Techniques
Sample rules
Windows InstallUtil Credential Theft
- source: splunk
- technicques:
- T1218.004
Description
The following analytic detects instances where the Windows InstallUtil.exe binary loads vaultcli.dll and Samlib.dll. This detection leverages Sysmon EventCode 7 to identify these specific DLL loads. This activity is significant because it can indicate an attempt to execute code that bypasses application control and captures credentials using tools like Mimikatz. If confirmed malicious, this behavior could allow an attacker to steal credentials, potentially leading to unauthorized access and further compromise of the system.
Detection logic
`sysmon` EventCode=7 process_name=installutil.exe loaded_file_path IN ("*\\samlib.dll", "*\\vaultcli.dll")
| stats count min(_time) as firstTime max(_time) as lastTime by user_id, dest, process_name, loaded_file, loaded_file_path, original_file_name, process_guid
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_installutil_credential_theft_filter`