T1027.014 CrowdStrike LogScale · LogScale

Detect Polymorphic Code in CrowdStrike LogScale

Adversaries use polymorphic (also called metamorphic or mutating) code to evade signature-based defenses by altering the malware's runtime footprint on each execution. The code mutates into a different version while preserving its original functionality — defeating hash-based and pattern-based detection. Mutation engines perform operations like instruction substitution, code transposition, dead code insertion, register reassignment, and encryption key rotation. BendyBear (attributed to APT41/Winnti) is a documented example. Polymorphic code is often combined with other techniques: software packing, command obfuscation, and encrypted/encoded payloads to create layered evasion. Detection must rely on behavioral indicators rather than static signatures.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1027 Obfuscated Files or Information
Sub-technique
T1027.014 Polymorphic Code
Canonical reference
https://attack.mitre.org/techniques/T1027/014/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
// T1027.014 - Polymorphic Code: CrowdStrike LogScale (Falcon) Detection

// Branch 1: PE files written to staging directories by script interpreters
#event_simpleName=WriteFile
| FileName = /(?i)\.(exe|dll|scr|bin)$/
| FilePath = /(?i)\\(Temp|AppData|ProgramData|Public)\\/
| ImageFileName = /(?i)(powershell|cmd|wscript|cscript|mshta)\.exe$/
| "pe_staged_by_interpreter" as DetectionType
| 65 as RiskScore

// Branch 2: PowerShell using memory manipulation APIs
| union [
  #event_simpleName=ProcessRollup2
  | ImageFileName = /(?i)powershell\.exe$/
  | CommandLine = /(?i)(WriteAllBytes|WriteProcessMemory|VirtualAlloc|VirtualProtect|NtWriteVirtualMemory)/
  | "memory_manipulation_api" as DetectionType
  | 85 as RiskScore
]

// Branch 3: cmd.exe copy-and-execute binary chain
| union [
  #event_simpleName=ProcessRollup2
  | ImageFileName = /(?i)cmd\.exe$/
  | CommandLine = /(?i)copy.*\.exe.*&&.*start/
  | "binary_copy_execute" as DetectionType
  | 70 as RiskScore
]

// Branch 4: Module loads from staging directories (non-system path DLL loads)
| union [
  #event_simpleName=ClassifiedModuleLoad
  | NOT ImageFileName = /(?i)(\\Windows\\|\\Program Files|System32|SysWOW64)/
  | ImageFileName = /(?i)\\(Temp|AppData|ProgramData|Public)\\/
  | "unsigned_dll_load_staging" as DetectionType
  | 75 as RiskScore
]

| table([timestamp, ComputerName, DetectionType, RiskScore, ImageFileName, CommandLine, FileName, FilePath, UserName])
| sort(RiskScore, order=desc)
high severity medium confidence

CrowdStrike LogScale (Falcon) CQL query detecting T1027.014 polymorphic code TTPs via Falcon telemetry: PE file writes to staging paths by interpreter processes, PowerShell memory manipulation API chains, cmd.exe copy-execute patterns, and DLL loads from non-standard directories.

Data Sources

CrowdStrike Falcon SensorFalcon Data ReplicatorLogScale Falcon event pipeline

Required Tables

#event_simpleName=ProcessRollup2#event_simpleName=WriteFile#event_simpleName=ClassifiedModuleLoad

False Positives & Tuning

  • Software provisioning tools deployed via Falcon Fusion or RMM solutions that legitimately stage executables in AppData during managed deployments
  • PowerShell-based application frameworks (.NET, WinForms apps) that use reflection and WriteAllBytes to extract embedded resources at runtime
  • Security awareness or red team simulation tools (e.g., Atomic Red Team) running authorized T1027 simulation tests
Download portable Sigma rule (.yml)

Other platforms for T1027.014

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Self-Modifying Binary Simulation (PowerShell WriteAllBytes)

    Expected signal: Sysmon EventCode 11 (FileCreate) for svchost32.exe written to %TEMP%\polytest. EventCode 1 (ProcessCreate) for powershell.exe with 'WriteAllBytes' in CommandLine. PowerShell Script Block Log EventCode 4104 will capture the full script.

  2. Test 2High-Entropy Binary Drop to AppData (Simulated Mutated Payload)

    Expected signal: Sysmon EventCode 11 for explorer32.exe creation in %APPDATA%\Microsoft\Windows\Themes by powershell.exe. The file will have high entropy due to GZip compression.

  3. Test 3Binary Copy-Then-Execute Pattern (Mutation Simulation)

    Expected signal: Sysmon EventCode 11 (FileCreate) for variant_001.exe and variant_002.exe in %TEMP%. EventCode 1 for cmd.exe with 'copy' and '&&' pattern in CommandLine.

  4. Test 4Unsigned DLL Load from AppData (Polymorphic DLL Variant)

    Expected signal: Sysmon EventCode 11 for theme32.dll written to %APPDATA% by powershell.exe. EventCode 7 (ImageLoad) for rundll32.exe loading the DLL from a non-Windows/Program Files path. EventCode 1 for rundll32.exe process.

Last updated: 2026-04-13 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for T1027.014 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1027Obfuscated Files or Information

Related Sub-techniques

T1027.001Binary PaddingT1027.002Software PackingT1027.003SteganographyT1027.004Compile After DeliveryT1027.005Indicator Removal from ToolsT1027.006HTML SmugglingT1027.007Dynamic API ResolutionT1027.008Stripped PayloadsT1027.009Embedded PayloadsT1027.010Command ObfuscationT1027.011Fileless StorageT1027.012LNK Icon SmugglingT1027.013Encrypted/Encoded FileT1027.015CompressionT1027.016Junk Code InsertionT1027.017SVG Smuggling

Same Tactic: Defense Evasion

Popular Detections