detection.wiki

Detection rules › Sigma

CredUI.DLL Loaded By Uncommon Process

Severity
medium
Author
Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
Source
upstream

Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".

MITRE ATT&CK coverage

TacticTechniques
Credential AccessT1056.002 Input Capture: GUI Input Capture
CollectionT1056.002 Input Capture: GUI Input Capture

Event coverage

ProviderEvent IDTitle
Sysmon7Image loaded

Stages and Predicates

Stage 1: selection

or:
ImageLoaded|endswith: '\credui.dll'
ImageLoaded|endswith: '\wincredui.dll'
OriginalFileName: credui.dll
OriginalFileName: wincredui.dll

Stage 2: not 1 of filter_main_*

or:
Image: 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
Image: 'C:\Windows\explorer.exe'
Image: 'C:\Windows\regedit.exe'
Image|startswith: 'C:\Program Files (x86)\'
Image|startswith: 'C:\Program Files\'
Image|startswith: 'C:\Windows\SysWOW64\'
Image|startswith: 'C:\Windows\System32\'
Image|startswith: 'C:\Windows\SystemApps\'

Stage 3: not 1 of filter_optional_*

or:
Image|endswith: '\Teams.exe'
Image|contains: '\AppData\Local\Microsoft\Teams\'
Image|startswith: 'C:\Users\'
Image|contains: '\AppData\Local\Microsoft\OneDrive\'
Image|startswith: 'C:\Users\'
Image|endswith: '\opera_autoupdate.exe'
Image|endswith: '\procexp.exe'
Image|endswith: '\procexp64.exe'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Imageends_with
  • \Teams.exe corpus 4 (sigma 4)
  • \opera_autoupdate.exe
  • \procexp.exe corpus 6 (sigma 6)
  • \procexp64.exe corpus 6 (sigma 6)
Imageeq
  • C:\Windows\ImmersiveControlPanel\SystemSettings.exe corpus 4 (sigma 4)
  • C:\Windows\explorer.exe corpus 9 (sigma 9)
  • C:\Windows\regedit.exe
Imagematch
  • \AppData\Local\Microsoft\OneDrive\ corpus 4 (sigma 4)
  • \AppData\Local\Microsoft\Teams\
Imagestarts_with
  • C:\Program Files (x86)\ corpus 14 (sigma 14)
  • C:\Program Files\ corpus 15 (sigma 15)
  • C:\Users\ corpus 7 (sigma 7)
  • C:\Windows\SysWOW64\ corpus 16 (sigma 16)
  • C:\Windows\System32\ corpus 16 (sigma 16)
  • C:\Windows\SystemApps\ corpus 2 (sigma 2)
ImageLoadedends_with
  • \credui.dll corpus 2 (sigma 2)
  • \wincredui.dll
OriginalFileNameeq
  • credui.dll
  • wincredui.dll