Detect Polymorphic Code in IBM QRadar

Adversaries use polymorphic (also called metamorphic or mutating) code to evade signature-based defenses by altering the malware's runtime footprint on each execution. The code mutates into a different version while preserving its original functionality — defeating hash-based and pattern-based detection. Mutation engines perform operations like instruction substitution, code transposition, dead code insertion, register reassignment, and encryption key rotation. BendyBear (attributed to APT41/Winnti) is a documented example. Polymorphic code is often combined with other techniques: software packing, command obfuscation, and encrypted/encoded payloads to create layered evasion. Detection must rely on behavioral indicators rather than static signatures.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1027 Obfuscated Files or Information
Sub-technique: T1027.014 Polymorphic Code
Canonical reference: https://attack.mitre.org/techniques/T1027/014/

QRadar Detection Query

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "sourceip",
  "username",
  QIDNAME(qid) AS event_name,
  "URL" AS command_line,
  "filename" AS target_file,
  CATEGORYNAME(category) AS category_name,
  CASE
    WHEN "URL" ILIKE '%WriteAllBytes%' OR "URL" ILIKE '%WriteProcessMemory%' OR "URL" ILIKE '%VirtualAlloc%' THEN 'memory_manipulation_api'
    WHEN "URL" ILIKE '%copy%.exe%&&%start%' THEN 'binary_copy_execute'
    WHEN "filename" ILIKE '%.exe' AND ("filename" ILIKE '%\temp\%' OR "filename" ILIKE '%\appdata\%' OR "filename" ILIKE '%\programdata\%') THEN 'pe_staged_by_interpreter'
    ELSE 'unknown'
  END AS detection_type,
  CASE
    WHEN "URL" ILIKE '%WriteAllBytes%' OR "URL" ILIKE '%WriteProcessMemory%' OR "URL" ILIKE '%VirtualAlloc%' THEN 85
    WHEN "URL" ILIKE '%copy%.exe%&&%start%' THEN 70
    WHEN "filename" ILIKE '%.exe' AND ("filename" ILIKE '%\temp\%' OR "filename" ILIKE '%\appdata\%') THEN 65
    ELSE 50
  END AS risk_score
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13, 14, 15) -- Windows Security, Sysmon
  AND devicetime > NOW() - 1 HOURS
  AND (
    (QIDNAME(qid) ILIKE '%Process Create%' AND (
      ("URL" ILIKE '%powershell%' AND ("URL" ILIKE '%WriteAllBytes%' OR "URL" ILIKE '%VirtualAlloc%' OR "URL" ILIKE '%WriteProcessMemory%'))
      OR ("URL" ILIKE '%cmd.exe%' AND "URL" ILIKE '%copy%.exe%' AND "URL" ILIKE '%start%')
    ))
    OR (QIDNAME(qid) ILIKE '%File Create%' AND
      ("filename" ILIKE '%.exe' OR "filename" ILIKE '%.dll') AND
      ("filename" ILIKE '%\temp\%' OR "filename" ILIKE '%\appdata\%' OR "filename" ILIKE '%\programdata\%') AND
      ("URL" ILIKE '%powershell%' OR "URL" ILIKE '%wscript%' OR "URL" ILIKE '%cscript%' OR "URL" ILIKE '%mshta%')
    )
    OR (QIDNAME(qid) ILIKE '%Image Load%' AND
      NOT ("filename" ILIKE '%\windows\%' OR "filename" ILIKE '%\program files%' OR "filename" ILIKE '%system32%') AND
      ("filename" ILIKE '%\temp\%' OR "filename" ILIKE '%\appdata\%' OR "filename" ILIKE '%\programdata\%')
    )
  )
ORDER BY risk_score DESC, devicetime DESC

Severity: high · Confidence: medium

QRadar AQL query detecting polymorphic code behavioral TTPs: memory manipulation API calls from scripting engines, binary copy-and-execute chains, PE files staged in user-writable directories by interpreter processes, and unsigned DLL loads from staging paths.
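To see how the rule's WHERE filter and its two CASE expressions interact, here is an added Python re-implementation run over constructed sample events (example code, not the page's or IBM's); the event field layout, the sample command lines and paths are assumptions, and ILIKE is emulated by lower-casing plus substring and regex checks.

```python
import re

# Constructed sample events: (QID name, command line as carried in the "URL" property, file name).
SAMPLE_EVENTS = [
    ("Process Create", r"powershell.exe -nop -c [IO.File]::WriteAllBytes('C:\Users\u\AppData\Local\Temp\polytest\svchost32.exe', $b)", ""),
    ("Process Create", r"cmd.exe /c copy %TEMP%\variant_001.exe %TEMP%\variant_002.exe && start %TEMP%\variant_002.exe", ""),
    ("File Create", "powershell.exe", r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Themes\explorer32.exe"),
    ("File Create", "wscript.exe //B stage.js", r"C:\ProgramData\vendor\updater.exe"),
    ("Image Load", "", r"C:\Users\u\AppData\Roaming\theme32.dll"),
    ("Process Create", "powershell.exe -Command Get-Process", ""),
    ("File Create", "powershell.exe", r"C:\Program Files\vendor\helper.dll"),
]
STAGING = ("\\temp\\", "\\appdata\\", "\\programdata\\")
MEMORY_APIS = ("writeallbytes", "writeprocessmemory", "virtualalloc")
INTERPRETERS = ("powershell", "wscript", "cscript", "mshta")
SYSTEM_PATHS = ("\\windows\\", "\\program files", "system32")

def _staged(path):
    return any(d in path for d in STAGING)

def matches_where(name, cmd, fn):
    """The WHERE clause: one of three event shapes must match (inputs already lower-cased, as ILIKE is case-insensitive)."""
    if "process create" in name:
        return (("powershell" in cmd and any(a in cmd for a in MEMORY_APIS))
                or ("cmd.exe" in cmd and re.search(r"copy.*\.exe", cmd) is not None and "start" in cmd))
    if "file create" in name:
        return fn.endswith((".exe", ".dll")) and _staged(fn) and any(i in cmd for i in INTERPRETERS)
    if "image load" in name:
        return not any(s in fn for s in SYSTEM_PATHS) and _staged(fn)
    return False

def classify(event):
    """Return (detection_type, risk_score) as the two CASE expressions would, or None if WHERE filters the event out."""
    name, cmd, fn = (s.lower() for s in event)
    if not matches_where(name, cmd, fn):
        return None
    if any(a in cmd for a in MEMORY_APIS):
        return "memory_manipulation_api", 85
    if re.search(r"copy.*\.exe.*&&.*start", cmd):  # ILIKE '%copy%.exe%&&%start%'
        return "binary_copy_execute", 70
    if fn.endswith(".exe") and _staged(fn):
        # The risk_score CASE omits \programdata\, so a PE staged there is labelled but scores 50, not 65.
        return "pe_staged_by_interpreter", 65 if ("\\temp\\" in fn or "\\appdata\\" in fn) else 50
    return "unknown", 50  # e.g. an Image Load of a .dll: selected by WHERE but named by neither CASE

def run(events):
    """Apply the rule to every event and order the hits like ORDER BY risk_score DESC."""
    hits = [(i, *r) for i, e in enumerate(events) if (r := classify(e))]
    return sorted(hits, key=lambda h: -h[2])
```

Running `run(SAMPLE_EVENTS)` shows that the DLL load and the ProgramData drop both surface at the floor score of 50, which is where tuning attention belongs if those paths are noisy in your estate.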

Data Sources

  • Windows Security Event Log
  • Sysmon via Windows Event Log
  • Microsoft Sysmon DSM

Required Tables

events

False Positives & Tuning

  • Legitimate software installers that extract and execute components from %TEMP% during installation workflows
  • PowerShell DSC (Desired State Configuration) or WMF update mechanisms that write and execute modules from AppData
  • Security software (AV, EDR) that uses memory API calls during scanning or injection for legitimate hooking

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Self-Modifying Binary Simulation (PowerShell WriteAllBytes)

    Expected signal: Sysmon EventCode 11 (FileCreate) for svchost32.exe written to %TEMP%\polytest. EventCode 1 (ProcessCreate) for powershell.exe with 'WriteAllBytes' in CommandLine. PowerShell Script Block Log EventCode 4104 will capture the full script.

  2. Test 2: High-Entropy Binary Drop to AppData (Simulated Mutated Payload)

    Expected signal: Sysmon EventCode 11 for explorer32.exe creation in %APPDATA%\Microsoft\Windows\Themes by powershell.exe. The file will have high entropy due to GZip compression.

  3. Test 3: Binary Copy-Then-Execute Pattern (Mutation Simulation)

    Expected signal: Sysmon EventCode 11 (FileCreate) for variant_001.exe and variant_002.exe in %TEMP%. EventCode 1 for cmd.exe with 'copy' and '&&' pattern in CommandLine.

  4. Test 4: Unsigned DLL Load from AppData (Polymorphic DLL Variant)

    Expected signal: Sysmon EventCode 11 for theme32.dll written to %APPDATA% by powershell.exe. EventCode 7 (ImageLoad) for rundll32.exe loading the DLL from a non-Windows/Program Files path. EventCode 1 for rundll32.exe process.
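The AQL rule cannot measure the file entropy that Test 2 describes, so here is an added host-side triage check (example code, not the page's own) that scores a dropped PE by staging path and Shannon entropy; the 7.0 bits-per-byte threshold and the constructed sample buffers are assumptions.

```python
import math
import random
from collections import Counter

STAGING_DIRS = ("\\temp\\", "\\appdata\\", "\\programdata\\")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for an empty or single-valued buffer, 8.0 for a uniformly distributed one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage_dropped_pe(path: str, data: bytes, threshold: float = 7.0) -> dict:
    """Flag a PE dropped into a user-writable staging path whose body is near-random (compressed, packed or encrypted)."""
    staged = any(d in path.lower() for d in STAGING_DIRS)
    is_pe = data[:2] == b"MZ"  # DOS header magic; enough for this triage step
    entropy = shannon_entropy(data)
    return {"staged": staged, "is_pe": is_pe, "entropy": round(entropy, 2),
            "suspicious": staged and is_pe and entropy >= threshold}

# Constructed samples: a text-heavy stand-in for a plain binary, and one whose body is
# seeded pseudo-random bytes standing in for the GZip-compressed payload of Test 2.
PLAIN_PE = b"MZ" + b"This program cannot be run in DOS mode.\r\n" * 100
_rng = random.Random(1)
PACKED_PE = b"MZ" + bytes(_rng.getrandbits(8) for _ in range(4096))
```

Pair the verdict with the Sysmon EventCode 11 path from the rule: a high-entropy PE in a staging directory written by an interpreter is worth escalating, while the same bytes under Program Files fall outside this rule's scope.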
