Try in Splunk Security Cloud


The following analytic identifies a process that loads the credui.dll module. This legitimate module is typically abused by adversaries, threat actors and red teamers to create a credential UI prompt dialog box to lure users for possible credential theft or can be used to dump the credentials of a targeted host. This hunting query is a good pivot to check why the process loaded this dll and if it is a legitimate file. This hunting query may hit false positive for a third party application that uses a credential login UI for user login.

  • Type: Hunting
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud

  • Last Updated: 2022-08-24
  • Author: Teoderick Contreras, Splunk
  • ID: 406c21d6-6c75-4e9f-9ca9-48049a1dd90e




ID Technique Tactic
T1056.002 GUI Input Capture Collection, Credential Access
T1056 Input Capture Collection, Credential Access
Kill Chain Phase
  • Exploitation
  • DE.AE
  • CIS 10
`sysmon` EventCode=7  (ImageLoaded = "*\\credui.dll" AND OriginalFileName = "credui.dll") OR (ImageLoaded = "*\\wincredui.dll" AND OriginalFileName = "wincredui.dll") AND NOT(Image IN("*\\windows\\explorer.exe", "*\\windows\\system32\\*", "*\\windows\\sysWow64\\*", "*:\\program files*")) 
| stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded OriginalFileName dest EventCode Signed ProcessId ProcessGuid 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_input_capture_using_credential_ui_dll_filter`


The SPL above uses the following Macros:

:information_source: windows_input_capture_using_credential_ui_dll_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

  • _time
  • Image
  • ImageLoaded
  • process_name
  • dest
  • EventCode
  • Signed
  • ProcessId

How To Implement

The latest Sysmon TA 3.0 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products.

Known False Positives

this module can be loaded by a third party application. Filter is needed.

Associated Analytic Story


Risk Score Impact Confidence Message
9.0 30 30 a process $Image$ loaded $ImageLoaded$ in $dest$

:information_source: The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.


Test Dataset

Replay any dataset to Splunk Enterprise by using our tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1