Skip to content

DET0091 Detection Strategy for Dynamic API Resolution via Hash-Based Function Lookups

Item Value
ID DET0091
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1027.007 (Dynamic API Resolution)

Analytics

Windows

AN0250

Behavioral chain involving suspicious use of GetProcAddress and LoadLibrary following memory allocation and manual mapping, often paired with low entropy strings, abnormal API use without static import tables, or delayed module load behaviors.

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Module Load (DC0016) WinEventLog:Sysmon EventCode=7
OS API Execution (DC0021) etw:Microsoft-Windows-Kernel-Process API tracing / stack tracing via ETW or telemetry-based EDR
Mutable Elements
Field Description
APILoadWithoutImport Tunable logic to flag suspicious modules used without static IAT entries
TimeWindow Correlates module load to suspicious memory allocation or API lookup within timeframe
EntropyThreshold Used to detect obfuscated strings or hashed function names
StackTraceFilter Optional filtering of known safe modules or patterns from telemetry