassifiedModuleLoad
  | NOT ImageFileName = /(?i)(\\Windows\\|\\Program Files|System32|SysWOW64)/
  | ImageFileName = /(?i)\\(Temp|AppData|ProgramData|Public)\\/
  | "unsigned_dll_load_staging" as DetectionType
  | 75 as RiskScore
]

| table([timestamp, ComputerName, DetectionType, RiskScore, ImageFileName, CommandLine, FileName, FilePath, UserName])
| sort(RiskScore, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Sensor Falcon Data Replicator LogScale Falcon event pipeline

Required Tables

#event_simpleName=ProcessRollup2 #event_simpleName=WriteFile #event_simpleName=ClassifiedModuleLoad

False Positives

Software provisioning tools deployed via Falcon Fusion or RMM solutions that legitimately stage executables in AppData during managed deployments
PowerShell-based application frameworks (.NET, WinForms apps) that use reflection and WriteAllBytes to extract embedded resources at runtime
Security awareness or red team simulation tools (e.g., Atomic Red Team) running authorized T1027 simulation tests

Polymorphic Code

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections