Windows Input Capture Using Credential UI Dll

Try in Splunk Security Cloud

Description

The following analytic identifies a process that loads the credui.dll module. This legitimate module is typically abused by adversaries, threat actors and red teamers to create a credential UI prompt dialog box to lure users for possible credential theft or can be used to dump the credentials of a targeted host. This hunting query is a good pivot to check why the process loaded this dll and if it is a legitimate file. This hunting query may hit false positive for a third party application that uses a credential login UI for user login.

• Type: Hunting

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud

• Last Updated: 2022-08-24
• Author: Teoderick Contreras, Splunk
• ID: 406c21d6-6c75-4e9f-9ca9-48049a1dd90e

Annotations

ATT&CK

ATT&CK

ID	Technique	Tactic
T1056.002	GUI Input Capture	Collection, Credential Access

T1056

Input Capture

Collection, Credential Access

Kill Chain Phase

• Exploitation

NIST

• DE.AE

CIS20

• CIS 10

CVE

Search

`sysmon` EventCode=7  (ImageLoaded = "*\\credui.dll" AND OriginalFileName = "credui.dll") OR (ImageLoaded = "*\\wincredui.dll" AND OriginalFileName = "wincredui.dll") AND NOT(Image IN("*\\windows\\explorer.exe", "*\\windows\\system32\\*", "*\\windows\\sysWow64\\*", "*:\\program files*")) 
| stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded OriginalFileName dest EventCode Signed ProcessId ProcessGuid 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_input_capture_using_credential_ui_dll_filter`

Macros

The SPL above uses the following Macros:

• security_content_ctime
• sysmon

windows_input_capture_using_credential_ui_dll_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

• _time
• Image
• ImageLoaded
• process_name
• dest
• EventCode
• Signed
• ProcessId

How To Implement

The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products.

Known False Positives

this module can be loaded by a third party application. Filter is needed.

Associated Analytic Story

• Brute Ratel C4

RBA

Risk Score	Impact	Confidence	Message
9.0	30	30	a process $Image$ loaded $ImageLoaded$ in $dest$

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

• https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa
• https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2—powershell—prompt-user-for-password

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1