
0xPrashanthSec
Contributor

Detects when a process loads UIAutomationCore.dll, which may indicate abuse of Microsoft's UI Automation framework. This technique has been observed in Coyote malware for credential theft from banking applications and cryptocurrency exchanges. The rule monitors for processes that load the UI Automation Core library, which enables automated interaction with UI elements.

@github-actions github-actions bot added Rules Windows Pull request add/update windows related rules labels Jul 29, 2025
@0xPrashanthSec 0xPrashanthSec changed the title Create proc_creation_win_uiautomationcore_susp_loaded.yml Create UI Automation Core DLL Loading Detection Jul 29, 2025
…l to proc_creation_win_uiacore_unusual_usage.yml
@0xPrashanthSec
Contributor Author

Hi all, I tried to change the file name in all formats but it's still failing. Can someone help me with that?

@swachchhanda000
Collaborator

Hi all, I tried to change the file name in all formats but it's still failing. Can someone help me with that?

It's because you are using the proc_creation prefix for an image_load rule.

@0xPrashanthSec
Contributor Author

Hi all, I tried to change the file name in all formats but it's still failing. Can someone help me with that?

It's because you are using the proc_creation prefix for an image_load rule.

Ah, got it, let me make the changes.


@swachchhanda000 swachchhanda000 left a comment


@phantinuss
Collaborator

@prashanthpulisetti Did you observe/produce matches with these? Then we should integrate it into the existing rule

            - '\narrator.exe'
            - '\osk.exe'
            - '\magnify.exe'
            - '\utilman.exe'
            - '\sethc.exe'
            - '\AtBroker.exe'
            - '\displayswitch.exe'

@0xPrashanthSec
Contributor Author

@prashanthpulisetti Did you observe/produce matches with these? Then we should integrate it into the existing rule

            - '\narrator.exe'
            - '\osk.exe'
            - '\magnify.exe'
            - '\utilman.exe'
            - '\sethc.exe'
            - '\AtBroker.exe'
            - '\displayswitch.exe'

Hi @phantinuss, I haven't tested it yet, but I believe these are legitimate Windows accessibility tools (like Narrator, Magnifier, and On-Screen Keyboard) that typically load UIAutomationCore.dll during normal operation. I added them to the filter to reduce false positives.
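Added example, not code from the PR or the SigmaHQ repository: a small Python evaluator for the detection logic discussed in this thread (an image_load rule on UIAutomationCore.dll with the accessibility-tool filter quoted by @phantinuss), run over constructed Sysmon Event ID 7 style records. The shape of the detection block, the field names and the sample events are assumptions made for the example.

```python
from dataclasses import dataclass
# Assumed shape of the detection discussed in the thread (not copied from the PR):
# selection on the loaded DLL, filter on the accessibility tools quoted by @phantinuss.
SIGMA_DETECTION = {
    "selection": {"ImageLoaded|endswith": "\\UIAutomationCore.dll"},
    "filter_accessibility": {"Image|endswith": [
        "\\narrator.exe", "\\osk.exe", "\\magnify.exe", "\\utilman.exe",
        "\\sethc.exe", "\\AtBroker.exe", "\\displayswitch.exe",
    ]},
    "condition": "selection and not filter_accessibility",
}

@dataclass
class ImageLoadEvent:  # Sysmon Event ID 7 style record, constructed field subset
    Image: str        # process that performed the load
    ImageLoaded: str  # DLL mapped into it

def _endswith(value, suffixes):
    # Sigma matching is case-insensitive; a modifier value may be one string or a list
    if isinstance(suffixes, str):
        suffixes = [suffixes]
    return any(value.lower().endswith(s.lower()) for s in suffixes)

def _block_matches(event, block):
    # Every field|modifier pair in a block must match; only 'endswith' is handled here
    for key, value in block.items():
        field, modifier = key.split("|")
        assert modifier == "endswith", "unsupported modifier for this example"
        if not _endswith(getattr(event, field), value):
            return False
    return True

def matches_rule(event):
    # Evaluates the fixed condition 'selection and not filter_accessibility'
    return (_block_matches(event, SIGMA_DETECTION["selection"])
            and not _block_matches(event, SIGMA_DETECTION["filter_accessibility"]))

def evaluate(events):
    # Return the Image of every event the rule would alert on
    return [e.Image for e in events if matches_rule(e)]

# Constructed samples: accessibility tool (filtered), unknown binary (alerts),
# lowercase path variant (filtered), unrelated DLL load (no selection match)
SAMPLE_EVENTS = [
    ImageLoadEvent(r"C:\Windows\System32\narrator.exe", r"C:\Windows\System32\UIAutomationCore.dll"),
    ImageLoadEvent(r"C:\Users\Public\update.exe", r"C:\Windows\System32\UIAutomationCore.dll"),
    ImageLoadEvent(r"C:\Windows\System32\osk.exe", r"c:\windows\system32\uiautomationcore.dll"),
    ImageLoadEvent(r"C:\Program Files\App\app.exe", r"C:\Windows\System32\kernel32.dll"),
]
```

Calling `evaluate(SAMPLE_EVENTS)` returns only the unknown binary, which is the false-positive behaviour the filter list is meant to achieve for the real accessibility tools.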

@swachchhanda000
Collaborator

Closing as a duplicate for now, but if an interesting finding comes up, please reopen.

Labels: Duplicate, Rules, Windows, Pull request add/update windows related rules