Detect Polymorphic Code in Sumo Logic CSE
Adversaries use polymorphic (also called metamorphic or mutating) code to evade signature-based defenses by altering the malware's runtime footprint on each execution. The code mutates into a different version while preserving its original functionality — defeating hash-based and pattern-based detection. Mutation engines perform operations like instruction substitution, code transposition, dead code insertion, register reassignment, and encryption key rotation. BendyBear (attributed to APT41/Winnti) is a documented example. Polymorphic code is often combined with other techniques: software packing, command obfuscation, and encrypted/encoded payloads to create layered evasion. Detection must rely on behavioral indicators rather than static signatures.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1027 Obfuscated Files or Information
- Sub-technique: T1027.014 Polymorphic Code
- Canonical reference: https://attack.mitre.org/techniques/T1027/014/
Sumo Detection Query
// T1027.014 - Polymorphic Code Detection
// Partition 1: PE files staged by interpreter processes
(_sourceCategory=*windows* OR _sourceCategory=*sysmon*)
| where EventCode = 11 OR EventCode = "11"
| parse field=TargetFilename "*" as target_file
| where target_file matches /(?i)\.(exe|dll|scr)$/
| where target_file matches /(?i)\\(temp|appdata|programdata|public)\\/
| parse field=Image "*" as initiating_image
| where initiating_image matches /(?i)(powershell|cmd|wscript|cscript|mshta)\.exe$/
| "pe_staged_by_interpreter" as detection_type
| 65 as risk_score
// Partition 2: Memory manipulation APIs in script hosts
| union [
(_sourceCategory=*windows* OR _sourceCategory=*sysmon*)
| where EventCode = 1 OR EventCode = "1"
| parse field=Image "*" as proc_image
| where proc_image matches /(?i)powershell\.exe$/
| where CommandLine matches /(?i)(WriteAllBytes|WriteProcessMemory|VirtualAlloc|VirtualProtect|NtWriteVirtualMemory)/
| "memory_manipulation_api" as detection_type
| 85 as risk_score
]
// Partition 3: Binary copy-and-execute chains
| union [
(_sourceCategory=*windows* OR _sourceCategory=*sysmon*)
| where EventCode = 1 OR EventCode = "1"
| parse field=Image "*" as proc_image
| where proc_image matches /(?i)cmd\.exe$/
| where CommandLine matches /(?i)copy.*\.exe.*&&.*start/
| "binary_copy_execute" as detection_type
| 70 as risk_score
]
// Partition 4: DLL loads from staging paths
| union [
(_sourceCategory=*windows* OR _sourceCategory=*sysmon*)
| where EventCode = 7 OR EventCode = "7"
| where !(ImageLoaded matches /(?i)(windows|program files|system32|syswow64)/)
| where ImageLoaded matches /(?i)\\(temp|appdata|programdata|public)\\/
| "unsigned_dll_load_staging" as detection_type
| 75 as risk_score
]
| table _time, Computer, detection_type, risk_score, Image, CommandLine, TargetFilename, ImageLoaded
| sort by risk_score desc
Sumo Logic CIP query for T1027.014 Polymorphic Code detection via Sysmon events. It detects PE files written to staging directories by interpreter processes, memory-manipulation API names in PowerShell command lines, cmd.exe copy-and-execute chains, and DLL loads from staging paths outside the standard system locations.
Data Sources
Required Tables
False Positives & Tuning
- Game launchers (Steam, Epic Games) that self-update by writing new executables to AppData and executing them
- Python/Node.js build tools that compile native extensions to temp directories during package installation
- Enterprise backup agents that use PowerShell cmdlets including Set-Content to stage recovery executables
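To make the four query partitions and the tuning list above concrete, here is an added Python re-implementation of the query's logic run over constructed Sysmon events. This is example code written for this page, not code from the page itself or from Sumo Logic. Field names (EventCode, Image, CommandLine, TargetFilename, ImageLoaded, Computer) follow the query; every event value and the allowlist path \ProgramData\BackupAgent\ are constructed placeholders, and the allowlist mechanism itself is an assumed tuning approach, not something the query implements.

```python
import re

# Regexes mirror the Sumo query partitions (case-insensitive, like the (?i) flag).
STAGING_PATH = re.compile(r"\\(temp|appdata|programdata|public)\\", re.I)
PE_EXT = re.compile(r"\.(exe|dll|scr)$", re.I)
INTERPRETER = re.compile(r"(powershell|cmd|wscript|cscript|mshta)\.exe$", re.I)
POWERSHELL = re.compile(r"powershell\.exe$", re.I)
CMD = re.compile(r"cmd\.exe$", re.I)
MEMORY_API = re.compile(
    r"(WriteAllBytes|WriteProcessMemory|VirtualAlloc|VirtualProtect|NtWriteVirtualMemory)", re.I)
COPY_EXECUTE = re.compile(r"copy.*\.exe.*&&.*start", re.I)
SYSTEM_PATH = re.compile(r"(windows|program files|system32|syswow64)", re.I)

# Assumed tuning allowlist for the backup-agent false-positive class listed above.
# The staging directory is a constructed placeholder, not a real product path.
TUNING_ALLOWLIST = [re.compile(r"\\ProgramData\\BackupAgent\\", re.I)]


def classify(event):
    """Map one Sysmon event (dict keyed like the query fields) to
    (detection_type, risk_score), or None when no partition matches."""
    code = str(event.get("EventCode", ""))
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    if code == "11":  # Partition 1: FileCreate of a PE in a staging dir by an interpreter
        target = event.get("TargetFilename", "")
        if PE_EXT.search(target) and STAGING_PATH.search(target) and INTERPRETER.search(image):
            return ("pe_staged_by_interpreter", 65)
    elif code == "1":  # Partitions 2 and 3: ProcessCreate
        if POWERSHELL.search(image) and MEMORY_API.search(cmdline):
            return ("memory_manipulation_api", 85)
        if CMD.search(image) and COPY_EXECUTE.search(cmdline):
            return ("binary_copy_execute", 70)
    elif code == "7":  # Partition 4: ImageLoad from a staging dir outside system paths
        loaded = event.get("ImageLoaded", "")
        if not SYSTEM_PATH.search(loaded) and STAGING_PATH.search(loaded):
            return ("unsigned_dll_load_staging", 75)
    return None


def detect(events, allowlist=()):
    """Run classify() over events, drop hits whose file/command fields match an
    allowlist entry, and return the rest sorted by risk_score descending."""
    hits = []
    for ev in events:
        result = classify(ev)
        if result is None:
            continue
        haystack = " ".join(str(ev.get(k, "")) for k in
                            ("Image", "CommandLine", "TargetFilename", "ImageLoaded"))
        if any(rx.search(haystack) for rx in allowlist):
            continue
        dtype, score = result
        hits.append({"_time": ev.get("_time"), "Computer": ev.get("Computer"),
                     "detection_type": dtype, "risk_score": score,
                     "Image": ev.get("Image"), "CommandLine": ev.get("CommandLine"),
                     "TargetFilename": ev.get("TargetFilename"),
                     "ImageLoaded": ev.get("ImageLoaded")})
    return sorted(hits, key=lambda h: h["risk_score"], reverse=True)


# Constructed Sysmon events, shaped like the Atomic tests described on this page.
SAMPLE_EVENTS = [
    {"_time": "t1", "Computer": "WS01", "EventCode": 11,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\polytest\svchost32.exe"},
    {"_time": "t2", "Computer": "WS01", "EventCode": "1",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c [IO.File]::WriteAllBytes($p, $bytes)"},
    {"_time": "t3", "Computer": "WS01", "EventCode": 1,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c copy variant_001.exe variant_002.exe && start variant_002.exe"},
    {"_time": "t4", "Computer": "WS01", "EventCode": 7,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Roaming\theme32.dll"},
    # Caveat: the query's exclusion is a bare substring test, so a DLL under a
    # per-user ...\Microsoft\Windows\ folder is silently excluded by the word "windows".
    {"_time": "t5", "Computer": "WS01", "EventCode": 7,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Themes\theme32.dll"},
    # Benign backup agent staging a recovery executable via PowerShell (tuning case).
    {"_time": "t6", "Computer": "SRV02", "EventCode": 11,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\ProgramData\BackupAgent\recovery.exe"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS, allowlist=TUNING_ALLOWLIST):
        print(hit["risk_score"], hit["detection_type"], hit["Computer"])
```

Two points the sample surfaces when you tune this rule: Partition 4's exclusion regex tests for the substring "windows" anywhere in ImageLoaded, so a DLL staged under a per-user AppData\Roaming\Microsoft\Windows\ folder never fires; anchoring the exclusion to the drive root (for example a pattern such as ^[a-z]:\\(windows|program files) in the same regex dialect, an assumed refinement) keeps the intent without that gap. Also, despite its name, unsigned_dll_load_staging does not inspect the Signed or SignatureStatus fields that Sysmon EventCode 7 carries; adding a condition on those fields is the natural next tuning step for the game-launcher false positives.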
Other platforms for T1027.014
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Self-Modifying Binary Simulation (PowerShell WriteAllBytes)
  Expected signal: Sysmon EventCode 11 (FileCreate) for svchost32.exe written to %TEMP%\polytest. EventCode 1 (ProcessCreate) for powershell.exe with 'WriteAllBytes' in CommandLine. PowerShell Script Block Log EventCode 4104 will capture the full script.
- Test 2: High-Entropy Binary Drop to AppData (Simulated Mutated Payload)
  Expected signal: Sysmon EventCode 11 for explorer32.exe creation in %APPDATA%\Microsoft\Windows\Themes by powershell.exe. The file will have high entropy due to GZip compression.
- Test 3: Binary Copy-Then-Execute Pattern (Mutation Simulation)
  Expected signal: Sysmon EventCode 11 (FileCreate) for variant_001.exe and variant_002.exe in %TEMP%. EventCode 1 for cmd.exe with 'copy' and '&&' pattern in CommandLine.
- Test 4: Unsigned DLL Load from AppData (Polymorphic DLL Variant)
  Expected signal: Sysmon EventCode 11 for theme32.dll written to %APPDATA% by powershell.exe. EventCode 7 (ImageLoad) for rundll32.exe loading the DLL from a non-Windows/Program Files path. EventCode 1 for rundll32.exe process.
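Test 2 expects the dropped file to show high entropy because it is GZip-compressed, which is the same property an encrypted or key-rotated polymorphic payload exhibits. The following added example (not from this page, Atomic Red Team or Sumo Logic) implements the Shannon-entropy check an analyst would run as enrichment on a file flagged by the FileCreate partition, using constructed samples: plain text, a gzip stream of that text, and a seeded pseudo-random blob standing in for an encrypted payload. The 7.0 bits-per-byte threshold is an assumed starting point, not a value the page gives.

```python
import gzip
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, 0.0 for empty input, 8.0 for a
    perfectly uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_high_entropy(data: bytes, threshold: float = 7.0) -> bool:
    """Assumed triage rule: treat >= threshold bits/byte as compressed,
    packed or encrypted. Plain code and text sit well below this."""
    return shannon_entropy(data) >= threshold


def build_samples() -> dict:
    """Constructed inputs only; nothing here is real malware or telemetry."""
    rng = random.Random(1234)  # seeded so the samples are reproducible
    words = ["alpha", "bravo", "charlie", "delta", "echo", "foxtrot", "golf",
             "hotel", "india", "juliet", "kilo", "lima", "mike", "november"]
    plaintext = " ".join(rng.choice(words) for _ in range(3000)).encode()
    # Mirrors Test 2: the same bytes after GZip compression.
    compressed = gzip.compress(plaintext)
    # Stands in for an encrypted/key-rotated payload body.
    random_blob = bytes(rng.getrandbits(8) for _ in range(4096))
    return {"plaintext": plaintext, "gzip_compressed": compressed,
            "random_payload": random_blob}


def triage(samples: dict) -> dict:
    """Return {name: (entropy, verdict)} for each sample."""
    return {name: (round(shannon_entropy(b), 2), is_high_entropy(b))
            for name, b in samples.items()}


if __name__ == "__main__":
    for name, (h, hot) in triage(build_samples()).items():
        print(f"{name:16s} {h:5.2f} bits/byte  high_entropy={hot}")
```

Treat the verdict as a scoring input rather than a standalone alert: legitimate installers, game-launcher updates and compiled native extensions are also compressed, which is exactly the false-positive class listed above, so the entropy value is most useful when combined with the writing process and the staging path the query already keys on.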
References (5)
- https://attack.mitre.org/techniques/T1027/014
- https://unit42.paloaltonetworks.com/bendybear/
- https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/polymorphic-malware
- https://www.sentinelone.com/cybersecurity-101/threat-intelligence/what-is-polymorphic-malware
- https://medium.com/@shellseekerscyber/explainer-packed-malware-16f09cc75035