MITRE ATT&CK Technique
Defense Evasion T1027.007
Description

Adversaries may obfuscate then dynamically resolve API functions called by their malware in order to conceal malicious functionalities and impair defensive analysis. Malware commonly uses various [Native API](https://attack.mitre.org/techniques/T1106) functions provided by the OS to perform various tasks such as those involving processes, files, and other system artifacts.

API functions called by malware may leave static artifacts such as strings in payload files. Defensive analysts may also uncover which functions a binary file may execute via an import address table (IAT) or other structures that help dynamically link calling code to the shared modules that provide functions.(Citation: Huntress API Hash)(Citation: IRED API Hashing)

To avoid static or other defensive analysis, adversaries may use dynamic API resolution to conceal malware characteristics and functionalities. Similar to [Software Packing](https://attack.mitre.org/techniques/T1027/002), dynamic API resolution may change file signatures and obfuscate malicious API function calls until they are resolved and invoked during runtime.

Various methods may be used to obfuscate malware calls to API functions. For example, hashes of function names are commonly stored in malware in lieu of literal strings. Malware can use these hashes (or other identifiers) to manually reproduce the linking and loading process using functions such as `GetProcAddress()` and `LoadLibrary()`. These hashes/identifiers can also be further obfuscated using encryption or other string manipulation tricks (requiring various forms of [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) during execution).(Citation: BlackHat API Packers)(Citation: Drakonia HInvoke)(Citation: Huntress API Hash)
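For analysts triaging a sample that stores hashes in lieu of function-name strings, the following added example (not part of the ATT&CK entry) builds a reverse lookup from hash constants to export names and scans a byte blob for matches. The rotate-right-13 additive hash, the export list, the sample bytes and all function names are assumptions made for illustration; the page names no specific algorithm, so the hash function is a parameter.

```python
import struct
from collections import defaultdict

MASK32 = 0xFFFFFFFF

def ror13_hash(name: str) -> int:
    """Assumed scheme: rotate right by 13, then add each name byte (32-bit)."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & MASK32
        h = (h + b) & MASK32
    return h

def build_lookup(export_names, hash_fn=ror13_hash):
    """Map hash -> sorted candidate names (a list, since hashes can collide)."""
    table = defaultdict(set)
    for name in export_names:
        table[hash_fn(name)].add(name)
    return {h: sorted(names) for h, names in table.items()}

def scan_blob(data: bytes, table):
    """Slide over the sample and report (offset, constant, names) for every
    little-endian 32-bit value that matches a known export-name hash."""
    hits = []
    for off in range(len(data) - 3):
        (value,) = struct.unpack_from("<I", data, off)
        if value in table:
            hits.append((off, value, table[value]))
    return hits

# Constructed export list; in practice, use the export names of the DLLs of interest.
KNOWN_EXPORTS = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc",
                 "CreateFileW", "WriteFile", "ExitProcess"]

def build_sample() -> bytes:
    """Constructed stand-in for a sample: filler bytes around two hash constants."""
    return (b"\x90" * 3 + struct.pack("<I", ror13_hash("VirtualAlloc"))
            + b"\x00\x00" + struct.pack("<I", ror13_hash("WriteFile")))

if __name__ == "__main__":
    table = build_lookup(KNOWN_EXPORTS)
    for off, value, names in scan_blob(build_sample(), table):
        print(f"offset {off:#06x}: {value:#010x} -> {', '.join(names)}")
```

When the constants in a sample match nothing, pass a different `hash_fn` to `build_lookup`; a run of matches in one region of the file is itself a useful static indicator of this technique.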

Supported Platforms
Windows
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2022-08-22T20:42:08.498Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'external_references': [{'external_id': 'T1027.007',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1027/007'},
                         {'description': 'Brennan, M. (2022, February 16). '
                                         'Hackers No Hashing: Randomizing API '
                                         'Hashes to Evade Cobalt Strike '
                                         'Shellcode Detection. Retrieved '
                                         'August 22, 2022.',
                          'source_name': 'Huntress API Hash',
                          'url': 'https://www.huntress.com/blog/hackers-no-hashing-randomizing-api-hashes-to-evade-cobalt-strike-shellcode-detection'},
                         {'description': 'Choi, S. (2015, August 6). '
                                         'Obfuscated API Functions in Modern '
                                         'Packers. Retrieved August 22, 2022.',
                          'source_name': 'BlackHat API Packers',
                          'url': 'https://www.blackhat.com/docs/us-15/materials/us-15-Choi-API-Deobfuscator-Resolving-Obfuscated-API-Functions-In-Modern-Packers.pdf'},
                         {'description': 'drakonia. (2022, August 10). HInvoke '
                                         'and avoiding PInvoke. Retrieved '
                                         'August 22, 2022.',
                          'source_name': 'Drakonia HInvoke',
                          'url': 'https://dr4k0nia.github.io/dotnet/coding/2022/08/10/HInvoke-and-avoiding-PInvoke.html?s=03'},
                         {'description': 'spotheplanet. (n.d.). Windows API '
                                         'Hashing in Malware. Retrieved August '
                                         '22, 2022.',
                          'source_name': 'IRED API Hashing',
                          'url': 'https://www.ired.team/offensive-security/defense-evasion/windows-api-hashing-in-malware'}],
 'id': 'attack-pattern--ea4c2f9c-9df1-477c-8c42-6da1118f2ac4',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'defense-evasion'}],
 'modified': '2025-04-15T22:24:25.266Z',
 'name': 'Dynamic API Resolution',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': True,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Windows'],
 'x_mitre_version': '1.0'}
Related Threat Actors (2)
Lazarus Group
High

Mustang Panda
High