Techniques
Sample rules
CredUI.DLL Loaded By Uncommon Process
- source: sigma
- techniques:
- t1056
- t1056.002
Description
Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might load this DLL to call "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".
Detection logic
selection:
  - ImageLoaded|endswith:
      - \credui.dll
      - \wincredui.dll
  - OriginalFileName:
      - credui.dll
      - wincredui.dll
filter_main_full:
  Image:
    - C:\Windows\explorer.exe
    - C:\Windows\ImmersiveControlPanel\SystemSettings.exe
    - C:\Windows\regedit.exe
filter_main_generic:
  Image|startswith:
    - C:\Program Files (x86)\
    - C:\Program Files\
    - C:\Windows\System32\
    - C:\Windows\SysWOW64\
filter_optional_onedrive:
  Image|contains: \AppData\Local\Microsoft\OneDrive\
  Image|startswith: C:\Users\
filter_optional_opera:
  Image|endswith: \opera_autoupdate.exe
filter_optional_process_explorer:
  Image|endswith:
    - \procexp64.exe
    - \procexp.exe
filter_optional_teams:
  Image|contains: \AppData\Local\Microsoft\Teams\
  Image|endswith: \Teams.exe
  Image|startswith: C:\Users\
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
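To see how the condition above evaluates, here is an added Python example (not part of the Sigma rule or this page) that applies the selection and filter blocks to constructed Sysmon image-load events; the sample process paths and event field values are assumptions.

```python
# Added example, not part of the Sigma rule or the page: a minimal evaluator that
# applies the rule's selection and filters to constructed Sysmon Event ID 7 (image
# load) records. Sigma string modifiers are case-insensitive, so both sides are lower-cased.
SELECTION = [  # list items are OR-ed; keys within one mapping are AND-ed
    {"ImageLoaded|endswith": ["\\credui.dll", "\\wincredui.dll"]},
    {"OriginalFileName": ["credui.dll", "wincredui.dll"]},
]
FILTERS = {  # filter_main_* and filter_optional_* from the rule
    "main_full": {"Image": ["C:\\Windows\\explorer.exe",
                            "C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe",
                            "C:\\Windows\\regedit.exe"]},
    "main_generic": {"Image|startswith": ["C:\\Program Files (x86)\\", "C:\\Program Files\\",
                                          "C:\\Windows\\System32\\", "C:\\Windows\\SysWOW64\\"]},
    "optional_onedrive": {"Image|contains": "\\AppData\\Local\\Microsoft\\OneDrive\\",
                          "Image|startswith": "C:\\Users\\"},
    "optional_opera": {"Image|endswith": "\\opera_autoupdate.exe"},
    "optional_process_explorer": {"Image|endswith": ["\\procexp64.exe", "\\procexp.exe"]},
    "optional_teams": {"Image|contains": "\\AppData\\Local\\Microsoft\\Teams\\",
                       "Image|endswith": "\\Teams.exe", "Image|startswith": "C:\\Users\\"},
}

def field_matches(event, key, wanted):
    """One 'Field|modifier' pair; a list of values is OR-ed, no modifier means equals."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    ops = {"endswith": actual.endswith, "startswith": actual.startswith,
           "contains": actual.__contains__, "": actual.__eq__}
    return any(ops[modifier](v.lower()) for v in (wanted if isinstance(wanted, list) else [wanted]))

def block_matches(event, block):
    """A mapping block matches only when every key in it matches (AND)."""
    return all(field_matches(event, k, v) for k, v in block.items())

def rule_matches(event):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    selected = any(block_matches(event, item) for item in SELECTION)
    filtered = any(block_matches(event, f) for f in FILTERS.values())
    return selected and not filtered

# Constructed sample events; field names follow the Sysmon image_load log source.
EVENTS = [
    {"Image": "C:\\Windows\\explorer.exe", "ImageLoaded": "C:\\Windows\\System32\\credui.dll"},
    {"Image": "C:\\Users\\alice\\Downloads\\update.exe", "ImageLoaded": "C:\\Windows\\System32\\credui.dll"},
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
     "ImageLoaded": "C:\\Windows\\System32\\wincredui.dll"},
    # a renamed copy on disk is still caught by the OriginalFileName branch of the selection
    {"Image": "C:\\Temp\\tool.exe", "ImageLoaded": "C:\\Temp\\renamed.dll", "OriginalFileName": "credui.dll"},
]
def alerts(events=EVENTS):
    """Return the Image of every event that triggers the rule."""
    return [e["Image"] for e in events if rule_matches(e)]
```

The explorer.exe and Teams.exe events are suppressed by filter_main_full and filter_optional_teams respectively, while the two remaining loads from user-writable paths alert.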