Tap Driver Installation - Security
Detects the installation of a well-known TAP driver service. This could be a sign of potential preparation for data exfiltration using tunnelling techniques.
Sigma rule

```yaml
title: Tap Driver Installation - Security
id: 9c8afa4d-0022-48f0-9456-3712466f9701
related:
    - id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9
      type: derived
status: test
description: |
    Detects the installation of a well-known TAP driver service. This could be a sign of potential preparation for data exfiltration using tunnelling techniques.
references:
    - https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers
author: Daniil Yugoslavskiy, Ian Davis, oscd.community
date: 2019-10-24
modified: 2022-11-29
tags:
    - attack.exfiltration
    - attack.t1048
logsource:
    product: windows
    service: security
    definition: 'Requirements: The System Security Extension audit subcategory need to be enabled to log the EID 4697'
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains: 'tap0901'
    condition: selection
falsepositives:
    - Legitimate OpenVPN TAP installation
level: low
```
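To show what the selection above actually matches, here is an added example (not part of the Sigma project or this rule) that evaluates the rule's two clauses over constructed Security event records in EvtxXML layout. The `_evt` helper, the sample service names and file paths are assumptions made for the demonstration; the rule's field names, values and Sigma's case-insensitive `contains` semantics are as on the page.

```python
import xml.etree.ElementTree as ET
# Namespace used by Windows EvtxXML event exports.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# The rule's selection as data: (field, modifier, value). Clauses in a Sigma
# map are ANDed, and Sigma string matching is case-insensitive.
SELECTION = [
    ("EventID", "equals", "4697"),
    ("ServiceFileName", "contains", "tap0901"),
]

def parse_event(xml_text):
    """Flatten one Security event into {field: value}, as a SIEM would."""
    root = ET.fromstring(xml_text)
    fields = {"EventID": root.findtext("e:System/e:EventID", namespaces=NS)}
    for data in root.findall("e:EventData/e:Data", NS):
        fields[data.get("Name")] = data.text or ""
    return fields

def matches_selection(fields):
    """True when every clause of the selection holds for this event."""
    for field, modifier, value in SELECTION:
        actual = fields.get(field)
        if actual is None:
            return False
        if modifier == "equals" and actual != value:
            return False
        if modifier == "contains" and value.lower() not in actual.lower():
            return False
    return True

def _evt(event_id, **data):
    # Build a constructed EvtxXML record (illustrative, not real telemetry).
    rows = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f"</System><EventData>{rows}</EventData></Event>")
# Constructed samples: a TAP service install (mixed case on purpose), an
# unrelated service install, and a 4688 that has no ServiceFileName field.
SAMPLE_EVENTS = [
    _evt(4697, ServiceName="tap0901",
         ServiceFileName=r"C:\Windows\System32\drivers\TAP0901.sys"),
    _evt(4697, ServiceName="MyAgent",
         ServiceFileName=r"C:\Program Files\Vendor\agent.exe"),
    _evt(4688, NewProcessName=r"C:\Windows\System32\drivers\tap0901.sys"),
]

def alert_service_names(events):
    """ServiceName of every sample event the rule would fire on."""
    hits = [parse_event(e) for e in events]
    return [h["ServiceName"] for h in hits if matches_selection(h)]  # ['tap0901']
```

The third sample shows why the rule keys on ServiceFileName rather than any path field: a process-creation event naming the same driver file does not fire, which is what keeps the rule scoped to EID 4697 service installs.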
Related rules
- Copy From Or To Admin Share Or Sysvol Folder
- DNS TOR Proxies
- Powershell DNSExfiltration
- Suspicious Redirection to Local Admin Share
- Tap Driver Installation