title: Dynamic API Resolution (T1027.007)
id: df00tech-t1027-007
status: experimental
description: "Adversaries may obfuscate then dynamically resolve API functions called by their malware in order to conceal malicious functionalities and impair defensive analysis. API functions called by malware leave static artifacts such as strings in payload files and in the Import Address Table (IAT). To avoid static analysis, adversaries use dynamic API resolution: hashes of function names are stored in malware in lieu of literal strings, and malware uses GetProcAddress() and LoadLibrary() to manually reproduce the linking process. Threat actors including Mustang Panda, Lazarus Group, Latrodectus, Bazar, Brute Ratel C4, TONESHELL, PlugX, Raccoon Stealer, AvosLocker, and CHIMNEYSWEEP use this technique."
references:
  - https://attack.mitre.org/techniques/T1027/007/
  - https://df00tech.com/detections/T1027.007
author: df00tech
date: 2026/04/13
tags:
  - attack.t1027.007
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # Placeholder only: the selection below matches every process_creation event, so deploying it as-is at level high will alert on all process starts.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Small portable utilities that genuinely have minimal imports and only use LoadLibrary/GetProcAddress for cross-version compatibility
  - Legitimate security tools and EDR agents that use dynamic loading for compatibility across Windows versions
  - Custom in-house applications written to be compatible with multiple Windows versions using dynamic API loading
  - Certain Go or Rust compiled binaries that have unusual DLL load patterns compared to C/C++ equivalents
level: high
