MITRE Technique [T1027.014] Obfuscated Files or Information: Polymorphic Code

[T1027.014] Obfuscated Files or Information: Polymorphic Code – Polymorphic code mutates its form on each execution to avoid signature-based detection, allowing malware to persist across Windows, Linux, and macOS environments by changing file content, metadata, or runtime behaviors. Detection requires behavior-based telemetry, file and application logs, and endpoint monitoring to spot anomalies in creation patterns, execution profiles, and mutation engine activity. #PolymorphicCode #DefenseEvasion

Keypoints

  • Polymorphic code changes its binary or script representation at each run to evade signature detection.
  • Mutation engines, packing, and encoding commonly accompany polymorphism to increase stealth.
  • Behavioral detection and runtime telemetry are more effective than static signatures.
  • Monitor file creation, metadata changes, and unusual execution patterns across platforms.
  • Threat hunting uses sandboxing and memory analysis to reveal mutated payloads.

Description:

  • Polymorphic code is like a chameleon wearing a new coat each time it moves; it looks different but behaves the same, so familiar defenses fail to recognize it.
  • The technique mutates code on each execution (via mutation engines, packing, or encoding) so the payload retains functionality while altering its runtime footprint, enabling adversaries to bypass signature-based AV and remain persistent across Windows, Linux, and macOS systems.

Detection:

  • Collect and analyze application logs for repeated executions of similarly behaving binaries with different hashes.
  • Monitor file creation events and file metadata for frequent file replacements, renames, or atypical entropy increases indicating packing or encryption.
  • Capture process creation and command-line telemetry to detect unusual execution sequences or repeated unpacking routines.
  • Use endpoint detection platforms with memory and behavioral analysis to catch runtime mutations that static scanners miss.
  • Deploy sandboxing to execute suspicious samples and compare behaviors across runs to reveal polymorphic transformations.
  • Watch network telemetry for consistent C2 patterns originating from processes that change file signatures or display packing indicators.
  • Correlate high-entropy file detection, repeated signature mismatches, and anomalous file timestamps to reduce false positives and prioritize hunts.
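Two of the indicators above, hash churn under an unchanged path and command line, and high byte entropy of the newest sample, combined into a small triage routine over constructed telemetry. This is an added example, not part of the ATT&CK page; the event shape, paths, hash labels, sample bytes and the 7.0 entropy threshold are all assumptions.

```python
import math
from collections import defaultdict

# Constructed process-creation records (hypothetical, not real telemetry):
# (timestamp, image_path, sha256, command_line).
EVENTS = [
    ("2024-05-01T08:00:01", "/tmp/.cache/upd", "hash-a1", "upd --beacon"),
    ("2024-05-01T08:05:02", "/tmp/.cache/upd", "hash-b2", "upd --beacon"),
    ("2024-05-01T08:10:03", "/tmp/.cache/upd", "hash-c3", "upd --beacon"),
    ("2024-05-01T08:15:04", "/tmp/.cache/upd", "hash-d4", "upd --beacon"),
    ("2024-05-01T09:00:00", "/usr/bin/curl", "hash-curl", "curl -s https://example.invalid"),
    ("2024-05-01T09:30:00", "/usr/bin/curl", "hash-curl", "curl -s https://example.invalid"),
]
# Constructed file contents keyed by hash: one packed-looking, one plain.
SAMPLE_BYTES = {
    "hash-d4": bytes(range(256)) * 8,          # uniform bytes, entropy 8.0
    "hash-curl": b"\x7fELF" + b"\x00" * 500,    # mostly zero padding
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 to 8.0; packed or encrypted content sits near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)

def hash_churn(events, min_distinct_hashes=3):
    """Group by (image_path, command_line) and keep groups that ran with at
    least min_distinct_hashes distinct file hashes: same behaviour, new bytes."""
    seen = defaultdict(set)
    for _ts, path, sha256, cmdline in events:
        seen[(path, cmdline)].add(sha256)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_distinct_hashes}

def prioritize(events, sample_bytes, entropy_threshold=7.0):
    """'high' when the newest churned hash is also high-entropy, else 'medium'."""
    ranked = {}
    for key, _hashes in hash_churn(events).items():
        newest = max(e for e in events if (e[1], e[3]) == key)[2]
        entropy = shannon_entropy(sample_bytes.get(newest, b""))
        ranked[key] = "high" if entropy >= entropy_threshold else "medium"
    return ranked

if __name__ == "__main__":
    for key, level in prioritize(EVENTS, SAMPLE_BYTES).items():
        print(level, key, hash_churn(EVENTS)[key])
```

The curl entries never reach the churn set because their hash is stable; the threshold and minimum hash count should be tuned against a baseline of legitimate updaters, which also rotate hashes under a fixed path.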

Tactics:
Defense Evasion

Platforms:
Linux, Windows, macOS

Data Sources:
Application Log: Application Log Content, File: File Creation, File: File Metadata

Relationship Citations:
(Citation: Unit42 BendyBear Feb 2021)

Read More: https://attack.mitre.org/techniques/T1027/014