title: Polymorphic Code (T1027.014)
id: df00tech-t1027-014
status: experimental
description: "Adversaries use polymorphic (also called metamorphic or mutating) code to evade signature-based defenses by altering the malware's runtime footprint on each execution. The code mutates into a different version while preserving its original functionality, which defeats hash-based and pattern-based detection. Mutation engines perform operations such as instruction substitution, code transposition, dead code insertion, register reassignment, and encryption key rotation. BendyBear (attributed to APT41/Winnti) is a documented example. Polymorphic code is often combined with other techniques (software packing, command obfuscation, and encrypted or encoded payloads) to create layered evasion. Detection must rely on behavioral indicators rather than static signatures."
references:
  - https://attack.mitre.org/techniques/T1027/014/
  - https://df00tech.com/detections/T1027.014
author: df00tech
date: 2026/04/13
tags:
  - attack.t1027.014
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The placeholder selection below (EventID: '*') matches every Windows event and must be
  # replaced with real behavioral logic before this rule is deployed.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Unknown
level: medium
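The description states that polymorphic variants defeat hash-based detection and that three of the named mutation operations (register reassignment, instruction substitution, dead code insertion) change bytes without changing behavior. The following Python script is an added illustration, not part of the df00tech rule or of MITRE's documentation: it takes two constructed, functionally equivalent assembly listings (hypothetical toy routines, not code from any real sample) and shows that their raw SHA-256 digests differ while a normalized form, with dead code removed, `xor r, r` folded to `mov r, 0`, and registers renamed in order of first use, hashes identically. Transposition and key rotation are deliberately not handled, which is the practical reason the rule text pushes detection toward behavior rather than static signatures.

```python
import hashlib
import re

# Constructed samples (not real malware): VARIANT_B is VARIANT_A after register
# reassignment (eax->ebx, ecx->edx), instruction substitution (mov r,0 -> xor r,r)
# and dead-code insertion (nop). UNRELATED is a different routine as a control.
VARIANT_A = """
mov eax, 0
mov ecx, [ebp+8]
add eax, ecx
ret
"""

VARIANT_B = """
nop
xor ebx, ebx
mov edx, [ebp+8]
nop
add ebx, edx
ret
"""

UNRELATED = """
mov eax, [ebp+8]
sub eax, 1
ret
"""

DEAD_CODE = {"nop"}
# General-purpose registers that a mutation engine may reassign freely.
# ebp/esp are left alone since frame and stack pointers are not usually swapped.
GPR_RE = re.compile(r"\b(eax|ebx|ecx|edx|esi|edi)\b")
# Semantic equivalence: "xor R, R" zeroes R exactly like "mov R, 0".
XOR_SELF_RE = re.compile(r"^xor (\w+), \1$")


def normalize(listing):
    """Return a canonical list of instructions for a toy asm listing."""
    lines = []
    for raw in listing.splitlines():
        line = raw.split(";", 1)[0].strip().lower()      # drop comments
        line = re.sub(r"\s*,\s*", ", ", line)              # canonical comma spacing
        line = re.sub(r"\s+", " ", line)                   # collapse whitespace
        if not line or line in DEAD_CODE:
            continue                                       # dead-code removal
        line = XOR_SELF_RE.sub(r"mov \1, 0", line)         # instruction-substitution folding
        lines.append(line)

    # Register canonicalization: rename each GPR to r0, r1, ... by first appearance,
    # so eax/ecx in one variant and ebx/edx in another collapse to the same names.
    mapping = {}

    def rename(match):
        reg = match.group(0)
        if reg not in mapping:
            mapping[reg] = "r%d" % len(mapping)
        return mapping[reg]

    return [GPR_RE.sub(rename, line) for line in lines]


def raw_hash(listing):
    """Plain SHA-256 of the listing text: what a hash-based signature compares."""
    return hashlib.sha256(listing.encode()).hexdigest()


def normalized_hash(listing):
    """SHA-256 over the normalized instruction stream."""
    return hashlib.sha256("\n".join(normalize(listing)).encode()).hexdigest()


if __name__ == "__main__":
    print("raw hashes equal:       ", raw_hash(VARIANT_A) == raw_hash(VARIANT_B))
    print("normalized hashes equal:", normalized_hash(VARIANT_A) == normalized_hash(VARIANT_B))
    print("control still distinct: ", normalized_hash(VARIANT_A) != normalized_hash(UNRELATED))
```

The normalizer only undoes mutations it knows about; a variant that reorders independent instructions or re-encrypts its body under a fresh key still produces a new normalized hash, so this kind of static canonicalization narrows the gap but does not close it. That limitation is the concrete reason a rule for this technique needs process, memory, or network behavior as its selection rather than a file or code hash.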
