The hypothesis is that an adversary is leveraging the CredUI.DLL to perform credential stealing or UI-based credential capture through an uncommon process, indicating potential lateral movement or privilege escalation. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage credential theft tactics that could lead to deeper network compromise.
Detection Rule
title: CredUI.DLL Loaded By Uncommon Process
id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784
status: test
description: Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".
references:
- https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password
- https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa
- https://github.com/S12cybersecurity/RDPCredentialStealer
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-20
modified: 2025-12-09
tags:
- attack.credential-access
- attack.collection
- attack.t1056.002
logsource:
category: image_load
product: windows
detection:
selection:
- ImageLoaded|endswith:
- '\credui.dll'
- '\wincredui.dll'
- OriginalFileName:
- 'credui.dll'
- 'wincredui.dll'
filter_main_generic:
Image|startswith:
- 'C:\Program Files (x86)\'
- 'C:\Program Files\'
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\SystemApps\'
filter_main_full:
Image:
- 'C:\Windows\explorer.exe'
- 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
- 'C:\Windows\regedit.exe' # This FP is triggered for example when choosing the "Connect Network Registry" from the menu
filter_optional_opera:
Image|endswith: '\opera_autoupdate.exe'
filter_optional_process_explorer:
Image|endswith:
- '\procexp64.exe'
- '\procexp.exe'
filter_optional_teams:
Image|startswith: 'C:\Users\'
Image|contains: '\AppData\Local\Microsoft\Teams\'
Image|endswith: '\Teams.exe'
filter_optional_onedrive:
Image|startswith: 'C:\Users\'
Image|contains: '\AppData\Local\Microsoft\OneDrive\'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Other legitimate processes loading those DLLs in your environment.
level: medium
DeviceImageLoadEvents
| where ((FolderPath endswith "\\credui.dll" or FolderPath endswith "\\wincredui.dll") or (InitiatingProcessVersionInfoOriginalFileName in~ ("credui.dll", "wincredui.dll"))) and (not(((InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SystemApps\\") or (InitiatingProcessFolderPath in~ ("C:\\Windows\\explorer.exe", "C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe", "C:\\Windows\\regedit.exe"))))) and (not((InitiatingProcessFolderPath endswith "\\opera_autoupdate.exe" or (InitiatingProcessFolderPath endswith "\\procexp64.exe" or InitiatingProcessFolderPath endswith "\\procexp.exe") or (InitiatingProcessFolderPath startswith "C:\\Users\\" and InitiatingProcessFolderPath contains "\\AppData\\Local\\Microsoft\\Teams\\" and InitiatingProcessFolderPath endswith "\\Teams.exe") or (InitiatingProcessFolderPath startswith "C:\\Users\\" and InitiatingProcessFolderPath contains "\\AppData\\Local\\Microsoft\\OneDrive\\"))))Scenario: A system administrator is using Process Monitor (Sysinternals tool) to debug a process and inadvertently loads CredUI.DLL as part of its operation.
Filter/Exclusion: Check for ProcessName containing “ProcessMonitor” or “ProcMon” in the event log or process tree.
Scenario: A Windows Scheduled Task is configured to run a script that requires credential prompting, such as using runas or cmdkey, which may load CredUI.DLL.
Filter/Exclusion: Filter events where the process is associated with a scheduled task (e.g., TaskName field) or where the command line includes runas or cmdkey.
Scenario: A Group Policy Preferences (GPP) deployment is being applied, which may involve credential handling and load CredUI.DLL during policy processing.
Filter/Exclusion: Check for processes associated with gpupdate or gpmc and filter based on the ImageFileName or CommandLine.
Scenario: A Windows Update Agent or Windows Defender process loads CredUI.DLL as part of its credential handling during an update or scan.
Filter/Exclusion: Exclude processes with ImageFileName like “wuauserv”, “svchost.exe” (with specific service names), or “MsMpEng.exe”.
Scenario: A PowerShell script or Windows PowerShell ISE is used to manage credentials, such as using Get-Credential, which may trigger CredUI.DLL loading.
Filter/Exclusion: Filter events where the process is powershell.exe or powershell_ise.exe, and check for command lines containing Get-Credential or ConvertTo-SecureString.