Tap Driver Installation - Security

Detects the installation of a well-known TAP driver service. This could be a sign of potential preparation for data exfiltration using tunnelling techniques.

Sigma rule

```yaml
title: Tap Driver Installation - Security
id: 9c8afa4d-0022-48f0-9456-3712466f9701
related:
    - id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9
      type: derived
status: test
description: |
        Detects the installation of a well-known TAP driver service. This could be a sign of potential preparation for data exfiltration using tunnelling techniques.
references:
    - https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers
author: Daniil Yugoslavskiy, Ian Davis, oscd.community
date: 2019/10/24
modified: 2022/11/29
tags:
    - attack.exfiltration
    - attack.t1048
logsource:
    product: windows
    service: security
    definition: 'Requirements: The System Security Extension audit subcategory need to be enabled to log the EID 4697'
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains: 'tap0901'
    condition: selection
falsepositives:
    - Legitimate OpenVPN TAP installation
level: low
```
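As an added example (not part of the rule or of the Sigma project), the following Python evaluator applies this rule's `selection` to Security event 4697 records in the Windows event XML shape, using Sigma's case-insensitive `contains` semantics; the records, user names and service paths are constructed, and the `sample_event` helper is a hypothetical convenience for building them. Note that a legitimate OpenVPN TAP install produces the same match, which is why the rule is rated `low`.

```python
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML (the shape seen in evtx exports and forwarded events).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def sample_event(event_id, **data):
    """Build a constructed event record in the Windows event XML shape (not a real captured log)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData>{fields}</EventData></Event>')


# Constructed sample records: two TAP driver installs (one in different case), one
# unrelated service install, and a process-creation event the rule must ignore.
SAMPLE_RECORDS = [
    sample_event(4697, SubjectUserName="alice", ServiceName="tap0901",
                 ServiceFileName=r"System32\drivers\tap0901.sys"),
    sample_event(4697, SubjectUserName="SYSTEM", ServiceName="Spooler",
                 ServiceFileName=r"C:\Windows\System32\spoolsv.exe"),
    sample_event(4697, SubjectUserName="bob", ServiceName="TAP0901",
                 ServiceFileName=r"C:\Windows\System32\drivers\TAP0901.sys"),
    sample_event(4688, SubjectUserName="carol", NewProcessName=r"C:\OpenVPN\bin\openvpn.exe"),
]


def parse_event(xml_text):
    """Flatten one event into {EventID, <EventData Name>: value}, the field names the rule uses."""
    root = ET.fromstring(xml_text)
    event = {"EventID": int(root.findtext("e:System/e:EventID", default="0", namespaces=NS))}
    for data in root.findall("e:EventData/e:Data", NS):
        event[data.get("Name")] = data.text or ""
    return event


def sigma_contains(value, needle):
    """Sigma's |contains modifier: case-insensitive substring match; a missing field never matches."""
    return value is not None and needle.lower() in str(value).lower()


def matches_rule(event):
    """The rule's 'selection' block: every listed field must match (implicit AND)."""
    return event.get("EventID") == 4697 and sigma_contains(event.get("ServiceFileName"), "tap0901")


def run_rule(xml_records):
    """Return (installing user, service binary path) for every record the rule fires on."""
    hits = []
    for record in xml_records:
        event = parse_event(record)
        if matches_rule(event):
            hits.append((event.get("SubjectUserName"), event.get("ServiceFileName")))
    return hits


if __name__ == "__main__":
    for user, path in run_rule(SAMPLE_RECORDS):
        print(f"TAP driver service installed by {user}: {path}")
```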
