T1027.014 Elastic Security · Elastic

Detect Polymorphic Code in Elastic Security

Adversaries use polymorphic (also called metamorphic or mutating) code to evade signature-based defenses by altering the malware's runtime footprint on each execution. The code mutates into a different version while preserving its original functionality — defeating hash-based and pattern-based detection. Mutation engines perform operations like instruction substitution, code transposition, dead code insertion, register reassignment, and encryption key rotation. BendyBear (attributed to APT41/Winnti) is a documented example. Polymorphic code is often combined with other techniques: software packing, command obfuscation, and encrypted/encoded payloads to create layered evasion. Detection must rely on behavioral indicators rather than static signatures.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1027 Obfuscated Files or Information
Sub-technique
T1027.014 Polymorphic Code
Canonical reference
https://attack.mitre.org/techniques/T1027/014/

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.id with maxspan=5m
  [file where event.action in ("creation", "overwrite") and
   file.extension in ("exe", "dll", "scr", "bin") and
   file.path : ("*\\Temp\\*", "*\\AppData\\*", "*\\ProgramData\\*", "*\\Users\\Public\\*") and
   process.name : ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")] as event0
  [process where event.action == "start" and
   process.executable : ("*\\Temp\\*", "*\\AppData\\*", "*\\ProgramData\\*", "*\\Users\\Public\\*") and
   process.executable == event0.file.path]

OR

process where event.action == "start" and
  process.name : ("powershell.exe", "cmd.exe") and
  process.args : ("*WriteAllBytes*", "*WriteProcessMemory*", "*VirtualAlloc*", "*VirtualProtect*", "*NtWriteVirtualMemory*", "*Set-Content*") and
  process.args : ("*.exe*", "*.dll*", "*.scr*")

OR

sequence by host.id, process.parent.entity_id with maxspan=2m
  [file where event.action in ("creation", "overwrite") and
   file.extension in ("exe", "dll") and
   file.directory == process.working_directory]
  [process where event.action == "start" and
   process.parent.name == process.name]
high severity medium confidence

Detects polymorphic code behavioral indicators using Elastic EQL sequences: PE files staged by interpreters then executed, memory manipulation API usage in script hosts, and self-modifying binary patterns where a process drops a new executable in its own working directory and immediately executes it.

Data Sources

Elastic EndpointWinlogbeat with SysmonElastic Agent

Required Tables

logs-endpoint.events.process-*logs-endpoint.events.file-*winlogbeat-*

False Positives & Tuning

  • Software updaters and patch managers (e.g., Chrome, Firefox auto-update) that download and replace their own binaries in AppData
  • Development tools like npm, pip, or cargo that compile and stage executables in temp directories during legitimate builds
  • Enterprise software deployment tools (SCCM, Chocolatey, Ninite) that use PowerShell to stage and execute installers
Download portable Sigma rule (.yml)

Other platforms for T1027.014

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Self-Modifying Binary Simulation (PowerShell WriteAllBytes)

    Expected signal: Sysmon EventCode 11 (FileCreate) for svchost32.exe written to %TEMP%\polytest. EventCode 1 (ProcessCreate) for powershell.exe with 'WriteAllBytes' in CommandLine. PowerShell Script Block Log EventCode 4104 will capture the full script.

  2. Test 2High-Entropy Binary Drop to AppData (Simulated Mutated Payload)

    Expected signal: Sysmon EventCode 11 for explorer32.exe creation in %APPDATA%\Microsoft\Windows\Themes by powershell.exe. The file will have high entropy due to GZip compression.

  3. Test 3Binary Copy-Then-Execute Pattern (Mutation Simulation)

    Expected signal: Sysmon EventCode 11 (FileCreate) for variant_001.exe and variant_002.exe in %TEMP%. EventCode 1 for cmd.exe with 'copy' and '&&' pattern in CommandLine.

  4. Test 4Unsigned DLL Load from AppData (Polymorphic DLL Variant)

    Expected signal: Sysmon EventCode 11 for theme32.dll written to %APPDATA% by powershell.exe. EventCode 7 (ImageLoad) for rundll32.exe loading the DLL from a non-Windows/Program Files path. EventCode 1 for rundll32.exe process.

Last updated: 2026-04-13 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for T1027.014 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1027Obfuscated Files or Information

Related Sub-techniques

T1027.001Binary PaddingT1027.002Software PackingT1027.003SteganographyT1027.004Compile After DeliveryT1027.005Indicator Removal from ToolsT1027.006HTML SmugglingT1027.007Dynamic API ResolutionT1027.008Stripped PayloadsT1027.009Embedded PayloadsT1027.010Command ObfuscationT1027.011Fileless StorageT1027.012LNK Icon SmugglingT1027.013Encrypted/Encoded FileT1027.015CompressionT1027.016Junk Code InsertionT1027.017SVG Smuggling

Same Tactic: Defense Evasion

Popular Detections