Detect Polymorphic Code in Microsoft Sentinel
Adversaries use polymorphic (also called metamorphic or mutating) code to evade signature-based defenses by altering the malware's runtime footprint on each execution. The code mutates into a different version while preserving its original functionality — defeating hash-based and pattern-based detection. Mutation engines perform operations like instruction substitution, code transposition, dead code insertion, register reassignment, and encryption key rotation. BendyBear (attributed to APT41/Winnti) is a documented example. Polymorphic code is often combined with other techniques: software packing, command obfuscation, and encrypted/encoded payloads to create layered evasion. Detection must rely on behavioral indicators rather than static signatures.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1027 Obfuscated Files or Information
- Sub-technique
- T1027.014 Polymorphic Code
- Canonical reference
- https://attack.mitre.org/techniques/T1027/014/
KQL Detection Query
// T1027.014 - Polymorphic Code
// Detection focuses on behavioral indicators of mutation engines and self-modifying code
// since static signatures are ineffective by design against polymorphic malware
let SelfModifyingBehavior = DeviceFileEvents
| where ActionType in ("FileCreated", "FileModified")
| where FileName endswith ".exe" or FileName endswith ".dll" or FileName endswith ".scr" or FileName endswith ".bin"
// Self-modification: executable writes a new version of itself or a sibling binary
| where InitiatingProcessFolderPath == FolderPath
| where InitiatingProcessFileName != "setup.exe" and InitiatingProcessFileName != "installer.exe" and InitiatingProcessFileName != "update.exe"
| where FolderPath has_any ("\\Temp\\", "\\AppData\\", "\\ProgramData\\", "\\Users\\Public\\")
| extend DetectionType = "self_modifying_binary_drop";
let MutationEngineTTPs = DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where (
// PowerShell or cmd rewriting an executable (common in script-based polymorphic loaders)
(FileName in~ ("powershell.exe", "cmd.exe") and ProcessCommandLine has_any ("[IO.File]::WriteAllBytes", "WriteAllBytes", "-enc", "Set-Content") and ProcessCommandLine has_any (".exe", ".dll", ".scr"))
// Process spawning an executable with identical filename but different hash (detected via rapid create+execute)
or (FileName =~ "cmd.exe" and ProcessCommandLine matches regex @"copy.*\.exe.*&&.*start" )
// VirtualAlloc + WriteProcessMemory API chains (shellcode mutation in memory)
or (FileName in~ ("powershell.exe", "wscript.exe", "cscript.exe") and ProcessCommandLine has_any ("VirtualAlloc", "VirtualProtect", "WriteProcessMemory", "NtWriteVirtualMemory"))
)
| extend DetectionType = "mutation_engine_behavior";
let HighEntropyExecutableDrops = DeviceFileEvents
| where ActionType == "FileCreated"
| where FileName endswith ".exe" or FileName endswith ".dll"
| where FolderPath has_any ("\\Temp\\", "\\AppData\\Local\\Temp\\", "\\Users\\Public\\")
| where InitiatingProcessFileName in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| extend DetectionType = "high_entropy_executable_staged";
SelfModifyingBehavior
| union MutationEngineTTPs
| union HighEntropyExecutableDrops
| project-reorder Timestamp, DeviceName, DetectionType, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLinePolymorphic code detection is inherently behavioral rather than signature-based. This query focuses on three indicators: executables modifying themselves or dropping new PE variants in the same staging directory, PowerShell using WriteAllBytes or VirtualAlloc to manipulate binary content, and high-entropy PE files staged by scripting engines. Combine with EDR behavioral detections and memory scanning for better coverage. Confidence is intentionally moderate due to legitimate software updaters using similar patterns.
Other platforms for T1027.014
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Self-Modifying Binary Simulation (PowerShell WriteAllBytes)
Expected signal: Sysmon EventCode 11 (FileCreate) for svchost32.exe written to %TEMP%\polytest. EventCode 1 (ProcessCreate) for powershell.exe with 'WriteAllBytes' in CommandLine. PowerShell Script Block Log EventCode 4104 will capture the full script.
- Test 2High-Entropy Binary Drop to AppData (Simulated Mutated Payload)
Expected signal: Sysmon EventCode 11 for explorer32.exe creation in %APPDATA%\Microsoft\Windows\Themes by powershell.exe. The file will have high entropy due to GZip compression.
- Test 3Binary Copy-Then-Execute Pattern (Mutation Simulation)
Expected signal: Sysmon EventCode 11 (FileCreate) for variant_001.exe and variant_002.exe in %TEMP%. EventCode 1 for cmd.exe with 'copy' and '&&' pattern in CommandLine.
- Test 4Unsigned DLL Load from AppData (Polymorphic DLL Variant)
Expected signal: Sysmon EventCode 11 for theme32.dll written to %APPDATA% by powershell.exe. EventCode 7 (ImageLoad) for rundll32.exe loading the DLL from a non-Windows/Program Files path. EventCode 1 for rundll32.exe process.
References (5)
- https://attack.mitre.org/techniques/T1027/014
- https://unit42.paloaltonetworks.com/bendybear/
- https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/polymorphic-malware
- https://www.sentinelone.com/cybersecurity-101/threat-intelligence/what-is-polymorphic-malware
- https://medium.com/@shellseekerscyber/explainer-packed-malware-16f09cc75035
Unlock Pro Content
Get the full detection package for T1027.014 including response playbook, investigation guide, and atomic red team tests.