LoFP / this module can be loaded by a third party application. Filter is needed.


Sample rules

Windows Gather Victim Identity SAM Info

The following analytic identifies a process that loads the samlib.dll module. This module is abused by adversaries, threat actors and red teamers to read information about SAM objects or to access credential information on a domain controller. This hunting query can be a good indicator that a process is capable of accessing the SAM object.

Detection logic

`sysmon` EventCode=7 ((ImageLoaded = "*\\samlib.dll" AND OriginalFileName = "samlib.dll") OR (ImageLoaded = "*\\samcli.dll" AND OriginalFileName = "SAMCLI.DLL")) AND NOT (Image IN("C:\\Windows\\*", "C:\\Program File*", "%systemroot%\\*")) 
| stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name dest EventCode Signed ProcessId 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_gather_victim_identity_sam_info_filter`

Windows Input Capture Using Credential UI Dll

The following analytic identifies a process that loads the credui.dll module. This legitimate module is typically abused by adversaries, threat actors and red teamers to create a credential UI prompt dialog box that lures users into entering credentials for possible theft, or to dump the credentials of a targeted host. This hunting query is a good pivot for checking why the process loaded this DLL and whether the process is a legitimate file. It may produce false positives for third-party applications that use a credential login UI for user login.

Detection logic

`sysmon` EventCode=7 ((ImageLoaded = "*\\credui.dll" AND OriginalFileName = "credui.dll") OR (ImageLoaded = "*\\wincredui.dll" AND OriginalFileName = "wincredui.dll")) AND NOT (Image IN("*\\windows\\explorer.exe", "*\\windows\\system32\\*", "*\\windows\\sysWow64\\*", "*:\\program files*")) 
| stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded OriginalFileName dest EventCode Signed ProcessId ProcessGuid 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_input_capture_using_credential_ui_dll_filter`

Windows Remote Access Software BRC4 Loaded Dll

The following anomaly detection identifies 4 native Windows DLLs being loaded by a non-standard process. MDSec identified this as a high-signal analytic during their research into Brute Ratel by calling out these 4 DLLs being loaded into a single process. LogonCLI.dll is the Net Logon Client DLL and is used by users and other domain services to get authenticated. Credui.dll is the Credential Manager User Interface; credential managers receive notifications when authentication information changes, for example when a user logs on or an account password changes. Samcli.dll is the Security Accounts Manager Client DLL; adversaries may attempt to extract credential material from the Security Account Manager (SAM) database, either through in-memory techniques or through the Windows Registry where the SAM database is stored. Dbghelp.dll is the Windows Image Helper, which is commonly seen in credential dumping because of its native functions. All of these modules are important to monitor and track, and loaded in combination they may indicate credential access or dumping.

Detection logic

`sysmon` EventCode=7 
| bin _time span=30s 
| eval BRC4_AnomalyLoadedDll=case(OriginalFileName=="credui.dll", 1, OriginalFileName=="DBGHELP.DLL", 1, OriginalFileName=="SAMCLI.DLL", 1, OriginalFileName=="winhttp.dll", 1, 1=1, 0) 
| eval BRC4_LoadedDllPath=case(match(ImageLoaded, "credui.dll"), 1, match(ImageLoaded, "dbghelp.dll"), 1, match(ImageLoaded, "samcli.dll"), 1, match(ImageLoaded, "winhttp.dll"), 1, 1=1, 0) 
| stats count min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) as ImageLoaded values(OriginalFileName) as OriginalFileName dc(ImageLoaded) as ImageLoadedCount by Image  BRC4_LoadedDllPath BRC4_AnomalyLoadedDll dest EventCode Signed 
| where  ImageLoadedCount == 4 AND (BRC4_LoadedDllPath == 1 OR BRC4_AnomalyLoadedDll == 1) 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_remote_access_software_brc4_loaded_dll_filter`
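The BRC4 loaded-DLL logic above, re-implemented in Python over constructed Sysmon EventCode 7 records as an added example (not part of this LoFP entry or of the Splunk security content project). It mirrors the two case() flags and the ImageLoadedCount == 4 test, and makes two assumptions worth stating: the 30 s time bucket is part of the grouping key (the SPL bins _time but does not group on it, so the span there only affects firstTime/lastTime), and a path allowlist in the style of the NOT Image IN(...) clause of the first two rules stands in for the third-party filter this entry says is needed; all paths, timestamps and image names are constructed.

```python
from collections import defaultdict
from datetime import datetime
from ntpath import basename

# Constructed Sysmon EventCode 7 (image load) records with the fields the SPL uses.
def _ev(t, image, dll, orig):
    return {"_time": t, "Image": image, "ImageLoaded": "C:\\Windows\\System32\\" + dll, "OriginalFileName": orig}

TEMP_EXE = "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"      # loads all 4 DLLs in 30 s
VENDOR_EXE = "C:\\Program Files\\VendorApp\\vendor.exe"             # also loads all 4, but from a vendor path
SAMPLE_EVENTS = [
    _ev("2024-01-01T10:00:01", TEMP_EXE, "credui.dll", "credui.dll"),
    _ev("2024-01-01T10:00:03", TEMP_EXE, "dbghelp.dll", "DBGHELP.DLL"),
    _ev("2024-01-01T10:00:09", TEMP_EXE, "samcli.dll", "SAMCLI.DLL"),
    _ev("2024-01-01T10:00:20", TEMP_EXE, "winhttp.dll", "winhttp.dll"),
    _ev("2024-01-01T10:00:21", TEMP_EXE, "kernel32.dll", "kernel32.dll"),   # unrelated load
    _ev("2024-01-01T10:00:05", "C:\\Users\\bob\\Downloads\\tool.exe", "winhttp.dll", "winhttp.dll"),
    _ev("2024-01-01T10:00:06", "C:\\Users\\bob\\Downloads\\tool.exe", "credui.dll", "credui.dll"),
    _ev("2024-01-01T10:00:11", VENDOR_EXE, "credui.dll", "credui.dll"),
    _ev("2024-01-01T10:00:12", VENDOR_EXE, "dbghelp.dll", "DBGHELP.DLL"),
    _ev("2024-01-01T10:00:13", VENDOR_EXE, "samcli.dll", "SAMCLI.DLL"),
    _ev("2024-01-01T10:00:14", VENDOR_EXE, "winhttp.dll", "winhttp.dll"),
]

BRC4_DLL_NAMES = {"credui.dll", "dbghelp.dll", "samcli.dll", "winhttp.dll"}      # match(ImageLoaded, ...)
BRC4_ORIGINAL_NAMES = {"credui.dll", "DBGHELP.DLL", "SAMCLI.DLL", "winhttp.dll"}  # OriginalFileName == ...
# Assumed allowlist, modelled on the NOT Image IN(...) clause of the first two rules.
EXCLUDED_IMAGE_PREFIXES = ("c:\\windows\\", "c:\\program files")

def brc4_dll_flags(event):
    """Mirror the two eval/case() lines: (BRC4_LoadedDllPath, BRC4_AnomalyLoadedDll) as 1/0 flags."""
    path_hit = 1 if basename(event["ImageLoaded"]).lower() in BRC4_DLL_NAMES else 0
    name_hit = 1 if event["OriginalFileName"] in BRC4_ORIGINAL_NAMES else 0
    return path_hit, name_hit

def brc4_loaded_dll_hunt(events, span_seconds=30, excluded_prefixes=EXCLUDED_IMAGE_PREFIXES):
    """Group loads by time bucket, Image and both flags; report groups with 4 distinct DLLs."""
    groups = defaultdict(set)
    for ev in events:
        if ev["Image"].lower().startswith(excluded_prefixes):
            continue  # the filter stage: drop images from OS or vendor install paths
        bucket = int(datetime.fromisoformat(ev["_time"]).timestamp() // span_seconds) * span_seconds
        groups[(bucket, ev["Image"]) + brc4_dll_flags(ev)].add(basename(ev["ImageLoaded"]).lower())
    hits = []
    for (bucket, image, path_hit, name_hit), dlls in groups.items():
        if len(dlls) == 4 and (path_hit == 1 or name_hit == 1):  # the `where` clause
            hits.append({"Image": image, "ImageLoadedCount": len(dlls), "ImageLoaded": sorted(dlls)})
    return hits
```

Passing excluded_prefixes=() shows why the filter matters: the vendor binary then fires as well, which is exactly the false positive this LoFP entry describes.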