T1027.007 CrowdStrike LogScale · LogScale

Detect Dynamic API Resolution in CrowdStrike LogScale

Adversaries may obfuscate then dynamically resolve API functions called by their malware in order to conceal malicious functionalities and impair defensive analysis. API functions called by malware leave static artifacts such as strings in payload files and in the Import Address Table (IAT). To avoid static analysis, adversaries use dynamic API resolution: hashes of function names are stored in malware in lieu of literal strings, and malware uses GetProcAddress() and LoadLibrary() to manually reproduce the linking process. Threat actors including Mustang Panda, Lazarus Group, Latrodectus, Bazar, Brute Ratel C4, TONESHELL, PlugX, Raccoon Stealer, AvosLocker, and CHIMNEYSWEEP use this technique.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1027 Obfuscated Files or Information
Sub-technique
T1027.007 Dynamic API Resolution
Canonical reference
https://attack.mitre.org/techniques/T1027/007/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
#event_simpleName = ClassifiedModuleLoad
| ModuleFileName = /(?i)(\\kernel32\.dll|\\kernelbase\.dll|\\ntdll\.dll)$/
| ImageFileName != /(?i)^[Cc]:\\Windows\\/
| ImageFileName != /(?i)^[Cc]:\\Program Files/
| ImageFileName != /(?i)^[Cc]:\\Program Files \(x86\)/
| ImageFileName != null
| groupBy(
    [ComputerName, ImageFileName, TargetProcessId],
    function=[
      count(field=ModuleFileName, distinct=true, as=CoreDLLCount),
      collect(field=ModuleFileName, as=LoadedModules),
      max(field=@timestamp, as=LastSeen),
      selectLast(field=UserName, as=UserName),
      selectLast(field=SHA256HashData, as=ProcessSHA256)
    ]
  )
| CoreDLLCount >= 1
| sort(field=CoreDLLCount, order=asc, limit=100)
| select([ComputerName, UserName, ImageFileName, CoreDLLCount, LoadedModules, ProcessSHA256, LastSeen])
high severity medium confidence

CrowdStrike LogScale (Falcon) query detecting dynamic API resolution by correlating ClassifiedModuleLoad events where core Windows DLLs (kernel32.dll, kernelbase.dll, ntdll.dll) are loaded by processes outside standard system directories. Results are grouped by host, process image, and process ID to surface distinct DLL load counts per process. Processes from non-standard paths with intentionally minimal DLL loads indicate manual API resolution consistent with malware families including PlugX, Raccoon Stealer, AvosLocker, TONESHELL, and CHIMNEYSWEEP.

Data Sources

CrowdStrike Falcon Endpoint (ClassifiedModuleLoad telemetry)Falcon Data Replicator (FDR) event stream

Required Tables

crowdstrike:falcon:json

False Positives & Tuning

  • CrowdStrike Falcon sensor components and other co-installed security products that may generate ClassifiedModuleLoad telemetry from their own non-standard installation paths as part of DLL interception for behavioral monitoring
  • Gaming platforms (Steam, Epic Games Launcher) and media applications installed to custom drive locations outside Program Files that dynamically load core DLLs for performance-critical subsystems
  • IT remote administration tools (RMM agents, patch management clients, endpoint management software) deployed by enterprise IT to organization-defined custom directory paths that legitimately load these system libraries at startup
Download portable Sigma rule (.yml)

Other platforms for T1027.007

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Demonstrate GetProcAddress Dynamic API Resolution in PowerShell

    Expected signal: Sysmon Event ID 1: PowerShell process creation with Add-Type and DllImport. PowerShell ScriptBlock Log Event ID 4104: the P/Invoke declarations and GetProcAddress call. Sysmon Event ID 7: user32.dll loaded by powershell.exe.

  2. Test 2API Hash Resolution Simulation

    Expected signal: PowerShell ScriptBlock Log Event ID 4104: the hash function implementation and the list of API names being hashed. The output shows API-to-hash mappings as adversarial malware would store them.

  3. Test 3Inspect Binary IAT for Dynamic Resolution Indicators

    Expected signal: Sysmon Event ID 1: dumpbin.exe execution with /imports argument on calc.exe. The findstr filter shows LoadLibrary and GetProcAddress imports if present.

  4. Test 4Create Minimal-Import Executable for Testing

    Expected signal: Sysmon Event ID 1: csc.exe compilation (T1027.004 indicator). Sysmon Event ID 1: dynapi.exe execution from Temp. Sysmon Event ID 7: kernel32.dll and user32.dll loaded by dynapi.exe. The dynapi.exe IAT will contain only LoadLibrary and GetProcAddress.

Last updated: 2026-04-13 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for T1027.007 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1027Obfuscated Files or Information

Related Sub-techniques

T1027.001Binary PaddingT1027.002Software PackingT1027.003SteganographyT1027.004Compile After DeliveryT1027.005Indicator Removal from ToolsT1027.006HTML SmugglingT1027.008Stripped PayloadsT1027.009Embedded PayloadsT1027.010Command ObfuscationT1027.011Fileless StorageT1027.012LNK Icon SmugglingT1027.013Encrypted/Encoded FileT1027.014Polymorphic CodeT1027.015CompressionT1027.016Junk Code InsertionT1027.017SVG Smuggling

Related Techniques

T1027Obfuscated Files or InformationT1027.002Software PackingT1055Process InjectionT1106Native APIT1140Deobfuscate/Decode Files or InformationT1620Reflective Code Loading

Same Tactic: Defense Evasion

Popular Detections