Windows Input Capture Using Credential UI Dll

Original Source: [splunk source]
Name:Windows Input Capture Using Credential UI Dll
id:406c21d6-6c75-4e9f-9ca9-48049a1dd90e
version:3
date:2024-10-17
author:Teoderick Contreras, Splunk
status:production
type:Hunting
Description:The following analytic detects a process loading the credui.dll or wincredui.dll module. This detection leverages Sysmon EventCode 7 to identify instances where these DLLs are loaded by processes outside typical system directories. This activity is significant because adversaries often abuse these modules to create fake credential prompts or dump credentials, posing a risk of credential theft. If confirmed malicious, this activity could allow attackers to harvest user credentials, leading to unauthorized access and potential lateral movement within the network.
Data_source:
  • -Sysmon EventID 7
search:`sysmon` EventCode=7 (ImageLoaded = "*\\credui.dll" AND OriginalFileName = "credui.dll") OR (ImageLoaded = "*\\wincredui.dll" AND OriginalFileName = "wincredui.dll") AND NOT(Image IN("*\\windows\\explorer.exe", "*\\windows\\system32\\*", "*\\windows\\sysWow64\\*", "*:\\program files*"))
| stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded OriginalFileName dest EventCode Signed ProcessId ProcessGuid
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_input_capture_using_credential_ui_dll_filter`

how_to_implement:The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products.
known_false_positives:this module can be loaded by a third party application. Filter is needed.
References:
  -https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa
   -https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password
 drilldown_searches:
  :
tags:
  analytic_story:
    - 'Brute Ratel C4'
  asset_type:Endpoint
  confidence:30
  impact:30
  message:a process $Image$ loaded $ImageLoaded$ in $dest$
  mitre_attack_id:
    - 'T1056.002'
    - 'T1056'
  observable:
    name:'dest'
    type:'Endpoint'
    - role:
      - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - '_time'
    - 'Image'
    - 'ImageLoaded'
    - 'process_name'
    - 'dest'
    - 'EventCode'
    - 'Signed'
    - 'ProcessId'
  risk_score:9
  security_domain:endpoint

tests:
name:'True Positive Test'
 attack_data:
  data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/iso_version_dll_campaign/sysmon.log
  source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
  sourcetype: XmlWinEventLog
  update_timestamp: True
manual_test:None

Related Analytic Stories


Brute Ratel C4

© 2024 DetectionCode Website. All Rights Reserved.