Windows Input Capture Using Credential UI Dll
Description
The following analytic identifies a process that loads the credui.dll module (or its wincredui.dll counterpart). These legitimate Windows modules implement the standard credential prompt (for example CredUIPromptForCredentials) and are commonly abused by adversaries and red teamers to display a convincing credential dialog that lures the user into typing a password, which the calling process then receives in cleartext. This hunting query is a good pivot to determine why the process loaded the DLL and whether the loading binary is legitimate. It may produce false positives for third-party applications that present their own credential login UI.
- Type: Hunting
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2022-08-24
- Author: Teoderick Contreras, Splunk
- ID: 406c21d6-6c75-4e9f-9ca9-48049a1dd90e
Annotations
ATT&CK
Kill Chain Phase
- Exploitation
NIST
- DE.AE
CIS20
- CIS 10
CVE
Search
```spl
`sysmon` EventCode=7 ((ImageLoaded = "*\\credui.dll" AND OriginalFileName = "credui.dll") OR (ImageLoaded = "*\\wincredui.dll" AND OriginalFileName = "wincredui.dll")) AND NOT(Image IN("*\\windows\\explorer.exe", "*\\windows\\system32\\*", "*\\windows\\sysWow64\\*", "*:\\program files*"))
| stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded OriginalFileName Computer EventCode Signed ProcessId ProcessGuid
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_input_capture_using_credential_ui_dll_filter`
```
In SPL, AND binds tighter than OR, so the two ImageLoaded alternatives are grouped in parentheses; without them the NOT(Image IN(...)) exclusion only applies to the wincredui.dll branch and every credui.dll load from explorer.exe or System32 would surface.
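To see what the search keeps and drops, the following added example (not Splunk's code) re-implements the predicate and the `stats ... by` grouping in Python over constructed Sysmon Event ID 7 records. The events, host name, paths and GUIDs are made up. The `precedence_bug` flag reproduces the reading SPL gives the predicate when the two ImageLoaded alternatives are not parenthesized (AND binds tighter than OR), and the powershell.exe record shows a caveat worth knowing: a prompt raised from powershell.exe is filtered out because that binary lives under System32.

```python
"""Added example, not from Splunk security content: apply the hunt's predicate
and grouping to constructed Sysmon Event ID 7 (image load) records."""
from fnmatch import fnmatch


def _ev(t, image, loaded, orig, signed, pid, guid, computer="WS01"):
    """Build one constructed Sysmon image-load record (fields as named by the Sysmon TA)."""
    return {"_time": t, "EventCode": 7, "Computer": computer, "Image": image,
            "ImageLoaded": loaded, "OriginalFileName": orig, "Signed": signed,
            "ProcessId": pid, "ProcessGuid": guid}


SYS32 = r"C:\Windows\System32"

# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    # Windows shell loading credui.dll: excluded by the explorer.exe filter.
    _ev(1661328000, r"C:\Windows\explorer.exe", SYS32 + r"\credui.dll",
        "credui.dll", "true", 1204, "{g-explorer}"),
    # powershell.exe sits under System32, so a prompt raised from it is filtered out.
    _ev(1661328050, SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
        SYS32 + r"\wincredui.dll", "wincredui.dll", "true", 5120, "{g-ps}"),
    # Unsigned binary in a user temp directory loading credui.dll twice: the hunt hit.
    _ev(1661328100, r"C:\Users\bob\AppData\Local\Temp\update.exe",
        SYS32 + r"\credui.dll", "credui.dll", "false", 7788, "{g-update}"),
    _ev(1661331700, r"C:\Users\bob\AppData\Local\Temp\update.exe",
        SYS32 + r"\credui.dll", "credui.dll", "false", 7788, "{g-update}"),
    # Third-party application under Program Files with its own login dialog: filtered out.
    _ev(1661328200, r"C:\Program Files\Vendor\App.exe", SYS32 + r"\credui.dll",
        "credui.dll", "true", 9001, "{g-app}"),
    # Unrelated DLL load from a user directory: not a credential UI load at all.
    _ev(1661328300, r"C:\Users\bob\Downloads\tool.exe", SYS32 + r"\comctl32.dll",
        "comctl32.dll", "false", 9100, "{g-tool}"),
]

# The NOT(Image IN(...)) list from the search.
EXCLUDED_IMAGE_GLOBS = (
    r"*\windows\explorer.exe", r"*\windows\system32\*",
    r"*\windows\syswow64\*", r"*:\program files*",
)

# Field order of the `stats ... by` clause; used as the group key.
GROUP_BY = ("Image", "ImageLoaded", "OriginalFileName", "Computer",
            "EventCode", "Signed", "ProcessId", "ProcessGuid")


def _like(value, glob):
    """Splunk-style wildcard match; Splunk field-value matching is case-insensitive."""
    return fnmatch(value.lower(), glob.lower())


def credential_ui_branches(ev):
    """Return (credui_branch, wincredui_branch): each pairs the ImageLoaded
    wildcard with the matching OriginalFileName, as in the search."""
    credui = (_like(ev["ImageLoaded"], r"*\credui.dll")
              and ev["OriginalFileName"].lower() == "credui.dll")
    wincredui = (_like(ev["ImageLoaded"], r"*\wincredui.dll")
                 and ev["OriginalFileName"].lower() == "wincredui.dll")
    return credui, wincredui


def is_excluded_image(ev):
    return any(_like(ev["Image"], g) for g in EXCLUDED_IMAGE_GLOBS)


def matches(ev, precedence_bug=False):
    """The search predicate for one event."""
    if ev["EventCode"] != 7:
        return False
    credui, wincredui = credential_ui_branches(ev)
    excluded = is_excluded_image(ev)
    if precedence_bug:
        # Unparenthesized SPL reads as: credui OR (wincredui AND NOT excluded),
        # so the exclusion list never touches the credui.dll branch.
        return credui or (wincredui and not excluded)
    return (credui or wincredui) and not excluded


def hunt(events, precedence_bug=False):
    """stats count min(_time) as firstTime max(_time) as lastTime by GROUP_BY."""
    groups = {}
    for ev in events:
        if not matches(ev, precedence_bug):
            continue
        key = tuple(ev[f] for f in GROUP_BY)
        g = groups.setdefault(key, {"count": 0, "firstTime": ev["_time"],
                                    "lastTime": ev["_time"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])
    return groups


if __name__ == "__main__":
    for key, agg in hunt(SAMPLE_EVENTS).items():
        print(dict(zip(GROUP_BY, key)), agg)
```

Run as a script it prints the single surviving group (the unsigned update.exe in the user's temp directory, count 2) with the first and last load times. Calling `hunt(SAMPLE_EVENTS, precedence_bug=True)` instead returns three groups, including explorer.exe and the Program Files application, which is the noise the parenthesized predicate avoids.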
Macros
The SPL above uses the following Macros:
- `sysmon`: resolves to the index and sourcetype where Sysmon events are stored in your environment.
- `security_content_ctime(field)`: converts the epoch value in firstTime/lastTime to a readable timestamp.
- `windows_input_capture_using_credential_ui_dll_filter`: an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- _time
- Image
- ImageLoaded
- OriginalFileName
- process_name
- Computer
- EventCode
- Signed
- ProcessId
- ProcessGuid
How To Implement
Ingest Sysmon event logs with the Sysmon TA 3.0 or later (https://splunkbase.splunk.com/app/5709), which extracts the Image, ImageLoaded, OriginalFileName and Signed fields this query keys on. Sysmon does not record image loads (Event ID 7) in its default configuration, so the ImageLoad event must be enabled in your Sysmon config; because image-load events are high volume, scope that rule to loads of credui.dll and wincredui.dll rather than logging every DLL. Use this search as a template when implementing the same logic for other endpoint products.
Known False Positives
These modules can be loaded by any third-party application that presents a Windows credential dialog. Tune the filter macro to exclude known, signed applications that legitimately do so, and treat unsigned binaries loading the DLL from user-writable paths (such as temp or download directories) as the interesting hits.
Associated Analytic Story
RBA
Risk Score | Impact | Confidence | Message |
---|---|---|---|
9.0 | 30 | 30 | a process $Image$ loaded $ImageLoaded$ in $Computer$ |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
Reference
- https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2—powershell—prompt-user-for-password
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 1