Description
Adversaries may utilize polymorphic code (also known as metamorphic or mutating code) to evade detection. Polymorphic code is a type of software capable of changing its runtime footprint during code execution.(Citation: polymorphic-blackberry) With each execution of the software, the code is mutated into a different version of itself that achieves the same purpose or objective as the original. This functionality enables the malware to evade traditional signature-based defenses, such as antivirus and antimalware tools.(Citation: polymorphic-sentinelone) Other obfuscation techniques can be used in conjunction with polymorphic code to accomplish the intended effects, including using mutation engines to conduct actions such as Software Packing, Command Obfuscation, or Encrypted/Encoded File.(Citation: polymorphic-linkedin)(Citation: polymorphic-medium)
Platforms
Mitigations (2)
Behavior Prevention on EndpointM1040
On Windows 10+, enable Attack Surface Reduction (ASR) rules to prevent execution of potentially obfuscated payloads
Antivirus/AntimalwareM1049
Anti-virus can be used to automatically detect and quarantine suspicious files. Employment of advanced anti-malware techniques that make use of technologies like machine learning and behavior-based mechanisms to conduct signature-less malware detection will also be more effective than traditional indicator-based detection methods.
Associated Software (1)
| ID | Name | Type | Context |
|---|---|---|---|
| S0574 | BendyBear | Malware | BendyBear changes its runtime footprint during code execution to evade signature-based defenses.(Citation: Unit42 BendyBear Feb 2021) |
References
- Blackberry. (n.d.). What is Polymorphic Malware?. Retrieved September 27, 2024.
- SentinelOne. (2023, March 18). What is Polymorphic Malware? Examples and Challenges. Retrieved September 27, 2024.
- Shellseekercyber. (2024, January 7). Explainer: Packed Malware. Retrieved September 27, 2024.
- Sherwin Akshay. (2024, May 28). Techniques for concealing malware and hindering analysis: Packing up and unpacking stuff. Retrieved September 27, 2024.
Frequently Asked Questions
What is T1027.014 (Polymorphic Code)?
T1027.014 is a MITRE ATT&CK technique named 'Polymorphic Code'. It belongs to the Stealth tactic(s). Adversaries may utilize polymorphic code (also known as metamorphic or mutating code) to evade detection. Polymorphic code is a type of software capable of changing its runtime footprint during code e...
How can T1027.014 be detected?
Detection of T1027.014 (Polymorphic Code) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1027.014?
There are 2 documented mitigations for T1027.014. Key mitigations include: Behavior Prevention on Endpoint, Antivirus/Antimalware.
Which threat groups use T1027.014?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.