T1027.014 Splunk · SPL

Detect Polymorphic Code in Splunk

Adversaries use polymorphic (also called metamorphic or mutating) code to evade signature-based defenses by altering the malware's runtime footprint on each execution. The code mutates into a different version while preserving its original functionality — defeating hash-based and pattern-based detection. Mutation engines perform operations like instruction substitution, code transposition, dead code insertion, register reassignment, and encryption key rotation. BendyBear (attributed to APT41/Winnti) is a documented example. Polymorphic code is often combined with other techniques: software packing, command obfuscation, and encrypted/encoded payloads to create layered evasion. Detection must rely on behavioral indicators rather than static signatures.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1027 Obfuscated Files or Information
Sub-technique
T1027.014 Polymorphic Code
Canonical reference
https://attack.mitre.org/techniques/T1027/014/

SPL Detection Query

Splunk (SPL)
spl 
index=windows (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational")
| eval EventCode=coalesce(EventCode, event_id)
| search EventCode IN (1, 7, 11)
| eval detection_type=case(
    EventCode=11 AND match(lower(TargetFilename), "\.(exe|dll|scr)$") AND match(lower(TargetFilename), "\\(temp|appdata|programdata|public)\\") AND match(lower(Image), "(powershell|cmd|wscript|cscript|mshta)\.exe"), "pe_staged_by_interpreter",
    EventCode=1 AND match(lower(Image), "powershell\.exe") AND match(CommandLine, "(?i)(WriteAllBytes|Set-Content.*\.exe|VirtualAlloc|VirtualProtect|WriteProcessMemory)"), "memory_manipulation_api",
    EventCode=1 AND match(lower(Image), "cmd\.exe") AND match(CommandLine, "(?i)copy.*\.exe.*&&.*start"), "binary_copy_execute",
    EventCode=7 AND NOT match(lower(ImageLoaded), "(windows|program files|system32|syswow64)") AND match(lower(ImageLoaded), "\\(temp|appdata|programdata|public)\\"), "unsigned_dll_load_from_staging",
    true(), null()
)
| search detection_type=*
| eval risk_score=case(
    detection_type="memory_manipulation_api", 85,
    detection_type="binary_copy_execute", 70,
    detection_type="pe_staged_by_interpreter", 65,
    detection_type="unsigned_dll_load_from_staging", 75,
    true(), 50
)
| table _time, Computer, detection_type, risk_score, Image, CommandLine, TargetFilename, ImageLoaded, ParentImage
| sort -risk_score
medium severity medium confidence

EventCode 7 (ImageLoad) for unsigned DLLs loaded from temp/appdata staging directories is a strong indicator of polymorphic loaders that drop and load modified DLL variants. EventCode 1 with PowerShell WriteAllBytes or VirtualAlloc suggests in-memory binary manipulation. Detection confidence is low-medium due to legitimate use; behavioral context from surrounding events is essential.

Download portable Sigma rule (.yml)

Other platforms for T1027.014

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Self-Modifying Binary Simulation (PowerShell WriteAllBytes)

    Expected signal: Sysmon EventCode 11 (FileCreate) for svchost32.exe written to %TEMP%\polytest. EventCode 1 (ProcessCreate) for powershell.exe with 'WriteAllBytes' in CommandLine. PowerShell Script Block Log EventCode 4104 will capture the full script.

  2. Test 2High-Entropy Binary Drop to AppData (Simulated Mutated Payload)

    Expected signal: Sysmon EventCode 11 for explorer32.exe creation in %APPDATA%\Microsoft\Windows\Themes by powershell.exe. The file will have high entropy due to GZip compression.

  3. Test 3Binary Copy-Then-Execute Pattern (Mutation Simulation)

    Expected signal: Sysmon EventCode 11 (FileCreate) for variant_001.exe and variant_002.exe in %TEMP%. EventCode 1 for cmd.exe with 'copy' and '&&' pattern in CommandLine.

  4. Test 4Unsigned DLL Load from AppData (Polymorphic DLL Variant)

    Expected signal: Sysmon EventCode 11 for theme32.dll written to %APPDATA% by powershell.exe. EventCode 7 (ImageLoad) for rundll32.exe loading the DLL from a non-Windows/Program Files path. EventCode 1 for rundll32.exe process.

Last updated: 2026-04-13 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for T1027.014 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1027Obfuscated Files or Information

Related Sub-techniques

T1027.001Binary PaddingT1027.002Software PackingT1027.003SteganographyT1027.004Compile After DeliveryT1027.005Indicator Removal from ToolsT1027.006HTML SmugglingT1027.007Dynamic API ResolutionT1027.008Stripped PayloadsT1027.009Embedded PayloadsT1027.010Command ObfuscationT1027.011Fileless StorageT1027.012LNK Icon SmugglingT1027.013Encrypted/Encoded FileT1027.015CompressionT1027.016Junk Code InsertionT1027.017SVG Smuggling

Same Tactic: Defense Evasion

Popular Detections