Adversaries may utilize polymorphic code (also known as metamorphic or mutating code) to evade detection. Polymorphic code is a type of software capable of changing its runtime footprint during code execution.(Citation: polymorphic-blackberry) With each execution of the software, the code is mutated into a different version of itself that achieves the same purpose or objective as the original. This functionality enables the malware to evade traditional signature-based defenses, such as antivirus and antimalware tools.(Citation: polymorphic-sentinelone) Other obfuscation techniques can be used in conjunction with polymorphic code to accomplish the intended effects, including using mutation engines to conduct actions such as Software Packing, Command Obfuscation, or Encrypted/Encoded File.(Citation: polymorphic-linkedin)(Citation: polymorphic-medium)
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
---|---|---|---|---|---
DE.AE-02.01 | Event analysis and detection | Mitigates | T1027.014 | Polymorphic Code | This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
PR.IR-01.08 | End-user device access | Mitigates | T1027.014 | Polymorphic Code | This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization's network and resources.
PR.PS-01.01 | Configuration baselines | Mitigates | T1027.014 | Polymorphic Code | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation.
PR.PS-01.08 | End-user device protection | Mitigates | T1027.014 | Polymorphic Code | This diagnostic statement provides protections for endpoints from obfuscated files or information through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
PR.PS-05.01 | Malware prevention | Mitigates | T1027.014 | Polymorphic Code | Antivirus/antimalware software can be utilized to detect and quarantine suspicious files that adversaries have made difficult to discover by encrypting, encoding, or obfuscating them.
PR.PS-01.08 | End-user device protection | Mitigates | T1027.014 | Polymorphic Code | This diagnostic statement protects against Polymorphic Code by limiting access to resources to only authorized devices, managing personal computing devices, using network intrusion prevention, and using antimalware.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
---|---|---|---|---|---
SI-03 | Malicious Code Protection | mitigates | T1027.014 | Polymorphic Code | As polymorphic code is difficult to detect via signature-based means, the non-signature-based means pointed out in this control should be implemented for detection. Additionally, endpoint-level fortifications should be taken to prevent the malware from inflicting damage on systems.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
---|---|---|---|---|---
action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1027.014 | Polymorphic Code |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
---|---|---|---|---|---
alerts_for_linux_machines | Alerts for Linux Machines | technique_scores | T1027.014 | Polymorphic Code | This control can detect obfuscation via polymorphic code.
alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1027.014 | Polymorphic Code | This control can detect obfuscation via polymorphic code.
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | technique_scores | T1027.014 | Polymorphic Code | This control can protect against obfuscation via polymorphic code.
microsoft_antimalware_for_azure | Microsoft Antimalware for Azure | technique_scores | T1027.014 | Polymorphic Code | This control can protect against obfuscation via polymorphic code.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
---|---|---|---|---|---
cloud_ids | Cloud IDS | technique_scores | T1027.014 | Polymorphic Code | Google Cloud IDS can detect network-based threats like malicious software.