[T1027.007] Obfuscated Files or Information: Dynamic API Resolution. Dynamic API resolution hides which OS functions malware will call until runtime, defeating static inspection and altering file signatures to evade detection. Monitor module loads, suspicious GetProcAddress/LoadLibrary patterns, and unusual string-hash usage to spot this behavior. #DynamicAPIResolution #DefenseEvasion
Key points:
- Adversaries hide API calls until runtime to avoid static analysis and signature detection.
- Malware often stores hashed or encrypted function names instead of plain strings.
- Common runtime resolution uses LoadLibrary and GetProcAddress to link functions dynamically.
- Detection relies on monitoring module loads, API call patterns, and suspicious string decoding activity.
- Defenders should capture module load events, API execution logs, and memory analysis for indicators.
Description:
- Like a spy replacing names in a contact list with codes until a rendezvous, dynamic API resolution keeps real function names hidden until the program runs, so outsiders can't easily identify its intentions.
- Malware stores obfuscated identifiers (hashes/encrypted names) and reconstructs function addresses at runtime using OS linking calls (e.g., LoadLibrary, GetProcAddress), enabling concealed capabilities and making static detection and analysis difficult.
Detection:
- Monitor and alert on excessive or abnormal use of LoadLibrary/GetProcAddress and other runtime linking APIs using EDR telemetry or Sysmon image-load events (Sysmon Event ID 7, Image loaded).
- Collect module load and process creation logs; flag processes that load many libraries dynamically or resolve many functions in short time spans.
- Inspect memory for decoded strings or function name patterns at runtime using memory forensics tools (Volatility, Rekall) to find resolved API names not present in the binary.
- Detect hashed or encrypted function-name tables in binaries via static heuristics and entropy analysis; combine with sandbox run-time traces to confirm resolution behavior.
- Correlate file metadata and module load events with known benign baselines to reduce false positives from legitimate software that uses dynamic linking.
- Use behavioral signatures in EDR to catch sequences: string deobfuscation → LoadLibrary → GetProcAddress → suspicious API invocation (e.g., process injection, file manipulation).
- Apply best practices: enable detailed module and API execution logging, run unknown samples in instrumented sandboxes, maintain allowlists, and tune detections for common packing and obfuscation techniques.
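As an added example (not part of the ATT&CK entry) of the "many libraries in a short time span" heuristic above, combined with a benign baseline to reduce false positives: a small Python detector over constructed, simplified Sysmon Event ID 7 records. The pipe-delimited log format, the baseline table, and the window and threshold values are assumptions chosen for illustration.

```python
import datetime as dt
from collections import defaultdict

# Constructed, simplified Sysmon Event ID 7 (Image loaded) records:
# "<UTC time>|<pid>|<process image>|<loaded module>"
SAMPLE_EVENTS = """\
2024-05-01T10:00:00|4120|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\shell32.dll
2024-05-01T10:00:01|4120|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\user32.dll
2024-05-01T10:00:00|7788|C:\\Users\\Public\\update.exe|C:\\Windows\\System32\\kernel32.dll
2024-05-01T10:00:00|7788|C:\\Users\\Public\\update.exe|C:\\Windows\\System32\\ntdll.dll
2024-05-01T10:00:01|7788|C:\\Users\\Public\\update.exe|C:\\Windows\\System32\\ws2_32.dll
2024-05-01T10:00:01|7788|C:\\Users\\Public\\update.exe|C:\\Windows\\System32\\wininet.dll
2024-05-01T10:00:02|7788|C:\\Users\\Public\\update.exe|C:\\Windows\\System32\\advapi32.dll
2024-05-01T10:00:02|7788|C:\\Users\\Public\\update.exe|C:\\Windows\\System32\\crypt32.dll
2024-05-01T10:00:03|7788|C:\\Users\\Public\\update.exe|C:\\Windows\\System32\\psapi.dll
"""

# Hypothetical baseline: modules a process image is known to load during normal operation.
# Loads listed here are ignored so legitimate dynamic linking does not trip the alert.
BASELINE = {"c:\\windows\\explorer.exe": {"shell32.dll", "user32.dll", "ntdll.dll", "kernel32.dll"}}

def parse_events(text):
    """Parse the constructed log format into (timestamp, pid, image, module file name) tuples."""
    events = []
    for line in text.splitlines():
        ts, pid, image, module = line.split("|")
        events.append((dt.datetime.fromisoformat(ts), int(pid),
                       image.lower(), module.lower().rsplit("\\", 1)[-1]))
    return events

def find_load_bursts(events, window_seconds=5, threshold=4):
    """Return {pid: sorted non-baseline modules} for every process that loads more than
    `threshold` distinct non-baseline modules inside any `window_seconds` sliding window."""
    by_pid = defaultdict(list)
    for ts, pid, image, module in sorted(events):
        if module not in BASELINE.get(image, set()):
            by_pid[pid].append((ts, module))
    alerts = {}
    for pid, loads in by_pid.items():
        start = 0
        for end in range(len(loads)):
            # Advance the window start until the window fits within window_seconds.
            while (loads[end][0] - loads[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = {m for _, m in loads[start:end + 1]}
            if len(distinct) > threshold:
                alerts[pid] = sorted(distinct)
    return alerts

if __name__ == "__main__":
    for pid, modules in find_load_bursts(parse_events(SAMPLE_EVENTS)).items():
        print(f"pid {pid}: burst of {len(modules)} non-baseline module loads: {modules}")
```

In the sample, explorer.exe only loads baselined modules and stays quiet, while the unbaselined update.exe resolving seven networking and crypto libraries in three seconds is flagged.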
Tactics:
Defense Evasion
Platforms:
Windows
Data Sources:
File: File Metadata, Module: Module Load, Process: OS API Execution