Detectionmediumtest

CredUI.DLL Loaded By Uncommon Process

Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)Created Tue Oct 20Updated Tue Dec 099ae01559-cf7e-4f8e-8e14-4c290a1b4784windows

Log Source

WindowsImage Load (DLL)

ProductWindows← raw: windows

CategoryImage Load (DLL)← raw: image_load

Detection Logic

detection:
    selection:
        - ImageLoaded|endswith:
              - '\credui.dll'
              - '\wincredui.dll'
        - OriginalFileName:
              - 'credui.dll'
              - 'wincredui.dll'
    filter_main_generic:
        Image|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\SystemApps\'
    filter_main_full:
        Image:
            - 'C:\Windows\explorer.exe'
            - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
            - 'C:\Windows\regedit.exe' # This FP is triggered for example when choosing the "Connect Network Registry" from the menu
    filter_optional_opera:
        Image|endswith: '\opera_autoupdate.exe'
    filter_optional_process_explorer:
        Image|endswith:
            - '\procexp64.exe'
            - '\procexp.exe'
    filter_optional_teams:
        Image|startswith: 'C:\Users\'
        Image|contains: '\AppData\Local\Microsoft\Teams\'
        Image|endswith: '\Teams.exe'
    filter_optional_onedrive:
        Image|startswith: 'C:\Users\'
        Image|contains: '\AppData\Local\Microsoft\OneDrive\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*