Windows Input Capture Using Credential UI Dll

Try in Splunk Security Cloud

Description

The following analytic detects a process loading the credui.dll or wincredui.dll module. This detection leverages Sysmon EventCode 7 to identify instances where these DLLs are loaded by processes outside typical system directories. This activity is significant because adversaries often abuse these modules to create fake credential prompts or dump credentials, posing a risk of credential theft. If confirmed malicious, this activity could allow attackers to harvest user credentials, leading to unauthorized access and potential lateral movement within the network.

• Type: Hunting

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud

• Last Updated: 2024-05-11
• Author: Teoderick Contreras, Splunk
• ID: 406c21d6-6c75-4e9f-9ca9-48049a1dd90e

Annotations

ATT&CK

ATT&CK

ID	Technique	Tactic
T1056.002	GUI Input Capture	Collection, Credential Access

T1056

Input Capture

Collection, Credential Access

Kill Chain Phase

• Exploitation

NIST

• DE.AE

CIS20

• CIS 10

CVE

Search

`sysmon` EventCode=7  (ImageLoaded = "*\\credui.dll" AND OriginalFileName = "credui.dll") OR (ImageLoaded = "*\\wincredui.dll" AND OriginalFileName = "wincredui.dll") AND NOT(Image IN("*\\windows\\explorer.exe", "*\\windows\\system32\\*", "*\\windows\\sysWow64\\*", "*:\\program files*")) 
| stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded OriginalFileName dest EventCode Signed ProcessId ProcessGuid 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_input_capture_using_credential_ui_dll_filter`

Macros

The SPL above uses the following Macros:

• security_content_ctime
• sysmon

windows_input_capture_using_credential_ui_dll_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

• _time
• Image
• ImageLoaded
• process_name
• dest
• EventCode
• Signed
• ProcessId

How To Implement

The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products.

Known False Positives

this module can be loaded by a third party application. Filter is needed.

Associated Analytic Story

• Brute Ratel C4

RBA

Risk Score	Impact	Confidence	Message
9.0	30	30	a process $Image$ loaded $ImageLoaded$ in $dest$

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

• https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa
• https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2—powershell—prompt-user-for-password

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 2