T1027.014 Polymorphic Code Mappings

Adversaries may use polymorphic code (also known as metamorphic or mutating code) to evade detection. Polymorphic code is software that changes its runtime footprint during execution.(Citation: polymorphic-blackberry) With each execution, the code mutates into a different version of itself that achieves the same purpose or objective as the original. This lets the malware evade traditional signature-based defenses, such as antivirus and antimalware tools.(Citation: polymorphic-sentinelone) Other obfuscation techniques can be combined with polymorphic code to the same end, including using mutation engines to perform Software Packing, Command Obfuscation, or Encrypted/Encoded File.(Citation: polymorphic-linkedin)(Citation: polymorphic-medium)


NIST 800-53 Mappings

Capability ID: SI-03
Capability Description: Malicious Code Protection
Mapping Type: mitigates
ATT&CK ID: T1027.014
ATT&CK Name: Polymorphic Code
Comments: Because polymorphic code is difficult to detect by signature-based means, the non-signature-based detection methods called out in this control should be implemented. Additionally, endpoint-level hardening should be in place to prevent the malware from inflicting damage on systems.

VERIS Mappings

Capability ID: action.hacking.variety.Evade Defenses
Capability Description: Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
Mapping Type: related-to
ATT&CK ID: T1027.014
ATT&CK Name: Polymorphic Code

GCP Mappings

Capability ID: cloud_ids
Capability Description: Cloud IDS
Mapping Type: technique_scores
ATT&CK ID: T1027.014
ATT&CK Name: Polymorphic Code