Vendor-native detections for T1056
2 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Detections
the_gocgle_malicious_campaign
Detects web skimming traffic to the typosquatted Google Analytics / Tag Manager domains and the IP addresses used in the "gocgle" campaign. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md
rule the_gocgle_malicious_campaign {
  meta:
    author = "Osman Demir"
    description = "Detects Web Skimming Attacks License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/LI0qbtGS0Jtv"
    version = "0.01"
    created = "2021-03-09"
    category = "proxy"
    mitre = "T1056, Collection"
  events:
    (
      $selection.principal.hostname = "gocgle-analytics.net" or
      $selection.principal.hostname = "googlo-analytics.com" or
      $selection.principal.hostname = "gocgletagmanager.com" or
      $selection.principal.hostname = "googlc-analytics.com" or
      $selection.principal.hostname = "gocgle-analytics.cm" or
      $selection.principal.hostname = "gocgletagmanager.cm" or
      $selection.principal.hostname = "gocgle-analytics.com" or
      $selection.principal.hostname = "analytic.is" or
      $selection.principal.hostname = "qdtf54y6eu7i87t.ga"
    ) or (
      $selection.target.ip = "5.188.9.61" or
      $selection.target.ip = "5.188.9.33" or
      $selection.target.ip = "5.188.9.40" or
      $selection.target.ip = "194.180.224.112"
    )
  condition:
    $selection
}

Caveat before deploying: in Chronicle UDM, proxy and web events normally carry the requested server in target.hostname (or target.url), while principal describes the requesting client. As written, the hostname branch of this rule compares the skimmer domains against the client host and may never match, while the target.ip branch does; verify your parser's field mapping and move the domain matches to target.hostname if that is where your proxy logs put them. Also note that = on strings in YARA-L is case-sensitive unless nocase is appended, so mixed-case hostnames from some proxies will not match without it.

Windows Input Capture Using Credential UI Dll
The following analytic detects a process loading the credui.dll or wincredui.dll module. This detection leverages Sysmon EventCode 7 to identify instances where these DLLs are loaded by processes outside typical system directories. This activity is significant because adversaries often abuse these modules to create fake credential prompts or dump credentials, posing a risk of credential theft. If confirmed malicious, this activity could allow attackers to harvest user credentials, leading to unauthorized access and potential lateral movement within the network.
`sysmon` EventCode=7
    ((ImageLoaded = "*\\credui.dll" AND OriginalFileName = "credui.dll") OR (ImageLoaded = "*\\wincredui.dll" AND OriginalFileName = "wincredui.dll"))
    AND NOT(Image IN("*\\windows\\explorer.exe", "*\\windows\\system32\\*", "*\\windows\\sysWow64\\*", "*:\\program files*"))
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded dest loaded_file loaded_file_path original_file_name process_exec process_guid process_hash process_id process_name process_path service_dll_signature_exists service_dll_signature_verified signature signature_id user_id vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_input_capture_using_credential_ui_dll_filter`

The two DLL clauses are parenthesised together here. SPL evaluates AND before OR, so without that outer grouping the search reads as (EventCode=7 AND credui.dll) OR (wincredui.dll AND NOT excluded-paths): the path exclusion then never applies to the credui.dll branch and explorer.exe loading credui.dll fires on every logon prompt, while the wincredui.dll branch is not restricted to Event ID 7 at all. Two further points for tuning: the rule requires the PE OriginalFileName to match the on-disk name, so a look-alike DLL dropped as credui.dll with a different original filename is deliberately not matched; and the backticked names are macros from Splunk's security_content project, with windows_input_capture_using_credential_ui_dll_filter being the intended place for environment-specific exclusions rather than editing the IN() list.
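To check the search's logic offline, the following is an added Python re-implementation (not the ESCU search or any Splunk code) run over a handful of constructed Sysmon Event ID 7 records; the process paths, user name and file names are hypothetical. It implements the intended grouping (both DLL branches under EventCode=7 and the path exclusion) and, for comparison, the reading SPL gives the same clauses when the two DLL branches are not parenthesised together, since AND binds tighter than OR.

```python
"""Offline model of the "Windows Input Capture Using Credential UI Dll" search.

Added example, not the Splunk search itself. SAMPLE_EVENTS are constructed
Sysmon records with hypothetical paths; they are not real telemetry.
"""
from collections import Counter
from fnmatch import fnmatchcase

# Globs from the NOT(Image IN(...)) clause, lowercased so that path casing
# (C:\WINDOWS\...) cannot defeat the exclusion.
EXCLUDED_IMAGE_GLOBS = (
    "*\\windows\\explorer.exe",
    "*\\windows\\system32\\*",
    "*\\windows\\syswow64\\*",
    "*:\\program files*",
)

# (ImageLoaded suffix, required PE OriginalFileName) pairs from the search.
CREDUI_MODULES = (
    ("\\credui.dll", "credui.dll"),
    ("\\wincredui.dll", "wincredui.dll"),
)


def _excluded_image(image: str) -> bool:
    """True when the loading process lives in one of the trusted locations."""
    img = image.lower()
    return any(fnmatchcase(img, g) for g in EXCLUDED_IMAGE_GLOBS)


def _loads_module(event: dict, suffix: str, original: str) -> bool:
    """ImageLoaded ends with the DLL name AND the PE OriginalFileName agrees."""
    loaded = event.get("ImageLoaded", "").lower()
    return loaded.endswith(suffix) and event.get("OriginalFileName", "").lower() == original


def matches_credui_rule(event: dict) -> bool:
    """Intended logic: Event ID 7, either credential-UI DLL, untrusted loader path."""
    loads_credui = any(_loads_module(event, s, o) for s, o in CREDUI_MODULES)
    return (
        event.get("EventCode") == 7
        and loads_credui
        and not _excluded_image(event.get("Image", ""))
    )


def matches_without_grouping(event: dict) -> bool:
    """How SPL reads the clauses if the DLL branches are not grouped:
    (EventCode=7 AND credui) OR (wincredui AND NOT excluded)."""
    credui = _loads_module(event, *CREDUI_MODULES[0])
    wincredui = _loads_module(event, *CREDUI_MODULES[1])
    return (event.get("EventCode") == 7 and credui) or (
        wincredui and not _excluded_image(event.get("Image", ""))
    )


def count_by_image(events) -> Counter:
    """Rough equivalent of `stats count by Image ImageLoaded` over matching events."""
    return Counter((e["Image"], e["ImageLoaded"]) for e in events if matches_credui_rule(e))


TEMP_EXE = "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe"  # hypothetical loader
SYS_CREDUI = "C:\\Windows\\System32\\credui.dll"
SYS_WINCREDUI = "C:\\Windows\\System32\\wincredui.dll"

# Constructed sample events (Sysmon field names as Splunk presents them).
SAMPLE_EVENTS = [
    # 0: Explorer legitimately loading credui.dll; excluded by path.
    {"EventCode": 7, "Image": "C:\\Windows\\explorer.exe",
     "ImageLoaded": SYS_CREDUI, "OriginalFileName": "credui.dll"},
    # 1: A System32 binary loading wincredui.dll; excluded by path.
    {"EventCode": 7, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ImageLoaded": SYS_WINCREDUI, "OriginalFileName": "wincredui.dll"},
    # 2: Unsigned binary in a user temp directory loading credui.dll; should fire.
    {"EventCode": 7, "Image": TEMP_EXE,
     "ImageLoaded": SYS_CREDUI, "OriginalFileName": "credui.dll"},
    # 3: Same loader pulling in wincredui.dll; should fire.
    {"EventCode": 7, "Image": TEMP_EXE,
     "ImageLoaded": SYS_WINCREDUI, "OriginalFileName": "wincredui.dll"},
    # 4: Process-create event (ID 1), not an image load; must not fire.
    {"EventCode": 1, "Image": TEMP_EXE,
     "ImageLoaded": "", "OriginalFileName": "updater.exe"},
    # 5: Look-alike DLL dropped as credui.dll with a different PE name; not matched.
    {"EventCode": 7, "Image": TEMP_EXE,
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\credui.dll",
     "OriginalFileName": "evil.dll"},
]

if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        print(i, matches_credui_rule(ev), matches_without_grouping(ev))
    print(count_by_image(SAMPLE_EVENTS))
```

Event 0 is the one to watch: the intended logic suppresses it, but the ungrouped reading returns True because the credui.dll branch is never subjected to the path exclusion, which is exactly the noise an Explorer logon prompt would generate on every host.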