CredUI.DLL Loaded By Uncommon Process

Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".

Sigma rule (View on GitHub)

 1title: CredUI.DLL Loaded By Uncommon Process
 2id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784
 3status: test
 4description: Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".
 5references:
 6    - https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html
 7    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password
 8    - https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa
 9    - https://github.com/S12cybersecurity/RDPCredentialStealer
10author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
11date: 2020/10/20
12modified: 2023/07/28
13tags:
14    - attack.credential_access
15    - attack.collection
16    - attack.t1056.002
17logsource:
18    category: image_load
19    product: windows
20detection:
21    selection:
22        - ImageLoaded|endswith:
23              - '\credui.dll'
24              - '\wincredui.dll'
25        - OriginalFileName:
26              - 'credui.dll'
27              - 'wincredui.dll'
28    filter_main_generic:
29        Image|startswith:
30            - 'C:\Program Files (x86)\'
31            - 'C:\Program Files\'
32            - 'C:\Windows\System32\'
33            - 'C:\Windows\SysWOW64\'
34    filter_main_full:
35        Image:
36            - 'C:\Windows\explorer.exe'
37            - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
38            - 'C:\Windows\regedit.exe' # This FP is triggered for example when choosing the "Connect Network Registry" from the menu
39    filter_optional_opera:
40        Image|endswith: '\opera_autoupdate.exe'
41    filter_optional_process_explorer:
42        Image|endswith:
43            - '\procexp64.exe'
44            - '\procexp.exe'
45    filter_optional_teams:
46        Image|startswith: 'C:\Users\'
47        Image|contains: '\AppData\Local\Microsoft\Teams\'
48        Image|endswith: '\Teams.exe'
49    filter_optional_onedrive:
50        Image|startswith: 'C:\Users\'
51        Image|contains: '\AppData\Local\Microsoft\OneDrive\'
52    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
53falsepositives:
54    - Other legitimate processes loading those DLLs in your environment.
55level: medium

References

Related rules

to-top