CredUI.DLL Loaded By Uncommon Process

 1title: CredUI.DLL Loaded By Uncommon Process
 2id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784
 3status: experimental
 4description: Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".
 5references:
 6    - https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html
 7    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password
 8    - https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa
 9    - https://github.com/S12cybersecurity/RDPCredentialStealer
10author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
11date: 2020/10/20
12modified: 2023/07/28
13tags:
14    - attack.credential_access
15    - attack.collection
16    - attack.t1056.002
17logsource:
18    category: image_load
19    product: windows
20detection:
21    selection:
22        - ImageLoaded|endswith:
23              - '\credui.dll'
24              - '\wincredui.dll'
25        - OriginalFileName:
26              - 'credui.dll'
27              - 'wincredui.dll'
28    filter_main_generic:
29        Image|startswith:
30            - 'C:\Program Files (x86)\'
31            - 'C:\Program Files\'
32            - 'C:\Windows\System32\'
33            - 'C:\Windows\SysWOW64\'
34    filter_main_full:
35        Image:
36            - 'C:\Windows\explorer.exe'
37            - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
38            - 'C:\Windows\regedit.exe' # This FP is triggered for example when choosing the "Connect Network Registry" from the menu
39    filter_optional_opera:
40        Image|endswith: '\opera_autoupdate.exe'
41    filter_optional_process_explorer:
42        Image|endswith:
43            - '\procexp64.exe'
44            - '\procexp.exe'
45    filter_optional_teams:
46        Image|startswith: 'C:\Users\'
47        Image|contains: '\AppData\Local\Microsoft\Teams\'
48        Image|endswith: '\Teams.exe'
49    filter_optional_onedrive:
50        Image|startswith: 'C:\Users\'
51        Image|contains: '\AppData\Local\Microsoft\OneDrive\'
52    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
53falsepositives:
54    - Other legitimate processes loading those DLLs in your environment.
55level: medium

References

• UI Prompt For Credentials Function — Security Datasets

  Dataset Description# This dataset represents adversaries leveraging functions such as CredUIPromptForCredentials to create and display a configurable dialog box that accepts credentials information...

  
  Read More

• atomic-red-team/atomics/T1056.002/T1056.002.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

  

  Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

  
  Read More

• CredUIPromptForCredentialsA function (wincred.h) - Win32 apps

  

  Creates and displays a configurable dialog box that accepts credentials information from a user. (ANSI)

  
  Read More

• GitHub - S12cybersecurity/RDPCredentialStealer: RDPCredentialStealer it's a malware that steal credentials provided by users in RDP using API Hooking with Detours in C++

  

  RDPCredentialStealer it's a malware that steal credentials provided by users in RDP using API Hooking with Detours in C++ - S12cybersecurity/RDPCredentialStealer

  
  Read More

Related rules

• PUA - Mouse Lock Execution
• Automated Collection Command Prompt
• GUI Input Capture - macOS
• 7Zip Compressing Dump Files
• Active Directory Replication from Non Machine Account