Detect Polymorphic Code in Google Chronicle
Adversaries use polymorphic (also called metamorphic or mutating) code to evade signature-based defenses by altering the malware's runtime footprint on each execution. The code mutates into a different version while preserving its original functionality — defeating hash-based and pattern-based detection. Mutation engines perform operations like instruction substitution, code transposition, dead code insertion, register reassignment, and encryption key rotation. BendyBear (attributed to APT41/Winnti) is a documented example. Polymorphic code is often combined with other techniques: software packing, command obfuscation, and encrypted/encoded payloads to create layered evasion. Detection must rely on behavioral indicators rather than static signatures.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1027 Obfuscated Files or Information
- Sub-technique
- T1027.014 Polymorphic Code
- Canonical reference
- https://attack.mitre.org/techniques/T1027/014/
YARA-L Detection Query
rule t1027_014_polymorphic_code_behavioral {
meta:
author = "Argus Detection Engineering"
description = "Detects behavioral indicators of polymorphic/metamorphic code: self-modifying binaries, mutation engine TTPs, and high-entropy executable staging"
mitre_attack_tactic = "Defense Evasion"
mitre_attack_technique = "T1027.014"
severity = "HIGH"
priority = "HIGH"
events:
// Pattern 1: Script interpreter staging a PE in a user-writable directory
(
$e1.metadata.event_type = "FILE_CREATION"
$e1.principal.process.file.full_path = /(?i)(powershell|cmd|wscript|cscript|mshta)\.exe$/
$e1.target.file.full_path = /(?i)\.(exe|dll|scr)$/
$e1.target.file.full_path = /(?i)\\(temp|appdata|programdata|public)\\/
$e1.principal.hostname = $hostname
)
OR
// Pattern 2: Memory manipulation APIs in PowerShell command line
(
$e1.metadata.event_type = "PROCESS_LAUNCH"
$e1.principal.process.file.full_path = /(?i)powershell\.exe$/
$e1.target.process.command_line = /(?i)(WriteAllBytes|WriteProcessMemory|VirtualAlloc|VirtualProtect|NtWriteVirtualMemory)/
$e1.principal.hostname = $hostname
)
OR
// Pattern 3: cmd.exe binary copy-and-execute chain
(
$e1.metadata.event_type = "PROCESS_LAUNCH"
$e1.principal.process.file.full_path = /(?i)cmd\.exe$/
$e1.target.process.command_line = /(?i)copy.*\.exe.*&&.*start/
$e1.principal.hostname = $hostname
)
OR
// Pattern 4: Self-modifying binary (executable writes sibling PE to same directory)
(
$e1.metadata.event_type = "FILE_MODIFICATION"
$e1.target.file.full_path = /(?i)\.(exe|dll|scr|bin)$/
$e1.target.file.full_path = /(?i)\\(temp|appdata|programdata|public)\\/
$e1.principal.process.file.full_path != /(?i)(setup|installer|update)\.exe$/
$e1.principal.hostname = $hostname
)
condition:
$e1Chronicle YARA-L 2.0 rule detecting T1027.014 Polymorphic Code behavioral patterns using UDM events. Covers script-host PE staging, PowerShell memory API calls, cmd.exe copy-execute chains, and self-modifying binary drops in staging directories.
Data Sources
Required Tables
False Positives & Tuning
- Electron application auto-updaters (VS Code, Slack, Teams) that write new app.exe to AppData and relaunch
- Antivirus or EDR products that use VirtualAlloc/VirtualProtect internally for legitimate memory scanning hooks
- CI/CD agents (GitHub Actions runner, GitLab runner) on Windows build nodes that compile and stage executables in temp paths
Other platforms for T1027.014
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Self-Modifying Binary Simulation (PowerShell WriteAllBytes)
Expected signal: Sysmon EventCode 11 (FileCreate) for svchost32.exe written to %TEMP%\polytest. EventCode 1 (ProcessCreate) for powershell.exe with 'WriteAllBytes' in CommandLine. PowerShell Script Block Log EventCode 4104 will capture the full script.
- Test 2High-Entropy Binary Drop to AppData (Simulated Mutated Payload)
Expected signal: Sysmon EventCode 11 for explorer32.exe creation in %APPDATA%\Microsoft\Windows\Themes by powershell.exe. The file will have high entropy due to GZip compression.
- Test 3Binary Copy-Then-Execute Pattern (Mutation Simulation)
Expected signal: Sysmon EventCode 11 (FileCreate) for variant_001.exe and variant_002.exe in %TEMP%. EventCode 1 for cmd.exe with 'copy' and '&&' pattern in CommandLine.
- Test 4Unsigned DLL Load from AppData (Polymorphic DLL Variant)
Expected signal: Sysmon EventCode 11 for theme32.dll written to %APPDATA% by powershell.exe. EventCode 7 (ImageLoad) for rundll32.exe loading the DLL from a non-Windows/Program Files path. EventCode 1 for rundll32.exe process.
References (5)
- https://attack.mitre.org/techniques/T1027/014
- https://unit42.paloaltonetworks.com/bendybear/
- https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/polymorphic-malware
- https://www.sentinelone.com/cybersecurity-101/threat-intelligence/what-is-polymorphic-malware
- https://medium.com/@shellseekerscyber/explainer-packed-malware-16f09cc75035
Unlock Pro Content
Get the full detection package for T1027.014 including response playbook, investigation guide, and atomic red team tests.