Detection Strategy for Polymorphic Code Mutation and Execution

Technique Detected: Polymorphic Code | T1027.014

ID: DET0324
Domains: Enterprise
Analytics: AN0919, AN0920, AN0921
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN0919

Identifies self-modifying executables whose binary hash, entropy, or memory sections change during or between executions; such changes are often tied to dynamic unpacking or decryption behaviors.

Log Sources
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |
Mutable Elements
| Field | Description |
|---|---|
| EntropyThreshold | Tune based on the expected baseline entropy for executables; higher values may indicate polymorphic packing. |
| TimeWindow | Correlate rapid process spawn and image load activity that suggests use of a mutation engine. |
| ParentProcessPatterns | Define expected or suspicious parent-child chains (e.g., script runner -> encoded PE). |

AN0920

Detects files or processes whose execution results in frequent re-creation or modification of ELF binaries or interpreter scripts, often via chmod followed by execve on content with abnormal entropy.

Log Sources
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| Module Load (DC0016) | auditd:SYSCALL | mmap |
| File Modification (DC0061) | auditd:SYSCALL | chmod |
Mutable Elements
| Field | Description |
|---|---|
| WriteExecThreshold | Tune to alert on a write followed by chmod and exec in quick succession. |
| FileEntropyDeviation | Detect high deviation from the average entropy score of baseline ELF/script files. |
| ExecutionFrequency | Abnormal bursts of executions of a file with identical functionality but a varying hash. |
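As an added example (not part of this ATT&CK entry), the AN0920 logic over constructed auditd-style events: a write -> chmod -> execve sequence on one path inside a time window (WriteExecThreshold) combined with a Shannon entropy check on the file's bytes (FileEntropyDeviation). The event tuple shape, the sample file contents, and the baseline/deviation values are assumptions for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed events in a simplified auditd-like shape (not real auditd output): (seconds, syscall, path).
SAMPLE_EVENTS = [
    (100.0, "write", "/tmp/.cache/x"),
    (100.4, "chmod", "/tmp/.cache/x"),
    (100.9, "execve", "/tmp/.cache/x"),
    (200.0, "write", "/home/dev/build/app"),   # ordinary build: minutes between steps
    (260.0, "chmod", "/home/dev/build/app"),
    (900.0, "execve", "/home/dev/build/app"),
]
# Constructed file contents, standing in for reading each path from disk.
SAMPLE_CONTENT = {
    "/tmp/.cache/x": bytes(range(256)) * 8,                                # packed/encrypted-looking bytes
    "/home/dev/build/app": b"\x7fELF" + b"\x00" * 500 + b"main\x00" * 20,  # sparse, low-entropy image
}

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def find_write_chmod_exec(events, time_window=5.0):
    """Paths seeing write -> chmod -> execve, in that order, within time_window seconds (WriteExecThreshold)."""
    by_path = defaultdict(list)
    for ts, syscall, path in events:
        by_path[path].append((ts, syscall))
    hits = []
    for path, evs in sorted(by_path.items()):
        evs.sort()
        for i, (t_write, syscall) in enumerate(evs):
            if syscall != "write":
                continue
            window = [(t, s) for t, s in evs[i + 1:] if t - t_write <= time_window]
            chmod_ts = [t for t, s in window if s == "chmod"]
            if chmod_ts and any(s == "execve" and t > chmod_ts[0] for t, s in window):
                hits.append(path)
                break
    return hits

def alert_polymorphic_drops(events, contents, baseline=5.0, deviation=2.0, time_window=5.0):
    """Alert only when the syscall sequence AND a FileEntropyDeviation above baseline both hold."""
    alerts = []
    for path in find_write_chmod_exec(events, time_window):
        entropy = shannon_entropy(contents.get(path, b""))
        if entropy - baseline >= deviation:
            alerts.append((path, round(entropy, 2)))
    return alerts
```

Requiring both signals keeps a slow, low-entropy developer build out of the alert list while the rapid drop of a high-entropy file is flagged.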

AN0921

Tracks modification of executables or interpreter payloads (e.g., Mach-O, dylib) that mutate across runs, whether through scripting engines, JIT compilers, or side-loaded plugins.

Log Sources
| Data Component | Name | Channel |
|---|---|---|
| Process Metadata (DC0034) | macos:unifiedlog | code signature/memory protection |
| File Creation (DC0039) | fs:fsusage | file open/write |
| Process Creation (DC0032) | macos:endpointsecurity | ES_EVENT_TYPE_NOTIFY_EXEC |
| Process Modification (DC0020) | macos:endpointsecurity | ES_EVENT_TYPE_NOTIFY_MMAP |
Mutable Elements
| Field | Description |
|---|---|
| ScriptEnginePatterns | Detection may vary depending on whether Python, Swift, or AppleScript is used to mutate payloads. |
| MachOEntropyThreshold | Entropy tuning based on the expected baseline for system versus user binaries. |
| SignedBinaryChangeRate | Helps flag apps whose contents change while they retain signed status across invocations. |