T1027.014Polymorphic Code

Sub-technique of T1027

Platforms: Linux · macOS · Windows

ATT&CK version: v19.1

What it is

Adversaries may utilize polymorphic code (also known as metamorphic or mutating code) to evade detection. Polymorphic code is a type of software capable of changing its runtime footprint during code execution.[2] With each execution of the software, the code is mutated into a different version of itself that achieves the same purpose or objective as the original. This functionality enables the malware to evade traditional signature-based defenses, such as antivirus and antimalware tools.[3] Other obfuscation techniques can be used in conjunction with polymorphic code to accomplish the intended effects, including using mutation engines to conduct actions such as [Software Packing](https://attack.mitre.org/techniques/T1027/002), [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010), or [Encrypted/Encoded File](https://attack.mitre.org/techniques/T1027/013).[5][4]

ATT&CK tactics (1)

Stealth

References

  1. https://attack.mitre.org/techniques/T1027/014
  2. https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/polymorphic-malware
  3. https://www.sentinelone.com/cybersecurity-101/threat-intelligence/what-is-polymorphic-malware
  4. https://medium.com/@shellseekerscyber/explainer-packed-malware-16f09cc75035
  5. https://www.linkedin.com/pulse/techniques-concealing-malware-hindering-analysis-packing-akshay-unijc

Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.