Generated docs from job=generate-docs branch=master [ci skip]

2024-02-08 21:36:56 +00:00
parent a9326f2654
commit dea1cd7641
22 changed files with 179 additions and 21 deletions
@@ -548,6 +548,7 @@ defense-evasion,T1550.002,Use Alternate Authentication Material: Pass the Hash,2
 defense-evasion,T1550.002,Use Alternate Authentication Material: Pass the Hash,3,Invoke-WMIExec Pass the Hash,f8757545-b00a-4e4e-8cfb-8cfb961ee713,powershell
 defense-evasion,T1574.002,Hijack Execution Flow: DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
 defense-evasion,T1574.002,Hijack Execution Flow: DLL Side-Loading,2,DLL Side-Loading using the dotnet startup hook environment variable,d322cdd7-7d60-46e3-9111-648848da7c02,command_prompt
+defense-evasion,T1027.007,Obfuscated Files or Information: Dynamic API Resolution,1,Dynamic API Resolution-Ninja-syscall,578025d5-faa9-4f6d-8390-aae739d507e1,powershell
 defense-evasion,T1055.015,Process Injection: ListPlanting,1,Process injection ListPlanting,4f3c7502-b111-4dfe-8a6e-529307891a59,powershell
 defense-evasion,T1220,XSL Script Processing,1,MSXSL Bypass using local files,ca23bfb2-023f-49c5-8802-e66997de462d,command_prompt
 defense-evasion,T1220,XSL Script Processing,2,MSXSL Bypass using remote files,a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985,command_prompt
@@ -368,6 +368,7 @@ defense-evasion,T1550.002,Use Alternate Authentication Material: Pass the Hash,2
 defense-evasion,T1550.002,Use Alternate Authentication Material: Pass the Hash,3,Invoke-WMIExec Pass the Hash,f8757545-b00a-4e4e-8cfb-8cfb961ee713,powershell
 defense-evasion,T1574.002,Hijack Execution Flow: DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
 defense-evasion,T1574.002,Hijack Execution Flow: DLL Side-Loading,2,DLL Side-Loading using the dotnet startup hook environment variable,d322cdd7-7d60-46e3-9111-648848da7c02,command_prompt
+defense-evasion,T1027.007,Obfuscated Files or Information: Dynamic API Resolution,1,Dynamic API Resolution-Ninja-syscall,578025d5-faa9-4f6d-8390-aae739d507e1,powershell
 defense-evasion,T1055.015,Process Injection: ListPlanting,1,Process injection ListPlanting,4f3c7502-b111-4dfe-8a6e-529307891a59,powershell
 defense-evasion,T1220,XSL Script Processing,1,MSXSL Bypass using local files,ca23bfb2-023f-49c5-8802-e66997de462d,command_prompt
 defense-evasion,T1220,XSL Script Processing,2,MSXSL Bypass using remote files,a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985,command_prompt
@@ -718,7 +718,8 @@
  - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
  - Atomic Test #2: DLL Side-Loading using the dotnet startup hook environment variable [windows]
 - T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.007 Dynamic API Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1027.007 Obfuscated Files or Information: Dynamic API Resolution](../../T1027.007/T1027.007.md)
+  - Atomic Test #1: Dynamic API Resolution-Ninja-syscall [windows]
 - [T1055.015 Process Injection: ListPlanting](../../T1055.015/T1055.015.md)
  - Atomic Test #1: Process injection ListPlanting [windows]
 - T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -501,7 +501,8 @@
 - [T1574.002 Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md)
  - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
  - Atomic Test #2: DLL Side-Loading using the dotnet startup hook environment variable [windows]
- T1027.007 Dynamic API Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1027.007 Obfuscated Files or Information: Dynamic API Resolution](../../T1027.007/T1027.007.md)
+  - Atomic Test #1: Dynamic API Resolution-Ninja-syscall [windows]
 - [T1055.015 Process Injection: ListPlanting](../../T1055.015/T1055.015.md)
  - Atomic Test #1: Process injection ListPlanting [windows]
 - T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -170,7 +170,7 @@
 |  |  |  |  | [Use Alternate Authentication Material: Pass the Hash](../../T1550.002/T1550.002.md) |  |  |  |  |  |  |  |
 |  |  |  |  | [Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md) |  |  |  |  |  |  |  |
 |  |  |  |  | Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
-|  |  |  |  | Dynamic API Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
+|  |  |  |  | [Obfuscated Files or Information: Dynamic API Resolution](../../T1027.007/T1027.007.md) |  |  |  |  |  |  |  |
 |  |  |  |  | [Process Injection: ListPlanting](../../T1055.015/T1055.015.md) |  |  |  |  |  |  |  |
 |  |  |  |  | Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | [XSL Script Processing](../../T1220/T1220.md) |  |  |  |  |  |  |  |
@@ -133,7 +133,7 @@
 |  |  |  |  | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | [Use Alternate Authentication Material: Pass the Hash](../../T1550.002/T1550.002.md) |  |  |  |  |  |  |  |
 |  |  |  |  | [Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md) |  |  |  |  |  |  |  |
-|  |  |  |  | Dynamic API Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
+|  |  |  |  | [Obfuscated Files or Information: Dynamic API Resolution](../../T1027.007/T1027.007.md) |  |  |  |  |  |  |  |
 |  |  |  |  | [Process Injection: ListPlanting](../../T1055.015/T1055.015.md) |  |  |  |  |  |  |  |
 |  |  |  |  | Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | [XSL Script Processing](../../T1220/T1220.md) |  |  |  |  |  |  |  |
@@ -12512,7 +12512,7 @@ defense-evasion:
        Various methods may be used to obfuscate malware calls to API functions. For example, hashes of function names are commonly stored in malware in lieu of literal strings. Malware can use these hashes (or other identifiers) to manually reproduce the linking and loading process using functions such as `GetProcAddress()` and `LoadLibrary()`. These hashes/identifiers can also be further obfuscated using encryption or other string manipulation tricks (requiring various forms of [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) during execution).(Citation: BlackHat API Packers)(Citation: Drakonia HInvoke)(Citation: Huntress API Hash)
      modified: '2022-08-23T18:32:46.899Z'
      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-      name: Dynamic API Resolution
+      name: 'Obfuscated Files or Information: Dynamic API Resolution'
      x_mitre_detection: ''
      kill_chain_phases:
      - phase_name: defense-evasion
@@ -12524,6 +12524,7 @@ defense-evasion:
      - 'Process: OS API Execution'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1027.007
    atomic_tests: []
  T1055.015:
    technique:
@@ -12487,7 +12487,7 @@ defense-evasion:
        Various methods may be used to obfuscate malware calls to API functions. For example, hashes of function names are commonly stored in malware in lieu of literal strings. Malware can use these hashes (or other identifiers) to manually reproduce the linking and loading process using functions such as `GetProcAddress()` and `LoadLibrary()`. These hashes/identifiers can also be further obfuscated using encryption or other string manipulation tricks (requiring various forms of [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) during execution).(Citation: BlackHat API Packers)(Citation: Drakonia HInvoke)(Citation: Huntress API Hash)
      modified: '2022-08-23T18:32:46.899Z'
      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-      name: Dynamic API Resolution
+      name: 'Obfuscated Files or Information: Dynamic API Resolution'
      x_mitre_detection: ''
      kill_chain_phases:
      - phase_name: defense-evasion
@@ -12499,6 +12499,7 @@ defense-evasion:
      - 'Process: OS API Execution'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1027.007
    atomic_tests: []
  T1055.015:
    technique:
@@ -12416,7 +12416,7 @@ defense-evasion:
        Various methods may be used to obfuscate malware calls to API functions. For example, hashes of function names are commonly stored in malware in lieu of literal strings. Malware can use these hashes (or other identifiers) to manually reproduce the linking and loading process using functions such as `GetProcAddress()` and `LoadLibrary()`. These hashes/identifiers can also be further obfuscated using encryption or other string manipulation tricks (requiring various forms of [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) during execution).(Citation: BlackHat API Packers)(Citation: Drakonia HInvoke)(Citation: Huntress API Hash)
      modified: '2022-08-23T18:32:46.899Z'
      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-      name: Dynamic API Resolution
+      name: 'Obfuscated Files or Information: Dynamic API Resolution'
      x_mitre_detection: ''
      kill_chain_phases:
      - phase_name: defense-evasion
@@ -12428,6 +12428,7 @@ defense-evasion:
      - 'Process: OS API Execution'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1027.007
    atomic_tests: []
  T1055.015:
    technique:
@@ -12416,7 +12416,7 @@ defense-evasion:
        Various methods may be used to obfuscate malware calls to API functions. For example, hashes of function names are commonly stored in malware in lieu of literal strings. Malware can use these hashes (or other identifiers) to manually reproduce the linking and loading process using functions such as `GetProcAddress()` and `LoadLibrary()`. These hashes/identifiers can also be further obfuscated using encryption or other string manipulation tricks (requiring various forms of [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) during execution).(Citation: BlackHat API Packers)(Citation: Drakonia HInvoke)(Citation: Huntress API Hash)
      modified: '2022-08-23T18:32:46.899Z'
      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-      name: Dynamic API Resolution
+      name: 'Obfuscated Files or Information: Dynamic API Resolution'
      x_mitre_detection: ''
      kill_chain_phases:
      - phase_name: defense-evasion
@@ -12428,6 +12428,7 @@ defense-evasion:
      - 'Process: OS API Execution'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1027.007
    atomic_tests: []
  T1055.015:
    technique:
@@ -12720,7 +12720,7 @@ defense-evasion:
        Various methods may be used to obfuscate malware calls to API functions. For example, hashes of function names are commonly stored in malware in lieu of literal strings. Malware can use these hashes (or other identifiers) to manually reproduce the linking and loading process using functions such as `GetProcAddress()` and `LoadLibrary()`. These hashes/identifiers can also be further obfuscated using encryption or other string manipulation tricks (requiring various forms of [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) during execution).(Citation: BlackHat API Packers)(Citation: Drakonia HInvoke)(Citation: Huntress API Hash)
      modified: '2022-08-23T18:32:46.899Z'
      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-      name: Dynamic API Resolution
+      name: 'Obfuscated Files or Information: Dynamic API Resolution'
      x_mitre_detection: ''
      kill_chain_phases:
      - phase_name: defense-evasion
@@ -12732,6 +12732,7 @@ defense-evasion:
      - 'Process: OS API Execution'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1027.007
    atomic_tests: []
  T1055.015:
    technique:
@@ -12496,7 +12496,7 @@ defense-evasion:
        Various methods may be used to obfuscate malware calls to API functions. For example, hashes of function names are commonly stored in malware in lieu of literal strings. Malware can use these hashes (or other identifiers) to manually reproduce the linking and loading process using functions such as `GetProcAddress()` and `LoadLibrary()`. These hashes/identifiers can also be further obfuscated using encryption or other string manipulation tricks (requiring various forms of [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) during execution).(Citation: BlackHat API Packers)(Citation: Drakonia HInvoke)(Citation: Huntress API Hash)
      modified: '2022-08-23T18:32:46.899Z'
      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-      name: Dynamic API Resolution
+      name: 'Obfuscated Files or Information: Dynamic API Resolution'
      x_mitre_detection: ''
      kill_chain_phases:
      - phase_name: defense-evasion
@@ -12508,6 +12508,7 @@ defense-evasion:
      - 'Process: OS API Execution'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1027.007
    atomic_tests: []
  T1055.015:
    technique:
@@ -12457,7 +12457,7 @@ defense-evasion:
        Various methods may be used to obfuscate malware calls to API functions. For example, hashes of function names are commonly stored in malware in lieu of literal strings. Malware can use these hashes (or other identifiers) to manually reproduce the linking and loading process using functions such as `GetProcAddress()` and `LoadLibrary()`. These hashes/identifiers can also be further obfuscated using encryption or other string manipulation tricks (requiring various forms of [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) during execution).(Citation: BlackHat API Packers)(Citation: Drakonia HInvoke)(Citation: Huntress API Hash)
      modified: '2022-08-23T18:32:46.899Z'
      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-      name: Dynamic API Resolution
+      name: 'Obfuscated Files or Information: Dynamic API Resolution'
      x_mitre_detection: ''
      kill_chain_phases:
      - phase_name: defense-evasion
@@ -12469,6 +12469,7 @@ defense-evasion:
      - 'Process: OS API Execution'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1027.007
    atomic_tests: []
  T1055.015:
    technique:
@@ -27409,7 +27409,7 @@ defense-evasion:
        Various methods may be used to obfuscate malware calls to API functions. For example, hashes of function names are commonly stored in malware in lieu of literal strings. Malware can use these hashes (or other identifiers) to manually reproduce the linking and loading process using functions such as `GetProcAddress()` and `LoadLibrary()`. These hashes/identifiers can also be further obfuscated using encryption or other string manipulation tricks (requiring various forms of [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) during execution).(Citation: BlackHat API Packers)(Citation: Drakonia HInvoke)(Citation: Huntress API Hash)
      modified: '2022-08-23T18:32:46.899Z'
      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-      name: Dynamic API Resolution
+      name: 'Obfuscated Files or Information: Dynamic API Resolution'
      x_mitre_detection: ''
      kill_chain_phases:
      - phase_name: defense-evasion
@@ -27421,7 +27421,45 @@ defense-evasion:
      - 'Process: OS API Execution'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-    atomic_tests: []
+      identifier: T1027.007
+    atomic_tests:
+    - name: Dynamic API Resolution-Ninja-syscall
+      auto_generated_guid: 578025d5-faa9-4f6d-8390-aae739d507e1
+      description: 'This test calls NtCreateFile via API hashing and dynamic syscall
+        resolution. I have dubbed this particular combination of techniques ''Ninja-syscall''.
+        When successful, a new file named ''hello.log'' will be created in the default
+        user''s temporary folder, which is a common location for a dropper.
+
+        '
+      supported_platforms:
+      - windows
+      input_arguments:
+        exe_binary:
+          description: PE binary
+          type: path
+          default: PathToAtomicsFolder\T1027.007\bin\ninja_syscall1.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Portable Executable to run must exist at specified location
+          (#{exe_binary})
+
+          '
+        prereq_command: 'if (Test-Path "#{exe_binary}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path "#{exe_binary}") -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.007/bin/ninja_syscall1.exe" -OutFile "#{exe_binary}"
+      executor:
+        command: |
+          Start-Process "#{exe_binary}"
+          Start-Sleep -Seconds 7
+          if (Test-Path "C:\Users\Default\AppData\Local\Temp\hello.log") { Remove-Item "C:\Users\Default\AppData\Local\Temp\hello.log" -Force; Write-Host "[+] hello.log removed." }
+        cleanup_command: if (Test-Path "C:\Users\Default\AppData\Local\Temp\hello.log")
+          { Remove-Item "C:\Users\Default\AppData\Local\Temp\hello.log" -Force; Write-Host
+          "[+] hello.log removed." }
+        name: powershell
+        elevation_required: true
  T1055.015:
    technique:
      x_mitre_platforms:
@@ -16072,7 +16072,7 @@ defense-evasion:
        Various methods may be used to obfuscate malware calls to API functions. For example, hashes of function names are commonly stored in malware in lieu of literal strings. Malware can use these hashes (or other identifiers) to manually reproduce the linking and loading process using functions such as `GetProcAddress()` and `LoadLibrary()`. These hashes/identifiers can also be further obfuscated using encryption or other string manipulation tricks (requiring various forms of [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) during execution).(Citation: BlackHat API Packers)(Citation: Drakonia HInvoke)(Citation: Huntress API Hash)
      modified: '2022-08-23T18:32:46.899Z'
      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-      name: Dynamic API Resolution
+      name: 'Obfuscated Files or Information: Dynamic API Resolution'
      x_mitre_detection: ''
      kill_chain_phases:
      - phase_name: defense-evasion
@@ -16084,6 +16084,7 @@ defense-evasion:
      - 'Process: OS API Execution'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1027.007
    atomic_tests: []
  T1055.015:
    technique:
@@ -14546,7 +14546,7 @@ defense-evasion:
        Various methods may be used to obfuscate malware calls to API functions. For example, hashes of function names are commonly stored in malware in lieu of literal strings. Malware can use these hashes (or other identifiers) to manually reproduce the linking and loading process using functions such as `GetProcAddress()` and `LoadLibrary()`. These hashes/identifiers can also be further obfuscated using encryption or other string manipulation tricks (requiring various forms of [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) during execution).(Citation: BlackHat API Packers)(Citation: Drakonia HInvoke)(Citation: Huntress API Hash)
      modified: '2022-08-23T18:32:46.899Z'
      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-      name: Dynamic API Resolution
+      name: 'Obfuscated Files or Information: Dynamic API Resolution'
      x_mitre_detection: ''
      kill_chain_phases:
      - phase_name: defense-evasion
@@ -14558,6 +14558,7 @@ defense-evasion:
      - 'Process: OS API Execution'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1027.007
    atomic_tests: []
  T1055.015:
    technique:
@@ -12546,7 +12546,7 @@ defense-evasion:
        Various methods may be used to obfuscate malware calls to API functions. For example, hashes of function names are commonly stored in malware in lieu of literal strings. Malware can use these hashes (or other identifiers) to manually reproduce the linking and loading process using functions such as `GetProcAddress()` and `LoadLibrary()`. These hashes/identifiers can also be further obfuscated using encryption or other string manipulation tricks (requiring various forms of [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) during execution).(Citation: BlackHat API Packers)(Citation: Drakonia HInvoke)(Citation: Huntress API Hash)
      modified: '2022-08-23T18:32:46.899Z'
      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-      name: Dynamic API Resolution
+      name: 'Obfuscated Files or Information: Dynamic API Resolution'
      x_mitre_detection: ''
      kill_chain_phases:
      - phase_name: defense-evasion
@@ -12558,6 +12558,7 @@ defense-evasion:
      - 'Process: OS API Execution'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1027.007
    atomic_tests: []
  T1055.015:
    technique:
@@ -12416,7 +12416,7 @@ defense-evasion:
        Various methods may be used to obfuscate malware calls to API functions. For example, hashes of function names are commonly stored in malware in lieu of literal strings. Malware can use these hashes (or other identifiers) to manually reproduce the linking and loading process using functions such as `GetProcAddress()` and `LoadLibrary()`. These hashes/identifiers can also be further obfuscated using encryption or other string manipulation tricks (requiring various forms of [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) during execution).(Citation: BlackHat API Packers)(Citation: Drakonia HInvoke)(Citation: Huntress API Hash)
      modified: '2022-08-23T18:32:46.899Z'
      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-      name: Dynamic API Resolution
+      name: 'Obfuscated Files or Information: Dynamic API Resolution'
      x_mitre_detection: ''
      kill_chain_phases:
      - phase_name: defense-evasion
@@ -12428,6 +12428,7 @@ defense-evasion:
      - 'Process: OS API Execution'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1027.007
    atomic_tests: []
  T1055.015:
    technique:
@@ -22453,7 +22453,7 @@ defense-evasion:
        Various methods may be used to obfuscate malware calls to API functions. For example, hashes of function names are commonly stored in malware in lieu of literal strings. Malware can use these hashes (or other identifiers) to manually reproduce the linking and loading process using functions such as `GetProcAddress()` and `LoadLibrary()`. These hashes/identifiers can also be further obfuscated using encryption or other string manipulation tricks (requiring various forms of [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) during execution).(Citation: BlackHat API Packers)(Citation: Drakonia HInvoke)(Citation: Huntress API Hash)
      modified: '2022-08-23T18:32:46.899Z'
      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-      name: Dynamic API Resolution
+      name: 'Obfuscated Files or Information: Dynamic API Resolution'
      x_mitre_detection: ''
      kill_chain_phases:
      - phase_name: defense-evasion
@@ -22465,7 +22465,45 @@ defense-evasion:
      - 'Process: OS API Execution'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-    atomic_tests: []
+      identifier: T1027.007
+    atomic_tests:
+    - name: Dynamic API Resolution-Ninja-syscall
+      auto_generated_guid: 578025d5-faa9-4f6d-8390-aae739d507e1
+      description: 'This test calls NtCreateFile via API hashing and dynamic syscall
+        resolution. I have dubbed this particular combination of techniques ''Ninja-syscall''.
+        When successful, a new file named ''hello.log'' will be created in the default
+        user''s temporary folder, which is a common location for a dropper.
+
+        '
+      supported_platforms:
+      - windows
+      input_arguments:
+        exe_binary:
+          description: PE binary
+          type: path
+          default: PathToAtomicsFolder\T1027.007\bin\ninja_syscall1.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Portable Executable to run must exist at specified location
+          (#{exe_binary})
+
+          '
+        prereq_command: 'if (Test-Path "#{exe_binary}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path "#{exe_binary}") -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.007/bin/ninja_syscall1.exe" -OutFile "#{exe_binary}"
+      executor:
+        command: |
+          Start-Process "#{exe_binary}"
+          Start-Sleep -Seconds 7
+          if (Test-Path "C:\Users\Default\AppData\Local\Temp\hello.log") { Remove-Item "C:\Users\Default\AppData\Local\Temp\hello.log" -Force; Write-Host "[+] hello.log removed." }
+        cleanup_command: if (Test-Path "C:\Users\Default\AppData\Local\Temp\hello.log")
+          { Remove-Item "C:\Users\Default\AppData\Local\Temp\hello.log" -Force; Write-Host
+          "[+] hello.log removed." }
+        name: powershell
+        elevation_required: true
  T1055.015:
    technique:
      x_mitre_platforms:
@@ -0,0 +1,67 @@
+# T1027.007 - Obfuscated Files or Information: Dynamic API Resolution
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1027/007)
+<blockquote>Adversaries may obfuscate then dynamically resolve API functions called by their malware in order to conceal malicious functionalities and impair defensive analysis. Malware commonly uses various [Native API](https://attack.mitre.org/techniques/T1106) functions provided by the OS to perform various tasks such as those involving processes, files, and other system artifacts.
+
+API functions called by malware may leave static artifacts such as strings in payload files. Defensive analysts may also uncover which functions a binary file may execute via an import address table (IAT) or other structures that help dynamically link calling code to the shared modules that provide functions.(Citation: Huntress API Hash)(Citation: IRED API Hashing)
+
+To avoid static or other defensive analysis, adversaries may use dynamic API resolution to conceal malware characteristics and functionalities. Similar to [Software Packing](https://attack.mitre.org/techniques/T1027/002), dynamic API resolution may change file signatures and obfuscate malicious API function calls until they are resolved and invoked during runtime.
+
+Various methods may be used to obfuscate malware calls to API functions. For example, hashes of function names are commonly stored in malware in lieu of literal strings. Malware can use these hashes (or other identifiers) to manually reproduce the linking and loading process using functions such as `GetProcAddress()` and `LoadLibrary()`. These hashes/identifiers can also be further obfuscated using encryption or other string manipulation tricks (requiring various forms of [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) during execution).(Citation: BlackHat API Packers)(Citation: Drakonia HInvoke)(Citation: Huntress API Hash)</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Dynamic API Resolution-Ninja-syscall](#atomic-test-1---dynamic-api-resolution-ninja-syscall)
+
+
+<br/>
+
+## Atomic Test #1 - Dynamic API Resolution-Ninja-syscall
+This test calls NtCreateFile via API hashing and dynamic syscall resolution. I have dubbed this particular combination of techniques 'Ninja-syscall'. When successful, a new file named 'hello.log' will be created in the default user's temporary folder, which is a common location for a dropper.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 578025d5-faa9-4f6d-8390-aae739d507e1
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| exe_binary | PE binary | path | PathToAtomicsFolder&#92;T1027.007&#92;bin&#92;ninja_syscall1.exe|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+Start-Process "#{exe_binary}"
+Start-Sleep -Seconds 7
+if (Test-Path "C:\Users\Default\AppData\Local\Temp\hello.log") { Remove-Item "C:\Users\Default\AppData\Local\Temp\hello.log" -Force; Write-Host "[+] hello.log removed." }
+```
+
+#### Cleanup Commands:
+```powershell
+if (Test-Path "C:\Users\Default\AppData\Local\Temp\hello.log") { Remove-Item "C:\Users\Default\AppData\Local\Temp\hello.log" -Force; Write-Host "[+] hello.log removed." }
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Portable Executable to run must exist at specified location (#{exe_binary})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "#{exe_binary}") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory (split-path "#{exe_binary}") -ErrorAction ignore | Out-Null
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.007/bin/ninja_syscall1.exe" -OutFile "#{exe_binary}"
+```
+
+
+
+
+<br/>