← Back to Explore
sigmamediumHunting
CredUI.DLL Loaded By Uncommon Process
Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".
Detection Query
selection:
- ImageLoaded|endswith:
- \credui.dll
- \wincredui.dll
- OriginalFileName:
- credui.dll
- wincredui.dll
filter_main_generic:
Image|startswith:
- C:\Program Files (x86)\
- C:\Program Files\
- C:\Windows\System32\
- C:\Windows\SysWOW64\
- C:\Windows\SystemApps\
filter_main_full:
Image:
- C:\Windows\explorer.exe
- C:\Windows\ImmersiveControlPanel\SystemSettings.exe
- C:\Windows\regedit.exe
filter_optional_opera:
Image|endswith: \opera_autoupdate.exe
filter_optional_process_explorer:
Image|endswith:
- \procexp64.exe
- \procexp.exe
filter_optional_teams:
Image|startswith: C:\Users\
Image|contains: \AppData\Local\Microsoft\Teams\
Image|endswith: \Teams.exe
filter_optional_onedrive:
Image|startswith: C:\Users\
Image|contains: \AppData\Local\Microsoft\OneDrive\
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
Author
Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
Created
2020-10-20
Data Sources
windowsImage Load Events
Platforms
windows
References
- https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password
- https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa
- https://github.com/S12cybersecurity/RDPCredentialStealer
Tags
attack.credential-accessattack.collectionattack.t1056.002
Raw Content
title: CredUI.DLL Loaded By Uncommon Process
id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784
status: test
description: Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".
references:
- https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password
- https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa
- https://github.com/S12cybersecurity/RDPCredentialStealer
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-20
modified: 2025-12-09
tags:
- attack.credential-access
- attack.collection
- attack.t1056.002
logsource:
category: image_load
product: windows
detection:
selection:
- ImageLoaded|endswith:
- '\credui.dll'
- '\wincredui.dll'
- OriginalFileName:
- 'credui.dll'
- 'wincredui.dll'
filter_main_generic:
Image|startswith:
- 'C:\Program Files (x86)\'
- 'C:\Program Files\'
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\SystemApps\'
filter_main_full:
Image:
- 'C:\Windows\explorer.exe'
- 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
- 'C:\Windows\regedit.exe' # This FP is triggered for example when choosing the "Connect Network Registry" from the menu
filter_optional_opera:
Image|endswith: '\opera_autoupdate.exe'
filter_optional_process_explorer:
Image|endswith:
- '\procexp64.exe'
- '\procexp.exe'
filter_optional_teams:
Image|startswith: 'C:\Users\'
Image|contains: '\AppData\Local\Microsoft\Teams\'
Image|endswith: '\Teams.exe'
filter_optional_onedrive:
Image|startswith: 'C:\Users\'
Image|contains: '\AppData\Local\Microsoft\OneDrive\'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Other legitimate processes loading those DLLs in your environment.
level: medium