Obfuscated Files or Information: Polymorphic Code

Adversaries may utilize polymorphic code (also known as metamorphic or mutating code) to evade detection. Polymorphic code is a type of software capable of changing its runtime footprint during code execution.[1] With each execution of the software, the code is mutated into a different version of itself that achieves the same purpose or objective as the original. This functionality enables the malware to evade traditional signature-based defenses, such as antivirus and antimalware tools.[2]
Other obfuscation techniques can be combined with polymorphic code to the same end; for example, a mutation engine may apply Software Packing, Command Obfuscation, or Encrypted/Encoded File to each generated variant.[3][4]

ID: T1027.014
Sub-technique of: T1027
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
Contributors: TruKno; Ye Yint Min Thu Htut, Active Defense Team, DBS Bank
Version: 1.1
Created: 27 September 2024
Last Modified: 15 April 2025

Procedure Examples

ID Name Description
S0574 BendyBear

BendyBear changes its runtime footprint during code execution to evade signature-based defenses.[5]

Mitigations

ID Mitigation Description
M1049 Antivirus/Antimalware

Anti-virus can be used to automatically detect and quarantine suspicious files. Employment of advanced anti-malware techniques that make use of technologies like machine learning and behavior-based mechanisms to conduct signature-less malware detection will also be more effective than traditional indicator-based detection methods.

M1040 Behavior Prevention on Endpoint

On Windows 10+, enable Attack Surface Reduction (ASR) rules to prevent execution of potentially obfuscated payloads.

Detection Strategy

ID Name
DET0324 Detection Strategy for Polymorphic Code Mutation and Execution

Analytic ID Analytic Description

AN0919 Identifies self-modifying executables that exhibit changes in binary hash, entropy, or memory sections during or between executions, often tied to dynamic unpacking or decryption behaviors.

AN0920 Detects files or processes where execution results in frequent re-creation or modification of ELF binaries or interpreter scripts, often using chmod + execve with abnormal entropy.

AN0921 Tracks modification of executables or interpreter payloads (e.g., Mach-O, dylib) that mutate across runs, using scripting engines, JIT compilers, or side-loaded plugins.
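As an added illustration of analytic AN0919 (this is example code, not part of the ATT&CK page or any vendor product), the following Python compares the hash and Shannon entropy of an executable image across observed executions of the same path and reports the changes the analytic describes; the entropy thresholds and the sample images are constructed assumptions.

```python
import hashlib
import math
from collections import Counter

# Assumed tuning values (bits per byte), not figures from the ATT&CK page:
# images above HIGH_ENTROPY look packed or encrypted; a jump larger than
# ENTROPY_DELTA between two runs of the same path suggests a rewritten image.
HIGH_ENTROPY = 7.2
ENTROPY_DELTA = 1.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def fingerprint(data: bytes) -> dict:
    """Hash and entropy are the two per-image signals AN0919 compares."""
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "entropy": round(shannon_entropy(data), 3)}

def analyze_run(path: str, data: bytes, baseline: dict) -> list:
    """Compare the image observed for `path` against the previous observation
    held in `baseline` (updated in place) and return the findings."""
    findings = []
    fp = fingerprint(data)
    prev = baseline.get(path)
    if prev is not None:
        if fp["sha256"] != prev["sha256"]:
            findings.append(f"hash changed between executions of {path}")
        if abs(fp["entropy"] - prev["entropy"]) > ENTROPY_DELTA:
            findings.append(f"entropy shifted {prev['entropy']} -> {fp['entropy']} for {path}")
    if fp["entropy"] > HIGH_ENTROPY:
        findings.append(f"high-entropy image ({fp['entropy']} bits/byte) for {path}")
    baseline[path] = fp
    return findings

# Constructed sample images: two executions of the same path, the second one
# rewritten with a high-entropy body as a mutation engine would leave it.
RUN1 = b"MZ" + b"\x90" * 200 + b"Hello from the same program\x00" * 4
RUN2 = b"MZ" + bytes((i * 73 + 17) % 256 for i in range(256)) + b"Hello from the same program\x00"

if __name__ == "__main__":
    seen = {}
    for image in (RUN1, RUN2, RUN2):
        print(analyze_run("/tmp/sample.exe", image, seen) or "no findings")
```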

References