T1027.007 Dynamic API Resolution Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

DeviceImageLoadEvents
| where Timestamp > ago(24h)
| where FileName in~ ("kernel32.dll", "ntdll.dll", "kernelbase.dll")
| where not (InitiatingProcessFolderPath startswith "C:\\Windows\\"
    or InitiatingProcessFolderPath startswith "C:\\Program Files\\"
    or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\")
| summarize
    LoadedModules=make_set(FileName),
    ModuleCount=dcount(FileName),
    TotalLoads=count()
    by DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessSHA256
| where ModuleCount >= 1
| join kind=leftouter (
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FileName !in~ ("svchost.exe", "lsass.exe", "services.exe", "explorer.exe")
    | summarize ImportCount=dcount(FileName) by DeviceName, SHA256
) on DeviceName
| project DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath,
         InitiatingProcessSHA256, LoadedModules, ModuleCount
| sort by ModuleCount asc

high severity medium confidence

Data Sources

Module: Module Load Microsoft Defender for Endpoint

Required Tables

DeviceImageLoadEvents DeviceProcessEvents

False Positives

Small portable utilities that genuinely have minimal imports and only use LoadLibrary/GetProcAddress for cross-version compatibility
Legitimate security tools and EDR agents that use dynamic loading for compatibility across Windows versions
Custom in-house applications written to be compatible with multiple Windows versions using dynamic API loading
Certain Go or Rust compiled binaries that have unusual DLL load patterns compared to C/C++ equivalents

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=7
  (ImageLoaded="*\\kernel32.dll" OR ImageLoaded="*\\kernelbase.dll" OR ImageLoaded="*\\ntdll.dll")
  NOT (Image="C:\\Windows\\*" OR Image="C:\\Program Files\\*" OR Image="C:\\Program Files (x86)\\*")
| stats
    dc(ImageLoaded) as CoreDLLLoads,
    values(ImageLoaded) as LoadedLibs,
    count as TotalEvents
    by host, Image, ProcessGuid
| where CoreDLLLoads >= 1
| join type=left ProcessGuid [
    search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=7
    NOT (Image="C:\\Windows\\*" OR Image="C:\\Program Files\\*")
    | stats dc(ImageLoaded) as AllModules by ProcessGuid
]
| where AllModules < 5
| table host, Image, CoreDLLLoads, AllModules, LoadedLibs
| sort AllModules asc

high severity medium confidence

Data Sources

Module: Module Load Sysmon Event ID 7

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Portable executable tools with genuinely minimal imports for cross-compatibility reasons
Certain .NET executables that use P/Invoke rather than static imports for cross-version compatibility
Security research tools designed to minimize their import footprint for analysis purposes
Packed legitimate software where the packer stub has minimal imports before decompressing the real binary

Elastic Security (EQL)

eql

library where
  dll.name in~ ("kernel32.dll", "ntdll.dll", "kernelbase.dll") and
  not process.executable like~ "C:\\Windows\\*" and
  not process.executable like~ "C:\\Program Files\\*" and
  not process.executable like~ "C:\\Program Files (x86)\\*" and
  process.executable != null and
  not process.name in~ ("svchost.exe", "lsass.exe", "services.exe", "explorer.exe", "MsMpEng.exe", "SenseIR.exe", "csrss.exe")

high severity medium confidence

Data Sources

Elastic Endpoint Security (DLL load telemetry) Windows Sysmon via Elastic Agent (Event ID 7)

Required Tables

logs-endpoint.events.library-* logs-windows.sysmon_operational-*

False Positives

Portable applications (e.g., portable browsers, standalone utilities) run from user home directories or removable media that legitimately load kernel32.dll or ntdll.dll at startup
Security tooling and debuggers (e.g., x64dbg, WinDbg, IDA Pro, Frida) installed or launched outside standard directories that instrument DLL loading for analysis purposes
Software installers or self-extracting archives that temporarily stage and execute binaries from %TEMP% before copying to their final installation path, causing transient loads from non-standard locations
Enterprise custom applications deployed by IT operations to non-standard directories (e.g., D:\Apps\) that legitimately import from the Windows DLL ecosystem at runtime

IBM QRadar (AQL)

sql

SELECT
  LOGSOURCEADDRESS(logsourceid) AS hostname,
  "SourceImage" AS process_path,
  COUNT(DISTINCT "ImageLoaded") AS core_dll_count,
  MIN(starttime) AS first_seen,
  MAX(starttime) AS last_seen
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) ILIKE '%sysmon%'
  AND eventid = 7
  AND (
    "ImageLoaded" ILIKE '%\\kernel32.dll'
    OR "ImageLoaded" ILIKE '%\\kernelbase.dll'
    OR "ImageLoaded" ILIKE '%\\ntdll.dll'
  )
  AND "SourceImage" NOT ILIKE 'C:\\Windows\\%'
  AND "SourceImage" NOT ILIKE 'C:\\Program Files\\%'
  AND "SourceImage" NOT ILIKE 'C:\\Program Files (x86)\\%'
  AND "SourceImage" IS NOT NULL
  AND "SourceImage" NOT ILIKE ''
  LAST 1440 MINUTES
GROUP BY
  hostname,
  process_path
HAVING core_dll_count >= 1
ORDER BY core_dll_count ASC

high severity medium confidence

Data Sources

Microsoft Windows Sysmon DSM (Event ID 7 - Image Load) QRadar Windows Security Event Log DSM

Required Tables

events

False Positives

Custom in-house enterprise applications deployed to non-standard paths (e.g., E:\CompanyApps\) that legitimately load kernel32.dll or ntdll.dll as part of normal Windows process initialization
Portable software bundles distributed via network shares or removable drives that execute outside Program Files and require core system DLL loading at runtime
Security and monitoring agents (SIEM forwarders, EDR sensors) installed in administrator-defined custom directories that instrument DLL loading for telemetry purposes

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon EventID=7
(ImageLoaded=*kernel32.dll OR ImageLoaded=*kernelbase.dll OR ImageLoaded=*ntdll.dll)
| where !(Image matches "C:\\Windows\\*")
| where !(Image matches "C:\\Program Files\\*")
| where !(Image matches "C:\\Program Files (x86)\\*")
| where Image != ""
| count_distinct(ImageLoaded) as CoreDLLLoads, values(ImageLoaded) as LoadedLibraries by Computer, Image, ProcessGuid
| where CoreDLLLoads >= 1
| join (
    _sourceCategory=windows/sysmon EventID=7
    | where !(Image matches "C:\\Windows\\*")
    | where !(Image matches "C:\\Program Files\\*")
    | where !(Image matches "C:\\Program Files (x86)\\*")
    | count_distinct(ImageLoaded) as TotalModules by Computer, Image, ProcessGuid
  ) on ProcessGuid
| where TotalModules < 5
| fields Computer, Image, CoreDLLLoads, TotalModules, LoadedLibraries
| sort by TotalModules asc

high severity medium confidence

Data Sources

Windows Sysmon Operational Log via Sumo Logic Installed Collector Sumo Logic Windows Source (Event ID 7)

Required Tables

windows/sysmon

False Positives

Minimally-linked legitimate applications written in low-level languages (Rust, Go, Zig) that explicitly call LoadLibrary for a small set of DLLs and run from build output or portable directories
Developer test binaries compiled locally and executed from project build directories that include only essential runtime DLL imports during early-stage development
Containerized or sandboxed execution environments where processes are launched from non-standard mount paths and operate with a restricted DLL load profile by design

Google Chronicle / SecOps

yaral

rule dynamic_api_resolution_core_dll_load {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1027.007 - Dynamic API Resolution via core Windows DLL loads from non-standard process paths"
    severity = "HIGH"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1027.007"
    reference = "https://attack.mitre.org/techniques/T1027/007/"
    created = "2026-04-13"
    false_positives = "Portable apps, dev tools outside Program Files, custom enterprise software paths"

  events:
    $e.metadata.event_type = "PROCESS_MODULE_LOAD"
    $e.target.file.full_path = /(?i)(kernel32\.dll|kernelbase\.dll|ntdll\.dll)$/
    not $e.principal.process.file.full_path = /(?i)^[Cc]:\\Windows\\/
    not $e.principal.process.file.full_path = /(?i)^[Cc]:\\Program Files/
    not $e.principal.process.file.full_path = /(?i)^[Cc]:\\Program Files \(x86\)/
    not $e.principal.process.file.full_path = ""
    $hostname = $e.principal.hostname
    $process_path = $e.principal.process.file.full_path
    $dll_name = $e.target.file.full_path
    $process_sha256 = $e.principal.process.file.sha256

  match:
    $hostname, $process_path over 5m

  outcome:
    $risk_score = max(65)
    $distinct_core_dlls = count_distinct($dll_name)
    $loaded_dlls = array_distinct($dll_name)
    $observed_hashes = array_distinct($process_sha256)

  condition:
    #e >= 1 and $distinct_core_dlls >= 1
}

high severity medium confidence

Data Sources

Google Chronicle UDM (PROCESS_MODULE_LOAD events) Windows Sysmon via Chronicle Forwarder (Event ID 7) Microsoft Defender for Endpoint via Chronicle integration

Required Tables

udm_events

False Positives

Third-party security products (AV engines, EDR sensors) deployed to custom installation paths that perform DLL instrumentation and interception at the OS level as part of their normal protection mechanism
Developer toolchains including compilers, linkers, build systems, and debuggers that run from build output directories and dynamically load core system libraries during linking or symbol resolution
Enterprise LOB applications deployed via group policy or deployment tools to organization-specific directory structures outside Program Files that legitimately load kernel32.dll and ntdll.dll at process initialization

CrowdStrike LogScale (CQL)

cql

#event_simpleName = ClassifiedModuleLoad
| ModuleFileName = /(?i)(\\kernel32\.dll|\\kernelbase\.dll|\\ntdll\.dll)$/
| ImageFileName != /(?i)^[Cc]:\\Windows\\/
| ImageFileName != /(?i)^[Cc]:\\Program Files/
| ImageFileName != /(?i)^[Cc]:\\Program Files \(x86\)/
| ImageFileName != null
| groupBy(
    [ComputerName, ImageFileName, TargetProcessId],
    function=[
      count(field=ModuleFileName, distinct=true, as=CoreDLLCount),
      collect(field=ModuleFileName, as=LoadedModules),
      max(field=@timestamp, as=LastSeen),
      selectLast(field=UserName, as=UserName),
      selectLast(field=SHA256HashData, as=ProcessSHA256)
    ]
  )
| CoreDLLCount >= 1
| sort(field=CoreDLLCount, order=asc, limit=100)
| select([ComputerName, UserName, ImageFileName, CoreDLLCount, LoadedModules, ProcessSHA256, LastSeen])

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint (ClassifiedModuleLoad telemetry) Falcon Data Replicator (FDR) event stream

Required Tables

crowdstrike:falcon:json

False Positives

CrowdStrike Falcon sensor components and other co-installed security products that may generate ClassifiedModuleLoad telemetry from their own non-standard installation paths as part of DLL interception for behavioral monitoring
Gaming platforms (Steam, Epic Games Launcher) and media applications installed to custom drive locations outside Program Files that dynamically load core DLLs for performance-critical subsystems
IT remote administration tools (RMM agents, patch management clients, endpoint management software) deployed by enterprise IT to organization-defined custom directory paths that legitimately load these system libraries at startup

Dynamic API Resolution

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections