CredUI.DLL Loaded By Uncommon Process

Sigma Rules

Summary
This detection rule identifies instances where "credui.dll" or "wincredui.dll" is loaded by a process that is not commonly recognized as a legitimate source. Attackers may abuse these DLLs, in particular the functions "CredUIPromptForCredentials" and "CredUnPackAuthenticationBufferW", to present a credential prompt and harvest credentials from unsuspecting users. By monitoring for such image loads, security analysts can flag potential credential theft attempts, especially when the loading process deviates from standard applications such as Windows Explorer or System Settings. The rule uses a selection that matches on the loaded image name while filtering out common and trusted processes to minimize false positives. Examining the loaded images, their paths, and their typical usage patterns allows this rule to pinpoint unusual behavior without overwhelming alert systems with benign events.
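The selection-and-filter logic described above, as an added illustration that is not the rule's own source: it runs over a few constructed Sysmon-style image-load events (Image = loading process, ImageLoaded = DLL path), matches on the loaded image name, and suppresses the processes that normally load these DLLs. The allow-list here is an assumption built from the two applications the summary names (Windows Explorer and System Settings); the real rule's filter list may differ.

```python
# Constructed sample image-load events (Sysmon Event ID 7 style); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\credui.dll"},
    {"Image": r"C:\Windows\ImmersiveControlPanel\SystemSettings.exe",
     "ImageLoaded": r"C:\Windows\System32\wincredui.dll"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "ImageLoaded": r"C:\Windows\System32\credui.dll"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"Image": r"C:\Users\alice\Downloads\tool.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\wincredui.dll"},
]

# Assumed allow-list of processes that routinely load the credential UI DLLs.
# Only the two applications named in the rule summary are included here; this
# is an assumption for the example, not the rule's actual filter.
TRUSTED_IMAGES = {
    r"c:\windows\explorer.exe",
    r"c:\windows\immersivecontrolpanel\systemsettings.exe",
}

# Sigma-style "endswith" selection on the loaded image name.
CREDUI_SUFFIXES = (r"\credui.dll", r"\wincredui.dll")


def loads_credui(event):
    """Selection: the loaded image is credui.dll or wincredui.dll (case-insensitive)."""
    loaded = event.get("ImageLoaded", "").lower()
    return loaded.endswith(CREDUI_SUFFIXES)


def is_trusted(event):
    """Filter: the loading process is on the allow-list of expected loaders."""
    return event.get("Image", "").lower() in TRUSTED_IMAGES


def matches(event):
    """Rule condition: selection and not filter."""
    return loads_credui(event) and not is_trusted(event)


def detect(events):
    """Return the events that would raise an alert under this rule."""
    return [e for e in events if matches(e)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT: {hit['Image']} loaded {hit['ImageLoaded']}")
```

Running it flags only the two loads from user-writable directories; the Explorer and System Settings loads are suppressed by the filter, and the kernel32.dll load never enters the selection. Tuning for a real environment means extending the allow-list with the additional legitimate loaders observed in your own telemetry rather than loosening the image-name match.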
Categories
  • Windows
  • Endpoint
Data Sources
  • Image
ATT&CK Techniques
  • T1056.002
Created: 2020-10-20