Behavioral chain involving suspicious use of GetProcAddress and LoadLibrary following memory allocation and manual mapping, often paired with low entropy strings, abnormal API use without static import tables, or delayed module load behaviors.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| OS API Execution (DC0021) | etw:Microsoft-Windows-Kernel-Process | API tracing / stack tracing via ETW or telemetry-based EDR |

| Field | Description |
|---|---|
| APILoadWithoutImport | Tunable logic to flag suspicious modules used without static IAT entries |
| TimeWindow | Correlates module load to suspicious memory allocation or API lookup within timeframe |
| EntropyThreshold | Used to detect obfuscated strings or hashed function names |
| StackTraceFilter | Optional filtering of known safe modules or patterns from telemetry |
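The following is an added example, not part of the original detection strategy text, showing how the four tunables above and the three data components could be wired together in a correlation rule. It runs over a handful of constructed Sysmon (EventCode 1 and 7) and ETW-style API events; the event dictionaries, the `StaticImports` enrichment on the process-creation event (assumed to come from an EDR that parses the image's IAT), the `Caller` field on API events (assumed to come from ETW stack tracing) and the allowlist contents are all assumptions made for the example. The entropy direction follows the page's "low entropy strings" phrasing and is gated on name length because Shannon entropy is noisy on very short strings; both the direction and the threshold are tunables, not fixed facts.

```python
"""Correlate constructed Sysmon/ETW-style events to flag dynamic API resolution."""
import math
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tunables named after the fields in the table above (values are assumptions).
TIME_WINDOW = timedelta(seconds=10)     # TimeWindow
ENTROPY_THRESHOLD = 2.6                 # EntropyThreshold (bits per character)
STACK_TRACE_FILTER = {"kernelbase.dll", "ntdll.dll"}  # StackTraceFilter: hypothetical benign callers

# Hash-like names: hex digests ("7c0dfcaa", "0x7c0dfcaa") or ordinal lookups ("#42").
HASH_LIKE = re.compile(r"^(0x)?[0-9a-fA-F]{8,}$|^#\d+$")

# Constructed sample telemetry: pid 4242 is the suspicious chain, pid 5150 is benign noise.
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "pid": 4242, "EventCode": 1,
     "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "StaticImports": ["kernel32.dll", "msvcrt.dll"]},
    {"ts": "2024-05-01T10:00:01", "pid": 4242, "Api": "VirtualAlloc",
     "Protect": "PAGE_EXECUTE_READWRITE", "Caller": "updater.exe"},
    {"ts": "2024-05-01T10:00:02", "pid": 4242, "Api": "LoadLibraryA",
     "Arg": "wininet.dll", "Caller": "updater.exe"},
    {"ts": "2024-05-01T10:00:03", "pid": 4242, "EventCode": 7,
     "ImageLoaded": r"C:\Windows\System32\wininet.dll"},
    {"ts": "2024-05-01T10:00:04", "pid": 4242, "Api": "GetProcAddress",
     "Arg": "7c0dfcaa", "Caller": "updater.exe"},
    {"ts": "2024-05-01T10:05:00", "pid": 5150, "EventCode": 1,
     "Image": r"C:\Windows\System32\notepad.exe",
     "StaticImports": ["kernel32.dll", "user32.dll", "comctl32.dll"]},
    {"ts": "2024-05-01T10:05:01", "pid": 5150, "EventCode": 7,
     "ImageLoaded": r"C:\Windows\System32\user32.dll"},
    {"ts": "2024-05-01T10:05:01", "pid": 5150, "Api": "GetProcAddress",
     "Arg": "CreateThread", "Caller": "kernelbase.dll"},   # dropped by StackTraceFilter
    {"ts": "2024-05-01T10:05:02", "pid": 5150, "EventCode": 7,
     "ImageLoaded": r"C:\Windows\System32\uxtheme.dll"},   # not in IAT, but no live trigger
]


def shannon_entropy(text: str) -> float:
    """Shannon entropy in bits per character of a string."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_hashed(name: str, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """True for hash/ordinal-shaped names, or long names with unusually low entropy."""
    if HASH_LIKE.match(name):
        return True
    # Entropy on names shorter than 8 characters is too noisy to be meaningful.
    return len(name) >= 8 and shannon_entropy(name) < threshold


def _parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def correlate(events, time_window=TIME_WINDOW, entropy_threshold=ENTROPY_THRESHOLD,
              stack_trace_filter=STACK_TRACE_FILTER):
    """Return alert dicts for module loads without IAT backing and hash-like API lookups."""
    by_pid = defaultdict(list)
    for event in events:
        by_pid[event["pid"]].append(event)
    alerts = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: _parse_ts(e["ts"]))   # stable, so same-second order is kept
        imports = set()
        triggers = []   # timestamps of executable allocations and dynamic lookups
        for e in evs:
            ts = _parse_ts(e["ts"])
            if e.get("EventCode") == 1:
                imports = {m.lower() for m in e.get("StaticImports", [])}
            elif "Api" in e:
                if e.get("Caller", "").lower() in stack_trace_filter:
                    continue   # StackTraceFilter: ignore lookups made by allowlisted callers
                api = e["Api"]
                if api == "VirtualAlloc" and "EXECUTE" in e.get("Protect", ""):
                    triggers.append(ts)
                elif api.startswith("LoadLibrary"):
                    triggers.append(ts)
                elif api == "GetProcAddress":
                    triggers.append(ts)
                    if looks_hashed(e.get("Arg", ""), entropy_threshold):
                        alerts.append({"pid": pid, "rule": "HashedApiName", "detail": e["Arg"]})
            elif e.get("EventCode") == 7:
                module = e["ImageLoaded"].rsplit("\\", 1)[-1].lower()
                recent = any(timedelta(0) <= ts - t <= time_window for t in triggers)
                if module not in imports and recent:   # APILoadWithoutImport within TimeWindow
                    alerts.append({"pid": pid, "rule": "APILoadWithoutImport", "detail": module})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Run as a script it prints two alerts for pid 4242 (the wininet.dll load with no IAT entry shortly after an executable allocation and LoadLibrary call, and the hash-shaped GetProcAddress argument) and nothing for pid 5150: its one GetProcAddress call is discarded by the caller allowlist, so the later uxtheme.dll load has no trigger inside the window to correlate with.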